improving cloud security with attacker profiling
play

Improving Cloud Security with Attacker Profiling Bryan D. Payne - PowerPoint PPT Presentation

Oct 23, 2022 •48 likes •498 views

Improving Cloud Security with Attacker Profiling Bryan D. Payne Engineering Manager, Platform Security Who is out to get me? What do they want? Why are we losing? Platform Security at Netflix Netflix Open Connect Appliance - AWS Mgmt -

  1. Improving Cloud Security with Attacker Profiling Bryan D. Payne Engineering Manager, Platform Security

  2. Who is out to get me? What do they want? Why are we losing?

  3. Platform Security at Netflix

  4. Netflix Open Connect Appliance - AWS Mgmt - Security Tools 2 - Code Review Platform Microservices in the Cloud - Forensics / IR - IT Security Security - Content Protection - Device Security Overview 1 Device or Browser Platform Security - Foundational Security Services - Security in Common Platform - Security by Default in base AMI

  5. Self-Service CA Crypto / Key Management Service Trusted Services (Netflix) Classic Secret Deployment Service Security via AWS Instance Identity & Trusted Services CloudHSM Metadata Access (AWS) Signature Management Key Management Side Channel Leaks Hypervisor Firmware Malicious Insider Great Unknown Physical Security Supply Chain Hardware Platform

  6. Service Creation Service Maintenance Review Deploy Ubiquitous Security Services Security Audit Implement Security Security Defaults IR / Forensics Implement Report • Partner with other teams • Make security transparent (or easy) Plan Security • Focus on common components Improvements • Also focus on strategic risks Platform Security

  7. Who is out to get me?

  9. BBC Newsnight, 11 February 2010 https://www.youtube.com/watch?v=1pMuV2o4Lrw

  10. Murdoch et al, Chip and PIN is Broken, IEEE Symposium on Security and Privacy, 2010 Greenberg, X-Ray Scans Expose and Ingenious Chip-and-PIN Card Hack, Wired, 19 October 2015

  11. Attacker Motivations • financial / business • political / idealogical • revenge • demonstration • fun

  12. Political & Industrial Espionage Intelligence Services Financial Serious Organized Crime Attacker Skill & Exploitation Likelihood Financial & Idealogical Highly Capable Groups Financial, Revenge, Fun Motivated Individuals Fun, Demonstration Script Kiddies Likelihood of Attack OpenStack Security Guide (CC BY 3.0) http://docs.openstack.org/sec/

  13. • Little trust in authorities • Desire control • Hacker life kept secret • “Don’t foul your own nest”

  14. Attacker Characteristics • creative and brilliant • curious • motivated • shy in real life • comfortable with computers “Yes, I am a criminal. My crime is that of curiosity.” The Hacker Manifesto

  15. Attack Characteristics • access (nmap, exploit, configuration error, etc) • file cleaners • backdoor • password cracking • monitor system admin • proceed with goals (files, network sniffing, etc)

  16. Photo Credit: Google http://www.google.com/about/datacenters/gallery/

  17. What do they want?

  18. "Diamonds" by Swamibu - http://flickr.com/photos/swamibu/1182138940/. Licensed under CC BY 2.0 via Commons

  19. "Antwerpen Hoveniersstraat" by Thorsten1997 - Own work. Licensed under Public Domain via Commons

  20. 19 February 2003 BBC News http://news.bbc.co.uk/2/hi/europe/2782305.stm

  21. 1. Combination dial 2. Keyed lock 3. Seismic sensor 4. Locked steel grate 5. Magnetic sensor 6. External security camera 7. Keypad to disarm sensors 8. Light sensor 9. Internal security camera 10. Heat / motion sensor Joshua Davis. The Untold Story of the World’s Biggest Diamond Heist . Wired, http://archive.wired.com/politics/law/magazine/17-04/ff_diamonds

  22. • USG employee background checks & fingerprints • Credit cards • User data • PPI: SSN, driver’s license, phone, address, DoB, etc • Passwords

  23. Photo Credit: Tom Varco (CC BY-SA 3.0) https://en.wikipedia.org/wiki/Safe#/media/File:Safe.jpg Photo Credit: Jonathunder (CC BY-SA 3.0) https://en.wikipedia.org/wiki/Bank_vault#/media/File:WinonaSavingsBankVault.JPG

  24. risk threat vulnerability consequence ● ●

  25. risk threat vulnerability consequence ● ● asset attack vectors controls

  26. http://lockheedmartin.com/content/dam/lockheed/data/isgs/documents/Threat-Driven%20Approach%20whitepaper.pdf

  27. http://lockheedmartin.com/content/dam/lockheed/data/isgs/documents/Threat-Driven%20Approach%20whitepaper.pdf

  28. Cloud Attack Graphs • Cloud account credentials • Instance account credentials • Your employees, supply chains, code • Provider’s employees, supply chains, code • Corporate network • Build pipeline

  29. Why are we losing? … and how can we improve?

  30. Increasing Security Investment Increasing Security Engineering Efficiencies Tipping Point

  31. Simple Libraries Traditional Libraries (e.g., python-cryptography) (e.g., openssl) #include <openssl/conf.h> /* Initialise the encryption operation. IMPORTANT - ensure you use a key #include <openssl/evp.h> * and IV size appropriate for your cipher #include <openssl/err.h> * In this example we are using 256 bit AES (i.e. a 256 bit key). The #include <string.h> * IV size for *most* modes is the same as the block size. For AES this * is 128 bits */ int main(int arc, char *argv[]) if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv)) { handleErrors(); /* Set up the key and iv. Do I need to say to not hard code these in a * real application? :-) /* Provide the message to be encrypted, and obtain the encrypted output. */ * EVP_EncryptUpdate can be called multiple times if necessary */ /* A 256 bit key */ if(1 != EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len)) unsigned char *key = "01234567890123456789012345678901"; handleErrors(); ciphertext_len = len; /* A 128 bit IV */ unsigned char *iv = "01234567890123456"; /* Finalise the encryption. Further ciphertext bytes may be written at * this stage. /* Message to be encrypted */ */ unsigned char *plaintext = if(1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, &len)) handleErrors(); "The quick brown fox jumps over the lazy dog"; ciphertext_len += len; /* Buffer for ciphertext. Ensure the buffer is long enough for the /* Clean up */ * ciphertext which may be longer than the plaintext, dependant on the EVP_CIPHER_CTX_free(ctx); * algorithm and mode */ return ciphertext_len; unsigned char ciphertext[128]; } /* Buffer for the decrypted text */ from cryptography.fernet import Fernet unsigned char decryptedtext[128]; int decrypt(unsigned char *ciphertext, int ciphertext_len, unsigned char *key, unsigned char *iv, unsigned char *plaintext) int decryptedtext_len, ciphertext_len; { EVP_CIPHER_CTX *ctx; /* Initialise the library */ ERR_load_crypto_strings(); int len; OpenSSL_add_all_algorithms(); key = Fernet.generate_key() OPENSSL_config(NULL); int plaintext_len; /* Encrypt the plaintext */ /* Create and initialise the context */ f = Fernet(key) ciphertext_len = encrypt(plaintext, strlen(plaintext), key, iv, if(!(ctx = EVP_CIPHER_CTX_new())) handleErrors(); ciphertext); /* Initialise the decryption operation. IMPORTANT - ensure you use a key /* Do something useful with the ciphertext here */ * and IV size appropriate for your cipher ciphertext = f.encrypt(b”A message.") printf("Ciphertext is:\n"); * In this example we are using 256 bit AES (i.e. a 256 bit key). The BIO_dump_fp(stdout, ciphertext, ciphertext_len); * IV size for *most* modes is the same as the block size. For AES this * is 128 bits */ plaintext = f.decrypt(ciphertext) /* Decrypt the ciphertext */ if(1 != EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv)) decryptedtext_len = decrypt(ciphertext, ciphertext_len, key, iv, handleErrors(); decryptedtext); /* Provide the message to be decrypted, and obtain the plaintext output. /* Add a NULL terminator. We are expecting printable text */ * EVP_DecryptUpdate can be called multiple times if necessary decryptedtext[decryptedtext_len] = '\0'; */ if(1 != EVP_DecryptUpdate(ctx, plaintext, &len, ciphertext, ciphertext_len)) /* Show the decrypted text */ handleErrors(); printf("Decrypted text is:\n"); plaintext_len = len; printf("%s\n", decryptedtext); /* Finalise the decryption. Further plaintext bytes may be written at /* Clean up */ * this stage. EVP_cleanup(); */ ERR_free_strings(); if(1 != EVP_DecryptFinal_ex(ctx, plaintext + len, &len)) handleErrors(); plaintext_len += len; return 0; } /* Clean up */ EVP_CIPHER_CTX_free(ctx); int encrypt(unsigned char *plaintext, int plaintext_len, unsigned char *key, unsigned char *iv, unsigned char *ciphertext) return plaintext_len; { } EVP_CIPHER_CTX *ctx; [edit] int len; int ciphertext_len; /* Create and initialise the context */ if(!(ctx = EVP_CIPHER_CTX_new())) handleErrors();

  32. Sidebar: Key Management @Netflix

  33. Simple Framework for Key Handling Throughput Protection It’s Exposed! It lives… Low Sensitivity High Low No biggie In lots of VMs It’ll be a long Medium Sensitivity Medium Medium In very few VMs week. In Special High Sensitivity Low High No. Just. No. Hardware

  34. Use Case of a Key Implies Handling Requirements TLS Session Key - Fast, Handled in Dynamic Environment 
 But easy to have a reasonable policy if we lose it • Certificate Authority Private Key - Maybe not used so much • Probably way more important that you just don’t lose it

Recommend

The Network Network Security Secure against what/whom Security goals Attacker model Same

The Network Network Security Secure against what/whom Security goals Attacker model Same

The Network Network Security Secure against what/whom Security goals Attacker model Same hub `trusted LAN Internet Eavesdrop / block messages / insert messages / ... Typical attacker model security protocol analysis: Attacker

780 views • 63 slides
CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Web Security Web Attacker Sets up

CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Web Security Web Attacker Sets up

CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Web Security Web Attacker Sets up malicious site visited by victim; no control of network Alice Network Security Network Attacker Intercepts and controls network communication

907 views • 44 slides
Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security risks. Attacks in a cloud environment, top threats. Security, a major concern for cloud users. Privacy. Trust. Operating systems

661 views • 38 slides
ATT&amp;CK the Attacker Assessing &amp; Improving Detection Capabilities # whoami Christian

ATT&amp;CK the Attacker Assessing &amp; Improving Detection Capabilities # whoami Christian

ATT&amp;CK the Attacker Assessing &amp; Improving Detection Capabilities # whoami Christian Kollee Studied Computer Science at University of Erlangen- Nueremberg (Diplom-Informatik) Several years at various universities and at

551 views • 19 slides
Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure

Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure

IN3210 Network Security Computer Security Foundations What is Security? Attacker Assets Threat Counter- measure Computer Security Security of computers and networks Protection of digital assets Axioms of Computer Security:

240 views • 23 slides
Cloud Benchmarking Estimating Cloud Application Performance Based on Micro Benchmark Profiling

Cloud Benchmarking Estimating Cloud Application Performance Based on Micro Benchmark Profiling

software evolution &amp; architecture lab Department of Informatics s.e.a.l. Cloud Benchmarking Estimating Cloud Application Performance Based on Micro Benchmark Profiling Joel Scheuner 2017-06-15 Page 1 Master Thesis Defense software

510 views • 38 slides
for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1

for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1

Attacker Models for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1 Security-sensitive hardware: examples 2 Naive attacker model Attacks on communication channels exploiting lousy crypto or insecure

904 views • 45 slides
Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the

Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the

Cloud Security Today Presenter: Jason Sheffield Topics What are the issues today? What is the Cloud? How the Cloud is delivered: Iaas, PaaS and SaaS Cloud security challenges and risk Current Cloud security report Cloud security technology

302 views • 27 slides
Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined)

Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined)

Outline Get Off of My Cloud 8271 discussion of cloud computing security (combined) Administrative discussions Stephen McCamant University of Minnesota Multi-Cloud Oblivious Storage Old and new topics in security Cloud threats, old and new

645 views • 8 slides
Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

IN3210 Network Security Web Application Security Attacks on the Web Attacker Web User Application Web Database Web Server Application 2 The OWASP Foundation The Open Web Application Security Project (OWASP) is a 501(c)(3)

1.21k views • 60 slides
Why is Thermodynamic Profiling Essential for Improving the Performance of Nowcasting Systems?

Why is Thermodynamic Profiling Essential for Improving the Performance of Nowcasting Systems?

Why is Thermodynamic Profiling Essential for Improving the Performance of Nowcasting Systems? Volker Wulfmeyer, Andreas Behrendt, Eva Hammann, Florian Spth, Shravan Muppa, Simon Metzendorf, Andrea Riede, Stephan Adam, Thomas Schwitalla Institute

500 views • 18 slides
1 1.2. Guidelines for Information Security of Cloud Computing Category Main contents of measure

1 1.2. Guidelines for Information Security of Cloud Computing Category Main contents of measure

Agenda Related Polices to Cloud Computing I. Guidelines for Information Security of Cloud II. Computing Cloud Security Certification Scheme in KOREA Cloud Security Certification Program in Korea III. April. 11, 2017 Jungduk (JD) KIM, Ph.

403 views • 5 slides
Improving Road Safety by Profiling Different Accident Type Te Team am 7 : 7 : An Ange gela,

Improving Road Safety by Profiling Different Accident Type Te Team am 7 : 7 : An Ange gela,

Improving Road Safety by Profiling Different Accident Type Te Team am 7 : 7 : An Ange gela, la, Ayl ylada, ada, Ce Celi lia, a, Dobby obby, , Ma Mahs hsa DATA MINING GOAL Profile certain accident types by identifying the factors

350 views • 13 slides
Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing

Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing

Security and Privacy for Cloud Computing Refik Molva Cloud Computing Outsourcing Storage Computation High availability No maintenance Decreased Costs Elasticity &amp; Flexibility Security and Privacy for Cloud

529 views • 36 slides
CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing Improving Security Testing or Collect security errors Derive Patterns Improving Performance Improving Performance 1. Take the code 2. Point out

423 views • 9 slides
The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud

The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud

The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Director, Cloud Engineering Immunet, Inc. Monday, August 22, 2011 The Cloud-y Future of Security Technologies Adam J. ODonnell, Ph.D. Chief Architect, Cloud

848 views • 68 slides
CSE 127: Introduction to Security Lecture 15: TLS Deian Stefan UCSD Fall 2019 Material from

CSE 127: Introduction to Security Lecture 15: TLS Deian Stefan UCSD Fall 2019 Material from

CSE 127: Introduction to Security Lecture 15: TLS Deian Stefan UCSD Fall 2019 Material from Nadia Heninger, Dan Boneh, Stefan Savage Reminder: Network Attacker Threat Model Network Attacker: Controls infrastructure: Routers, DNS

1.29k views • 76 slides
CSE 127: Introduction to Security Lecture 15: TLS Nadia Heninger and Deian Stefan UCSD Fall

CSE 127: Introduction to Security Lecture 15: TLS Nadia Heninger and Deian Stefan UCSD Fall

CSE 127: Introduction to Security Lecture 15: TLS Nadia Heninger and Deian Stefan UCSD Fall 2019 Some material from Dan Boneh, Stefan Savage Reminder: Network Attacker Threat Model Network Attacker: Controls infrastructure: Routers, DNS

1.36k views • 67 slides
Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud

Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud

Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud Computing model. Presented By: Marissa Hollingsworth Overview What is Cloud Computing? Unique Security Concerns in the Cloud

556 views • 34 slides
Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by

Cloud Native Visibility and Security Chris Kranz Sysdig Secure DevOps for Cloud Native Open by design Ecosystem integration Strong momentum Founded by Wireshark Cloud-native security Customer expansion mirrors co-creator and

247 views • 22 slides
Estimating Cloud Application Performance Based on Micro-Benchmark Profiling Joel Scheuner,

Estimating Cloud Application Performance Based on Micro-Benchmark Profiling Joel Scheuner,

Estimating Cloud Application Performance Based on Micro-Benchmark Profiling Joel Scheuner, Philipp Leitner Joel Scheuner ! scheuner@chalmers.se &quot; joe4dev # @joe4dev Supported by Context: Public Infrastructure-as-a-Service Clouds IaaS

607 views • 26 slides
Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue

Multi-Aspect Profiling of Kernel Rootkit Behavior Ryan Riley, Xuxian Jiang, Dongyan Xu Purdue University, North Carolina State University EuroSys 2009 Nrnberg, Germany Rootkits Stealthy malware Hide attacker Modifying the OS

674 views • 53 slides
Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security

Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security

Migration To Cloud Why Cloud Advantages of Cloud Managed Rapid Rapid Increased Security Cap-ex Free Resilience Infrastructure Elasticity Infrastructure Flexibility Sevices 5% of organizations have migrated at least 30% 41% 52%

540 views • 11 slides
Leaving no one behind The role of evidence-building and profiling to include displacement in

Leaving no one behind The role of evidence-building and profiling to include displacement in

Leaving no one behind The role of evidence-building and profiling to include displacement in recovering and development processes Natalia Krynsky Baal , Coordinator, Joint IDP Profiling Service WHAT IS PROFILING? Defining profiling A

439 views • 12 slides

More recommend