SlideShare a Scribd company logo

Cloud Attacks: A Live Simulation of Cloud MIsconfiguration Attacks

Download as PPTX, PDF
D
DiemShin

The leading cause of data breaches in the cloud aren’t application or OS vulnerabilities--it’s cloud misconfiguration, which are almost always due to customer error. Unfortunately, these mistakes are easy to make and extraordinarily common in enterprise cloud environments. We’ve moved beyond simple “misconfigured S3 bucket” incidents and into more advanced attacks that exploit a series of common cloud misconfiguration vulnerabilities--many of which are often missed or not even categorized as misconfigurations by security teams.

Software
1 of 13
CLOUD ATTACKS A Live Simulation of Cloud Misconfiguration Exploits Josh Stella, Co-Founder & CTO Fugue
#InfoSecWorld AGENDA 1. Overview of cloud misconfiguration risk 2. Live Demo: Cloud misconfiguration exploits in action 3. Actionable steps to secure your cloud environment 4. Q&A
#InfoSecWorld A MAJOR SECURITY RISK Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes. 93%CONCERNED FOR MAJOR SECURITY BREACH DUE TO MISCONFIGURATION “ ⎯ Neil MacDonald, Gartner “
CLOUD MISCONFIGURATION IS A MAJOR SECURITY RISK 66%IAM 59%SECURITY GROUP RULES 51%OBJECT STORAGE ACCESS POLICIES 42%ENCRYPTION IN TRANSIT DISABLED
Many dangerous cloud misconfigurations are: • not recognized as misconfigurations by security teams • not considered policy violations by compliance frameworks • exceedingly common in enterprise cloud environments CLOUD MISCONFIGURATION IS OFTEN OVERLOOKED
Before Cloud 1. Identify your target organization 2. Search for vulnerabilities to exploit HACKER STRATEGY HAS EVOLVED Cloud 1. Identify misconfiguration vulnerabilities 2. Prioritize your target organizations Bad actors use automation to find and exploit cloud misconfiguration
Before Cloud 1. Network and security teams deliver infrastructure to app teams 2. Network analysis and threat detection tools identify intrusions; human-guided response SECURITY STRATEGY MUST EVOLVE TOO Cloud 1. Developers create their own infrastructure and are empowered to secure it 2. Policy as code validation tools prevent misconfiguration; automated detection and remediation eliminates it Cloud security is a software engineering problem, not a security analysis problem.
A DEMONSTRATION OF A CLOUD MISCONFIGURATION ATTACK
ONE Firewall Misconfiguration Causes often include “drift” and orphaned resources THIS MISCONFIGURATION ATTACK IN REVIEW TWO Accessing EC2 instance Causes include unpatched instances containing a vulnerability (often orphaned) THREE Getting IAM role access to S3 Insecure use of IAM and EC2 permissions FOUR Bucket discovery and duplication The danger of a single IAM role with broad permissions
1: Monitor all access point configurations • Continuously monitor Security Groups for misconfiguration (e.g. access from 0.0.0.0/0) 2: Apply Principle of Least Permission • Ruthlessly limit IAM roles to business requirements for the app • Use different end points for read and write operations • Eliminate S3 bucket listing in production environments 3: Don’t allow EC2 instances to have IAM roles that allow attaching or replacing role policies KEY TAKEAWAYS AND RECOMMENDATIONS
4. Ruthlessly clean up unused cloud resources (especially EC2 instances and S3 buckets) • “Orphaned” resources are common and can contain misconfigurations and unpatched OS or application vulnerabilities 5. Include cloud misconfiguration in penetration testing • Use outside pen testers who understand cloud misconfiguration and how to exploit it 6. Use automated remediation for security-critical cloud resources • Focus first on VPCs, S3 buckets, Security Groups, EC2, and IAM) 7. Use an open source policy as code framework for validating compliance • Open Policy Agent and Rego policy language KEY TAKEAWAYS AND RECOMMENDATIONS
#InfoSecWorld QUESTIONS? Q&A Resources: Fugue Developer is free forever: www.fugue.co/go Validate Terraform with Regula: https://github.com/fugue/regula Fregot (for working with Rego): https://github.com/fugue/fregot Open Policy Agent: https://www.openpolicyagent.org/
THANK YOU! Josh Stella, Co-Founder & CTO Fugue

Recommended

Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
n|u - The Open Security Community
 
CSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterCSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations Center
Alert Logic
 
2015.04.24 Updated > Android Security Development - Part 1: App Development
2015.04.24 Updated > Android Security Development - Part 1: App Development 2015.04.24 Updated > Android Security Development - Part 1: App Development
2015.04.24 Updated > Android Security Development - Part 1: App Development
Cheng-Yi Yu
 
Web App Attacks - Stats & Remediation
Web App Attacks - Stats & RemediationWeb App Attacks - Stats & Remediation
Web App Attacks - Stats & Remediation
Qualys
 
Top 5 Priorities for Cloud Security
Top 5 Priorities for Cloud SecurityTop 5 Priorities for Cloud Security
Top 5 Priorities for Cloud Security
Teri Radichel
 
CSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCCSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOC
Alert Logic
 
How Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesHow Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software Vulnerabilities
Bunmi Sowande
 
Acronis Active Protection: A Way To Combat Ransomware Attack
Acronis Active Protection: A Way To Combat Ransomware AttackAcronis Active Protection: A Way To Combat Ransomware Attack
Acronis Active Protection: A Way To Combat Ransomware Attack
Acronis
 

Recommended

Humla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null SingaporeHumla workshop on Android Security Testing - null Singapore
Humla workshop on Android Security Testing - null Singapore
n|u - The Open Security Community
 
CSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations CenterCSS17: Houston - Stories from the Security Operations Center
CSS17: Houston - Stories from the Security Operations Center
Alert Logic
 
2015.04.24 Updated > Android Security Development - Part 1: App Development
2015.04.24 Updated > Android Security Development - Part 1: App Development 2015.04.24 Updated > Android Security Development - Part 1: App Development
2015.04.24 Updated > Android Security Development - Part 1: App Development
Cheng-Yi Yu
 
Web App Attacks - Stats & Remediation
Web App Attacks - Stats & RemediationWeb App Attacks - Stats & Remediation
Web App Attacks - Stats & Remediation
Qualys
 
Top 5 Priorities for Cloud Security
Top 5 Priorities for Cloud SecurityTop 5 Priorities for Cloud Security
Top 5 Priorities for Cloud Security
Teri Radichel
 
CSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOCCSS 17: NYC - Stories from the SOC
CSS 17: NYC - Stories from the SOC
Alert Logic
 
How Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software VulnerabilitiesHow Malware Works - Understanding Software Vulnerabilities
How Malware Works - Understanding Software Vulnerabilities
Bunmi Sowande
 
Acronis Active Protection: A Way To Combat Ransomware Attack
Acronis Active Protection: A Way To Combat Ransomware AttackAcronis Active Protection: A Way To Combat Ransomware Attack
Acronis Active Protection: A Way To Combat Ransomware Attack
Acronis
 
Security Risks & Vulnerabilities in Skype
Security Risks & Vulnerabilities in SkypeSecurity Risks & Vulnerabilities in Skype
Security Risks & Vulnerabilities in Skype
Kelum Senanayake
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the Cloud
Alert Logic
 
New microsoft application security problem
New microsoft application security problemNew microsoft application security problem
New microsoft application security problem
John Davis
 
Re solution - corona virus cyber security infographic
Re solution - corona virus cyber security infographicRe solution - corona virus cyber security infographic
Re solution - corona virus cyber security infographic
Jacob Tranter
 
Cisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magicCisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magic
ITrust - Cybersecurity as a Service
 
Secure Coding 2013
Secure Coding 2013 Secure Coding 2013
Secure Coding 2013
The eCore Group
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
CSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudCSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the Cloud
Alert Logic
 
Internship brochure
Internship brochureInternship brochure
Internship brochure
FixNix Inc.,
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
Alert Logic
 
The World Against the Bad, Cisco AMP Solution to the Rescue
The World Against the Bad, Cisco AMP Solution to the RescueThe World Against the Bad, Cisco AMP Solution to the Rescue
The World Against the Bad, Cisco AMP Solution to the Rescue
Cisco Canada
 
Reality Check: Security in the Cloud
Reality Check: Security in the CloudReality Check: Security in the Cloud
Reality Check: Security in the Cloud
Alert Logic
 
Intel McAfee DeepSAFE Technology
Intel McAfee DeepSAFE TechnologyIntel McAfee DeepSAFE Technology
Intel McAfee DeepSAFE Technology
Can Your Security
 
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Sohini Mukherjee
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
Alert Logic
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
AgileNetwork
 
Owasp and friends
Owasp and friendsOwasp and friends
Owasp and friends
Mažvydas Skuodas
 
Cisco amp for endpoints
Cisco amp for endpointsCisco amp for endpoints
Cisco amp for endpoints
Cisco Canada
 
Managing Application Config and Secrets
Managing Application Config and SecretsManaging Application Config and Secrets
Managing Application Config and Secrets
Eng Teong Cheah
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
Alert Logic
 
Core strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSCore strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWS
Shane Peden
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure
Abdul Khan
 

More Related Content

What's hot

What's hot (20)

Security Risks & Vulnerabilities in Skype
Security Risks & Vulnerabilities in SkypeSecurity Risks & Vulnerabilities in Skype
Security Risks & Vulnerabilities in Skype
 
CSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the CloudCSS 17: NYC - Realities of Security in the Cloud
CSS 17: NYC - Realities of Security in the Cloud
 
New microsoft application security problem
New microsoft application security problemNew microsoft application security problem
New microsoft application security problem
 
Re solution - corona virus cyber security infographic
Re solution - corona virus cyber security infographicRe solution - corona virus cyber security infographic
Re solution - corona virus cyber security infographic
 
Cisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magicCisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magic
 
Secure Coding 2013
Secure Coding 2013 Secure Coding 2013
Secure Coding 2013
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
CSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudCSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the Cloud
 
Internship brochure
Internship brochureInternship brochure
Internship brochure
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
The World Against the Bad, Cisco AMP Solution to the Rescue
The World Against the Bad, Cisco AMP Solution to the RescueThe World Against the Bad, Cisco AMP Solution to the Rescue
The World Against the Bad, Cisco AMP Solution to the Rescue
 
Reality Check: Security in the Cloud
Reality Check: Security in the CloudReality Check: Security in the Cloud
Reality Check: Security in the Cloud
 
Intel McAfee DeepSAFE Technology
Intel McAfee DeepSAFE TechnologyIntel McAfee DeepSAFE Technology
Intel McAfee DeepSAFE Technology
 
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
 
Realities of Security in the Cloud
Realities of Security in the CloudRealities of Security in the Cloud
Realities of Security in the Cloud
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh ShregillAgile Network India | DevSecOps - The What and the Why | Ritesh Shregill
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
 
Owasp and friends
Owasp and friendsOwasp and friends
Owasp and friends
 
Cisco amp for endpoints
Cisco amp for endpointsCisco amp for endpoints
Cisco amp for endpoints
 
Managing Application Config and Secrets
Managing Application Config and SecretsManaging Application Config and Secrets
Managing Application Config and Secrets
 
Protecting Against Web Attacks
Protecting Against Web AttacksProtecting Against Web Attacks
Protecting Against Web Attacks
 

Similar to Cloud Attacks: A Live Simulation of Cloud MIsconfiguration Attacks

The 3 Recommendations for Cloud Security
The 3 Recommendations for Cloud SecurityThe 3 Recommendations for Cloud Security
The 3 Recommendations for Cloud Security
VAST
 
Chaos engineering for cloud native security
Chaos engineering for cloud native securityChaos engineering for cloud native security
Chaos engineering for cloud native security
Kennedy
 

Similar to Cloud Attacks: A Live Simulation of Cloud MIsconfiguration Attacks (20)

Core strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWSCore strategies to develop defense in depth in AWS
Core strategies to develop defense in depth in AWS
 
7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure7 Ways To Cyberattack And Hack Azure
7 Ways To Cyberattack And Hack Azure
 
Outpost24 webinar - Mastering the art of multicloud security
Outpost24 webinar - Mastering the art of multicloud securityOutpost24 webinar - Mastering the art of multicloud security
Outpost24 webinar - Mastering the art of multicloud security
 
The 3 Recommendations for Cloud Security
The 3 Recommendations for Cloud SecurityThe 3 Recommendations for Cloud Security
The 3 Recommendations for Cloud Security
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KLBreaking Secure Mobile Applications - Hack In The Box 2014 KL
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
 
Cloud computing final show
Cloud computing final showCloud computing final show
Cloud computing final show
 
Cloud security risks
Cloud security risksCloud security risks
Cloud security risks
 
Cloud security risks
Cloud security risksCloud security risks
Cloud security risks
 
Cloud Security_ Unit 4
Cloud Security_ Unit 4Cloud Security_ Unit 4
Cloud Security_ Unit 4
 
The Ultimate Guide For Cloud Penetration Testing.pdf
The Ultimate Guide For Cloud Penetration Testing.pdfThe Ultimate Guide For Cloud Penetration Testing.pdf
The Ultimate Guide For Cloud Penetration Testing.pdf
 
Cloud Security Governance
Cloud Security GovernanceCloud Security Governance
Cloud Security Governance
 
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
 
Chaos engineering for cloud native security
Chaos engineering for cloud native securityChaos engineering for cloud native security
Chaos engineering for cloud native security
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptx
 
Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
 
Expand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and DataExpand Your Control of Access to IBM i Systems and Data
Expand Your Control of Access to IBM i Systems and Data
 
AWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and ComplianceAWS Security Best Practices, SaaS and Compliance
AWS Security Best Practices, SaaS and Compliance
 
The 15 best cloud security practices
The 15 best cloud security practices The 15 best cloud security practices
The 15 best cloud security practices
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
 

Recently uploaded

Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
VictoriaMetrics
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp Krisztián
 

Recently uploaded (20)

WSO2Con2024 - Organization Management: The Revolution in B2B CIAM
WSO2Con2024 - Organization Management: The Revolution in B2B CIAMWSO2Con2024 - Organization Management: The Revolution in B2B CIAM
WSO2Con2024 - Organization Management: The Revolution in B2B CIAM
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public AdministrationWSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
WSO2CON 2024 - How CSI Piemonte Is Apifying the Public Administration
 
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
WSO2CON 2024 - Building the API First Enterprise – Running an API Program, fr...
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
WSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration ToolingWSO2Con2024 - Low-Code Integration Tooling
WSO2Con2024 - Low-Code Integration Tooling
 
Announcing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK SoftwareAnnouncing Codolex 2.0 from GDK Software
Announcing Codolex 2.0 from GDK Software
 
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
WSO2Con2024 - Hello Choreo Presentation - Kanchana
WSO2Con2024 - Hello Choreo Presentation - KanchanaWSO2Con2024 - Hello Choreo Presentation - Kanchana
WSO2Con2024 - Hello Choreo Presentation - Kanchana
 
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of TransformationWSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
WSO2CON 2024 - Designing Event-Driven Enterprises: Stories of Transformation
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
WSO2Con2024 - Navigating the Digital Landscape: Transforming Healthcare with ...
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 

Cloud Attacks: A Live Simulation of Cloud MIsconfiguration Attacks

  • 1. CLOUD ATTACKS A Live Simulation of Cloud Misconfiguration Exploits Josh Stella, Co-Founder & CTO Fugue
  • 2. #InfoSecWorld AGENDA 1. Overview of cloud misconfiguration risk 2. Live Demo: Cloud misconfiguration exploits in action 3. Actionable steps to secure your cloud environment 4. Q&A
  • 3. #InfoSecWorld A MAJOR SECURITY RISK Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes. 93%CONCERNED FOR MAJOR SECURITY BREACH DUE TO MISCONFIGURATION “ ⎯ Neil MacDonald, Gartner “
  • 4. CLOUD MISCONFIGURATION IS A MAJOR SECURITY RISK 66%IAM 59%SECURITY GROUP RULES 51%OBJECT STORAGE ACCESS POLICIES 42%ENCRYPTION IN TRANSIT DISABLED
  • 5. Many dangerous cloud misconfigurations are: • not recognized as misconfigurations by security teams • not considered policy violations by compliance frameworks • exceedingly common in enterprise cloud environments CLOUD MISCONFIGURATION IS OFTEN OVERLOOKED
  • 6. Before Cloud 1. Identify your target organization 2. Search for vulnerabilities to exploit HACKER STRATEGY HAS EVOLVED Cloud 1. Identify misconfiguration vulnerabilities 2. Prioritize your target organizations Bad actors use automation to find and exploit cloud misconfiguration
  • 7. Before Cloud 1. Network and security teams deliver infrastructure to app teams 2. Network analysis and threat detection tools identify intrusions; human-guided response SECURITY STRATEGY MUST EVOLVE TOO Cloud 1. Developers create their own infrastructure and are empowered to secure it 2. Policy as code validation tools prevent misconfiguration; automated detection and remediation eliminates it Cloud security is a software engineering problem, not a security analysis problem.
  • 8. A DEMONSTRATION OF A CLOUD MISCONFIGURATION ATTACK
  • 9. ONE Firewall Misconfiguration Causes often include “drift” and orphaned resources THIS MISCONFIGURATION ATTACK IN REVIEW TWO Accessing EC2 instance Causes include unpatched instances containing a vulnerability (often orphaned) THREE Getting IAM role access to S3 Insecure use of IAM and EC2 permissions FOUR Bucket discovery and duplication The danger of a single IAM role with broad permissions
  • 10. 1: Monitor all access point configurations • Continuously monitor Security Groups for misconfiguration (e.g. access from 0.0.0.0/0) 2: Apply Principle of Least Permission • Ruthlessly limit IAM roles to business requirements for the app • Use different end points for read and write operations • Eliminate S3 bucket listing in production environments 3: Don’t allow EC2 instances to have IAM roles that allow attaching or replacing role policies KEY TAKEAWAYS AND RECOMMENDATIONS
  • 11. 4. Ruthlessly clean up unused cloud resources (especially EC2 instances and S3 buckets) • “Orphaned” resources are common and can contain misconfigurations and unpatched OS or application vulnerabilities 5. Include cloud misconfiguration in penetration testing • Use outside pen testers who understand cloud misconfiguration and how to exploit it 6. Use automated remediation for security-critical cloud resources • Focus first on VPCs, S3 buckets, Security Groups, EC2, and IAM) 7. Use an open source policy as code framework for validating compliance • Open Policy Agent and Rego policy language KEY TAKEAWAYS AND RECOMMENDATIONS
  • 12. #InfoSecWorld QUESTIONS? Q&A Resources: Fugue Developer is free forever: www.fugue.co/go Validate Terraform with Regula: https://github.com/fugue/regula Fregot (for working with Rego): https://github.com/fugue/fregot Open Policy Agent: https://www.openpolicyagent.org/
  • 13. THANK YOU! Josh Stella, Co-Founder & CTO Fugue