Hackers of India

Protecting the Damned: Deploying Insecure Applications at Scale

Vivek Ramachandran

2019/11/01

Abstract

Most defense talks are about how to code and pentest applications to secure them before deployment. As a security education company, we have had to deploy extremely insecure applications on our infrastructure, providing thousands of hackers around the world low-level access to sensitive files, debugging capabilities and even kernel manipulation abilities on our lab environment. All this while still maintaining control of the infrastructure, protecting users from each other and monitoring all activities performed within our network. The resulting scenario is literally one of “assumed breach” where we must ensure that the “attackers” who have access to these insecure machines cannot cause any further havoc beyond this scope. To accomplish this, we have built our systems from the ground up, leveraging entirely open-source technologies such as Docker and KVM. Lots of lessons were learned and many things were done in unconventional ways to secure this infrastructure. In this talk, we wish to share our experience on how to go about building a secure infrastructure hosting extremely insecure applications mirroring an assumed breach scenario!