2022 © Netskope Confidential. All rights reserved.
Gray Cover: The dangers of cloud shells
Colin Estep
Principal Security Researcher
Netskope Threat Labs
Agenda
• Introduction to Google Cloud Shell
• Common Controls and Logging
• How to abuse Cloud Shell
• Mitigating your risk
The Problem
Google Cloud Shell can be an avenue for data exfiltration
Why is it a problem?
• Invisible to most organizations
• Easy to exploit
• Evades robust security controls
Introduction to Google Cloud Shell
What is Google Cloud Shell?
• A free Linux-based container providing some compute services
• Can provide a shell in the browser
• Deleted an hour after the session is closed
Does anything persist?
• 5 GB of persistent storage (unless running in Ephemeral mode)
• It can hold your shell customization (like .bashrc) across sessions
• In order to make use of the storage, Cloud Shell allows you to upload files to the container.
Tools included
Options for launching Cloud Shell
Via Web Browser
Via Command Line
Where is it running?
[Diagram: Google Managed vs. Customer Managed. Google Managed: Cloud Shell (Google runs the container for you). Customer Managed: Compute Services (App Engine, Kubernetes Engine, Compute Engine) and Corporate Laptops / Desktops.]
Common Controls and Logging
What GCP provides - Basic Controls
Enable / Disable services
Control group/user access
Firewall policies
What GCP provides - VPC Service Controls
Google Ops Agent
Collects telemetry from Compute Engine instances
What GCP provides - Logging
Common Controls and Logging
[Diagram: Customer Managed Environment (Corporate Laptops / Desktops) covered by Cloud Firewall Rules, Cloud APIs, Cloud IAM, VPC Service Controls, Ops Agent and Cloud Logging.]
How to abuse Cloud Shell
Exploitation Scenario: Data Exfiltration
[Diagram: Corporate Laptops / Desktops upload to Cloud Shell; Cloud Shell uploads to the Internet (File.io, Pastebin.com, [malicious domain]).]
Controls and Logging
[Diagram repeated from the exploitation scenario: Corporate Laptops / Desktops upload to Cloud Shell; Cloud Shell uploads to the Internet (File.io, Pastebin.com, [malicious domain]). The build-up slides call out the following gaps:]
• No IAM controls to limit access
• No audit logs for Cloud Shell API
• No visibility into the traffic
• No limiting controls on the traffic
• No logs for uploads
• No shell history
• No agent support
• No traffic visibility
• No Internet access restrictions
Uploads to Cloud Shell
[Diagram repeated: Corporate Laptops / Desktops upload to Cloud Shell; Cloud Shell uploads to the Internet (File.io, Pastebin.com, [malicious domain]).]
• HTTPS via Web Interface
• SSH via Command Line
Uploads via Browser
Uploads via Browser (metadata)
Uploading through the web interface looks like this:
[Screenshot of the upload request, annotated: Destination directory, Host domain]
Uploads via Browser (file content)
[Screenshot of the upload request body, annotated: File contents]
Uploads via Command Line
• You must install the Google command-line utility: gcloud
• Use gcloud to start a shell or an upload
A file upload command example:
gcloud cloud-shell scp localhost:~/sensitive_file cloudshell:~/sensitive_file
Below is the output of debugging from gcloud (--verbosity="debug"):
[Screenshot of the debug output, annotated: Key pair: "google_compute_engine"; Sends SCP to port 6000]
Mitigating your risk
Limit Usage
• Cloud Shell can be disabled for Google Workspace or Cloud Identity users
• Allow only the subset of your users who need it (least privilege)
Finding Exploitation - Web Interface
[Diagram repeated from the exploitation scenario. Controls called out:]
• Web Proxy with Decryption
• Data Loss Prevention
Finding Exploitation - Command Line
[Diagram repeated from the exploitation scenario. Controls called out:]
• Monitor calls to Cloud Shell
• Monitor traffic volume to port 6000
Take-Aways
• Cloud Shell is not included in commonly used controls and logging provided by GCP
• It would be very easy for a malicious insider or malware to exploit it
• We need monitoring in place from our environment to address:
– Web-based uploads
– SCP-based uploads
• We should take a least privilege approach, and limit access to Cloud Shell
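The two monitoring points the deck asks for (web-based uploads and SCP-based uploads) can both be driven from logs the organization already owns: decrypted web-proxy logs for the browser path, and firewall or proxy connection logs for the port 6000 SCP path. The script below is an added example and is not part of the deck or of any Netskope tooling. It parses a constructed connection-log format, totals outbound bytes per source host to port 6000, and flags POST/PUT requests to the Cloud Shell upload host. The log format, the sample lines, the volume threshold and the host name CLOUDSHELL_UPLOAD_HOST are all assumptions made for this example; take the real host domain from the "Host domain" field visible in your own proxy logs.

```python
"""Added example: detect the two Cloud Shell upload paths from constructed
connection logs. Log format, sample lines and the host placeholder are
assumptions made for this example, not values from the deck."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# ASSUMPTION: placeholder for the Cloud Shell upload host domain. The deck only
# shows the real value in a screenshot, so substitute what your proxy logs show.
CLOUDSHELL_UPLOAD_HOST = "cloudshell-upload-host.example"
# The deck's gcloud debug output shows "gcloud cloud-shell scp" using port 6000.
CLOUDSHELL_SCP_PORT = 6000
# Bytes per source host (over the log window) above which SCP volume is flagged.
# An assumed tuning value; adjust to your environment's baseline.
SCP_VOLUME_THRESHOLD = 10 * 1024 * 1024

# Constructed sample log (not real data). One space-separated record per line:
# timestamp src_host dst_host dst_port bytes_out method path  ("-" when not HTTP)
# The last line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """\
2022-05-01T10:00:01Z wks-017 203.0.113.10 6000 5242880 - -
2022-05-01T10:00:02Z wks-017 203.0.113.10 6000 8388608 - -
2022-05-01T10:00:05Z wks-021 198.51.100.5 443 1200 GET /index.html
2022-05-01T10:00:07Z wks-042 cloudshell-upload-host.example 443 2097152 POST /upload?dest=~/data
2022-05-01T10:00:08Z wks-042 cloudshell-upload-host.example 443 800 GET /
2022-05-01T10:00:09Z wks-017 203.0.113.10 6000 4194304 - -
malformed line that the parser must skip
"""


@dataclass(frozen=True)
class ConnRecord:
    ts: str
    src: str
    dst: str
    dst_port: int
    bytes_out: int
    method: str
    path: str


def parse_log(text: str) -> list[ConnRecord]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    records: list[ConnRecord] = []
    for line in text.splitlines():
        parts = line.split(maxsplit=6)
        if len(parts) != 7:
            continue
        ts, src, dst, port, nbytes, method, path = parts
        try:
            records.append(ConnRecord(ts, src, dst, int(port), int(nbytes), method, path))
        except ValueError:
            continue  # non-numeric port or byte count: not a valid record
    return records


def scp_bytes_by_source(records: list[ConnRecord], port: int = CLOUDSHELL_SCP_PORT) -> dict[str, int]:
    """Total bytes each source host sent to the SCP port (the command-line path)."""
    totals: dict[str, int] = defaultdict(int)
    for r in records:
        if r.dst_port == port:
            totals[r.src] += r.bytes_out
    return dict(totals)


def find_scp_upload_volume(records: list[ConnRecord], threshold: int = SCP_VOLUME_THRESHOLD,
                           port: int = CLOUDSHELL_SCP_PORT) -> list[tuple[str, int]]:
    """Source hosts whose volume to the SCP port reaches the threshold, largest first."""
    totals = scp_bytes_by_source(records, port)
    hits = [(src, total) for src, total in totals.items() if total >= threshold]
    return sorted(hits, key=lambda h: h[1], reverse=True)


def find_browser_uploads(records: list[ConnRecord], host: str = CLOUDSHELL_UPLOAD_HOST) -> list[tuple[str, str, int]]:
    """Upload-style HTTP requests (POST/PUT) to the Cloud Shell host (the web path)."""
    return [(r.src, r.path, r.bytes_out)
            for r in records
            if r.dst == host and r.method.upper() in ("POST", "PUT")]


def run_detections(text: str) -> dict[str, list]:
    """Run both detections over a log and return the findings by name."""
    records = parse_log(text)
    return {
        "scp_volume": find_scp_upload_volume(records),
        "browser_uploads": find_browser_uploads(records),
    }


if __name__ == "__main__":
    for name, findings in run_detections(SAMPLE_LOG).items():
        print(name)
        for finding in findings:
            print("  ", finding)
```

Port 6000 on its own is a weak signal, since other software also uses it; pair the volume check with the deck's other point, monitoring for calls to Cloud Shell (the gcloud invocation on the endpoint), and treat the combination as the alert. The browser-path check only works where the web proxy decrypts TLS, which is exactly the "Web Proxy with Decryption" control the deck lists.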
Colin Estep
Netskope Threat Labs
LinkedIn: https://www.linkedin.com/in/colinestep/
Twitter: @colinsecure
Thank you!
