11. Infrastructure as a Service
Adv Platforms & Big Data
ML and Predictive Analytics
Voice / Recommendations / ?
YOU Born-in-the-Cloud
Competition
Cloud Capabilities
16. Why Do You Need A Strategy?
Game of Thrones (HBO)
17. All Your Data Are Belong To Hackers
14 million customer records leaked
4 million credit cards stolen
Millions of classified images stolen
Open k8s cluster
Cryptomining & data exfil
Elastic Search Cluster open on the Internet
Not to mention people sharing their hard-drives
18. Publicly Writable Buckets!
● LA Times website was tricking readers into mining cryptocurrency for some guy
● Bucket was left publicly writable
● Miner just uploaded some of his own JavaScript
● LA Times happily served it out
For Three Weeks
19. Everything can be public
● S3 Buckets
● Container Registries
● Disk Volumes and Boot Images!
● Lambda Executions
● SNS Topics
● SQS Queues
● KMS Keys???
Cloud Security Posture (Your AWS Account 2019)
20. Subdomain Takeovers
● Route53 is your friend!
● Orphaned Aliases
aws route53 list-resource-record-sets --hosted-zone-id Z2WCA2W1V2XMNG --query "ResourceRecordSets[].[AliasTarget.DNSName,Name]" --output text | grep s3
s3-website.us-east-2.amazonaws.com. wateringhole.room17.com.
If you don’t own the bucket,
I can for the low low price of nothing!
aws s3 mb s3://wateringhole.room17.com
21. Secrets
● GitHub
● UserData
● Lambda Functions
● Lambda Layers
● Env Vars
● Wide Open k8s
● Your Laptop
Upload
Game of Thrones (HBO)
24. Account Takeovers
● IAM Users
● KMS Deletions
● Crypto Mining!
● Denial of Wallet
● Account Ransom
25. Capital One
● Metadata Abuse!
● Overly permissive roles!
● Undetected Data Exfiltration!
● Guns!*
● Senate Inquiries!
What's in your dumpster fire?
* Attacker's landlord had illegal firearms which were seized as part of the search
26. Lateral vs Vertical Movement
● Lateral Movement
○ Network to network
○ Cloud account to cloud account
● Vertical Movement
○ Use cloud creds to compromise a machine
○ Use a popped machine to pivot to the cloud layer
Gravity (Warner Bros. Pictures 2013)
https://summitroute.com/blog/2019/02/04/lateral_movement_abusing_trust/
https://www.chrisfarris.com/post/lateral-movement-aws/
27. AWS does a bad job of making it hard to do stupid things
31. Cloud Security Standard
• KISS
• Focus on your risk and your culture
• Define accountability
• CIS Benchmarks are a start
• Consensus Driven
• Requirements “must”
• Best Practices “should”
https://www.chrisfarris.com/post/cloud-security-standard/
33. AWS Organizations
AWS Account Governance Service
● Easy to create new accounts
● Consolidated Billing
● Service Control Policies
34. Service Control Policies
SCPs limit what your child accounts can do.
Examples
- Protect CloudTrail / GuardDuty
- Protect KMS Keys
- Prevent VPC changes
- Block unapproved services
- Leave the organization
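A worked example of the "protect CloudTrail / GuardDuty" and "leave the organization" SCPs listed above, added here and not taken from the talk. The policy document, its statement ids, the exempted audit role name (SecurityAudit) and the small evaluator are this example's own assumptions; the evaluator models only Action/Resource wildcards and a StringNotLike exemption on aws:PrincipalArn, not the full SCP evaluation logic (Allow lists, NotAction, other condition operators).

```python
"""Worked example: a deny-style Service Control Policy and a small evaluator.

Added illustration, not the talk's own policy. Statement ids, the exempted
role name (SecurityAudit) and the evaluator are assumptions of this example.
"""
import fnmatch
import json

# Constructed SCP. SCPs never grant permissions, so protecting CloudTrail and
# GuardDuty and keeping accounts in the org is written purely as Deny
# statements; the security account's audit role is exempted from the first one.
PROTECT_SECURITY_SERVICES_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProtectCloudTrail",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/SecurityAudit"}
            },
        },
        {
            "Sid": "ProtectGuardDuty",
            "Effect": "Deny",
            "Action": ["guardduty:DeleteDetector", "guardduty:UpdateDetector",
                       "guardduty:DisassociateFromMasterAccount"],
            "Resource": "*",
        },
        {
            "Sid": "PreventLeavingOrganization",
            "Effect": "Deny",
            "Action": "organizations:LeaveOrganization",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Minimal condition evaluation: only StringNotLike is modelled.

    StringNotLike holds when the context value matches none of the patterns
    (a missing key also makes it hold). Other operators are ignored, which
    keeps a Deny statement in force rather than silently dropping it.
    """
    for key, patterns in condition.get("StringNotLike", {}).items():
        value = context.get(key, "")
        if any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns)):
            return False
    return True


def scp_denies(scp, action, resource="*", principal_arn=""):
    """Return the Sid of the first Deny statement that blocks the call, else None.

    Action and Resource wildcards use IAM's * and ? semantics (actions are
    case-insensitive). The Allow side, NotAction/NotResource and other
    condition operators are out of scope for this example.
    """
    context = {"aws:PrincipalArn": principal_arn}
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if any(fnmatch.fnmatchcase(action.lower(), a) for a in actions) and any(
            fnmatch.fnmatchcase(resource, r) for r in resources
        ):
            return stmt.get("Sid")
    return None


def blocked_calls(scp, calls, principal_arn=""):
    """Given (action, resource) pairs, return those the SCP would deny."""
    return [(action, resource) for action, resource in calls
            if scp_denies(scp, action, resource, principal_arn)]


if __name__ == "__main__":
    print(json.dumps(PROTECT_SECURITY_SERVICES_SCP, indent=2))
    probe = [("cloudtrail:StopLogging", "*"), ("cloudtrail:DescribeTrails", "*"),
             ("organizations:LeaveOrganization", "*")]
    print(blocked_calls(PROTECT_SECURITY_SERVICES_SCP, probe,
                        "arn:aws:iam::111122223333:role/Developer"))
```

The evaluator is useful for regression-testing an SCP before attaching it to an OU: feed it the calls your deployment pipelines and audit role actually make and confirm the Deny hits only what you intended.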
35. Security Account
● Audit rights to all accounts
● Manage GuardDuty and other services
● CloudTrail
● Inventory
https://www.chrisfarris.com/post/securityaccount/
38. Antiope
● Lots of accounts and lots of regions makes for a big haystack
● Enterprise tools are ridiculously expensive
● AWS Config service doesn’t support all AWS services we use
● Requirement to track (and identify) foreign AWS accounts
● Search engine to help find BGSHs
● Opensource
● Azure & GCP are in progress
● An-Tie-Oh-Pee
https://github.com/turnerlabs/antiope
Robin Wright as Antiope
Wonder Woman 1984 (Warner Bros. Pictures)
39. What It Monitors (Today)
● EC2
● Security Groups
● Elastic Network Interfaces
● Route 53 Domains
● Route 53 Zones
● ElasticSearch
● ECS Tasks & Clusters
● ECR Repos
● CloudFront
● CloudFormation
● AMIs
● VPCs, VPN & Direct Connect
● IAM Roles & Users
● Lambda & Lambda Layers
● Trusted Advisor
● Support Cases
43. Threat Hunting In Antiope
Hypothesis: “Someone has a publicly open AWS ElasticSearch domain”
Step 1 - Inventory all ElasticSearch domains
Step 2 - ES Query to find access policy with Principal = * and no Conditions
Step 3 - panic a little
Step 4 - add query to CSS Scorecards
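The Step 2 check, written out as a standalone script over an inventory; this is an added example and not Antiope's own code or query. The inventory shape (a list of dicts carrying DomainName and the AccessPolicies JSON string, as DescribeElasticsearchDomain returns it), the sample domains, the account id and the role names are constructed. It goes slightly beyond the slide's hypothesis: a wildcard principal gated only by a source-IP condition of 0.0.0.0/0 or ::/0 is counted as public too, and a wildcard principal with a real condition is reported separately rather than dropped.

```python
"""Worked example: find publicly open Elasticsearch domains from an inventory.

Added illustration, not Antiope's own code. The inventory shape and the
sample domains below are constructed for the example.
"""
import json


def _policy(statements):
    return json.dumps({"Version": "2012-10-17", "Statement": statements})


# Constructed inventory: six domains with different access policies.
SAMPLE_DOMAINS = [
    {"DomainName": "logs-prod", "AccessPolicies": _policy([
        {"Effect": "Allow", "Principal": "*", "Action": "es:*",
         "Resource": "arn:aws:es:us-east-1:111122223333:domain/logs-prod/*"}])},
    {"DomainName": "search-internal", "AccessPolicies": _policy([
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
         "Resource": "arn:aws:es:us-east-1:111122223333:domain/search-internal/*",
         "Condition": {"IpAddress": {"aws:SourceIp": ["10.0.0.0/8"]}}}])},
    {"DomainName": "wide-open-cidr", "AccessPolicies": _policy([
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*", "Resource": "*",
         "Condition": {"IpAddress": {"aws:SourceIp": "0.0.0.0/0"}}}])},
    {"DomainName": "analytics", "AccessPolicies": _policy([
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/AnalyticsApp"},
         "Action": "es:ESHttp*",
         "Resource": "arn:aws:es:us-east-1:111122223333:domain/analytics/*"}])},
    {"DomainName": "legacy", "AccessPolicies": _policy([
        {"Effect": "Deny", "Principal": "*", "Action": "es:ESHttpDelete", "Resource": "*"},
        {"Effect": "Allow", "Principal": {"AWS": ["*"]}, "Action": "es:*", "Resource": "*"}])},
    {"DomainName": "empty-policy", "AccessPolicies": ""},
]


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """Principal "*" and Principal {"AWS": "*"} both mean anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _condition_is_open(condition):
    """A source-IP condition that allows the whole internet is no condition at all."""
    if set(condition) != {"IpAddress"}:
        return False
    cidrs = _as_list(condition["IpAddress"].get("aws:SourceIp"))
    return any(c in ("0.0.0.0/0", "::/0") for c in cidrs)


def classify_access_policy(access_policies):
    """Return PUBLIC, CONDITIONAL or RESTRICTED for one domain's policy.

    PUBLIC: an Allow with a wildcard principal and no (effective) Condition.
    CONDITIONAL: wildcard principal gated by a Condition, e.g. a private CIDR.
    RESTRICTED: only named principals, or no policy at all.
    Deny statements are not inspected; only Allow decides the verdict.
    """
    if not access_policies:
        return "RESTRICTED"
    policy = json.loads(access_policies)
    verdict = "RESTRICTED"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        condition = stmt.get("Condition") or {}
        if not condition or _condition_is_open(condition):
            return "PUBLIC"
        verdict = "CONDITIONAL"
    return verdict


def find_public_domains(domains):
    """Domain names matching the hunt hypothesis (Principal = * and no Condition)."""
    return sorted(d["DomainName"] for d in domains
                  if classify_access_policy(d.get("AccessPolicies")) == "PUBLIC")


def triage_report(domains):
    """Map classification -> sorted domain names, ready for a scorecard row."""
    report = {"PUBLIC": [], "CONDITIONAL": [], "RESTRICTED": []}
    for d in domains:
        report[classify_access_policy(d.get("AccessPolicies"))].append(d["DomainName"])
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(triage_report(SAMPLE_DOMAINS), indent=2))
```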
44. Threat Hunting In Antiope II
Hypothesis: “There are CloudFront distributions pointing to buckets that don’t exist or are controlled by others”
Step 1 - Inventory all CloudFront distributions
Step 2 - ES Query to find distributions with S3 as an origin
Step 3 - ES Query to get all Buckets.
Step 4 - Python script to merge
Step 5 - Hand off results to VM team
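The Step 4 merge, as an added example that also covers the orphaned Route53 alias check from the Subdomain Takeovers slide (both are the same question: an S3 reference whose bucket you don't own). This is not Antiope's code. The record shapes, the distribution ids, the owned-bucket list and every hostname except the one shown on the slide are constructed.

```python
"""Worked example: S3 references (Route53 aliases, CloudFront origins) whose
bucket is not in your own inventory.

Added illustration, not Antiope's code. Record shapes, distribution ids,
the owned-bucket list and the extra hostnames are constructed.
"""
import re

# Alias targets for S3 static website endpoints look like
# s3-website.<region>.amazonaws.com. or s3-website-<region>.amazonaws.com.
_S3_WEBSITE_ALIAS = re.compile(r"^s3-website[.-][a-z0-9-]+\.amazonaws\.com\.?$")
# CloudFront origin domains: <bucket>.s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com,
# <bucket>.s3-website[.-]<region>.amazonaws.com (bucket names may contain dots)
_S3_ORIGIN = re.compile(
    r"^(?P<bucket>.+?)\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$")

# Constructed Route53 output in the shape of the slide's --query
# "ResourceRecordSets[].[AliasTarget.DNSName,Name]": [alias_dns, record_name]
SAMPLE_ROUTE53 = [
    ["s3-website.us-east-2.amazonaws.com.", "wateringhole.room17.com."],
    ["s3-website-us-east-1.amazonaws.com.", "static.room17.com."],
    ["dualstack.app-alb-1234.us-east-1.elb.amazonaws.com.", "app.room17.com."],
]

# Constructed CloudFront distributions (subset of the DistributionSummary fields)
SAMPLE_DISTRIBUTIONS = [
    {"Id": "EXAMPLEDIST001",
     "Origins": {"Items": [{"DomainName": "cdn-assets-prod.s3.amazonaws.com"}]}},
    {"Id": "EXAMPLEDIST002",
     "Origins": {"Items": [{"DomainName": "old-marketing-site.s3-website-us-east-1.amazonaws.com"}]}},
    {"Id": "EXAMPLEDIST003",
     "Origins": {"Items": [{"DomainName": "api.room17.com"}]}},
]

# Constructed: buckets the organization owns (Step 3, merged across all accounts)
OWNED_BUCKETS = {"static.room17.com", "cdn-assets-prod"}


def bucket_from_route53_alias(alias_dns, record_name):
    """For S3 website aliases the bucket name must equal the record name."""
    if _S3_WEBSITE_ALIAS.match(alias_dns):
        return record_name.rstrip(".")
    return None


def bucket_from_origin(domain_name):
    """Bucket name for an S3 origin, or None for any other origin type."""
    m = _S3_ORIGIN.match(domain_name)
    return m.group("bucket") if m else None


def find_dangling(route53_records, distributions, owned_buckets):
    """Return references whose bucket is not in owned_buckets.

    A hit means either the bucket doesn't exist yet (anyone could create it)
    or it lives in an account you don't control; both go to the VM team.
    """
    findings = []
    for alias_dns, name in route53_records:
        bucket = bucket_from_route53_alias(alias_dns, name)
        if bucket and bucket not in owned_buckets:
            findings.append({"source": "route53", "name": name.rstrip("."), "bucket": bucket})
    for dist in distributions:
        for origin in dist.get("Origins", {}).get("Items", []):
            bucket = bucket_from_origin(origin.get("DomainName", ""))
            if bucket and bucket not in owned_buckets:
                findings.append({"source": "cloudfront", "name": dist["Id"], "bucket": bucket})
    return findings


if __name__ == "__main__":
    for hit in find_dangling(SAMPLE_ROUTE53, SAMPLE_DISTRIBUTIONS, OWNED_BUCKETS):
        print(hit)
```

Two caveats when running this for real: the owned-bucket set has to be built from every account in the organization, or you will chase false positives, and a bucket that exists but is missing from your inventory is exactly the "controlled by others" case the hypothesis is about, so do not filter hits on whether the bucket resolves.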
Casablanca (Warner Bros. Pictures 1942)
45. Multicloud
● Opensource community is focused on AWS
● Vendors are just starting to “get” Azure
● IAM is vastly different
● Account-governance is vastly different
48. Prepare
● Capture CloudTrail somewhere safe
● Set your Security Contact
● Work with your SOC to understand CloudTrail
○ Build Detections & Alerts
● IR Permissions in all accounts
49. Identify
● AWS Abuse is usually your IOC
● Monitor the Support tickets
● Or CloudTrail Searches
● GuardDuty can help
○ GuardDuty Severities are not good guidance
50. Containment, Eradication & Recovery
Review CloudTrail
- What user did it?
- Rotate password & access key
- What else did they do?
CloudTrail is the single best tool ever for account compromise
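The three questions on the slide, answered from CloudTrail records by a script; this is an added example, not tooling from the talk. The events are constructed in CloudTrail's record shape, and the access key ids, user names, account id, distribution of regions and source IPs (TEST-NET ranges) are placeholders. The summary also pulls out any access keys and users the compromised key created, since those have to be rotated or removed along with the original key.

```python
"""Worked example: review CloudTrail for one compromised access key.

Added illustration, not from the talk. The events below are constructed in
CloudTrail's record shape; key ids, users, account id and IPs are placeholders.
"""
from collections import Counter

ACCOUNT = "111122223333"                    # constructed account id
COMPROMISED_KEY = "AKIAEXAMPLELEAKED0001"   # constructed placeholder key id


def _event(time, source, name, key, user, ip, region="us-east-1", **extra):
    """Build one CloudTrail-shaped record (constructed sample data)."""
    ev = {
        "eventTime": time, "eventSource": source, "eventName": name,
        "awsRegion": region, "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key,
                         "arn": f"arn:aws:iam::{ACCOUNT}:user/{user}"},
    }
    ev.update(extra)
    return ev


SAMPLE_EVENTS = [
    _event("2019-08-01T12:00:01Z", "sts.amazonaws.com", "GetCallerIdentity",
           COMPROMISED_KEY, "deploy-bot", "198.51.100.7"),
    _event("2019-08-01T12:00:09Z", "s3.amazonaws.com", "ListBuckets",
           COMPROMISED_KEY, "deploy-bot", "198.51.100.7"),
    _event("2019-08-01T12:03:40Z", "iam.amazonaws.com", "CreateUser",
           COMPROMISED_KEY, "deploy-bot", "198.51.100.7",
           requestParameters={"userName": "backup-svc"}),
    _event("2019-08-01T12:03:41Z", "iam.amazonaws.com", "CreateAccessKey",
           COMPROMISED_KEY, "deploy-bot", "198.51.100.7",
           responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLEPERSIST0002",
                                           "userName": "backup-svc", "status": "Active"}}),
    _event("2019-08-01T12:10:15Z", "ec2.amazonaws.com", "RunInstances",
           COMPROMISED_KEY, "deploy-bot", "203.0.113.55", region="ap-southeast-1"),
    _event("2019-08-01T12:11:00Z", "cloudtrail.amazonaws.com", "StopLogging",
           COMPROMISED_KEY, "deploy-bot", "203.0.113.55", errorCode="AccessDenied"),
    _event("2019-08-01T12:30:00Z", "s3.amazonaws.com", "GetObject",
           "AKIAEXAMPLELEGIT00009", "alice", "192.0.2.10"),
]

READ_ONLY_PREFIXES = ("Describe", "List", "Get", "Head")


def _action(event):
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"


def events_for_key(events, access_key_id):
    """All events made with the given access key, oldest first."""
    hits = [e for e in events if e.get("userIdentity", {}).get("accessKeyId") == access_key_id]
    return sorted(hits, key=lambda e: e["eventTime"])


def summarize_key_activity(events, access_key_id):
    """Which user owns the key, and what else was done with it."""
    hits = events_for_key(events, access_key_id)
    if not hits:
        return None
    actions = Counter(_action(e) for e in hits)
    writes = sorted(a for a in actions if not a.split(":")[1].startswith(READ_ONLY_PREFIXES))
    new_keys = [e["responseElements"]["accessKey"]["accessKeyId"] for e in hits
                if e["eventName"] == "CreateAccessKey" and "responseElements" in e]
    new_users = [e["requestParameters"]["userName"] for e in hits
                 if e["eventName"] == "CreateUser" and "requestParameters" in e]
    return {
        "user_name": hits[0]["userIdentity"]["userName"],
        "first_seen": hits[0]["eventTime"],
        "last_seen": hits[-1]["eventTime"],
        "event_count": len(hits),
        "source_ips": sorted({e["sourceIPAddress"] for e in hits}),
        "regions": sorted({e["awsRegion"] for e in hits}),
        "write_actions": writes,
        "denied": sorted(_action(e) for e in hits if e.get("errorCode")),
        "keys_to_rotate": sorted({access_key_id, *new_keys}),
        "users_created": new_users,
    }


if __name__ == "__main__":
    for k, v in summarize_key_activity(SAMPLE_EVENTS, COMPROMISED_KEY).items():
        print(f"{k}: {v}")
```

In a real case the events come from the CloudTrail bucket the Prepare slide told you to capture (Athena over the organization trail is the usual route); the denied StopLogging attempt in the sample is the kind of event an SCP-protected trail produces and is worth its own alert.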
51. Containment, Eradication & Recovery
● Isolate Instances with IR security groups
● Leverage tools for instance forensics
○ ssm_acquire can be fully automated
○ Threat Response and Margarita Shotgun are good too