Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is comfortable profiling and securing every tier of a bare metal or cloud native system, and has battle-hardened experience delivering containerised solutions to enterprise and government. He is a co-founder of https://control-plane.io.
How to Train your Red Team (for Cloud Native)
How do we safely introduce Cloud Native software without opening unexpected security holes? By understanding risk, modelling threats, and attacking our own systems.
“Simulation” (i.e. playing hacking games on production-like infrastructure) is rising to prominence as a comprehensive training method for penetration testers, Red Teams, and infrastructure engineers. It safely demonstrates the risks an organisation or platform may face by using a controlled environment that looks and feels like production — but is only a clone.
In this highly technical talk we:
- cover the challenges faced when introducing Cloud Native to financial organisations
- show the steps taken to threat model Kubernetes
- build and automate attack trees and kill chains for likely (and perversely difficult) compromise scenarios
- demonstrate an open-source Kubernetes CTF platform