2. #RuggedDevOps
If you see something cool…
Get today’s Rugged DevOps presentations in your inbox
mmiller@sonatype.com
3. #WhoAmI?
• @StephanChenette, CEO and Founder @AttackIQ
AttackIQcreated the first continuoussecurity testing platform to challengeexisting host,
network and cloud infrastructure securitycontrols to help organizationssafely validate
and measure their defense in depth strategy.
• Started my career in 1999 in Security – total of 16+ years – Grad School at UCSD
• Director of research IOActive , Head of Websense Security Labs, SAIC, eEye Digital
Security
• Sit on the advisory board for CyberTECH, CISO Round Table of Southern California and
Build it Securely and I head up the local OWASP Chapter, AppSec California Conference
• Invited speaker at Blackhat, RSA, CanSec West, AusCERT, RECON, SOURCE, ToorCON,
ISSA, etc.
• Main Interest - Offensive and Defensive Techniques
5. DevOps
Has established a culture and environment
where building, testing, and releasing software,
can happen rapidly, frequently, and more
reliably.
Continuous Deployment
Infrastructure as Code
6. Rugged DevOps
Goal of Security: reduce business risk
Cyber security is a business
issue, not an IT issue.
8. Protecting Assets
Measures must be taken to ensure the integrity,
security, accuracy, and privacy of all systems and
data.
Wrap Security Controls around Valued Assets
• Compliance
• Business Continuity
11. Why Validate Security Controls?
To Minimize Risk.
Risk = impact * likelihood
If you drive impact down, the risk is
minimized
Benefits – minimized risk, more effective,
efficient, consolidated security program
12. How do you minimize your threat impact?
Identify The
Attackers
Identify the
Attack
Techniques
Build
Adversarial
Playbook
Replay Attacker
Playbook
Analyze
Security
Controls Results
Improve or Add
New Security
Controls
13. This can start with simple validation
Identify security
control
assumptions
Build Security
Control Unit
Test
Exercise Unit
Test
Analyze
Security
Controls Results
Improve or Add
New Security
Controls
14. Security testing is not point in time
DevOps is Code as Infrastructure
Rugged DevOps is Code as Security
Unit Testing Your Security Controls
Regression Testing your Security Infrastructure
15. Key Focus Points in Modelling
• Prioritizing the Highest Risk Threats,
Adversarial Objectives and Methods
• Prioritize Security Controls (purpose, function,
assumption)
• Create a process that can be:
– Automated, replicated and consistent
16. Attack Stages
• External Reconnaissance
• Initial Breach
• Gaining Persistence
• Escalate Privileges
• Lateral Movement
• Access to Data Stores
• Command and Control
• Exfiltration
17. Goal
• Duplicate real attack techniques and tactics in
an automated fashion
• Automatically test each expectation as that
asset or security control is deployed
18. Stage Tactic Pass/Fail/Detect Technology Controls
Initial Breach Install malware (Citadel) on vendor machine.
Use stolen credentials to connect to Target's network.
Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php).
Query Active Directory, using LDAP protocol, for relevant target services
(MSSSQLvc/BillingServer).
Privilege Escalation Use "Pass-the-hash" to obtain NT hash token.
Persistence Create new domain admin account with stolen token.
Access to other Data Stores Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers.
Use a port forwarding tool to tunnel through several servers, bypassing security measures.
Use RDP and Microsoft PSExec utility to execute processes.
Use Microsoft Orchestratorto remain persistent and execute arbitrary code.
Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save
data to a local file.
Exfiltration Create remote fileshare on remote FTP-enabled machine and copy data file to the
machine.
Use script to send file to attacker via FTP.
Example: Target Breach
19. Example: Target Breach
• Initial Breach
Stage Tactic Pass/Fail/Detect Technology Controls
Initial Breach Install malware (Citadel) on
vendormachine.
Use stolen credentials to
connect to Target's network.
Exploit webapp vulnerability by
uploading PHP web shell
(xmlrpc.php).
Query Active Directory, using
LDAP protocol, for relevant
target services
(MSSSQLvc/BillingServer).
20. Example: Target Breach
Stage Tactic Pass/Fail/Detect Technology Controls
Privilege
Escalation
Use "Pass-the-hash" to obtain NT hash
token.
Access to other
Data Stores
Utilize new credentials to scan, using "Angry
IP Scanner," for accessible computers.
Use a port forwarding tool to tunnel through
several servers, bypassing security measures.
Use RDP and Microsoft PSExec utility to
execute processes.
Use Microsoft Orchestrator to remain
persistent and execute arbitrary code.
Remotely install malware (Kaptoxa) onto
POS machines, scrape POS memory, and
save data to a local file.
• Privilege Escalation
21. Example: Target Breach
Stage Tactic Pass/Fail/Detect Technology Controls
Exfiltration Create remote fileshare on
remote FTP-enabled machine
and copy data file to the
machine.
Use script to send file to attacker
via FTP.
23. Stage Tactic Pass/Fail/Detect Technology Controls
Initial Breach Install malware (Citadel) on vendor machine. PD Generic AV (Symantec)
Use stolen credentials to connect to Target's network. F Behavior Analytics
Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php). PD Web App Firewall
Query Active Directory, using LDAP protocol, for relevant target services
(MSSSQLvc/BillingServer).
F N/A
Privilege Escalation Use "Pass-the-hash" to obtain NT hash token. PD AV Detected mimikatz
Persistence Create new domain admin account with stolen token. F N/A
Access to other Data Stores Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers. F N/A
Use a port forwarding tool to tunnel through several servers, bypassing security measures. F Palo Alto
Use RDP and Microsoft PSExec utility to execute processes. D Crowdstrike Falcon
Use Microsoft Orchestratorto remain persistent and execute arbitrary code. P Cylance Prevent
Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save
data to a local file.
F Symantec
Exfiltration Create remote fileshare on remote FTP-enabled machine and copy data file to the
machine.
F Behavior Analytics
Use script to send file to attacker via FTP. F Firewall/IPS
Example: Target Breach
24. Modeling Exercise
• Installation of Web Shell on network
• Lateral Movement (Pass-the-Hash Technique) w/
mimikatz
• Use of known port scanner
• Use of PA/PSExec with dumped credential hashes
• Use of Built-in-tools at potentially anomalous
times
• Download of known malware
• Access to FTP to potentially unknown remote
machine
26. Trust, but Verify
• Validate your security controls
• Regression Testing
• Unit Testing
27. Focus
• Run routine attack modeling automatically as
your apps/security controls are deployed via
chef/Jenkins, etc.
• Identify gaps or blind spots
• Design your controls around the attacker
tactics
28. Adversarial Modeling
• Does not take much time/energy
• Creates Data-driven reasoning around
buying/purchasing decisions
• Build repository of related attacks
• Shows historical improvements around
baseline
• Consolidates security technologies
29. Where to Start
• IT/Ops/SOC/Dev/Management Involvement
• Build threat intelligence/attack repository
• Move to attack models
• Communicate output clearly to show
improvements
30. Conclusion
What can be measured can be improved
Implementing security controls around relevant
attack models will save you time, money and
resources and focuses on minimizing the true risks
to your organization
Security as Code
Continuous Validation
31. • Thank you.
• Stephan Chenette, CEO and Founder,
stephan@attackiq.com
• @stephanchenette @attackiq
32. Get today’s Rugged DevOps presentations in your inbox
mmiller@sonatype.com