Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hello From the Other Side

Ian Coldwater
November 21, 2019
Technology
0
470

Hello From the Other Side

Attackers have user stories too. Are you designing with them in mind?

As an attacker, Ian Coldwater would like to help you understand these users and their stories. What do their mindsets, motivations and methodologies look like? What do attackers look for when they look at a Kubernetes context, what do they do when they get in there, and what can you do to help protect your clusters and code against them?

Being able to understand these perspectives can help you broaden your own. Let’s explore them together, and learn how to build stronger, more secure systems accordingly.

Ian Coldwater

November 21, 2019
Tweet

More Decks by Ian Coldwater

See All by Ian Coldwater
Advanced Persistence Threats: The Future of Kubernetes Attacks
iancoldwater
1
2.6k
Bridge Construction Kit: DevOps and Security Don’t Have to Be Islands
iancoldwater
2
440
Hello World
iancoldwater
1
170
The Path Less Traveled: Abusing Kubernetes Defaults
iancoldwater
7
7.1k
Crafty Requests: Deep Dive into Kubernetes CVE-2018-1002105
iancoldwater
2
340
Ship of Fools: Shoring Up Kubernetes Security
iancoldwater
3
2.5k

Other Decks in Technology

See All in Technology
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
4
1.4k
マルチプロダクトな開発組織で 「開発生産性」に向き合うために試みたこと / Improving Multi-Product Dev Productivity
sugamasao
1
310
【Pycon mini 東海 2024】Google Colaboratoryで試すVLM
kazuhitotakahashi
2
540
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
870
AGIについてChatGPTに聞いてみた
blueb
0
130
FlutterアプリにおけるSLI/SLOを用いたユーザー体験の可視化と計測基盤構築
ostk0069
0
100
CysharpのOSS群から見るModern C#の現在地
neuecc
2
3.5k
SREが投資するAIOps ~ペアーズにおけるLLM for Developerへの取り組み~
takumiogawa
1
430
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
TypeScript、上達の瞬間
sadnessojisan
46
13k
Zennのパフォーマンスモニタリングでやっていること
ryosukeigarashi
0
150
心が動くエンジニアリング ── 私が夢中になる理由
16bitidol
0
100

Featured

See All Featured
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
109
49k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
506
140k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
Optimizing for Happiness
mojombo
376
70k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
What's in a price? How to price your products and services
michaelherold
243
12k
Making Projects Easy
brettharned
115
5.9k
Automating Front-end Workflow
addyosmani
1366
200k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.4k
Typedesign – Prime Four
hannesfritz
40
2.4k

Transcript

  1. HELLO FROM THE OTHER SIDE Dispatches From a Kubernetes Attacker

    @IanColdwater

  2. My name is Ian Coldwater. I’m a Lead Platform Security

    Engineer at Heroku, a Salesforce company. I specialize in hacking and hardening Kubernetes, containers and cloud infrastructure. @IanColdwater

  3. HI COMMUNITY! @IanColdwater

  4. DIVERSITY BUILDS STRONGER SYSTEMS @IanColdwater

  5. WHO DO YOU DESIGN FOR? @IanColdwater

  6. ATTACKERS HAVE USER STORIES TOO @IanColdwater

  7. WHO ARE ATTACKERS? @IanColdwater

  8. HOW DO ATTACKERS THINK? @IanColdwater

  9. WHAT DO YOU SEE? @IanColdwater

  10. WHAT DO YOU SEE? kubectl auth can-i --list --namespace=kube-system @IanColdwater

  11. WHAT DO ATTACKERS LOOK FOR? @IanColdwater

  12. ATTACKER METHODOLOGY @IanColdwater

  13. DESIGNING FOR DEFENSE @IanColdwater

  14. WHAT IS YOUR THREAT MODEL? • What are you trying

    to protect? • Who are you trying to protect it from? @IanColdwater

  15. WHAT’S IN YOUR GRAPH? • Know what you’re running, and

    understand it well. • What connects? What crosses? Where are the rough edges? • What would an attacker see? @IanColdwater

  16. CHECK YOUR ASSUMPTIONS @IanColdwater

  17. THINGS YOU CAN DO @IanColdwater

  18. MAKE FRIENDS! @IanColdwater

  19. GET PRACTICE • Capture the Flag: overthewire.org, picoctf.com, hackthebox.eu •

    goose.game • Play with your own systems! @IanColdwater

  20. BETTER TOGETHER @IanColdwater

  21. WE CAN DO IT! @IanColdwater

  22. RESOURCES • Kubernetes security audit • attack trees • attackers

    think in graphs • bug bounties and black swans • CIS benchmarks • https://k8s.io/security • github.com/kelseyhightower/ nocode - the best way to write secure and reliable applications! @IanColdwater