Presentation: Offense At Scale

Duration: 2:55pm - 3:45pm

Key Takeaways

  • Learn how hackers (offense) are changing their attack approach and how those changes affect how we develop and deploy code for billions of users.
  • Understand the security challenges of scale and ephemeral infrastructure.
  • Hear how Offense teams improve and strengthen Defense.

Abstract

We know that scale, size, and complexity affect security in huge ways. As our deployments grow in size, the requirement for automation brings with it the inherent challenges of authentication, authorization, and a long list of other security controls. But how do scale, size, and complexity affect your adversaries’ offense operations?

This talk will explore how we look at offense in a world of large containerized deployments and ephemeral environments, through the lens of a Red Team that is exclusively focused on targeting them. Attendees will walk away with a solid understanding of the traditional model of low and slow, and how it is increasingly irrelevant in a software stack that is constantly changing due to deployment at every layer.

Interview

Question: 
What is your role today?
Answer: 
I am the Director of Penetration Testing and Red Team at Yahoo. In addition to managing the team I am heads down doing technical work to push the boundaries of offense.
Question: 
Can you explain your talk title to me?
Answer: 
My talk is about how offense needs to change in the face of scalable architectures and fast moving tech stacks.
Question: 
How would you describe the persona of the target audience of this talk: Architect (Generalist), Data Architect, Tech Lead, Developer (JVM), Developer (NON-JVM), Sr Management (VP, CTO, CIO, Director), Project Manager / Process / Agile Coach, Something else
Answer: 
All of the above. The talk is technical but not specific to any one technology. Engineers will walk away with a technical understanding of how attackers will target scalable infrastructures. The C level executive will walk away understanding how offensive strategies adapt to changing times.
Question: 
What’s the motivation for your talk?
Answer: 
A good offense helps strengthen defense. Scale is bringing a lot of change to how we develop and deploy code to millions of users. This requires change by security organizations. Right now attackers enjoy the upper hand due to a lack of automation and a large number of vulnerable systems. Offense needs to change our techniques in order to be successful in the future.
The talk is all about how offense is changing when it has to target operations at scale, when it has to target tech stacks that are changing very quickly. So offense has to adapt to that. I'll show how we, at Yahoo, have approached that problem from an offensive perspective, and how offense is going to have to change in the future in response to that. Of course we do that so that we can give some insight into people who are working in these tech environments who are building new defensive security measures into these tech stacks so they can understand how offense is going to change in response to them.
Question: 
Can you give me an example of what a security issue that doesn’t hold up the same at scale as it does at a smaller scale?
Answer: 
Let’s say you have a billion users. If you took the top password out of all of the password dump databases that exist on the dark web and tried it once against a billion accounts, you basically have no risk of account lockout and a very high chance of success. So at that scale, how do you defend all those accounts? How do you protect all those accounts when the attacker is almost guaranteed to have a high success rate?
Question: 
Are you going to go into details on what to do, on recommendations that you make?
Answer: 
There are a few solutions for the defense, but one of the main points of the talk is that this is coming from an offensive perspective. If you look at how attacks have always been in the past, there is a lot of low and slow approach and staying stealthy. But I think in the future, as these tech stacks move and they change and they scale out into enormous sizes, the offense is going to automate in the same way these tech stacks do. With that automation comes speed, and you don’t necessarily need the element of stealth to be successful.
Question: 
What are your key takeaways for this talk?
Answer: 
I think this is a unique opportunity for the defensive side to take advantage of all the things that scale gives you. Scale gives you the ability to do ephemeral and immutable infrastructures, which makes the job of the attacker much harder. So this is a unique opportunity to sort of turn that asymmetry around and make it much harder for attackers to be successful.
Question: 
What challenges do containers present for our threat models?
Answer: 
Well, there are a whole bunch of challenges there in … so there are the traditional issues that have already reared their head so far which is like shipping containers with old code and old vulnerabilities. There is the challenge of forensic tools that aren’t quite prepared for those environments yet. And of course, from the offensive side, there is the challenge of the fact that you need to maintain persistence on the targets you have compromised and a container may not be around for a long time so there is a new challenge there in gaining and maintaining persistence.
Question: 
Are there any unique challenges that are specific to DevOps that someone that is Blue Team might not be thinking about?
Answer: 
Yeah, I think one of the big challenges is that with scale comes more data. It is easy to say "big data" as a buzzword, but when you are doing security, time is a very important factor, and I think the way we look at attack and defend in the future is going to come down to who is faster. If the defensive side just doesn’t have the ability to not only analyze, but just move logs to the right place for security analysis, if they can’t do that faster than an attacker can do their attack chain, then they are in a lot of trouble.
Question: 
What do you feel is the most disruptive tech in IT right now?
Answer: 
I think IoT has actually been a big game changer, at least for security, when it comes to disruption. Embedded platforms are not something that we have always traditionally had a good handle on, and now that it is exploding, the amount of data it’s generating has just compounded the problem, and I think it is only going to get worse.
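The one-password-across-many-accounts scenario described in the interview above, as an added detection example (not code from the talk or from Yahoo): the auth log lines are constructed, and a traditional per-account lockout counter is contrasted with a per-source breadth rule that flags the spray the lockout never sees.

```python
# Added example (not from the talk): breadth-based detection of a one-try-per-
# account password spray. A per-account lockout counter never fires when every
# account sees a single failure, so we also count distinct accounts per source.
from collections import defaultdict

# Constructed sample auth log: "source_ip account outcome"
SAMPLE_LOG = [
    "203.0.113.9 alice FAIL", "203.0.113.9 bob FAIL", "203.0.113.9 carol FAIL",
    "203.0.113.9 dave FAIL", "203.0.113.9 erin OK", "203.0.113.9 frank FAIL",
    "198.51.100.7 alice FAIL", "198.51.100.7 alice FAIL", "198.51.100.7 alice OK",
]

LOCKOUT_THRESHOLD = 5            # classic rule: lock an account after 5 failures
SPRAY_MIN_ACCOUNTS = 5           # breadth rule: distinct accounts failed per source
SPRAY_MAX_TRIES_PER_ACCOUNT = 2  # sprays stay at ~1 attempt per account


def parse(lines):
    """Return (source, account, outcome) tuples from the space-separated log."""
    return [tuple(line.split()) for line in lines]


def per_account_lockouts(events):
    """Accounts the traditional per-account failure counter would lock."""
    fails = defaultdict(int)
    for _, acct, outcome in events:
        if outcome == "FAIL":
            fails[acct] += 1
    return sorted(a for a, n in fails.items() if n >= LOCKOUT_THRESHOLD)


def spraying_sources(events):
    """Sources whose failures are spread thinly across many distinct accounts."""
    per_src = defaultdict(lambda: defaultdict(int))  # src -> account -> failures
    for src, acct, outcome in events:
        if outcome == "FAIL":
            per_src[src][acct] += 1
    flagged = []
    for src, accts in per_src.items():
        avg_tries = sum(accts.values()) / len(accts)
        if len(accts) >= SPRAY_MIN_ACCOUNTS and avg_tries <= SPRAY_MAX_TRIES_PER_ACCOUNT:
            flagged.append(src)
    return sorted(flagged)


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("locked accounts:", per_account_lockouts(ev))  # -> []
    print("spraying sources:", spraying_sources(ev))     # -> ['203.0.113.9']
```

In production the breadth key would be an ASN, client fingerprint or time window rather than a single IP, since a spray at the scale the interview describes is spread across many sources.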

Speaker: Chris Rohlf

Director - Penetration Testing / Red Team @Yahoo

Chris Rohlf is currently the Director of the Yahoo Penetration Testing and Red Team in NYC, where he specializes in vulnerability discovery, exploitation, and reverse engineering. Chris has 13 years of experience in various security roles including developer, researcher and consultant. Prior to Yahoo, Chris was the founder of Leaf Security Research, a boutique security consulting firm; a Principal Security Consultant at Matasano Security in NYC; and worked as a Security Researcher for the U.S. Department of Defense. Chris has discovered and published many security vulnerabilities affecting web browsers, operating systems and more. He has spoken at industry conferences including Black Hat and is the author of several open-source security tools.

