Red team, Blue Team or White Cell

RED TEAM, BLUE TEAM OR WHITE CELLS?

How trends in IT force Security to behave as an Immune System

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

Image: Yersinia pestis (bubonic plague) a CC NC ND image by Philip Moyer - https://www.flickr.com/photos/59039691@N00/2539168777/

Transcript of Red team, Blue Team or White Cell


WHO AM I?

Frank Breedijk
• Security Officer at Schuberg Philis
• (Official) Security dude since 2000
• Author of Seccubus

Coordinates:
• https://www.linkedin.com/in/seccubus
• @Seccubus on Twitter
• [email protected]

IMMUNE SYSTEM 101 – NONSPECIFIC

Barriers – First line of defense
• Skin
• Stomach acid
• Acidic oil on skin

Sort of our firewalls, IPS, Anti-virus

Image: boom barrier a CC NC SA image by miez!
https://www.flickr.com/photos/41449558@N06/6941463985/

OLD STYLE SECURITY APPROACH

Hard shell, soft center…

Image: Egg with glowing eyes a CC NC SA image by Keith Marshall
https://www.flickr.com/photos/69877992@N00/304559359/

THE EGG HAS HATCHED…

SaaS
PaaS

THE EGG HAS HATCHED

The ugly truth has been revealed

We still suck at making good eggshells…

Image: P1010649 a CC SA image by Rick Kimpel
https://www.flickr.com/photos/18606128@N00/201198827/
Image: @akaasjager’s top by Frank Breedijk

JOIN THE RED TEAM, WE HAVE COOKIES…

No matter how well you secure an infrastructure, there is always somebody who can break into it.

Image: http://devopsreactions.tumblr.com/post/49168088989/backup-and-dr-testing

THE IMMUNE SYSTEM IS AWESOME!

Humans are not wrapped in bubble wrap (mostly)

Humans ingest parts of their environment

Humans interact in funny ways

While we do get sick, we don’t die often…

Image: Bubble mummy a CC NC SA image by Katie Laird
https://www.flickr.com/photos/48889057845@N01/8583055777/

IMMUNE SYSTEM 101 – NONSPECIFIC

Not just barriers

Inflammation
• Getting materials where they need to be
• Making life a bit harder for the attacker

Phagocytes
• Know what a bacterium/virus looks like
• Eat it

Comparable to incident response…

Video source: https://www.youtube.com/watch?v=aWItglvTiLc
Image: Mist, schon Vormittags Brand! a CC NC SA image by André
https://www.flickr.com/photos/30982194@N05/3700447633/

IMMUNE SYSTEM 102 – SPECIFIC / ADAPTIVE

When a white cell eats an antigen it presents its receptor on its outside

The immune system (the T and B lymphocytes) creates antibodies and effector T-cells

Antibodies fit the antigen receptors and kill antigens

Effector T-cells kill infected body cells

Antibodies make you immune

ANTIBODIES KILL ANTIGENS

Preferably before they can do harm

Image: a CC NC SA image by Alex
https://www.flickr.com/photos/95222260@N00/5190067591/

FEEDBACK LOOPS

The body has several feedback loops like this

Fast
• Pain, bad taste
• ‘Must not continue’
• ‘Must not do that again’

Moderate
• Generation of antibodies

Slow
• Evolutionary
• ‘Survival isn’t mandatory’

Image: Lightning Loop a CC image by Dakota Ray
https://www.flickr.com/photos/54782241@N05/5855339649/

ANTIBIOTICS

Sometimes the body cannot create enough antibodies

Sometimes it cannot do it fast enough

A treatment with antibiotics will help

Antibiotics just kill any bacteria

Good bacteria suffer as well

Image: Radioactive Injection a CC NC SA image by Taran Rampersad
https://www.flickr.com/photos/35468158048@N01/2102121338/

INFOSEC IMMUNITY – NONSPECIFIC IMMUNITY – BARRIERS

Firewalls
• What is not exposed cannot be attacked

Web Application Firewall
• OWASP Core Rule Set

Intrusion Prevention Systems

Minimize your exposure

Keep out people that are clearly up to no good

Source: http://devopsreactions.tumblr.com/post/46061575774/surviving-a-ddos-attack

INFOSEC IMMUNITY – FAST FEEDBACK LOOP

Current feedback loops are too slow
• Developer writes/tests code on own laptop
• Developer checks in code
• Code gets picked up by build system
• Is (maybe) unit tested
• Is manually tested for functionality
• Many changes are accumulated in a release
• Release is deployed in acceptance
• Pentest is conducted on acceptance
• Issues are discovered

The shorter the feedback loop, the greater the learning effect

Source: http://www.gifbay.com/gif/description-141598

INFOSEC IMMUNITY – FASTER FEEDBACK LOOPS

Integrate security tools into your build street

Plenty of code quality tools out there:
• Commercial: HP, IBM, Veracode, WhiteHat Security, Qualys, Checkmarx, Trustwave, Apptherity, Contrast Security, Pradco, Acunetix, N-Stalker, Virtual Forge, Trend Micro, Burp Suite
• Open Source: Skipfish, Nikto, ZAP, Seccubus, Gauntlt

Include checking for vulnerable sub-components

INFOSEC IMMUNITY – LEARN FROM OTHERS

Train developers
• Good patterns prevent injuries
• Teaches developers to spot potential security issues early

Do (peer) code review
• Don’t commit directly, use pull requests

Include security in your scrum
• Standups
• Sprint planning
• Backlog grooming
• Acceptance by product owner

Source: http://devopsreactions.tumblr.com/post/48511362536/i-dont-need-to-test-that-what-can-possibly-go-wrong

PEER REVIEW IS KEY

Having Security review all changes simply doesn’t scale

Source: http://securityreactions.tumblr.com/post/67562914945/java-source-code-review

INFOSEC IMMUNITY – FAST FEEDBACK LOOP

Learn from the failures of others
• Including ‘Darwin Award winners’

Learn from good examples
• Share your successes

Source: http://testerreactions.tumblr.com/post/50489315537/new-implementation-first-verification

INFOSEC IMMUNITY – NONSPECIFIC IMMUNITY – INFLAMMATION

Heartbleed affected 2/3 of all SSL servers

A small mistake implementing a ping

“We can’t even add Ping, how the heck are we going to fix everything else?” – Dan Kaminsky

Vulnerability introduced in code in December 2011

Vulnerability in production code since March 2012

Publicly known in August 2014

INFOSEC IMMUNITY – NONSPECIFIC IMMUNITY – PHAGOCYTES

Finding and fixing incidents

But also presenting these incidents to the feedback loops

Source: http://securityreactions.tumblr.com/post/59198452899/crypto-implementation-in-whistle-im

INFOSEC IMMUNITY – FASTER FEEDBACK LOOPS

Feed back security findings

Feed back as WAF signatures
• Antibodies / band-aid

Feed back as unit tests
• Antibodies
• Shortens feedback loop to developers

Feed back all lessons learned
• Learn from those that have had (major) incidents

Image: TV Vortex a CC image by Alexis O’Connor
https://www.flickr.com/photos/10088577@N00/707845930/

WAF SIGNATURES FOR VULNERABILITIES

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Volex - Possible CVE-2014-6271 bash Vulnerability Requested (header)"; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)

Of course it is not a permanent solution

But it makes life a little bit harder for the attacker

It buys you some time to come up with a fix

Image: Bleeding Kitty a CC image by Daniel Lobo
https://www.flickr.com/photos/62518311@N00/13900006125/
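The rule on this slide is a Snort/Suricata-style IDS signature for Shellshock (CVE-2014-6271). To make its fields concrete, here is an added example that is not part of the original deck: a small Python detector that applies the same two ingredients, the literal `() {` in any HTTP request header (`content:"() {"; http_header;`) and the per-source rate limit (`threshold:type limit, track by_src, count 1, seconds 120`), to a handful of constructed request records. The addresses, timestamps and header values are constructed for the example.

```python
# Added example (not from the original deck): the Shellshock rule on the slide,
# re-implemented as a small detector so the rule's fields can be read as code.
#   content:"() {"; http_header;          -> SIGNATURE checked against request headers
#   threshold:type limit, track by_src,   -> at most MAX_ALERTS_PER_WINDOW alerts per
#             count 1, seconds 120;          source address per WINDOW_SECONDS
# The request records, addresses and timestamps below are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SIGNATURE = "() {"          # the literal the rule looks for in an HTTP header
WINDOW_SECONDS = 120        # threshold ... seconds 120
MAX_ALERTS_PER_WINDOW = 1   # threshold ... count 1 (type limit)
SID = 2014092401            # the rule's sid


@dataclass
class HttpRequest:
    ts: float                  # seconds since an arbitrary epoch
    src: str                   # client address (track by_src)
    headers: Dict[str, str]


@dataclass
class Alert:
    ts: float
    src: str
    header: str                # which header carried the signature
    sid: int = SID


def matching_header(headers: Dict[str, str]) -> Optional[str]:
    """Return the first header whose name or value contains the signature, else None.
    The http_header buffer covers the whole header block, so names are checked too."""
    for name, value in headers.items():
        if SIGNATURE in name or SIGNATURE in value:
            return name
    return None


class ThresholdedDetector:
    """Applies the signature and the per-source 'type limit' threshold."""

    def __init__(self) -> None:
        # src -> (start of the current window, alerts emitted in that window)
        self._windows: Dict[str, Tuple[float, int]] = {}

    def observe(self, req: HttpRequest) -> Optional[Alert]:
        header = matching_header(req.headers)
        if header is None:
            return None                        # no match: threshold state untouched
        start, count = self._windows.get(req.src, (req.ts, 0))
        if req.ts - start >= WINDOW_SECONDS:
            start, count = req.ts, 0           # window expired: start a fresh one
        if count >= MAX_ALERTS_PER_WINDOW:
            self._windows[req.src] = (start, count)
            return None                        # suppressed: limit reached for this window
        self._windows[req.src] = (start, count + 1)
        return Alert(req.ts, req.src, header)


def run_detector(requests: List[HttpRequest]) -> List[Alert]:
    detector = ThresholdedDetector()
    alerts: List[Alert] = []
    for req in requests:
        alert = detector.observe(req)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed traffic: one source probing repeatedly, one benign client, one late probe.
SAMPLE_REQUESTS = [
    HttpRequest(0.0, "203.0.113.5", {"Host": "www.example.com",
                                    "User-Agent": "() { :; }; echo probe"}),
    HttpRequest(10.0, "203.0.113.5", {"Host": "www.example.com",
                                     "Cookie": "() { :; }; echo probe"}),
    HttpRequest(50.0, "198.51.100.7", {"Host": "www.example.com",
                                      "User-Agent": "Mozilla/5.0"}),
    HttpRequest(130.0, "203.0.113.5", {"Host": "www.example.com",
                                      "Referer": "() { :; }; echo probe"}),
    HttpRequest(140.0, "198.51.100.7", {"Host": "www.example.com",
                                       "User-Agent": "() { :; }; echo probe"}),
]

if __name__ == "__main__":
    for a in run_detector(SAMPLE_REQUESTS):
        print(f"sid={a.sid} t={a.ts:>5} src={a.src} header={a.header}")
```

Running it over the sample traffic yields three alerts, not four: the second probe from 203.0.113.5 at t=10 is inside the 120-second window opened at t=0 and is suppressed, exactly as `type limit, count 1` would suppress it in the IDS. That is the trade-off the slide describes: the signature is a band-aid that buys time and keeps the alert volume sane, not a fix.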

FEED BACK SECURITY UNIT TESTS – EXAMPLE 1

If a security issue has been discovered

Or, if you are building a sensitive function

Make sure you write a security unit test

FEED BACK SECURITY UNIT TESTS – EXAMPLE 2

If a security issue has been discovered

Or, if you are building a sensitive function

Make sure you write a security unit test

# Django/tastypie-style RBAC test as shown on the slide. The project's own test base
# class (ResourceTestCaseWithHelpers), its models module and TeamGroupPermission are
# assumed to be importable from the project; settings is Django's settings object.
from django.conf import settings


class ApiRbacTest(ResourceTestCaseWithHelpers):
    fixtures = (
        'auth_user',
        'team',
    )

    def test_candidate_resource(self):
        bundle = self.create_bundle_for_resource_test(models.Candidate)

        def test_list_endpoints(url):
            # As an anonymous user: no permissions at all, not logged in.
            TeamGroupPermission.objects.all().delete()
            self.logout()

            self.assertHttpUnauthorized(self.api_client.get(url))
            self.assertHttpUnauthorized(self.api_client.put(url))
            self.assertHttpUnauthorized(self.api_client.post(url))
            self.assertHttpUnauthorized(self.api_client.patch(url, data=bundle.data_list))
            self.assertHttpUnauthorized(self.api_client.delete(url))

            # As a user with read-only permissions: GET works, every write is refused.
            self.add_permission_for_user('admin', 'comp_sbp', settings.PERMISSIONS.SHOW_ATS)
            self.logout()
            self.login('admin', 'admin')

            self.assertHttpOK(self.api_client.get(url))
            self.assertHttpUnauthorized(self.api_client.put(url, data=bundle.data_list))
            self.assertHttpUnauthorized(self.api_client.post(url, data=bundle.data_detail))
            self.assertHttpUnauthorized(self.api_client.patch(url, data=bundle.data_list))
            self.assertHttpUnauthorized(self.api_client.delete(url))

            # As a user with read-write permissions.
            self.add_permission_for_user('admin', 'comp_sbp', settings.PERMISSIONS.EDIT_ATS)

FEED BACK SECURITY UNIT TESTS – EXAMPLE 3

If a security issue has been discovered

Or, if you are building a sensitive function

Make sure you write a security unit test

DON’T JUST TEST THE HAPPY FLOW

The negative space is just as interesting
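The RBAC test on the earlier slide depends on the project's own Django test helpers, so here is an added, self-contained version of the same pattern (not the deck's code). The in-memory `CandidateApi`, the permission names, the users and the status codes are all constructed for the example. The shape of the test is the point the slides make: every method is exercised as anonymous, read-only and read-write, and the denied paths (the negative space) are asserted as strictly as the allowed ones.

```python
# Added example, not the deck's own code: the RBAC test pattern from the slides in a
# self-contained form. The in-memory API, permission names, users and status codes
# are constructed for the example.
import io
import unittest
from typing import Dict, List, Optional, Set

SHOW = "show_candidates"   # read permission (constructed name)
EDIT = "edit_candidates"   # write permission (constructed name)

# Permission each HTTP method needs on the candidate collection.
REQUIRED: Dict[str, str] = {"GET": SHOW, "PUT": EDIT, "POST": EDIT,
                            "PATCH": EDIT, "DELETE": EDIT}
WRITE_METHODS = ("PUT", "POST", "PATCH", "DELETE")


class CandidateApi:
    """Minimal stand-in for a resource endpoint guarded by a permission table."""

    def __init__(self) -> None:
        self.permissions: Dict[str, Set[str]] = {}   # user -> granted permissions
        self.candidates: List[dict] = []

    def grant(self, user: str, permission: str) -> None:
        self.permissions.setdefault(user, set()).add(permission)

    def request(self, method: str, user: Optional[str], data: Optional[dict] = None) -> int:
        """Return an HTTP-style status: 401 anonymous, 403 no permission,
        405 unknown method, 200 allowed. All checks run before state is touched."""
        if user is None:
            return 401
        needed = REQUIRED.get(method)
        if needed is None:
            return 405
        if needed not in self.permissions.get(user, set()):
            return 403
        if method == "POST":
            self.candidates.append(data)
        return 200


class ApiRbacTest(unittest.TestCase):
    def setUp(self) -> None:
        self.api = CandidateApi()
        self.payload = {"name": "constructed candidate"}

    def assertAllWritesDenied(self, user: Optional[str], status: int) -> None:
        for method in WRITE_METHODS:
            self.assertEqual(self.api.request(method, user, self.payload), status, method)
        self.assertEqual(self.api.candidates, [])     # nothing leaked through

    def test_anonymous(self):
        # As an anonymous user: everything is unauthorised, reads included.
        self.assertEqual(self.api.request("GET", None), 401)
        self.assertAllWritesDenied(None, 401)

    def test_read_only_user(self):
        # As a user with read-only permission: reads ok, every write still denied.
        self.api.grant("alice", SHOW)
        self.assertEqual(self.api.request("GET", "alice"), 200)
        self.assertAllWritesDenied("alice", 403)

    def test_read_write_user(self):
        # As a user with write permission: writes allowed, and GET still needs SHOW.
        self.api.grant("bob", EDIT)
        self.assertEqual(self.api.request("POST", "bob", self.payload), 200)
        self.assertEqual(self.api.candidates, [self.payload])
        self.assertEqual(self.api.request("GET", "bob"), 403)

    def test_unknown_method_is_rejected(self):
        self.api.grant("alice", SHOW)
        self.assertEqual(self.api.request("TRACE", "alice"), 405)


def run_tests() -> bool:
    """Run the suite quietly and report whether every assertion held."""
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(ApiRbacTest)
    result = unittest.TextTestRunner(stream=io.StringIO(), verbosity=0).run(suite)
    return result.wasSuccessful()


if __name__ == "__main__":
    unittest.main()
```

Once a test like this is in the build street, a refactoring that accidentally drops the permission check on one write method fails the build within minutes of the commit, which is the short feedback loop the deck argues for.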

INFOSEC IMMUNITY – ANTIBIOTICS

Sometimes you just have to say NO.


CROWN JEWELS

So parts of your code really need to be protected

Image: Crown of King Christian IV a CC NC ND image by Ville Misaki
https://www.flickr.com/photos/75595126@N00/7432041286/

INFOSEC IMMUNITY – SIGNATURES ON CRITICAL CODE

• New/changed code is checked in
• Critical code does NOT match signature
• Build fails
• Security team reviews critical code and signs it
• Build ok!
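To show what the flow on this slide looks like as a build step, here is an added example that is not the deck's own tooling. The security team keeps a manifest of SHA-256 digests of the critical files and signs it; the build recomputes the digests and fails when a critical file no longer matches the signed manifest, or when the manifest itself does not verify. An HMAC with a key held only by the security team stands in for a real signature so the example runs offline (a production setup would use GPG, Sigstore or a similar signing tool). The file paths, file contents and the key are constructed for the example.

```python
# Added example, not the deck's own tooling: a build gate for the "signatures on
# critical code" flow. An HMAC keyed by the security team stands in for a real
# signature so the example runs offline. Paths, contents and key are constructed.
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

CRITICAL_PATHS = ("auth/login.py", "crypto/keys.py")   # constructed crown jewels
SECURITY_TEAM_KEY = b"constructed-key-held-by-security-team"


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def make_manifest(tree: Dict[str, bytes]) -> Dict[str, str]:
    """Digest of every critical file present in the checked-in tree."""
    return {path: digest(tree[path]) for path in CRITICAL_PATHS if path in tree}


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    payload = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def signature_valid(manifest: Dict[str, str], signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def build_gate(tree: Dict[str, bytes], manifest: Dict[str, str],
               signature: str, key: bytes) -> Tuple[bool, List[str]]:
    """Return (build_ok, reasons). Non-critical files may change freely; a critical
    file that changed, went missing or was never signed fails the build."""
    if not signature_valid(manifest, signature, key):
        return False, ["manifest signature does not verify"]
    reasons: List[str] = []
    for path in CRITICAL_PATHS:
        if path not in tree:
            reasons.append(f"{path}: critical file missing from tree")
        elif path not in manifest:
            reasons.append(f"{path}: critical file not covered by signed manifest")
        elif manifest[path] != digest(tree[path]):
            reasons.append(f"{path}: does NOT match signed digest")
    return (not reasons), reasons


def scenario() -> Dict[str, bool]:
    """Walk the slide's flow and return the gate verdict at each step."""
    tree = {"auth/login.py": b"def login(): ...\n",
            "crypto/keys.py": b"KEY_SIZE = 256\n",
            "ui/theme.py": b"COLOUR = 'blue'\n"}
    manifest = make_manifest(tree)
    sig = sign_manifest(manifest, SECURITY_TEAM_KEY)
    verdicts: Dict[str, bool] = {}

    # New/changed code is checked in, critical code untouched -> build ok
    tree["ui/theme.py"] = b"COLOUR = 'green'\n"
    verdicts["non_critical_change"] = build_gate(tree, manifest, sig, SECURITY_TEAM_KEY)[0]

    # Critical code changed, manifest still the old one -> build fails
    tree["crypto/keys.py"] = b"KEY_SIZE = 128\n"
    verdicts["critical_change_unsigned"] = build_gate(tree, manifest, sig, SECURITY_TEAM_KEY)[0]

    # Manifest regenerated without the team's key -> signature fails, build fails
    regenerated = make_manifest(tree)
    verdicts["manifest_without_key"] = build_gate(tree, regenerated, sig, SECURITY_TEAM_KEY)[0]

    # Security team reviews the change and signs the new manifest -> build ok
    manifest, sig = regenerated, sign_manifest(regenerated, SECURITY_TEAM_KEY)
    verdicts["after_security_signoff"] = build_gate(tree, manifest, sig, SECURITY_TEAM_KEY)[0]
    return verdicts


if __name__ == "__main__":
    for step, ok in scenario().items():
        print(f"{step:<26} build {'ok' if ok else 'FAILS'}")
```

The gate only slows down changes to the crown jewels; everything else flows through the normal peer-review path, which is what keeps this compatible with the fast feedback loops the rest of the deck asks for.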

DON’T EXPECT TO BE PERFECT

Life (in Infosec) is full of little surprises

Attacks only get better, they never get worse

Source: http://imgur.com/c9pCa18

SUMMARY

The days of InfoSec Island/Castle have ended

If you didn’t realize this, don’t worry: “Survival isn’t mandatory”

Security needs to align to the tools used by developers

Acting as immune system means
• Helping stop blatantly offensive elements
• Providing early feedback
• Cleaning up infections
• Helping build resistance against new vulnerabilities
• Providing a shot of antibiotics if needed

Image: Fortress Lérins a CC SA image by Mark Fischer
https://www.flickr.com/photos/80854685@N08/8730781472/

SECURITY IS PART OF ALL THE WAYS OF DEVOPS

System thinking
• Code not in production isn’t code
• Code that isn’t secure isn’t code

Stop treating security as a silo…

Image: 2010 a CC NC ND image by Annais Ferreira
http://www.flickr.com/photos/79083322@N00/4453826217/

ALLOW SECURITY TO PROVIDE A STRONG FEEDBACK SIGNAL

The shorter the feedback loops are, the better the learning effect
• Automated security testing
• Unit tests for security
• Signed code
• Allow security to pull the Andon cord
• Have Nagios tests for security?

ALLOW FOR EXPERIMENTATION???

DevOps is THE chance for security to finally get it right

Image: Rainbolt a CC NC ND image by Brian Auer
http://www.flickr.com/photos/29814800@N00/1480408255/

THANK YOU…

Doctor Jack
• Registered EDP auditor
• Licensed MD
• Good friend
• ‘Dirty mind is a joy forever…’
