
Battle in the Clouds - Attacker vs Defender on AWS

"The interaction between attackers and defenders is like a ping pong game, and that is exactly how we did this research. On the offensive side Mo will share his tools and tactics for attacking AWS infrastructures, from recon to attacks to post exploitation on different services, with a focus on Elastic Container Service (ECS). After each attack step, Dani will explain the defensive side: tools and tactics for hardening the AWS infrastructure, from designing a secure cloud architecture to detection to hardening specific services like Docker containers on ECS. After the battle, we will both walk through common misconfiguration problems, one-click solutions for monitoring and attack detection, and workflows for pentesters on AWS. One of the most important lessons from our research is the importance of the interaction between pentesters and developers/DevOps engineers, and how a few days of working side by side can help us secure our current systems and learn to develop future systems with security in mind.

Dani and Mohsan will demonstrate an entire kill chain on a hypothetical organization operating in an AWS environment and pivoting into its internal Active Directory network. The demonstration will cover reconnaissance methods for a cloud environment and an attack on an AWS-hosted webserver that results in the compromise of access keys. The access keys will be used to access a separate AWS service, followed by escalation of privileges to administrator. We will further demonstrate exfiltration methods, setting up persistence in AWS, and, last but not least, pivoting to the internal AD environment and obtaining Domain Admin privileges.

Many open source tools will be used, as well as some custom Python scripts on the offensive side, for example: TruffleHog for scanning for leaked keys on GitHub, S3Scanner for enumerating S3 buckets, amass for DNS mapping and subdomain enumeration, CloudMapper for reconnaissance and auditing, Prowler for assessing security, Pacu and Metasploit for exploitation, and more.

On the defensive side, we will introduce open source tools like HashiCorp Vault and AWS Parameter Store for secret management, NAXSI as an open source WAF, vulnerability scanners for Docker, AWS KMS for creating and rotating keys for in-transit and at-rest data encryption, CloudTrail and CloudWatch for detecting suspicious activity and raising alarms, and more."


  1. Battle in the Clouds: Attacker vs Defender on AWS. Dani Goland, Mohsan Farid
  2. Shared Responsibility Model
  3. Hummus Bombing Celery Workers
  4. Relay 101
  5. Exchange Abuse
  6. Exchange Abuse
  7. Exchange Abuse
  8. Exchange Abuse
  9. Pivoting isn’t always easy but it sho is fun!
  10. Everybody Wants To Rule The World
  11. Shell Yeah!
  12. Lateral-aly
  13. Post Exploitation
  14. Post Exploitation
  15. Post Exploitation
  16. Post Exploitation
  17. Post Exploitation
  18. Post Exploitation
  19. Post Exploitation
  20. Infrastructure As Code (HashiCorp Terraform / AWS CloudFormation)
  21. Immutable Infrastructure (HashiCorp Packer)
      • Bake AMIs with Packer
      • Use Ansible to harden the OS
      • https://github.com/openstack/ansible-hardening
  22. Secret Management
      • HashiCorp Vault / AWS SSM Parameter Store
      • Granular control over access to secrets
      • Automatic generation of short-lived DB credentials (Vault)
  23. Interservice Communication
      • Use TLS
      • Manage your own keys via Vault
      • Use the Consul Connect sidecar to automatically proxy your traffic encrypted
  24. WAF
      • AWS WAF custom rules or managed rules
      • Open source solutions like NAXSI (with NGINX): https://github.com/nbs-system/naxsi
  25. Example Architecture
      • ALB → NGINX (w/ NAXSI) → ECS with Consul Connect sidecar → Vault
  26. AWS Services
      • GuardDuty – a threat detection service that continuously monitors for malicious activity and unauthorized behavior.
      • Inspector – an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.
  27. VirusBay Registration Code: “DEFCON27”
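Slide 21 names the recipe but not the wiring, so here is an added example (not from the talk or the speakers) of a Packer HCL2 template that bakes a hardened Ubuntu AMI and runs an Ansible playbook against the build instance. Assumed and not on the page: the region, the Ubuntu AMI filter, a local `./harden.yml` that applies the openstack/ansible-hardening role, and a `./requirements.yml` that pins that role.

```hcl
packer {
  required_plugins {
    amazon  = { version = ">= 1.0.0", source = "github.com/hashicorp/amazon" }
    ansible = { version = ">= 1.0.0", source = "github.com/hashicorp/ansible" }
  }
}

source "amazon-ebs" "hardened_base" {
  region        = "us-east-1"                 # assumed
  instance_type = "t3.small"
  ssh_username  = "ubuntu"
  ami_name      = "hardened-base-{{timestamp}}"

  # Always start from the newest Canonical-owned Ubuntu 20.04 image so the
  # baked AMI carries current patches rather than a stale snapshot.
  source_ami_filter {
    filters = {
      name                = "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"
      root-device-type    = "ebs"
      virtualization-type = "hvm"
    }
    most_recent = true
    owners      = ["099720109477"]           # Canonical's AWS account
  }

  # Encrypt the root volume at rest (ties in with the KMS point in the
  # abstract); kms_key_id can select a customer-managed key instead.
  encrypt_boot = true
}

build {
  sources = ["source.amazon-ebs.hardened_base"]

  # Hardening happens once, at bake time. The image is then immutable:
  # drift is fixed by rebaking and redeploying, not by patching live hosts.
  provisioner "ansible" {
    playbook_file = "./harden.yml"          # assumed: applies ansible-hardening
    galaxy_file   = "./requirements.yml"    # assumed: pins the role source
  }

  # Record the produced AMI ID so Terraform/CloudFormation (slide 20) can
  # consume it instead of a hand-copied value.
  post-processor "manifest" {
    output = "manifest.json"
  }
}
```

Run with `packer init .` followed by `packer build .`; the AMI ID in `manifest.json` is what the IaC layer should reference.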
