Bsides Melbourne 2019

Excited to be giving my talk at the upcoming Security Bsides Melbourne this year. The topic is helping teams build better threat models and it is entitled “What are we worried about?”.

I have been running lots of workshops with product and engineering teams. Context is king, so I share incident and breach analysis from the Verizon DBIR and other sources with these teams so they can better understand the kinds of threats and incidents that actually happen in their industry.

I have also been experimenting with ways I can help teams explore different threat actors / security personas. I have found a way that makes understanding attacker motivations, resources and likely behaviour much more accessible and easy to relate to.

I wrote about it a little here but look forward to running through it at the conference where I can expand in more detail and answer questions.

Altogether, when teams are equipped with data on breaches in their industry and have a solid understanding of the threat actors, it becomes much easier for them to build realistic threat models.

The conference looks great and I am really looking forward to catching up with people and seeing lots of the other talks.

Hope to see you there!

Infosec reading list 2019

I got some great feedback from people at meetups and conferences that my reading list for 2018 was very helpful for them, and they asked that I do another one this year. So here it is!

Last year had a heavy focus on everything related to my day job in appsec. This time around I am going to pick from a wide range of security topics that interest me outside my usual focus of application security and security analyst kind of reading.

The most important theme I noted in the books I picked out for 2019 is that they show my leanings and interests towards better understanding offensive security, especially red team and attack simulation.

This is primarily because I want to become a better defender and start to think about what better joint exercises and collaboration between the red and the blue team might look like.

I'm looking to get a much better understanding of red team tactics and how the engagements play out. To date I have typically been assisting clients in scoping and remediation of red team engagements without having eyes on how the engagements actually play out. Without that deeper understanding I think it's much harder for a defender like me to get the best value working with both teams.

Same objectives as with The Hacker Playbook above. More red team reading :)

This was a recommendation from Amazon while I was looking at threat modelling books earlier last year. Often in threat modelling training I call attention to the mix of internal versus the external threats we must consider but feel like I might not be giving enough attention to the malicious insider threat element. I think this will help me think about the way I communicate insider threats to the people I am running threat modelling workshops with.

This is purely for pleasure. I had a quick hunt around for some reading on the Dark Hotel APT but couldn’t find anything that took my interest.

Along similar lines was this one on Stuxnet. I remember following along as best I could on social media and infosec news when this was happening, but this seems like it will take my understanding of the event up a notch. It's going to be a fun read!

Again another book for pleasure. I am quite interested to know the history behind the Pinkertons and this is where I am going to start.

The description from Amazon covers it best:

The true story of Kate Warne and the other women who served as Pinkertons, fulfilling the adage, “Well-behaved Women Seldom Make History.”

Most students of the Old West and American law enforcement history know the story of the notorious and ruthless Pinkerton Detective Agency and the legends behind their role in establishing the Secret Service and tangling with Old West Outlaws. But the true story of Kate Warne, an operative of the Pinkerton Agency and the first woman detective in America—and the stories of the other women who served their country as part of the storied crew of crime fighters—are not well known. For the first time, the stories of these intrepid women are collected here and richly illustrated throughout with numerous historical photographs. From Kate Warne’s probable affair with Allan Pinkerton, and her part in saving the life of Abraham Lincoln in 1861 to the lives and careers of the other women who broke out of the Cult of True Womanhood in pursuit of justice, these true stories add another dimension to our understanding of American history.

I learned about Joe Navarro when I was an avid and regular tournament poker player looking to get an edge on reading body language and people.

I read several of his books and spotted this one. I am going to read it and see how it potentially supplements the books I read last year on social engineering.

I read Robert Cialdini's Influence: The Psychology of Persuasion last year and found it a real eye opener, especially stacked with the other books I was reading on social engineering at the time.

Drift into Failure
By Sidney Dekker

I have referenced Sidney Dekker in previous engineering culture blog posts around blameless post mortems and just and restorative engineering cultures.

A deeper understanding of failure seems like an absolute no brainer for anyone building and trying to secure complex systems.

A very kind and thoughtful present from my twitter #HackerSecretSanta this year from @keithrozario. I feel like the infosec world is lagging a bit culturally behind our SRE and ops friends. I want to build the best bridges I can with these teams and part of doing that is ensuring I continue my education on Devops culture.

Very interested to hear about the books you read over the break and what you plan on reading in 2019. Feel free to reach out by e-mail from the contact page or hit me up on twitter @SparkleOps.

Threat modelling - Security Personas

I get real satisfaction out of running threat modelling workshops because after the session I can almost immediately see the results: changes get made in designs, and I overhear conversations about the security controls our applications need to have in place *before* we build them.

I start threat modelling workshops by leading a discussion about what the term vulnerability actually means, stealing the definition from google:

"The quality or state of being exposed to the possibility of being attacked or harmed".

By that definition vulnerability is being exposed, and there is only an unqualified potential of being attacked.

The key point to note to the class is that an attacker usually needs to gain something from attacking you. It might be financial gain, something ideological, or just a display of skill and bragging rights. The question is: what is their motivation? Why do this?

The exercise of threat modelling will help us learn how we might be vulnerable, but it also helps us understand the threats in terms of who, for what reasons, and what impact an attacker of their ability could have. We can then start to make well reasoned decisions about using our limited resources to best defend our people and systems.

When we come to the who part of our threat model, having a set of 'security personas' to select from helps us in the exercise of thinking about the types of people, their abilities and motivations, and perhaps looking at the likely approach of multiple security personas to the same vulnerability.

When tasked with thinking up some examples the class will often create security personas based on things they've seen or read about security incidents in the media or even in TV series or movies. This means initially your class might be saying we need to be prepared to defend against highly skilled hackers or governments, so it’s Fsociety or Mossad that are our problem.

This is reasonable, especially for a less technical audience with little to no infosec exposure: while we might be security professionals who live and breathe this sort of mental exercise, it's likely your class does not.

You need to help people learn about the more realistic threats like insider threats, an integrator getting compromised, or the non-malicious, genuine mistakes made by your staff such as security misconfigurations or losing a company laptop. Once you help them get into it, the range of threats the team needs to consider during threat modelling is almost always much wider than they'd initially considered.

Unfortunately, in my experience during workshops some members of the class will tag a certain person, team, product or vendor they work with (probably not present) as a security persona, because in their eyes they are to blame for the vulnerabilities they know about and thus are called out as a threat. This is toxic, and from the very outset I make it clear it's unacceptable to do this in the workshop.

So how do I overcome these two problems? Well, you need to give your workshop an engaging set of characters they can kick off great conversations with, build a story around, and then invent a new set of security personas to take forward with them for the rest of the workshop.

For this I’m using sets of images of Funko Pop collectible characters and asking the class questions like “Who is this?", "What's their skill set?" and then "What are their potential motivations?" to help them imagine a story and build a security persona.

I'll give you a few examples and the kind of story we might attribute to a selection of these characters.

Muttley is a high school student. He loves computers, especially other people's computers. He's recently got access to some penetration testing tools and is experimenting on public systems using a laptop he fished out of a dumpster. He often scans for unpatched WordPress and Drupal websites and anything on Shodan with default credentials and then defaces or shuts them down for a laugh.

This is Loki, he’s a security researcher. Loki loves hacking and will try and make some cash from his research any way he can. Sometimes he will go through a legitimate channel to sell his discoveries like Bugcrowd or HackerOne. But it's no big deal if he can't get paid by them or the vulnerable company he's talking to .... there are other places to sell vulnerabilities to.

This is Grumpy bear. This is anyone who is mad at you or your company. Could be a customer, a vendor, an employee, or someone who just doesn't happen to agree with what you do for a living. They might not be a computer expert with offensive capabilities, but that won't stop them paying your offices a visit.

Not all threats are external or even malicious. This is Tony, the operations lead at your company. He's currently busy getting devops sorted in the business (whatever that is) and doing all kinds of neat stuff in AWS while your company moves to the cloud. Tony has no experience with AWS but is convinced moving all the servers to the cloud is basically like a digital data center migration. How hard could it be?

It’s fun for the class to hear the stories their peers invent for your selection of these characters and what kind of resulting security personas get put forward. If you're leading the class, be ready to offer some security personas of your own for a few of the characters if things get stale.

Once you’ve done this you can start to think about how these security personas might go about attacking your systems or people.

You can ask questions to spark people’s imagination like “How is Muttley going to be different to Loki at approaching social engineering?” or “What happens when Grumpy bear steals Tony's laptop?” to encourage your workshop to think through various scenarios and hopefully unearth even more vulnerabilities.
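One way to carry the personas from the whiteboard into the "well reasoned decisions using our limited resources" step is to write down, for each persona, what access they already have, how capable they are and how motivated they are, and then score each persona against each candidate scenario. The script below is an added example and not code from the original post; it uses the four characters described above, but every number, access set and scenario in it is a constructed value chosen for illustration. The point it makes is the one the workshop questions aim at: the same scenario ranks very differently depending on who is attempting it, and an angry but unskilled actor with physical access can outrank a skilled remote researcher.

```python
"""Persona-driven risk ranking for a threat-modelling workshop.

Added example (not from the original post). The personas follow the workshop
stories above; all numbers, access sets and scenarios are constructed values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Persona:
    name: str
    skill: int          # 1-5: technical capability
    motivation: int     # 0-5: how much they want to hurt *us* specifically
    access: frozenset   # where they can already reach: "internet", "office", "aws"
    malicious: bool     # False for the well-meaning insider who makes mistakes


@dataclass(frozen=True)
class Scenario:
    name: str
    requires: frozenset  # access the actor needs before the scenario is possible
    needs_skill: int     # minimum skill to pull it off deliberately
    accidental: bool     # True if this is a mistake rather than an attack
    impact: int          # 1-5: what it costs us if it happens


# Constructed personas, following the workshop stories above.
PERSONAS = [
    Persona("Muttley", skill=2, motivation=2, access=frozenset({"internet"}), malicious=True),
    Persona("Loki", skill=5, motivation=3, access=frozenset({"internet"}), malicious=True),
    Persona("Grumpy bear", skill=1, motivation=5, access=frozenset({"internet", "office"}), malicious=True),
    Persona("Tony", skill=2, motivation=0, access=frozenset({"internet", "office", "aws"}), malicious=False),
]

# Constructed scenarios a workshop might put on the whiteboard.
SCENARIOS = [
    Scenario("Default credentials on an internet-facing admin panel",
             requires=frozenset({"internet"}), needs_skill=1, accidental=False, impact=3),
    Scenario("Previously unknown bug in the customer API",
             requires=frozenset({"internet"}), needs_skill=5, accidental=False, impact=5),
    Scenario("Laptop stolen from the office",
             requires=frozenset({"office"}), needs_skill=1, accidental=False, impact=4),
    Scenario("Storage bucket left world-readable during the cloud migration",
             requires=frozenset({"aws"}), needs_skill=0, accidental=True, impact=5),
]


def likelihood(persona: Persona, scenario: Scenario) -> int:
    """0-5 estimate of how likely this persona is to cause this scenario.

    Returns 0 when the persona lacks the access or skill the scenario needs.
    That is the case the workshop wants to make visible: a low-skill but
    angry actor is irrelevant to a novel API bug and very relevant to a
    stolen laptop.
    """
    if not scenario.requires <= persona.access:
        return 0
    if scenario.accidental:
        # Only the non-malicious insider causes accidents; less experience,
        # more mistakes (constructed rule of thumb).
        return 0 if persona.malicious else max(1, 5 - persona.skill)
    if not persona.malicious or persona.skill < scenario.needs_skill:
        return 0
    return persona.motivation


def rank_risks(personas=PERSONAS, scenarios=SCENARIOS):
    """Return (score, persona, scenario) tuples, highest risk first, zeros dropped.

    score = likelihood x impact, the usual qualitative risk product.
    """
    rows = []
    for p in personas:
        for s in scenarios:
            score = likelihood(p, s) * s.impact
            if score:
                rows.append((score, p, s))
    # Deterministic order: highest score first, then by name for ties.
    rows.sort(key=lambda r: (-r[0], r[1].name, r[2].name))
    return rows


if __name__ == "__main__":
    for score, p, s in rank_risks():
        print(f"{score:>3}  {p.name:<12} {s.name}")
```

With these constructed values "Grumpy bear steals the laptop" comes out on top, while Muttley never appears against the API bug at all because his skill is below the scenario's bar. The numbers are only a conversation starter; the useful part of the exercise is the argument in the room about why a persona's motivation or access should be higher or lower than the table says.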

I hope this novel way of building security personas helps you either consider the kind of security personas to include in your threat models or in your teaching others to threat model. It's important the process is both engaging and done in a safe, positive fashion, and I think this approach really works great.

I am always looking for ways to improve the workshops I run and how to engage and teach people about application security, so I was pretty pleased to get this reply to the tweet stream that spawned the blog post from @ladynerd.


I don't think I have seen any of the Tinker Bell movies. So for homework I guess I'll be watching them to answer this one and give some consideration to how our own biases could impact the security personas we create.

If you have any tips or comments on how you help people consider the personas in their threat modelling, I'd love to hear from you. Hit me up on twitter @Sparkleops.

Banner art credit Tony Fleecs https://www.tonyfleecs.com/ 💖