Successfully reported this slideshow.
Your SlideShare is downloading. ×

Can't Touch This: Detecting Lateral Movement In Zero Touch Environments

Dec. 06, 2022
0 likes 2 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
Using Cloud to Improve AppSec
Using Cloud to Improve AppSec
Loading in …3
×

Check these out next

x86-less ScyllaDB: Exploring an All-ARM Cluster
ScyllaDB
Optimizing ScyllaDB Performance via Observability
ScyllaDB
Maximum Uptime Cluster Orchestration with Ansible
ScyllaDB
Sink Your Teeth into Streaming at Any Scale
ScyllaDB
Synopsys_site.pptx
Arthur528009
ScyllaDB at Strava
ScyllaDB
Developing Enterprise Consciousness: Building Modern Open Data Platforms
ScyllaDB
Key-Key-Value Store: Generic NoSQL Datastore with Tombstone Reduction and Aut...
ScyllaDB
1 of 18 Ad

Can't Touch This: Detecting Lateral Movement In Zero Touch Environments

Dec. 06, 2022
0 likes 2 views
Technology

Zero-touch environments are a product of the fast-moving world of DevOps which is being adopted by an increasing number of successful companies. This session will show that by leveraging the constraints of this environment, we can identify malicious network traffic which would otherwise blend into the noise. First presented at DEF CON 28's Cloud Village.

Zero-touch environments are a product of the fast-moving world of DevOps which is being adopted by an increasing number of successful companies. This session will show that by leveraging the constraints of this environment, we can identify malicious network traffic which would otherwise blend into the noise. First presented at DEF CON 28's Cloud Village.

Technology
Advertisement

Recommended

Using Cloud to Improve AppSec
Phillip Marlow
3 views
18 slides
Testing 12-Factor Apps
Phillip Marlow
3 views
17 slides
Hacking DevOps
Phillip Marlow
27 views
16 slides
Can't Touch This: Detecting Lateral Movement In Zero Touch Environments
Phillip Marlow
2 views
17 slides
Can't Touch This: Detecting Lateral Movement In Zero Touch Environments
Phillip Marlow
2 views
16 slides
Finding Secrets in Source Code the DevOps Way
Phillip Marlow
63 views
14 slides
Does your motivation need a kick start?
University of Southern Queensland
16k views
29 slides
Better than a New Year's Resolution: A New Mindset
Deepak Chopra MD (official)
306.2k views
7 slides
Advertisement

More Related Content

Recently uploaded (20)

x86-less ScyllaDB: Exploring an All-ARM Cluster
ScyllaDB
0 views
Optimizing ScyllaDB Performance via Observability
ScyllaDB
0 views
Maximum Uptime Cluster Orchestration with Ansible
ScyllaDB
0 views
Sink Your Teeth into Streaming at Any Scale
ScyllaDB
0 views
Synopsys_site.pptx
Arthur528009
0 views
ScyllaDB at Strava
ScyllaDB
0 views
Developing Enterprise Consciousness: Building Modern Open Data Platforms
ScyllaDB
0 views
Key-Key-Value Store: Generic NoSQL Datastore with Tombstone Reduction and Aut...
ScyllaDB
0 views
Using ScyllaDB for Distribution of Game Assets in Unreal Engine
ScyllaDB
0 views
Strategies For Migrating From SQL to NoSQL — The Apache Kafka Way
ScyllaDB
0 views
Automating the Hunt for Non-Obvious Sources of Latency Spreads
ScyllaDB
0 views
Integrating ScyllaDB with Quarkus
ScyllaDB
0 views
Data Platform Architecture Principles and Evaluation Criteria
ScyllaDB
0 views
Scalable and Resilient Security Ratings Platform with ScyllaDB
ScyllaDB
0 views
Future of Compliance
Daniel Hurst
0 views
Mini cube salt bath furnace 1000°C
Borel Swiss
0 views
ShareChat's Journey Migrating 100TB of Data to ScyllaDB with NO Downtime
ScyllaDB
0 views
Building Next Generation Drivers: Optimizing Performance in Go and Rust
ScyllaDB
0 views
CI/CD for Data - Building Data Development Environment with lakeFS
ScyllaDB
0 views
16119 - Get to Know Your Data Sets (1).pdf
3operatordcslipiPeng
0 views
x86-less ScyllaDB: Exploring an All-ARM Cluster
ScyllaDB
0 views
20 slides
Optimizing ScyllaDB Performance via Observability
ScyllaDB
0 views
23 slides
Maximum Uptime Cluster Orchestration with Ansible
ScyllaDB
0 views
59 slides
Sink Your Teeth into Streaming at Any Scale
ScyllaDB
0 views
30 slides
Synopsys_site.pptx
Arthur528009
0 views
12 slides
ScyllaDB at Strava
ScyllaDB
0 views
16 slides

Featured (20)

How to Plan and Set Financial Goals
Experian_US
22.9k views
Choose Your Own (Career) Adventure
Lauren Galanter
27k views
chatgpt dalle.pptx
Ellen Edmands
2.2k views
25 Mission Statements From the World's Most Valuable Brands
Palo Alto Software
2.1M views
Trying To Change A Habit? Beware These 5 Traps.
Gretchen Rubin
9.2k views
Statistics On The Importance Of Employee Feedback
Officevibe
32.3k views
25 Time Management Hacks to Kickstart the New Year
Étienne Garbugli
219.7k views
The 3 Secrets of Highly Successful Graduates
Reid Hoffman
828.3k views
12 Days of Productivity
Redbooth
92.2k views
Data Design: Where Math and Art Collide
Trina Chiasson
89.1k views
How a Smart Leader Sets SMART Goals
Weekdone.com
86.7k views
Getting Started With OKRs (Objective Key Results)
The Moonshot Planner
2.9k views
A Guide to the Holiday Job Search
Noelle Gross, Career Strategy Coach
5k views
How to Have Difficult Conversations
Mattan Griffel
485.4k views
How to pretend you know soccer
Devesh Khanal
19.4k views
10 Productivity Hacks Backed By Science
When I Work
52k views
5 Ways to Give Feedback that Elicits Real Change
BambooHR
380.7k views
The Best Study Tips Revealed
LinkedIn
47.6k views
Understanding Artificial Intelligence - Major concepts for enterprise applica...
APPANION
30.1k views
Four Public Speaking Tips From Standup Comedians
Ross Simmonds
100.7k views
How to Plan and Set Financial Goals
Experian_US
22.9k views
39 slides
Choose Your Own (Career) Adventure
Lauren Galanter
27k views
19 slides
chatgpt dalle.pptx
Ellen Edmands
2.2k views
20 slides
25 Mission Statements From the World's Most Valuable Brands
Palo Alto Software
2.1M views
32 slides
Trying To Change A Habit? Beware These 5 Traps.
Gretchen Rubin
9.2k views
7 slides
Statistics On The Importance Of Employee Feedback
Officevibe
32.3k views
17 slides
Advertisement

Can't Touch This: Detecting Lateral Movement In Zero Touch Environments

  1. 1. Can’t Touch This: Detecting Lateral Movement in Zero-Touch Environments Phillip Marlow DEF CON Cloud Village 2020 Approved for Public Release; Distribution Unlimited. Case Number 20-2069
  2. 2. Disclaimers & Acknowledgements Approved for Public Release; Distribution Unlimited. Case Number 20-2069 ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author. Research conducted to fulfill degree requirements for the SANS Technology Institute’s Master of Science degree. Thank you to Tanya Baccam, Faculty Research Advisor Thank you to my wife Madeline, whom I also don’t speak for in this presentation.
  3. 3. > whoami • Security + DevOps = • Wrote my first vulnerable code in elementary school • Began learning to write exploit code in middle school • First time DEF CON speaker • Learning through hacking
  4. 4. Why Should I Care About DevOps? • Running any applications? That’s just the way it is now. • Cloud native • It’s also better for security @redteamwrangler https://teespring.com/shop/my-c2-has-five-nines-front
  5. 5. Attacker’s Options Internet Workstation Bastion App Server Source Repo Test Servers Configuration Server 1 2 3
  6. 6. Traditional Application Deployment • Developer gives Ops a deployment package and install instructions • Ops logs in to app server, manually installs software • Time to patch? Another manual login and install
  7. 7. Traditional Lateral Movement • To log in and do configuration, Ops has highly privileged credentials • Often the credentials are stored in plaintext on Ops workstations: • SSH Keys, e.g. ~/.ssh/id_rsa • API Tokens/Keys, e.g. ~/.aws/credentials • Attackers use these to move deeper into the environment to steal data, install malware, steal compute resources, etc
  8. 8. What Is Zero-Touch? • Google defined Zero-Touch Networking/Production • Used by mature DevOps organizations https://www.usenix.org/sites/default/files/conference/ protected-files/srecon19emea_slides_wolafka.pdf https://storage.googleapis.com/pub-tools-public- publication-data/pdf/45687.pdf
  9. 9. Zero-Touch Deployment https://www.usenix.org/sites/default/files/conference/protected-files/srecon19emea_slides_wolafka.pdf No Humans
  10. 10. Zero-Touch Deployment Internet Workstation Bastion App Server Source Repo Test Servers Configuration Server 3
  11. 11. Traditional Lateral Movement Internet Workstation Bastion App Server
  12. 12. Lateral Movement in a Zero-Touch Network Internet Workstation Bastion App Server Source Repo Test Servers Configuration Server
  13. 13. Detecting Lateral Movement • Define protected servers • Define human access points • Watch for ANY connections from the manual access points to protected servers • Alert, investigate, etc… • Profit!
  14. 14. Demo Time
  15. 15. But What About Cloud?! • Traffic Mirroring/Virtual Network Tap/Packet Mirroring • Flow Logs • Tagging/Asset Inventory is important • But… there are visibility challenges
  16. 16. Next Steps • If you’re not zero-touch yet – do it! • Implement this detection on your platform of choice • Tailor it to your specific environment • Correlate these events with other suspicious traffic
  17. 17. Lessons Learned • Know your network • Don’t be afraid to look for stupid simple things
  18. 18. Thank You! Phillip Marlow @wolramp

×