SlideShare a Scribd company logo

Building Security Controls around Attack Models

S
SeniorStoryteller

Stephan Chenette persentation at Rugged DevOps: DevOps Connect during RSA Conference 2016

Technology
1 of 32
Download to read offline
@StephanChenette @AttackIQ Building Security Controls Around Attack Models
#RuggedDevOps If you see something cool… Get today’s Rugged DevOps presentations in your inbox mmiller@sonatype.com
#WhoAmI? • @StephanChenette, CEO and Founder @AttackIQ AttackIQcreated the first continuoussecurity testing platform to challengeexisting host, network and cloud infrastructure securitycontrols to help organizationssafely validate and measure their defense in depth strategy. • Started my career in 1999 in Security – total of 16+ years – Grad School at UCSD • Director of research IOActive , Head of Websense Security Labs, SAIC, eEye Digital Security • Sit on the advisory board for CyberTECH, CISO Round Table of Southern California and Build it Securely and I head up the local OWASP Chapter, AppSec California Conference • Invited speaker at Blackhat, RSA, CanSec West, AusCERT, RECON, SOURCE, ToorCON, ISSA, etc. • Main Interest - Offensive and Defensive Techniques
Agenda Building Security Controls Around Attack Models Continuous Deployment Continuous Validation
DevOps Has established a culture and environment where building, testing, and releasing software, can happen rapidly, frequently, and more reliably. Continuous Deployment Infrastructure as Code
Rugged DevOps Goal of Security: reduce business risk Cyber security is a business issue, not an IT issue.
Risk Risk = impact * likelihood
Protecting Assets Measures must be taken to ensure the integrity, security, accuracy, and privacy of all systems and data. Wrap Security Controls around Valued Assets • Compliance • Business Continuity
Trust, but verify Multiple Security Controls in place – how do you validate them all?
Continuous Validation Rugged DevOps Responsibility Continuous Validation Continuous Deployment
Why Validate Security Controls? To Minimize Risk. Risk = impact * likelihood If you drive impact down, the risk is minimized Benefits – minimized risk, more effective, efficient, consolidated security program
How do you minimize your threat impact? Identify The Attackers Identify the Attack Techniques Build Adversarial Playbook Replay Attacker Playbook Analyze Security Controls Results Improve or Add New Security Controls
This can start with simple validation Identify security control assumptions Build Security Control Unit Test Exercise Unit Test Analyze Security Controls Results Improve or Add New Security Controls
Security testing is not point in time DevOps is Code as Infrastructure Rugged DevOps is Code as Security Unit Testing Your Security Controls Regression Testing your Security Infrastructure
Key Focus Points in Modelling • Prioritizing the Highest Risk Threats, Adversarial Objectives and Methods • Prioritize Security Controls (purpose, function, assumption) • Create a process that can be: – Automated, replicated and consistent
Attack Stages • External Reconnaissance • Initial Breach • Gaining Persistence • Escalate Privileges • Lateral Movement • Access to Data Stores • Command and Control • Exfiltration
Goal • Duplicate real attack techniques and tactics in an automated fashion • Automatically test each expectation as that asset or security control is deployed
Stage Tactic Pass/Fail/Detect Technology Controls Initial Breach Install malware (Citadel) on vendor machine. Use stolen credentials to connect to Target's network. Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php). Query Active Directory, using LDAP protocol, for relevant target services (MSSSQLvc/BillingServer). Privilege Escalation Use "Pass-the-hash" to obtain NT hash token. Persistence Create new domain admin account with stolen token. Access to other Data Stores Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers. Use a port forwarding tool to tunnel through several servers, bypassing security measures. Use RDP and Microsoft PSExec utility to execute processes. Use Microsoft Orchestratorto remain persistent and execute arbitrary code. Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save data to a local file. Exfiltration Create remote fileshare on remote FTP-enabled machine and copy data file to the machine. Use script to send file to attacker via FTP. Example: Target Breach
Example: Target Breach • Initial Breach Stage Tactic Pass/Fail/Detect Technology Controls Initial Breach Install malware (Citadel) on vendormachine. Use stolen credentials to connect to Target's network. Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php). Query Active Directory, using LDAP protocol, for relevant target services (MSSSQLvc/BillingServer).
Example: Target Breach Stage Tactic Pass/Fail/Detect Technology Controls Privilege Escalation Use "Pass-the-hash" to obtain NT hash token. Access to other Data Stores Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers. Use a port forwarding tool to tunnel through several servers, bypassing security measures. Use RDP and Microsoft PSExec utility to execute processes. Use Microsoft Orchestrator to remain persistent and execute arbitrary code. Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save data to a local file. • Privilege Escalation
Example: Target Breach Stage Tactic Pass/Fail/Detect Technology Controls Exfiltration Create remote fileshare on remote FTP-enabled machine and copy data file to the machine. Use script to send file to attacker via FTP.
Measure • Detection – Time • Prevention – Yes/No
Stage Tactic Pass/Fail/Detect Technology Controls Initial Breach Install malware (Citadel) on vendor machine. PD Generic AV (Symantec) Use stolen credentials to connect to Target's network. F Behavior Analytics Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php). PD Web App Firewall Query Active Directory, using LDAP protocol, for relevant target services (MSSSQLvc/BillingServer). F N/A Privilege Escalation Use "Pass-the-hash" to obtain NT hash token. PD AV Detected mimikatz Persistence Create new domain admin account with stolen token. F N/A Access to other Data Stores Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers. F N/A Use a port forwarding tool to tunnel through several servers, bypassing security measures. F Palo Alto Use RDP and Microsoft PSExec utility to execute processes. D Crowdstrike Falcon Use Microsoft Orchestratorto remain persistent and execute arbitrary code. P Cylance Prevent Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save data to a local file. F Symantec Exfiltration Create remote fileshare on remote FTP-enabled machine and copy data file to the machine. F Behavior Analytics Use script to send file to attacker via FTP. F Firewall/IPS Example: Target Breach
Modeling Exercise • Installation of Web Shell on network • Lateral Movement (Pass-the-Hash Technique) w/ mimikatz • Use of known port scanner • Use of PA/PSExec with dumped credential hashes • Use of Built-in-tools at potentially anomalous times • Download of known malware • Access to FTP to potentially unknown remote machine
Defense-in-Depth Metrics Identified Tactic • % Failed –% Detected –% Prevented • Identify, prioritize need for control technology
Trust, but Verify • Validate your security controls • Regression Testing • Unit Testing
Focus • Run routine attack modeling automatically as your apps/security controls are deployed via chef/Jenkins, etc. • Identify gaps or blind spots • Design your controls around the attacker tactics
Adversarial Modeling • Does not take much time/energy • Creates Data-driven reasoning around buying/purchasing decisions • Build repository of related attacks • Shows historical improvements around baseline • Consolidates security technologies
Where to Start • IT/Ops/SOC/Dev/Management Involvement • Build threat intelligence/attack repository • Move to attack models • Communicate output clearly to show improvements
Conclusion What can be measured can be improved Implementing security controls around relevant attack models will save you time, money and resources and focuses on minimizing the true risks to your organization Security as Code Continuous Validation
• Thank you. • Stephan Chenette, CEO and Founder, stephan@attackiq.com • @stephanchenette @attackiq
Get today’s Rugged DevOps presentations in your inbox mmiller@sonatype.com

Recommended

Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationZane Lackey
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOpsSeniorStoryteller
 
Rugged DevOps at Scale with Rich Mogull
Rugged DevOps at Scale with Rich MogullRugged DevOps at Scale with Rich Mogull
Rugged DevOps at Scale with Rich MogullSeniorStoryteller
 
Security War Games
Security War GamesSecurity War Games
Security War GamesSeniorStoryteller
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsZane Lackey
 
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon London 2017: Threat modeling in a CI environment by Steven WierckxDevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon London 2017: Threat modeling in a CI environment by Steven WierckxDevSecCon
 
Nick Drage & Fraser Scott - Epic battle devops vs security
Nick Drage & Fraser Scott - Epic battle devops vs securityNick Drage & Fraser Scott - Epic battle devops vs security
Nick Drage & Fraser Scott - Epic battle devops vs securityDevSecCon
 
dotSecurity2017
dotSecurity2017dotSecurity2017
dotSecurity2017Zane Lackey
 

Recommended

Building a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationBuilding a Modern Security Engineering Organization
Building a Modern Security Engineering OrganizationZane Lackey
 
The Journey to DevSecOps
The Journey to DevSecOpsThe Journey to DevSecOps
The Journey to DevSecOpsSeniorStoryteller
 
Rugged DevOps at Scale with Rich Mogull
Rugged DevOps at Scale with Rich MogullRugged DevOps at Scale with Rich Mogull
Rugged DevOps at Scale with Rich MogullSeniorStoryteller
 
Security War Games
Security War GamesSecurity War Games
Security War GamesSeniorStoryteller
 
How to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsHow to adapt the SDLC to the era of DevSecOps
How to adapt the SDLC to the era of DevSecOpsZane Lackey
 
DevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon London 2017: Threat modeling in a CI environment by Steven WierckxDevSecCon London 2017: Threat modeling in a CI environment by Steven Wierckx
DevSecCon London 2017: Threat modeling in a CI environment by Steven WierckxDevSecCon
 
Nick Drage & Fraser Scott - Epic battle devops vs security
Nick Drage & Fraser Scott - Epic battle devops vs securityNick Drage & Fraser Scott - Epic battle devops vs security
Nick Drage & Fraser Scott - Epic battle devops vs securityDevSecCon
 
dotSecurity2017
dotSecurity2017dotSecurity2017
dotSecurity2017Zane Lackey
 
Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSeniorStoryteller
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonDevSecCon
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps OverviewAdrian Sanabria
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...Adrian Sanabria
 
Turning security into code by Jeff Williams
Turning security into code by Jeff WilliamsTurning security into code by Jeff Williams
Turning security into code by Jeff WilliamsDevSecCon
 
Chaos engineering for cloud native security
Chaos engineering for cloud native securityChaos engineering for cloud native security
Chaos engineering for cloud native securityKennedy
 
2016 virus bulletin
2016 virus bulletin2016 virus bulletin
2016 virus bulletinAdrian Sanabria
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsSeniorStoryteller
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon
 
Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Adrian Sanabria
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security Zane Lackey
 
ChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingAaron Rinehart
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012Nick Galbreath
 
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world casesDevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world casesDevSecCon
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon
 
The R.O.A.D to DevOps
The R.O.A.D to DevOpsThe R.O.A.D to DevOps
The R.O.A.D to DevOpsSeniorStoryteller
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and SecurityStijn Muylle
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...Aaron Rinehart
 
AllDayDevOps Security Chaos Engineering 2019
AllDayDevOps Security Chaos Engineering 2019 AllDayDevOps Security Chaos Engineering 2019
AllDayDevOps Security Chaos Engineering 2019 Aaron Rinehart
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Toolscentralohioissa
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 

More Related Content

What's hot

Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSeniorStoryteller
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonDevSecCon
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps OverviewAdrian Sanabria
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...Adrian Sanabria
 
Turning security into code by Jeff Williams
Turning security into code by Jeff WilliamsTurning security into code by Jeff Williams
Turning security into code by Jeff WilliamsDevSecCon
 
Chaos engineering for cloud native security
Chaos engineering for cloud native securityChaos engineering for cloud native security
Chaos engineering for cloud native securityKennedy
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsSeniorStoryteller
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon
 
Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Adrian Sanabria
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security Zane Lackey
 
ChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingAaron Rinehart
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012Nick Galbreath
 
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world casesDevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world casesDevSecCon
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyJason Suttie
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and SecurityStijn Muylle
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...Aaron Rinehart
 
AllDayDevOps Security Chaos Engineering 2019
AllDayDevOps Security Chaos Engineering 2019 AllDayDevOps Security Chaos Engineering 2019
AllDayDevOps Security Chaos Engineering 2019 Aaron Rinehart
 

What's hot (20)

Silver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security SolutionsSilver Lining for Miles: DevOps for Building Security Solutions
Silver Lining for Miles: DevOps for Building Security Solutions
 
Elizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unisonElizabeth Lawler - Devops, security, and compliance working in unison
Elizabeth Lawler - Devops, security, and compliance working in unison
 
Security and DevOps Overview
Security and DevOps OverviewSecurity and DevOps Overview
Security and DevOps Overview
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
 
Turning security into code by Jeff Williams
Turning security into code by Jeff WilliamsTurning security into code by Jeff Williams
Turning security into code by Jeff Williams
 
Chaos engineering for cloud native security
Chaos engineering for cloud native securityChaos engineering for cloud native security
Chaos engineering for cloud native security
 
2016 virus bulletin
2016 virus bulletin2016 virus bulletin
2016 virus bulletin
 
Amy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOpsAmy DeMartine - 7 Habits of Rugged DevOps
Amy DeMartine - 7 Habits of Rugged DevOps
 
DevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim MackeyDevSecCon London 2017: when good containers go bad by Tim Mackey
DevSecCon London 2017: when good containers go bad by Tim Mackey
 
Open Source Defense for Edge 2017
Open Source Defense for Edge 2017Open Source Defense for Edge 2017
Open Source Defense for Edge 2017
 
Effective approaches to web application security
Effective approaches to web application security Effective approaches to web application security
Effective approaches to web application security
 
ChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos TestingChaoSlingr: Introducing Security based Chaos Testing
ChaoSlingr: Introducing Security based Chaos Testing
 
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
DevOpsSec: Appling DevOps Principles to Security, DevOpsDays Austin 2012
 
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world casesDevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
 
DEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journeyDEVSECOPS: Coding DevSecOps journey
DEVSECOPS: Coding DevSecOps journey
 
DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney DevSecCon London 2017: Shift happens ... by Colin Domoney
DevSecCon London 2017: Shift happens ... by Colin Domoney
 
The R.O.A.D to DevOps
The R.O.A.D to DevOpsThe R.O.A.D to DevOps
The R.O.A.D to DevOps
 
Integrating DevOps and Security
Integrating DevOps and SecurityIntegrating DevOps and Security
Integrating DevOps and Security
 
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
RSA 2021 Navigating the Unknowable: Resilience through Security Chaos Enginee...
 
AllDayDevOps Security Chaos Engineering 2019
AllDayDevOps Security Chaos Engineering 2019 AllDayDevOps Security Chaos Engineering 2019
AllDayDevOps Security Chaos Engineering 2019
 

Similar to Building Security Controls around Attack Models

Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Toolscentralohioissa
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityAlert Logic
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOpsSetu Parimi
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentationisc2-hellenic
 
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your CodeHow-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your CodeDevOps.com
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecLalit Kale
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCRahul Raghavan
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problemskiansahafi
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxAnurag Srivastava
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsThe Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsDemetrio Milea
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security IntelligenceSplunk
 
Sasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protectionSasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protectionDejan Jeremic
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...PranavPatil822557
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalrkadayam
 
Port of seattle security presentation david morris
Port of seattle security presentation david morrisPort of seattle security presentation david morris
Port of seattle security presentation david morrisEmily2014
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive SecurityAndy Hoernecke
 

Similar to Building Security Controls around Attack Models (20)

Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
DevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to SecurityDevSecOps: Taking a DevOps Approach to Security
DevSecOps: Taking a DevOps Approach to Security
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Introduction to DevSecOps
Introduction to DevSecOpsIntroduction to DevSecOps
Introduction to DevSecOps
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
3. APTs Presentation
3. APTs Presentation3. APTs Presentation
3. APTs Presentation
 
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your CodeHow-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
How-To Find Malicious Backdoors and Business Logic Vulnerabilities in Your Code
 
For Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSecFor Business's Sake, Let's focus on AppSec
For Business's Sake, Let's focus on AppSec
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLC
 
Deepika_Resume
Deepika_ResumeDeepika_Resume
Deepika_Resume
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problems
 
Thick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptxThick client pentesting_the-hackers_meetup_version1.0pptx
Thick client pentesting_the-hackers_meetup_version1.0pptx
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsThe Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security Analytics
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 
Sasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protectionSasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protection
 
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
Machine Learning , Analytics & Cyber Security the Next Level Threat Analytics...
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
Port of seattle security presentation david morris
Port of seattle security presentation david morrisPort of seattle security presentation david morris
Port of seattle security presentation david morris
 
The Joy of Proactive Security
The Joy of Proactive SecurityThe Joy of Proactive Security
The Joy of Proactive Security
 

More from SeniorStoryteller

Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...SeniorStoryteller
 
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
Where Bits & Bytes Meet Flesh and Blood - Joshua CormanWhere Bits & Bytes Meet Flesh and Blood - Joshua Corman
Where Bits & Bytes Meet Flesh and Blood - Joshua CormanSeniorStoryteller
 
Implementing DevOps in a Regulated Environment - DJ Schleen
Implementing DevOps in a Regulated Environment - DJ SchleenImplementing DevOps in a Regulated Environment - DJ Schleen
Implementing DevOps in a Regulated Environment - DJ SchleenSeniorStoryteller
 
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel DiscussionScaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel DiscussionSeniorStoryteller
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybSeniorStoryteller
 
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...SeniorStoryteller
 
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
Release Engineering & Rugged DevOps: An Intersection - J. Paul ReedRelease Engineering & Rugged DevOps: An Intersection - J. Paul Reed
Release Engineering & Rugged DevOps: An Intersection - J. Paul ReedSeniorStoryteller
 
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...SeniorStoryteller
 
Ops Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon EdwardsOps Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon EdwardsSeniorStoryteller
 
Building Security In - A Tale of Two Stories - Laksh Raghavan
Building Security In - A Tale of Two Stories - Laksh RaghavanBuilding Security In - A Tale of Two Stories - Laksh Raghavan
Building Security In - A Tale of Two Stories - Laksh RaghavanSeniorStoryteller
 
Breaking Bad Equilibruim - John Willis
Breaking Bad Equilibruim - John WillisBreaking Bad Equilibruim - John Willis
Breaking Bad Equilibruim - John WillisSeniorStoryteller
 
DevSecOps - Building Rugged Software
DevSecOps - Building Rugged SoftwareDevSecOps - Building Rugged Software
DevSecOps - Building Rugged SoftwareSeniorStoryteller
 
NuGet Package Management Done Right
NuGet Package Management Done RightNuGet Package Management Done Right
NuGet Package Management Done RightSeniorStoryteller
 
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and DockerHero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and DockerSeniorStoryteller
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzSeniorStoryteller
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySeniorStoryteller
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSoftware Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSeniorStoryteller
 
Heroes’ Journey: Learning from Successful DevOps Transformations
Heroes’ Journey: Learning from Successful DevOps TransformationsHeroes’ Journey: Learning from Successful DevOps Transformations
Heroes’ Journey: Learning from Successful DevOps TransformationsSeniorStoryteller
 
Rugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for SuccessRugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for SuccessSeniorStoryteller
 
Create Rugged Applications: Managing Your Software Supply Chain
Create Rugged Applications: Managing Your Software Supply ChainCreate Rugged Applications: Managing Your Software Supply Chain
Create Rugged Applications: Managing Your Software Supply ChainSeniorStoryteller
 

More from SeniorStoryteller (20)

Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
 
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
Where Bits & Bytes Meet Flesh and Blood - Joshua CormanWhere Bits & Bytes Meet Flesh and Blood - Joshua Corman
Where Bits & Bytes Meet Flesh and Blood - Joshua Corman
 
Implementing DevOps in a Regulated Environment - DJ Schleen
Implementing DevOps in a Regulated Environment - DJ SchleenImplementing DevOps in a Regulated Environment - DJ Schleen
Implementing DevOps in a Regulated Environment - DJ Schleen
 
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel DiscussionScaling Rugged DevOps to Thousands of Applications - Panel Discussion
Scaling Rugged DevOps to Thousands of Applications - Panel Discussion
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
 
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
What We Learned from Four Years of Sciencing the Crap Out of DevOps - Nicole ...
 
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
Release Engineering & Rugged DevOps: An Intersection - J. Paul ReedRelease Engineering & Rugged DevOps: An Intersection - J. Paul Reed
Release Engineering & Rugged DevOps: An Intersection - J. Paul Reed
 
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
Requirements Gathering for a Successful Rugged DevOps Implementation - Hasan ...
 
Ops Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon EdwardsOps Happens: DevOps Beyond Deployment - Damon Edwards
Ops Happens: DevOps Beyond Deployment - Damon Edwards
 
Building Security In - A Tale of Two Stories - Laksh Raghavan
Building Security In - A Tale of Two Stories - Laksh RaghavanBuilding Security In - A Tale of Two Stories - Laksh Raghavan
Building Security In - A Tale of Two Stories - Laksh Raghavan
 
Breaking Bad Equilibruim - John Willis
Breaking Bad Equilibruim - John WillisBreaking Bad Equilibruim - John Willis
Breaking Bad Equilibruim - John Willis
 
DevSecOps - Building Rugged Software
DevSecOps - Building Rugged SoftwareDevSecOps - Building Rugged Software
DevSecOps - Building Rugged Software
 
NuGet Package Management Done Right
NuGet Package Management Done RightNuGet Package Management Done Right
NuGet Package Management Done Right
 
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and DockerHero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
Hero's Tookit: Start Your Rugged DevOps Journey with Nexus, Jenkins and Docker
 
The End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon LietzThe End of Security as We Know It - Shannon Lietz
The End of Security as We Know It - Shannon Lietz
 
Safely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous DeliverySafely Removing the Last Roadblock to Continuous Delivery
Safely Removing the Last Roadblock to Continuous Delivery
 
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOpsSoftware Supply Chain Automation Removes Roadblocks to Rugged DevOps
Software Supply Chain Automation Removes Roadblocks to Rugged DevOps
 
Heroes’ Journey: Learning from Successful DevOps Transformations
Heroes’ Journey: Learning from Successful DevOps TransformationsHeroes’ Journey: Learning from Successful DevOps Transformations
Heroes’ Journey: Learning from Successful DevOps Transformations
 
Rugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for SuccessRugged DevOps: Aligning Your Team and Your Powers for Success
Rugged DevOps: Aligning Your Team and Your Powers for Success
 
Create Rugged Applications: Managing Your Software Supply Chain
Create Rugged Applications: Managing Your Software Supply ChainCreate Rugged Applications: Managing Your Software Supply Chain
Create Rugged Applications: Managing Your Software Supply Chain
 

Recently uploaded

Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 

Recently uploaded (20)

Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 

Building Security Controls around Attack Models

  • 1. @StephanChenette @AttackIQ Building Security Controls Around Attack Models
  • 2. #RuggedDevOps If you see something cool… Get today’s Rugged DevOps presentations in your inbox mmiller@sonatype.com
  • 3. #WhoAmI? • @StephanChenette, CEO and Founder @AttackIQ AttackIQcreated the first continuoussecurity testing platform to challengeexisting host, network and cloud infrastructure securitycontrols to help organizationssafely validate and measure their defense in depth strategy. • Started my career in 1999 in Security – total of 16+ years – Grad School at UCSD • Director of research IOActive , Head of Websense Security Labs, SAIC, eEye Digital Security • Sit on the advisory board for CyberTECH, CISO Round Table of Southern California and Build it Securely and I head up the local OWASP Chapter, AppSec California Conference • Invited speaker at Blackhat, RSA, CanSec West, AusCERT, RECON, SOURCE, ToorCON, ISSA, etc. • Main Interest - Offensive and Defensive Techniques
  • 4. Agenda Building Security Controls Around Attack Models Continuous Deployment Continuous Validation
  • 5. DevOps Has established a culture and environment where building, testing, and releasing software, can happen rapidly, frequently, and more reliably. Continuous Deployment Infrastructure as Code
  • 6. Rugged DevOps Goal of Security: reduce business risk Cyber security is a business issue, not an IT issue.
  • 7. Risk Risk = impact * likelihood
  • 8. Protecting Assets Measures must be taken to ensure the integrity, security, accuracy, and privacy of all systems and data. Wrap Security Controls around Valued Assets • Compliance • Business Continuity
  • 9. Trust, but verify Multiple Security Controls in place – how do you validate them all?
  • 10. Continuous Validation Rugged DevOps Responsibility Continuous Validation Continuous Deployment
  • 11. Why Validate Security Controls? To Minimize Risk. Risk = impact * likelihood If you drive impact down, the risk is minimized Benefits – minimized risk, more effective, efficient, consolidated security program
  • 12. How do you minimize your threat impact? Identify The Attackers Identify the Attack Techniques Build Adversarial Playbook Replay Attacker Playbook Analyze Security Controls Results Improve or Add New Security Controls
  • 13. This can start with simple validation Identify security control assumptions Build Security Control Unit Test Exercise Unit Test Analyze Security Controls Results Improve or Add New Security Controls
  • 14. Security testing is not point in time DevOps is Code as Infrastructure Rugged DevOps is Code as Security Unit Testing Your Security Controls Regression Testing your Security Infrastructure
  • 15. Key Focus Points in Modelling • Prioritizing the Highest Risk Threats, Adversarial Objectives and Methods • Prioritize Security Controls (purpose, function, assumption) • Create a process that can be: – Automated, replicated and consistent
  • 16. Attack Stages • External Reconnaissance • Initial Breach • Gaining Persistence • Escalate Privileges • Lateral Movement • Access to Data Stores • Command and Control • Exfiltration
  • 17. Goal • Duplicate real attack techniques and tactics in an automated fashion • Automatically test each expectation as that asset or security control is deployed
  • 18. Stage Tactic Pass/Fail/Detect Technology Controls Initial Breach Install malware (Citadel) on vendor machine. Use stolen credentials to connect to Target's network. Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php). Query Active Directory, using LDAP protocol, for relevant target services (MSSSQLvc/BillingServer). Privilege Escalation Use "Pass-the-hash" to obtain NT hash token. Persistence Create new domain admin account with stolen token. Access to other Data Stores Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers. Use a port forwarding tool to tunnel through several servers, bypassing security measures. Use RDP and Microsoft PSExec utility to execute processes. Use Microsoft Orchestratorto remain persistent and execute arbitrary code. Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save data to a local file. Exfiltration Create remote fileshare on remote FTP-enabled machine and copy data file to the machine. Use script to send file to attacker via FTP. Example: Target Breach
  • 19. Example: Target Breach • Initial Breach Stage Tactic Pass/Fail/Detect Technology Controls Initial Breach Install malware (Citadel) on vendormachine. Use stolen credentials to connect to Target's network. Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php). Query Active Directory, using LDAP protocol, for relevant target services (MSSSQLvc/BillingServer).
  • 20. Example: Target Breach Stage Tactic Pass/Fail/Detect Technology Controls Privilege Escalation Use "Pass-the-hash" to obtain NT hash token. Access to other Data Stores Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers. Use a port forwarding tool to tunnel through several servers, bypassing security measures. Use RDP and Microsoft PSExec utility to execute processes. Use Microsoft Orchestrator to remain persistent and execute arbitrary code. Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save data to a local file. • Privilege Escalation
  • 21. Example: Target Breach Stage Tactic Pass/Fail/Detect Technology Controls Exfiltration Create remote fileshare on remote FTP-enabled machine and copy data file to the machine. Use script to send file to attacker via FTP.
  • 22. Measure • Detection – Time • Prevention – Yes/No
  • 23. Stage Tactic Pass/Fail/Detect Technology Controls Initial Breach Install malware (Citadel) on vendor machine. PD Generic AV (Symantec) Use stolen credentials to connect to Target's network. F Behavior Analytics Exploit webapp vulnerability by uploading PHP web shell (xmlrpc.php). PD Web App Firewall Query Active Directory, using LDAP protocol, for relevant target services (MSSSQLvc/BillingServer). F N/A Privilege Escalation Use "Pass-the-hash" to obtain NT hash token. PD AV Detected mimikatz Persistence Create new domain admin account with stolen token. F N/A Access to other Data Stores Utilize new credentials to scan, using "Angry IP Scanner," for accessible computers. F N/A Use a port forwarding tool to tunnel through several servers, bypassing security measures. F Palo Alto Use RDP and Microsoft PSExec utility to execute processes. D Crowdstrike Falcon Use Microsoft Orchestratorto remain persistent and execute arbitrary code. P Cylance Prevent Remotely install malware (Kaptoxa) onto POS machines, scrape POS memory, and save data to a local file. F Symantec Exfiltration Create remote fileshare on remote FTP-enabled machine and copy data file to the machine. F Behavior Analytics Use script to send file to attacker via FTP. F Firewall/IPS Example: Target Breach
  • 24. Modeling Exercise • Installation of Web Shell on network • Lateral Movement (Pass-the-Hash Technique) w/ mimikatz • Use of known port scanner • Use of PA/PSExec with dumped credential hashes • Use of Built-in-tools at potentially anomalous times • Download of known malware • Access to FTP to potentially unknown remote machine
  • 25. Defense-in-Depth Metrics Identified Tactic • % Failed –% Detected –% Prevented • Identify, prioritize need for control technology
  • 26. Trust, but Verify • Validate your security controls • Regression Testing • Unit Testing
  • 27. Focus • Run routine attack modeling automatically as your apps/security controls are deployed via chef/Jenkins, etc. • Identify gaps or blind spots • Design your controls around the attacker tactics
  • 28. Adversarial Modeling • Does not take much time/energy • Creates Data-driven reasoning around buying/purchasing decisions • Build repository of related attacks • Shows historical improvements around baseline • Consolidates security technologies
  • 29. Where to Start • IT/Ops/SOC/Dev/Management Involvement • Build threat intelligence/attack repository • Move to attack models • Communicate output clearly to show improvements
  • 30. Conclusion What can be measured can be improved Implementing security controls around relevant attack models will save you time, money and resources and focuses on minimizing the true risks to your organization Security as Code Continuous Validation
  • 31. • Thank you. • Stephan Chenette, CEO and Founder, stephan@attackiq.com • @stephanchenette @attackiq
  • 32. Get today’s Rugged DevOps presentations in your inbox mmiller@sonatype.com