Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / Online Programs / 28 Sep 2023
Cloud Native Computing Foundation / Online Programs / 28 Sep 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Optimizing breaking attack chains

Description

No description was provided for this meeting.
If this is YOUR meeting, an easy way to fix this is to add a description to your video, wherever mtngs.io found it (probably YouTube).

A

Hello, everyone and thank you for joining this webinar I'm iska I'm, a software developer at armo and recently I've been working on a really interesting concept that I'd like to tell you about today called attack chains.

A

I'll start with an overview of what an attack chain is and how we Define them in armo, then we'll see a demo with real live attack chains, we'll talk about how we can break in the tax chain and what added value we can get from this concept.

A

An attack chain is a series of misconfigurations or vulnerabilities that a malicious actor can exploit to access and manipulate your environment. Now this is often referred to in the industry as attack paths and I'll, be using the terms, attack chains and attack paths interchangeably throughout this webinar. But I, really like the analogy of this concept as a chain where each link represents some exploitable risk. You have in your system and together they create a whole chain or a path.

A

Each link on its own may seem like a harmless misconfiguration, but in the context of an attack chain, it's a vital link leading the attacker to your core resources.

A

From the attacker's perspective, the chain is only as strong as its weakest link. So in order to break a chain, we would only need to fix the risks on a specific Link in the chain. In Arma, we've defined two types of attack paths.

A

This first one describes a workload that is exposed through a service or an Ingress, has critical vulnerabilities on its image and has some sort of misconfiguration that can allow further impact in the environment like Secrets or credentials that are mounted to it or the service account token, which can ultimately allow an attacker to manipulate other resources.

A

The second attack path is a workload, that's similarly exposed and has no resource limit set, thus creating a potential denial of service by an attacker monopolizing the resources.

A

Now, let's see in action on armo platform in this cluster, we've identified two attack paths that correlate to the two types of attack paths we've just seen in this first one. We see that our deployment is exposed through a load. Balancer has critical vulnerabilities on its image and has three different risks that can cause further impact, like the fact that no network policy is applied on it.

A

Each of these links map to either a security control used by cubescape misconfiguration scanner or a cve identified by its vulnerability scanner. You may already be aware of each of these misconfigurations and cves, but attack paths put them into context, allowing you to identify those that have the most impact.

A

Now, let's look at the second type. It describes a potential flooding of the node resources caused by missing limit configurations on this workload.

A

If we look at the details, we can see again that this workload is exposed and has no limits applied to the memory and CPU resources. Now I want to break this chain. We're all aware that for grafana to bring value it has to be exposed.

A

So this is a risk we should be willing to accept, but for the other link, We may have been willing to accept this misconfiguration of No Limit set- or at least it wouldn't have been our top priority to fix, but seeing it in the context of an attack path, highlights the urgency and makes fixing it a priority.

A

So, let's we can use this fix button to help us quickly identify where and how to fix it. These lines are what we need to add in order to remediate this problem. We can just copy this yaml or download it as a file. Now, let's open our favorite text, editor paste change. These values, I'm just going to use the same values of the requests for the limits and apply.

A

Now, let's navigate back to our attack path, page click scan again and see the effect that this simple change has had on our environment.

A

Amazing there we are that simple fix fixing one control for one resource broke in attack chain just goes to show that an attack chain is as strong as its weakest link. So now that we've learned about and understood this cool New Concept, what can we do with it now? We know how it is trying to maintain a secure environment. The amount of work is overwhelming.

A

The idea of attack chains is not to introduce new threats and more things to worry about it's to add a way to prioritize existing threats based on the risk they pose. So we can work on what has the most impact on our security posture?

A

What do I mean by that? Our misconfiguration scans and our image scans? They spew out thousands of issues we need to take care of, and we just don't have the time to fix them all. So we use tools and information like the severity of each risk to prioritize our work and that's great, but attack chains or attack paths. Take this a step further because we won't be fixing all our issues, but by fixing the right issue, a small change can have a big impact.

A

If you remember in our demo, fixing just one single control for a single deployment broke a serious attack chain.

A

After seeing these risks in the context of an attack path, we get information about how exploitable they are and what impact they have on our environment and we're able to prioritize fixing misconfigurations that can cause serious harm and, with our limited and precious time, invest our efforts to get the most impact on our security posture.

A

So what did we learn today? An attack chain is a series of risks that an attacker can exploit in order to access and manipulate your environment.

A

Attack chains can provide context to our cves and our misconfigurations that we may have known about previously and didn't know we should prioritize and an attack chain is only as strong as its weakest link. Thank you all. So much for joining I hope this helps you prioritize your efforts and Harden your security.