Lessons IT Can Steal from Hackers
What skills do hackers have that your IT department may not have in such great supply? Resiliency, according to Kelly Shortridge, the author of Security Chaos Engineering: Sustaining Resilience in Software and Systems and a senior principal engineer at Fastly in the office of the CTO.
Shortridge spoke at Black Hat this month about what IT security pros can learn from attackers. Specifically, she pointed out:
- Attackers have a faster operational tempo;
- Attackers design, develop, and operate mechanisms to outmaneuver IT;
- Attackers research interconnections and interactions in systems; and
- Attackers have more tangible and actionable success metrics.
“All of these reflect a foundation of resilience: The ability to prepare for, recover from, and adapt to adverse events,” she said in her presentation.
She explored how resiliency could be applied to IT teams to keep hackers at bay and improve IT’s own resiliency in the face of attacks. In this post, we’ll look at two of Shortridge’s recommendations:
- Leveraging Infrastructure as Code
- Automating security through the Continuous Integration/Continuous Development pipeline.
Work at a Faster Tempo with IaC
Attackers pivot quickly in the face of adversity and rapidly evolve their methods, Shortridge said. IT security can speed up its own tempo by adopting approaches from modern software engineering, she contended. For instance, developers and IT should use configuration as code, which she defined as declaring configurations in markup rather than applying them through manual processes. Likewise, IT security should leverage Infrastructure as Code (IaC), the ability to create and manage infrastructure through a declarative specification.
“The practice of IaC, you can think of it as using the same sort of process as source code but instead of generating the same application binary, every time we’re generating the same environment; it creates more reliable and predictable services,” she said. “Organizations are already using IaC for the audit trail it generates and that absolutely still supports security because it makes processes more repeatable, which means fewer mistakes.”
IaC also removes “old stuff” when you add “new stuff in,” she said. “You can think of it as aware of how to undo all the parts of the old config,” she added.
IaC also speeds up incident response: infrastructure can be redeployed automatically when an incident, or an indicator of one, is detected, without impacting the end-user experience.
“When you have automated, reprovisioning infrastructure, it means that compromised workloads can be killed and restarted or redeployed as soon as an attack is detected,” she said.
Another IaC benefit: It minimizes misconfigurations.
“Our favorite defenders, the National Security Agency, have highlighted misconfigurations as the most worrisome cloud vulnerability because they’re both easy for attackers to exploit and they’re also highly prevalent,” she said. “A critical part of the resilience revolution is embracing that failure is inevitable, that mistakes and misconfigurations are inevitable. But we can recover from failure, and we can adapt with it gracefully.”
IaC helps on both counts by correcting misconfigurations and minimizing the impact of failure when it inevitably occurs, she said. It also helps with faster patching and deployment of security changes and fixes, she added.
“I think the real lesson of the Equifax incident is that patching processes must be usable else, frankly, procrastination is a logical course of action,” Shortridge said. “So IaC helps with this, it reduces friction in the way of releasing patches of these fixes. It also decentralizes the process which promotes looser organizational coupling, vehicles those that self-serve security, that’s been very hot over the past year.”
It can also be used to minimize environmental drift, she said, because IaC allows you to revert to previous deployments as needed.
“We also get stronger change control with infrastructures as code,” she said. “So it introduces change control by writing source code management or SCM, that enables peer reviews on configurations and also really strong change log.”
CI/CD and Invariant Enforcement a ‘Game Changer’ for Defense
IT can automate security checks by focusing on continuous integration and continuous delivery/continuous deployment. CI/CD lets IT move faster and track what it does — or even revert to a previous state, which is something attackers can’t do.
“Using automation, CI/CD pipelines ensure that these activities occur at regular intervals with minimal interference required by humans. So I think we should really appreciate CI/CD not just as a mechanism to avoid the toil and foibles of manual deploys, which I’ve experienced myself, but also as a tool to make software delivery more repeatable, predictable, and consistent,” Shortridge said.
The other crucial thing CI/CD can do is enforce invariants, she said. An invariant is a condition or property that must hold true throughout the execution of a program or system. Invariants help ensure the correctness of a program or system, but they can also be used to simplify its design and implementation.
Invariants allow IT to achieve whatever properties it wants the same way every time software is built, deployed and delivered.
“Crucially, we can enforce security invariants, which I kind of think is a game changer for defense,” she said. “So for example, we can enforce invariants like database servers should only make outgoing network connections to their replication peers and a small list of core services. Or services must communicate over TLS and validate remote certificates. Or only images built by our CI/CD system may run on the production Kubernetes environment or cluster. …So variants are important, but I think the speed element is even more crucial and it brings us even more of an advantage.”
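As an added illustration (not code from Shortridge or her talk) of what a CI/CD gate for the three invariants she lists might look like, the script below checks a declarative workload spec before deployment. The registry name, the spec fields, and the sample workloads are all constructed for this example.

```python
import re

# Assumption: images are only trusted if they come from the registry our CI system pushes to.
TRUSTED_REGISTRY = "registry.ci.example.internal/"
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def check_image(workload):
    """Invariant: only images built by our CI/CD system may run in production.
    A registry prefix alone is not enough; a mutable tag could be re-pushed, so we also require a digest pin."""
    image = workload.get("image", "")
    if not image.startswith(TRUSTED_REGISTRY):
        return f"{workload['name']}: image {image!r} not from CI registry"
    if not DIGEST_RE.search(image):
        return f"{workload['name']}: image must be digest-pinned, not tag-only"
    return None


def check_tls(workload):
    """Invariant: services communicate over TLS and validate remote certificates."""
    for dep in workload.get("upstreams", []):
        if not dep.get("tls", False) or dep.get("verify_cert") is not True:
            return f"{workload['name']}: upstream {dep['host']} lacks verified TLS"
    return None


def check_db_egress(workload, allowed_core):
    """Invariant: database servers only egress to replication peers and a short list of core services."""
    if workload.get("role") != "database":
        return None
    permitted = set(workload.get("replication_peers", [])) | set(allowed_core)
    bad = [dest for dest in workload.get("egress", []) if dest not in permitted]
    return f"{workload['name']}: unexpected egress to {sorted(bad)}" if bad else None


def enforce(workloads, allowed_core=frozenset({"dns", "metrics"})):
    """Run every invariant over every workload; a non-empty list should fail the pipeline."""
    violations = []
    for w in workloads:
        for v in (check_image(w), check_tls(w), check_db_egress(w, allowed_core)):
            if v:
                violations.append(v)
    return violations


GOOD_DIGEST = "sha256:" + "a" * 64  # constructed placeholder digest
SAMPLE_WORKLOADS = [  # constructed sample spec, not from a real cluster
    {"name": "api", "image": f"{TRUSTED_REGISTRY}api@{GOOD_DIGEST}",
     "upstreams": [{"host": "db", "tls": True, "verify_cert": True}]},
    {"name": "db", "role": "database", "image": f"{TRUSTED_REGISTRY}pg@{GOOD_DIGEST}",
     "replication_peers": ["db-replica"], "egress": ["db-replica", "dns", "backup-site"]},
    {"name": "worker", "image": "docker.io/library/python:3.12",
     "upstreams": [{"host": "api", "tls": True, "verify_cert": False}]},
]

if __name__ == "__main__":
    print("\n".join(enforce(SAMPLE_WORKLOADS)) or "all invariants hold")
```

Wired into the pipeline as a required step, the check fails the build on the `db` egress and both `worker` violations while letting the compliant `api` workload through.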
Automated CI/CD pipelines mean patches can be tested and pushed to production in hours versus days, she added. This doesn’t just allow companies to build and deliver software more quickly; it also allows IT to fix vulnerabilities and security issues more quickly, she said. CI/CD also allows you to roll back whenever needed, which can be a lifesaver when there is an incident, she added.
This post is part one of a two-part series. Check back on Friday for part two!