Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hello From the Other Side

Ian Coldwater
November 21, 2019
Technology
0
460

Hello From the Other Side

Attackers have user stories too. Are you designing with them in mind?

As an attacker, Ian Coldwater would like to help you understand these users and their stories. What do their mindsets, motivations and methodologies look like? What do attackers look for when they look at a Kubernetes context, what do they do when they get in there, and what can you do to help protect your clusters and code against them?

Being able to understand these perspectives can help you broaden your own. Let’s explore them together, and learn how to build stronger, more secure systems accordingly.

Ian Coldwater

November 21, 2019
Tweet

More Decks by Ian Coldwater

See All by Ian Coldwater
Advanced Persistence Threats: The Future of Kubernetes Attacks
iancoldwater
1
2.6k
Bridge Construction Kit: DevOps and Security Don’t Have to Be Islands
iancoldwater
2
440
Hello World
iancoldwater
1
170
The Path Less Traveled: Abusing Kubernetes Defaults
iancoldwater
7
7.1k
Crafty Requests: Deep Dive into Kubernetes CVE-2018-1002105
iancoldwater
2
340
Ship of Fools: Shoring Up Kubernetes Security
iancoldwater
3
2.5k

Other Decks in Technology

See All in Technology
物価高なラスベガスでの過ごし方
zakky
0
380
MAMを軸とした動画ハンドリングにおけるAI活用前提の整備と次世代ビジョン / abema-ai-mam
cyberagentdevelopers
PRO
1
110
신뢰할 수 있는 AI 검색 엔진을 만들기 위한 Liner의 여정
huffon
0
340
Java x Spring Boot Warm up
kazu_kichi_67
2
490
CAMERA-Suite: 広告文生成のための評価スイート / ai-camera-suite
cyberagentdevelopers
PRO
3
270
バクラクにおける可観測性向上の取り組み
yuu26
3
420
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.6k
Aurora_BlueGreenDeploymentsやってみた
tsukasa_ishimaru
1
120
visionOSでの空間表現実装とImmersive Video表示について / ai-immersive-visionos
cyberagentdevelopers
PRO
1
110
AWS CDKでデータリストアの運用、どのように設計する?~Aurora・EFSの実践事例を紹介~/aws-cdk-data-restore-aurora-efs
mhrtech
4
650
Commitment vs Harrisonism - Keynote for Scrum Niseko 2024
miholovesq
6
1.1k
大規模データ基盤チームのオンプレTiDB運用への挑戦 / dpu-tidb
cyberagentdevelopers
PRO
1
110

Featured

See All Featured
ReactJS: Keep Simple. Everything can be a component!
pedronauck
664
120k
Typedesign – Prime Four
hannesfritz
39
2.4k
Optimizing for Happiness
mojombo
376
69k
Automating Front-end Workflow
addyosmani
1365
200k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
790
GitHub's CSS Performance
jonrohan
1030
460k
The Art of Programming - Codeland 2020
erikaheidi
51
13k
A Philosophy of Restraint
colly
203
16k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
3
370
Producing Creativity
orderedlist
PRO
341
39k
Code Reviewing Like a Champion
maltzj
519
39k

Transcript

  1. HELLO FROM THE OTHER SIDE Dispatches From a Kubernetes Attacker

    @IanColdwater

  2. My name is Ian Coldwater. I’m a Lead Platform Security

    Engineer at Heroku, a Salesforce company. I specialize in hacking and hardening Kubernetes, containers and cloud infrastructure. @IanColdwater

  3. HI COMMUNITY! @IanColdwater

  4. DIVERSITY BUILDS STRONGER SYSTEMS @IanColdwater

  5. WHO DO YOU DESIGN FOR? @IanColdwater

  6. ATTACKERS HAVE USER STORIES TOO @IanColdwater

  7. WHO ARE ATTACKERS? @IanColdwater

  8. HOW DO ATTACKERS THINK? @IanColdwater

  9. WHAT DO YOU SEE? @IanColdwater

  10. WHAT DO YOU SEE? kubectl auth can-i --list --namespace=kube-system @IanColdwater

  11. WHAT DO ATTACKERS LOOK FOR? @IanColdwater

  12. ATTACKER METHODOLOGY @IanColdwater

  13. DESIGNING FOR DEFENSE @IanColdwater

  14. WHAT IS YOUR THREAT MODEL? • What are you trying

    to protect? • Who are you trying to protect it from? @IanColdwater

  15. WHAT’S IN YOUR GRAPH? • Know what you’re running, and

    understand it well. • What connects? What crosses? Where are the rough edges? • What would an attacker see? @IanColdwater

  16. CHECK YOUR ASSUMPTIONS @IanColdwater

  17. THINGS YOU CAN DO @IanColdwater

  18. MAKE FRIENDS! @IanColdwater

  19. GET PRACTICE • Capture the Flag: overthewire.org, picoctf.com, hackthebox.eu •

    goose.game • Play with your own systems! @IanColdwater

  20. BETTER TOGETHER @IanColdwater

  21. WE CAN DO IT! @IanColdwater

  22. RESOURCES • Kubernetes security audit • attack trees • attackers

    think in graphs • bug bounties and black swans • CIS benchmarks • https://k8s.io/security • github.com/kelseyhightower/ nocode - the best way to write secure and reliable applications! @IanColdwater