How to use hacker personas to successfully build a DevSecOps pipeline • Robin Yeman • Lockheed Martin Sr. Fellow • Lockheed Martin • Twitter @robinyeman
Agenda • DevOps and pipeline • Securing the pipeline • Apply the practices
DevOps and delivery pipeline
DevOps DevOps is “a cross-disciplinary community of practice dedicated to the study of building, evolving and operating rapidly-changing resilient systems at scale.” - Jez Humble
Why DevOps (slide reproduces figures from the State of DevOps report) • Source: Forsgren, Nicole. “DevOps Solutions | Google Cloud.” Google, 22 Aug. 2019, https://cloud.google.com/devops/state-of-devops/.
DevOps Pipeline (diagram; labels recovered from the figure) • Supporting tools: Requirements / Design, Version Control, Build Tool(s), Continuous Integration, Test Framework(s), API Library, End to End Security, Artifact Repository, Configuration Management, Product Backlog, Environments, Monitoring, Schedule, Dashboard • Application lane: Integrated Development → Commit & Build (Application Code & Build) → Validate (Integration Test, Acceptance Test) → Deploy (Production) • Environment lane: Version Control → Commit & Build (Automation, Package) → Validate → Deploy (Infrastructure)
Securing the delivery pipeline
Threat Modeling • Using the IDDIL-ATC methodology – Gain understanding – Assess risk – Justify security controls • I: Identify Assets • D: Define the Attack Surface • D: Decompose the System • I: Identify Attack Vectors • L: List Threat Actors • A: Analysis & Assessment • T: Triage • C: Controls
DevOps Pipeline Threat Model
Attack Surfaces in the pipeline (diagram: the DevOps pipeline from the earlier slide, annotated with two threat actors placed at the stages they attack: an APT and a Careless Insider Dev)
Defining Personas • Alan Cooper's The Inmates Are Running the Asylum – Hypothetical archetypes – Precise & specific description of the user – Define the user's objectives • Lene Nielsen's 4 perspectives – Goal-directed – Role-based – Engaging – Fictional
Why Hacker Personas? • Culture & awareness: understand adversary tactics & drivers • Prioritize security risks • Communicate generalized attacker profiles that identify common black hat hacker motives and desires – What does the attacker like to see? This identifies exploitable weaknesses – What does the attacker not like to see? This identifies effective security controls • Justify security control selection
How do we “discover” hacker personas? Threat types (analogous to user roles): • Advanced attackers (APTs, military, industrial) – Comment Crew, Lazarus Group, OilRig • Hacktivists – Anonymous, Chaos Computer Club, LulzSec, OurMine • Insider – Spy, compromised employee, disgruntled employee • Lone wolf – Iceman, Robert Morris, Julian Assange, Edward Snowden Sources: anonymous, attack.mitre.org, apt.threattracking.com
Intelligence Sources • Near range threats: Internal intelligence, Partner intelligence • Mid range threats: Open Source Intelligence (OSINT), Industry intelligence • Long range threats: Homeland intelligence, Ally intelligence Global attacks require global intelligence
FBI cyber most wanted (slide of wanted posters): Ministry of State Security (MSS); People's Liberation Army (PLA); Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU)
Hacker Persona Examples
Careless Developer: Chuck
User stories • As a Developer I want to check in features quickly so that I can move on to something else. • As a Developer I want to avoid administrative work so that I can code, which is more fun! • As a Developer I want to try the latest technology available so that I can keep my skills current.
Skillset: Degree in computer science with less than five years' experience. Explores the latest technology at home, with the ability to code in multiple languages.
Identification: Real Name: Charles Diavol; Alias: Charles 123
Motivations: Wants to maximize delivery of software; Wants access to the latest tech and libraries; Reduce the workload of perceived overhead work
Frustrations: Governance and compliance that slows him down; Ever-growing technical debt; Legacy technology
Malicious Developer: Marty
User stories • As a Malicious Developer I want to inject malicious code so that I can see what happens. • As a Malicious Developer I want to increase my privilege so that I can view data that has not been shared with me. • As a Malicious Developer I want to crash the server so that I can deny service to my co-workers.
Skillset: Extensive coding experience at OS & kernel level. Develops cyber attack tools. Wants to get paid by his employer as well as his dark web associates.
Identification: Real Name: Martin Smith; Handles: KRNL KON
Motivations: Appear aboveboard and ethical (follows rules); Ensure nobody notices I am injecting malicious logic; Take full advantage of weak process to remain undetected
Frustrations: Security controls that limit, block or monitor code changes; Inline automated security tools that detect malicious code; Automated / manual testing that discovers malicious code
Advanced Persistent Threat (APT): Annie
User stories • As Annie APT I want to eavesdrop on company X and obtain sensitive information that can be sold. • As Annie APT I want to upload malware to your computer so that I can obtain personal information. • As Annie APT I want to upload ransomware so that I can extort victims to further my political agenda.
Skillset: Highly trained and skilled in cyber attacks of all kinds. Effective social engineer. Skilled at evading detection.
Identification: Real Name: Annie Alvarez; Handles: Triple Pez, 3Pez, Pez
Motivations: Use highly effective attacks, including social engineering; Gain trust and develop relationships through social media; After compromise, remain undetected to meet objectives
Frustrations: When I exploit a target without enough privilege to move forward with my objectives; Security controls that block outbound communication
Application and Benefits
Using Personas: Is Annie capable? (attack chain reconstructed from the slide)
Stage      | Annie's action                                   | Countermeasure
Recon      | Personalized target                              | Visibility
Actor      | Falsified alias                                  | User awareness
Connection | Engagement; creates a position of trust          | Detection / Prioritization
Exploit    | Escalate to malicious content or co-opt behavior | Least privilege / Zero trust
Evaluate   | (not labeled on the slide)                       |
Hacker Persona Benefits • “Spatial” (visual) understanding • Identify effective countermeasures • Prioritize defenses • Measure effectiveness
Example flow for Chuck (diagram): Coding → Build → Integrate → Deploy. Controls shown along the pipeline: Code Bashing, Automated SAST, Automated DAST, Continuous Test. Progression of an uncaught flaw: flaw injected into code → flaw passes build → security flaw at integration → exposure in production.
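An added example, not code from the talk or from Lockheed Martin: a minimal build-stage gate doing the job the “Automated SAST” control does in the Chuck flow above, and which Marty's persona lists as a frustration (inline tools that detect injected code). It walks only the added lines of a unified diff against a few regex rules and refuses the build on any hit, so the flaw is stopped at Build instead of passing on to Integrate and Deploy. The rule set, the file paths and all three diffs are constructed for illustration; a real SAST engine does far more than pattern matching.

```python
"""Added example: a tiny diff-scanning build gate in the spirit of the
'Automated SAST' pipeline control. Rules, paths and diffs are constructed."""
import re
from dataclasses import dataclass

# Illustrative rules only: (name, pattern, persona whose story it targets).
RULES = [
    ("hardcoded-secret",
     re.compile(r'(?i)(password|secret|api[_-]?key)\s*=\s*["\'][^"\']+["\']'), "Chuck"),
    ("shell-injection",
     re.compile(r'subprocess\.\w+\([^)]*shell\s*=\s*True'), "Chuck"),
    ("dynamic-eval",
     re.compile(r'\b(eval|exec)\s*\('), "Marty"),
]


@dataclass
class Finding:
    rule: str
    file: str
    line_no: int   # line number in the post-change file
    text: str
    persona: str


def added_lines(diff: str):
    """Yield (file, new_line_number, text) for every '+' line of a unified diff.
    Removed ('-') lines never reach the rules: deleting a secret is not a finding."""
    file, new_no = None, 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            file = raw[4:].strip()
            file = file[2:] if file.startswith("b/") else file
        elif raw.startswith("@@"):
            new_no = int(re.search(r"\+(\d+)", raw).group(1)) - 1
        elif raw.startswith("+") and not raw.startswith("+++"):
            new_no += 1
            yield file, new_no, raw[1:]
        elif raw.startswith(" "):
            new_no += 1          # unchanged context advances new-file numbering
        # '-' lines (and '---' headers) do not advance the new-file line count


def scan_diff(diff: str):
    """Run every rule over every added line; return the findings in diff order."""
    return [Finding(name, file, no, text.strip(), persona)
            for file, no, text in added_lines(diff)
            for name, pat, persona in RULES if pat.search(text)]


def build_gate(diff: str) -> bool:
    """True if the build may proceed to Integrate/Deploy, i.e. no findings."""
    return not scan_diff(diff)


# Constructed diff: Chuck's 'check it in quickly' story.
CHUCK_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -1,3 +1,6 @@
 import os
-DB_PASSWORD = os.environ["DB_PASSWORD"]
+# TODO move back to env before release
+DB_PASSWORD = "hunter2"
+import subprocess
+subprocess.run("pg_dump " + os.environ["DB"], shell=True)
 def connect():
"""

# Constructed diff: Marty's 'inject malicious code and see what happens' story.
MARTY_DIFF = """\
diff --git a/app/util.py b/app/util.py
--- a/app/util.py
+++ b/app/util.py
@@ -10,2 +10,4 @@
 def parse(cfg):
+    if cfg.get("x-debug"):
+        exec(__import__("base64").b64decode(cfg["x-debug"]))
     return cfg
"""

# Constructed diff: the fix for Chuck's secret; the '-' line must not trigger.
CLEAN_DIFF = """\
diff --git a/app/db.py b/app/db.py
--- a/app/db.py
+++ b/app/db.py
@@ -1,3 +1,3 @@
 import os
-DB_PASSWORD = "hunter2"
+DB_PASSWORD = os.environ["DB_PASSWORD"]
 def connect():
"""

if __name__ == "__main__":
    for label, diff in (("Chuck", CHUCK_DIFF), ("Marty", MARTY_DIFF), ("fix", CLEAN_DIFF)):
        print(label, "build allowed:", build_gate(diff))
        for f in scan_diff(diff):
            print(f"  {f.file}:{f.line_no} [{f.rule}, {f.persona}] {f.text}")
```

In a pipeline the gate's return value decides whether the artifact is published to the artifact repository; the persona tag on each finding is what lets the team report which archetype a control is actually stopping, which is the “measure effectiveness” benefit above.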
Positive Shifts
“Lessons” on Personas • Change culture: “Put on the black hoodie” • Build and socialize personas • Agile Security Game – Shostack • The Phantom Hacker
Future: DevOpsSec. Seamlessly integrate security into the implementation pipeline, ensuring everyone takes responsibility while continuing to shorten feedback loops. (Diagram labels: Feedback highway; Intelligence highway; Security Team; Security Community; Security Testing & Data Platform)