
Can't Touch This: Detecting Lateral Movement In Zero Touch Environments



Zero-touch environments are a product of the fast-moving world of DevOps which is being adopted by an increasing number of successful companies. This session will show that by leveraging the constraints of this environment, we can identify malicious network traffic which would otherwise blend into the noise. First presented at DEF CON 28's Cloud Village.


  1. Can’t Touch This: Detecting Lateral Movement in Zero-Touch Environments
     Phillip Marlow, DEF CON Cloud Village 2020
     Approved for Public Release; Distribution Unlimited. Case Number 20-2069
  2. Disclaimers & Acknowledgements
     Approved for Public Release; Distribution Unlimited. Case Number 20-2069. ©2020 The MITRE Corporation. ALL RIGHTS RESERVED.
     The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author.
     Research conducted to fulfill degree requirements for the SANS Technology Institute’s Master of Science degree.
     Thank you to Tanya Baccam, Faculty Research Advisor. Thank you to my wife Madeline, whom I also don’t speak for in this presentation.
  3. > whoami
     • Security + DevOps
     • Wrote my first vulnerable code in elementary school
     • Began learning to write exploit code in middle school
     • First-time DEF CON speaker
     • Learning through hacking
  4. Why Should I Care About DevOps?
     • Running any applications? That’s just the way it is now.
     • Cloud native
     • It’s also better for security
     (Image credit: @redteamwrangler, https://teespring.com/shop/my-c2-has-five-nines-front)
  5. Attacker’s Options
     (Diagram: Internet, Workstation, Bastion, App Server, Source Repo, Test Servers, Configuration Server; attack paths labelled 1, 2, 3)
  6. Traditional Application Deployment
     • Developer gives Ops a deployment package and install instructions
     • Ops logs in to the app server and manually installs the software
     • Time to patch? Another manual login and install
  7. Traditional Lateral Movement
     • To log in and do configuration, Ops has highly privileged credentials
     • Often the credentials are stored in plaintext on Ops workstations:
       • SSH keys, e.g. ~/.ssh/id_rsa
       • API tokens/keys, e.g. ~/.aws/credentials
     • Attackers use these to move deeper into the environment to steal data, install malware, steal compute resources, etc.
  8. What Is Zero-Touch?
     • Google defined Zero-Touch Networking/Production
     • Used by mature DevOps organizations
     https://www.usenix.org/sites/default/files/conference/protected-files/srecon19emea_slides_wolafka.pdf
     https://storage.googleapis.com/pub-tools-public-publication-data/pdf/45687.pdf
  9. Zero-Touch Deployment
     (Diagram: deployment pipeline with no humans in the loop; source: https://www.usenix.org/sites/default/files/conference/protected-files/srecon19emea_slides_wolafka.pdf)
  10. Zero-Touch Deployment
     (Diagram: Internet, Workstation, Bastion, App Server, Source Repo, Test Servers, Configuration Server; path 3)
  11. Traditional Lateral Movement
     (Diagram: Internet, Workstation, Bastion, App Server)
  12. Lateral Movement in a Zero-Touch Network
     (Diagram: Internet, Workstation, Bastion, App Server, Source Repo, Test Servers, Configuration Server)
  13. Detecting Lateral Movement
     • Define protected servers
     • Define human access points
     • Watch for ANY connections from the manual access points to protected servers
     • Alert, investigate, etc.
     • Profit!
  14. Demo Time
  15. But What About Cloud?!
     • Traffic Mirroring / Virtual Network Tap / Packet Mirroring
     • Flow Logs
     • Tagging / asset inventory is important
     • But… there are visibility challenges
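The detection on slide 13 and the flow-log/tagging point on slide 15 fit in one small program, so here is an added example (not the presenter's demo code) that applies the rule to flow records: an asset inventory tags each address as a human access point, a pipeline component or a protected server, and any flow from a human access point to a protected server raises an alert. The inventory, the addresses and the log lines are all constructed; the lines follow the default AWS VPC flow-log field order, and the parser skips NODATA/SKIPDATA records. Rejected attempts are reported too, since the slide says to watch for any connection, not only successful ones.

```python
"""Flag flows from human access points to protected servers (zero-touch rule).

Added example, not the talk's own code. Inventory and log lines are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed asset inventory (address -> role tag). In a cloud environment this
# would be built from instance tags / the provider's asset inventory.
ASSET_TAGS = {
    "10.0.1.10": "workstation",     # human access point
    "10.0.1.20": "bastion",         # human access point
    "10.0.2.30": "config-server",   # zero-touch pipeline component
    "10.0.2.40": "source-repo",     # pipeline component (humans push code here)
    "10.0.3.50": "app-server",      # protected: only the pipeline may touch it
    "10.0.3.51": "test-server",     # protected
}
HUMAN_ACCESS_POINTS = {"workstation", "bastion"}
PROTECTED_SERVERS = {"app-server", "test-server"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    protocol: int
    action: str   # ACCEPT or REJECT


@dataclass(frozen=True)
class Alert:
    src: str
    src_role: str
    dst: str
    dst_role: str
    dst_port: int
    action: str


def parse_flow_log_line(line: str) -> Optional[Flow]:
    """Parse one record in the default AWS VPC flow-log layout:
    version account-id interface-id srcaddr dstaddr srcport dstport protocol
    packets bytes start end action log-status.
    Returns None for malformed lines and for NODATA/SKIPDATA records."""
    fields = line.split()
    if len(fields) != 14 or fields[13] != "OK":
        return None
    return Flow(src=fields[3], dst=fields[4], dst_port=int(fields[6]),
                protocol=int(fields[7]), action=fields[12])


def is_lateral_movement(flow: Flow) -> bool:
    """The zero-touch rule: a human access point must never reach a protected server."""
    src_role = ASSET_TAGS.get(flow.src)
    dst_role = ASSET_TAGS.get(flow.dst)
    return src_role in HUMAN_ACCESS_POINTS and dst_role in PROTECTED_SERVERS


def detect(lines: List[str]) -> List[Alert]:
    """Run the rule over raw flow-log lines and return one Alert per violation."""
    alerts = []
    for line in lines:
        flow = parse_flow_log_line(line)
        if flow is None or not is_lateral_movement(flow):
            continue
        alerts.append(Alert(flow.src, ASSET_TAGS[flow.src], flow.dst,
                            ASSET_TAGS[flow.dst], flow.dst_port, flow.action))
    return alerts


# Constructed sample records (not real traffic).
SAMPLE_LINES = [
    # pipeline deploys to app server over SSH: expected, no alert
    "2 123456789012 eni-0a1b2c3d 10.0.2.30 10.0.3.50 44321 22 6 12 2048 1596200000 1596200060 ACCEPT OK",
    # someone on the bastion SSHes to the app server: alert
    "2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.3.50 51002 22 6 9 1420 1596200100 1596200160 ACCEPT OK",
    # developer workstation pushes to the source repo: allowed, no alert
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.40 51010 443 6 30 9000 1596200200 1596200260 ACCEPT OK",
    # workstation probes a test server and is rejected: still an alert
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.3.51 51020 8080 6 3 180 1596200300 1596200360 REJECT OK",
    # record with no data in the interval: skipped by the parser
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1596200400 1596200460 - NODATA",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(f"LATERAL MOVEMENT: {alert.src_role} {alert.src} -> "
              f"{alert.dst_role} {alert.dst}:{alert.dst_port} ({alert.action})")
```

The rule is deliberately coarse: in a zero-touch network the bastion-to-app-server path should be dead, so even a single hit is worth an analyst's time, and the alert carries both role tags so it can be correlated with other suspicious traffic as slide 16 suggests. Keeping the inventory accurate is the hard part, which is why the talk stresses tagging.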
  16. Next Steps
     • If you’re not zero-touch yet, do it!
     • Implement this detection on your platform of choice
     • Tailor it to your specific environment
     • Correlate these events with other suspicious traffic
  17. Lessons Learned
     • Know your network
     • Don’t be afraid to look for stupid simple things
  18. Thank You!
     Phillip Marlow, @wolramp
