Can't Touch This: Detecting Lateral Movement In Zero Touch Environments

•

0 likes•8 views

Zero-touch environments are a product of the fast-moving world of DevOps which is being adopted by an increasing number of successful companies. This session will show that by leveraging the constraints of this environment, we can identify malicious network traffic which would otherwise blend into the noise. First presented at DEF CON 28's Cloud Village.

Technology

Can’t Touch This: Detecting
Lateral Movement in Zero-Touch
Environments
Phillip Marlow
DEF CON Cloud Village 2020
Approved for Public Release; Distribution Unlimited. Case Number 20-2069

Disclaimers & Acknowledgements
Approved for Public Release; Distribution Unlimited. Case Number 20-2069
©2020 The MITRE Corporation. ALL RIGHTS RESERVED. The author's affiliation
with The MITRE Corporation is provided for identification purposes only, and
is not intended to convey or imply MITRE's concurrence with, or support for,
the positions, opinions, or viewpoints expressed by the author.
Research conducted to fulfill degree requirements for the
SANS Technology Institute’s Master of Science degree.
Thank you to Tanya Baccam, Faculty Research Advisor
Thank you to my wife Madeline,
whom I also don’t speak for in
this presentation.

> whoami
• Security + DevOps =
• Wrote my first vulnerable code in
elementary school
• Began learning to write exploit code in
middle school
• First time DEF CON speaker
• Learning through hacking

Why Should I Care About DevOps?
• Running any applications? That’s
just the way it is now.
• Cloud native
• It’s also better for security
@redteamwrangler
https://teespring.com/shop/my-c2-has-five-nines-front

Attacker’s Options
Internet
Workstation
Bastion
App Server
Source Repo
Test
Servers
Configuration
Server
1 2
3

Traditional Application Deployment
• Developer gives Ops a deployment package and install instructions
• Ops logs in to app server, manually installs software
• Time to patch? Another manual login and install

Traditional Lateral Movement
• To log in and do configuration, Ops has highly privileged credentials
• Often the credentials are stored in plaintext on Ops workstations:
• SSH Keys, e.g. ~/.ssh/id_rsa
• API Tokens/Keys, e.g. ~/.aws/credentials
• Attackers use these to move deeper into the environment to steal
data, install malware, steal compute resources, etc

What Is Zero-Touch?
• Google defined Zero-Touch Networking/Production
• Used by mature DevOps organizations
https://www.usenix.org/sites/default/files/conference/
protected-files/srecon19emea_slides_wolafka.pdf
https://storage.googleapis.com/pub-tools-public-
publication-data/pdf/45687.pdf

Zero-Touch Deployment
https://www.usenix.org/sites/default/files/conference/protected-files/srecon19emea_slides_wolafka.pdf
No Humans

Zero-Touch Deployment
Internet
Workstation
Bastion
App Server
Source Repo
Test
Servers
Configuration
Server
3

Traditional Lateral Movement
Internet
Workstation
Bastion
App Server

Lateral Movement in a Zero-Touch Network
Internet
Workstation
Bastion
App Server
Source Repo
Test
Servers
Configuration
Server

Detecting Lateral Movement
• Define protected servers
• Define human access points
• Watch for ANY connections from the manual access points to
protected servers
• Alert, investigate, etc…
• Profit!

But What About Cloud?!
• Traffic Mirroring/Virtual Network Tap/Packet Mirroring
• Flow Logs
• Tagging/Asset Inventory is important
• But… there are visibility challenges

Next Steps
• If you’re not zero-touch yet – do it!
• Implement this detection on your platform of choice
• Tailor it to your specific environment
• Correlate these events with other suspicious traffic

Lessons Learned
• Know your network
• Don’t be afraid to look for stupid simple things

This webinar series is designed to help internal auditors looking to equip themselves with competencies and confidence to handle audit of IT controls and information security, and learn about the emerging technologies and their underlying risks The series focuses on contemporary IT audit approaches relevant to Internal Auditors and the processes underlying risk based IT audits. Session 3 of 10 This Webinar focuses on Malware Defense • Types of Malware • Blended Threats • Infection Mechanisms • Semantic, or Heuristics Based Malware Detection • Polymorphic Malware • Metamorphic Malware • Hiding techniques and Detection of Malware

Zero Trust And Best Practices for Securing Endpoint Apps on May 24th 2021

Teemu Tiainen

The great cyber security expert Sami Laiho returned as a keynote speaker with the theme of Zero Trust, but this time from the point of view of securing endpoint applications. Sami Laiho is an internationally renowned and recognized specialist in access rights and endpoint security. In this webinar, Laiho and Centero's Juha Haapsaari discussed the Zero Trust model and securing endpoint applications – even in environments of over 100,000 workstations. These are some of the themes we covered: • How to ease your workload with allow-listing. • Is allow-listing difficult? (A hint: it is not.) • Implementing AppLocker to trim down your application portfolio. • Restricting admin rights to control your IT environment. • Managing and updating applications after allow-listing operations. Zero Trust is a new paradigm for cyber security in organizations. Modern IT environments are complex by nature, and both users and devices are constantly on the move. Traditional methods are not sufficient to properly secure this kind of environment, and that’s where Zero Trust comes in.

Make Every Spin Count: Putting the Security Odds in Your Favor

David Perkins

Cerdant’s Director of Engineering, Joshua Skeens, presented the best ‘bets’ to increase your security odds. Josh warned customers to stop gambling with their data, and cautioned against weak, guessable passwords stating, “Use 2-Factor Authentication everywhere!” The first step in creating the best security posture possible for your business will always be just getting started, and to keep momentum Josh suggests implementing 1 new security practice each week.

Secure Application Development InfoShare 2022

Radu Vunvulea

So Your Company Hired A PentesterNorthBayWeb

Users awarness programme for Online Privacy

Kazi Sarwar Hossain

We are surrounding with technology. The more we surround and integrate with technology the more we will be in risk our privacy data/online/internet/cyber. Not only you are in risk, your family and friend alos in risk. If we think I am not important person then that would be your great mistake. You are important to someone in somewhere in this world. Mind it your daily life is watched by someone. So be conscious… remember Prevention is Better than cure.

"Running enterprise workloads with sensitive data in AWS is hard and requires an in-depth understanding about software-defined security risks. At re:Invent 2014, Intuit and AWS presented ""Enterprise Cloud Security via DevSecOps"" to help the community understand how to embrace AWS features and a software-defined security model. Since then, we've learned quite a bit more about running sensitive workloads in AWS. We've evaluated new security features, worked with vendors, and generally explored how to develop security-as-code skills. Come join Intuit and AWS to learn about second-year lessons and see how DevSecOps is evolving. We've built skills in security engineering, compliance operations, security science, and security operations to secure AWS-hosted applications. We will share stories and insights about DevSecOps experiments, and show you how to crawl, walk, and then run into the world of DevSecOps."

Elementary-Information-Security-PracticesOctogence

Security For Humans

conjur_inc

Finding Security a Home in a DevOps World

Shannon Lietz

Intro to INFOSEC

Sean Whalen

Tietoturvallisuuden_kevatseminaari_2013_Jarno_Niemela

Valtiokonttori / Statskontoret / State Treasury of Finland

Protecting Microsoft Teams from Cyber Security Threats - a Practical Guide

Benedek Menesi

While Microsoft Teams adoption is growing incredibly fast with over 80 million active daily users in 2020, some highly regulated organizations are often hesitant to deploy Teams or limit the deployment of Teams due to information security concerns and possible cyber security threats. Supporting any platform with that many daily users you can be sure that hackers are watching closely and will do everything they can to gain a foothold in your environment. During this presentation we will cover real-world cyber security threats as well as strategies for hardening your security configurations to protect your Teams deployment. We will also cover the available Microsoft add-on solutions to improve security, including Advanced Threat Protection (ATP), increased logging options, and Azure AD P1 licenses that improve Teams governance capabilities. Some of the topics we'll discuss: - Credential theft campaigns - Identity spoofing for user impersonation - Man-in-the-middle attacks - Locking down 3rd party application implementations - Conditional access policies - Permission management settings - Information boundary configurations - And more…  You'll learn how hackers think, and how you can gain the upper hand by preparing and training your users for the most common cyber security exploits as well as leveraging the best Microsoft tools available to mitigate both external and internal security risks.

Where To Start When Your Environment is Fucked

Amanda Berlin

Scalar Security Roadshow - Vancouver Presentation

Scalar Decisions

Gartner recently released a report on IT security priorities for the remainder of 2014. Amongst respondents, network security, application security, endpoint security, and security services all ranked highly. In this quick-fire, half-day roadshow, Scalar brings you solutions to these problems from three of our most strategic security vendors, as well as a full presentation on our managed security services portfolio.

Asset Discovery in India – Redhunt Labs

RedhuntLabs2

Leading Asset Discovery Company Redhunt Labs provides a variety of solutions to assist companies in India in securing their online assets and guarding against cyber threats. Our Agent less Platform NVADR has been successful for many of our customers in locating significant data leaks across publicly exposed Docker containers. NVADR has the capability to continually monitor your exposed Docker Assets from across the globe. We also provide a Free Scan if you'd like to examine the Attack Surface of your company. Here to visit our page for more information.

Scalar Security Roadshow - Calgary Presentation

Scalar Decisions

Security and Your Salesforce Org

Salesforce Admins

Wfh security risks - Ed Adams, President, Security Innovation

Priyanka Aash

Our security practices need to evolve in order to address the new challenges propped up by the rapid adoption of technologies and products to enable the world to WFH. The mantra of the attacker remains consistent -- attack that which yields maximum result -- and that is usually something used by a very very large number of users. This webinar will discuss the Top 10 Security Gaps that CISOs should be aware of as they brace for long WFH periods. What will you learn : -New Attack techniques hackers are using targeting WFH -How to handle decentralisation of IT and technology decisions? -Application risks as enterprises pivot to online/new business model(s) -New risks in the Cloud and due to Shadow IT -Security risks due to uninformed employees & their home infrastructure -How to handle Misconfigurations & Third party risks -How to build a robust breach response and recovery program? Full video - https://youtu.be/bQLfnmhDnQs

LIFT OFF 2017: Ransomware and IR Overview

Robert Herjavec

Bug Bounty #Defconlucknow2016

Shubham Gupta

How to-become-secure-and-stay-secure

IIMBNSRCEL

zero trust - how to build zero trust.pdf

AliAlwesabi

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Neo4j

Leonard Jayamohan, Partner & Generative AI Lead, Deloitte This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management. The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM). Speakers: Bob Boule Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle. Gopinath Rebala Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.

Similar to Can't Touch This: Detecting Lateral Movement In Zero Touch Environments

Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd

Nipun Jaswal

Security for Humans

Dustin Collins

Onlinesecurityrecomendations2014 141230081030-conversion-gate02amiinaaa

(SEC402) Enterprise Cloud Security via DevSecOps 2.0

Amazon Web Services

Elementary-Information-Security-PracticesOctogence

Security For Humans

conjur_inc

Finding Security a Home in a DevOps World

Shannon Lietz

Intro to INFOSEC

Sean Whalen

Tietoturvallisuuden_kevatseminaari_2013_Jarno_Niemela

Valtiokonttori / Statskontoret / State Treasury of Finland

Protecting Microsoft Teams from Cyber Security Threats - a Practical Guide

Benedek Menesi

Where To Start When Your Environment is Fucked

Amanda Berlin

Scalar Security Roadshow - Vancouver Presentation

Scalar Decisions

Asset Discovery in India – Redhunt Labs

RedhuntLabs2

Scalar Security Roadshow - Calgary Presentation

Scalar Decisions

Security and Your Salesforce Org

Salesforce Admins

Wfh security risks - Ed Adams, President, Security Innovation

Priyanka Aash

LIFT OFF 2017: Ransomware and IR Overview

Robert Herjavec

Bug Bounty #Defconlucknow2016

Shubham Gupta

How to-become-secure-and-stay-secure

IIMBNSRCEL

zero trust - how to build zero trust.pdf

AliAlwesabi

Similar to Can't Touch This: Detecting Lateral Movement In Zero Touch Environments (20)

Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd

Security for Humans

Onlinesecurityrecomendations2014 141230081030-conversion-gate02

(SEC402) Enterprise Cloud Security via DevSecOps 2.0

Elementary-Information-Security-Practices

Security For Humans

Finding Security a Home in a DevOps World

Intro to INFOSEC

Tietoturvallisuuden_kevatseminaari_2013_Jarno_Niemela

Protecting Microsoft Teams from Cyber Security Threats - a Practical Guide

Where To Start When Your Environment is Fucked

Scalar Security Roadshow - Vancouver Presentation

Asset Discovery in India – Redhunt Labs

Scalar Security Roadshow - Calgary Presentation

Security and Your Salesforce Org

Wfh security risks - Ed Adams, President, Security Innovation

LIFT OFF 2017: Ransomware and IR Overview

Bug Bounty #Defconlucknow2016

How to-become-secure-and-stay-secure

zero trust - how to build zero trust.pdf

Recently uploaded

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Neo4j

GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...

James Anderson

20240605 QFM017 Machine Intelligence Reading List May 2024

Matthew Sinclair

20240607 QFM018 Elixir Reading List May 2024

Matthew Sinclair

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Paige Cruz

Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack. While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack. I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:

Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx

nkrafacyberclub

GridMate - End to end testing is a critical piece to ensure quality and avoid...

ThomasParaiso2

Securing your Kubernetes cluster_ a step-by-step guide to success !

KatiaHIMEUR1

Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster. However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks. In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024

Neo4j

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Neo4j

Dr. Sean Tan, Head of Data Science, Changi Airport Group Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

Video Streaming: Then, Now, and in the Future

Alpen-Adria-Universität

In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Aggregage

Recently uploaded (20)