1. UNDERSTANDING YOUR CLOUD ATTACK SURFACE – LIVE HACK
   Oliver Pinson-Roxburgh
2. Hacking doesn't look like this
3. It doesn't look like this
4. Technology Innovation – We want things fast
   Time to reach 50 million users (chart values as extracted): 75 years, 35 days, 38 years, WWW 4 years, 3.5 years
5. Cloud Has Disrupted Traditional Security
   • Agility & automation
   • Hyper-scalability
6. Attack Surface (port diagram; ports shown: 21, 80, 25, 3389, 22, 143, 3)
7. The Cloud Attack Surface /s (diagram; port shown: 443)
8. Alert Logic Cloud Security Report 2017
   • 550 days (Aug 1, 2015 – Jan 31, 2017)
   • 2,207,795 total true positive security incidents analyzed
   • 32.5 million events driving escalated incidents
   • 147 petabytes of data analyzed
   • 3,807 customers analyzed
   • 452 industries across 3 continents
9. Web App Attacks – King of the Hill
   Security incident types escalated (pie chart, labels as extracted): Web app attack 75%, Recon 5%, Server-side malware 2%, DoS/DDoS 1%, Other 1%, Brute force 5%, SQL injection 55%
10. Web App Attacks – King of the Hill
   Security incident types escalated (labels as extracted): Web app attack 75%, Brute force 16%, Recon 5%, Server-side malware 2%, DoS/DDoS 1%, Other 1%
   Web app attack breakdown (labels as extracted): SQL injection 55%, Remote code execution 22%, Apache Struts RCE 6%, File upload 6%, Recon 5%, Brute force 5%, XXE 3%, Other 4%
11. Workload Environments Impact Incident Volumes (average per-customer security incident counts)
   • 2.5x more security incidents observed in hybrid vs public cloud
   • 51% higher rate of security incidents on premises vs cloud
12. Covering all layers of your stack is complex
   • Vulnerabilities in YOUR CODE
   • Vulnerabilities in YOUR CONFIGS
   • Vulnerabilities YOU INHERIT
13. Today's Attacks are Becoming More Complex
   The cyber kill chain¹: Identify & Recon → Initial Attack → Command & Control → Discover & Spread → Extract & Exfiltrate
   The impact: financial loss; harm to brand and reputation; scrutiny from regulators
   • Attacks are multi-stage, using multiple threat vectors
   • It takes organizations months to identify that they have been compromised
   • 205 days on average before detection of compromise¹
   • Over two-thirds of organizations find out from a third party that they have been compromised²
   1 – IDC Worldwide Security and Vulnerability Management 2014–2018 Forecast
   2 – M-Trends 2015: A View from the Front Lines
14. Enter Machine Learning
   Over nine months, 8–10% of the customers we monitored were targeted by actors with better-than-average levels of skill and determination. Each attack had a high degree of complexity. Approximately 231 such attacks were identified.
15. Behind the Data
   Web apps can be the final destination… or the initial entry point
   • Perimeter AND network AND system/log-based detection defend your hosts
   • See north/south/east/west traffic in all of your protected environments
   • WAF blocking/virtual patching, IDS, and log monitoring act as air cover while you burn down your web app vulnerabilities
   What attackers do with a compromised web app:
   • Redistribute malware directly or indirectly (exploit kits, watering holes)
   • Monetization through fraud (SEO, coin mining, spam)
   • Entry point into infrastructure
   • Lateral movement, privilege escalation
   • Steal data (exfiltration of information from databases)
16. Multi-stage Attacks
   • Day 1 – Early stage recon event – Criticality: Medium
   • Day 3 – SQL injection recon – Criticality: Medium
   • Day 4 – SQL table enumeration – Criticality: High
   • Day 4 – Injection – Criticality: Critical
   Situation: multiple address spaces and disparate, unrelated events over days
17. Sustained, Multi-stage Attack for Intellectual Property Theft (timeline figure, September 2016 – April 2017)
   • Continuous SQLi reconnaissance to better understand the environment (49 unique IPs)
   • Continuous general SQLi testing (172 unique IPs)
   • Dated events marked: Nov 2nd, Jan 3rd, Jan 16th, Feb 6th
   • Precision Recon: 1 IP address each, durations of 12, 8, 1 and 11 minutes
   • Surgical Exfiltration: 1 IP address each, durations of 7 and 2 minutes
18. Zooming Into Adversary Activity (figure)
19. Attack Progression Timeline Over 6+ Months (figure)
20. Zoomed View of a Single SQLi Exfiltration Attempt (plotted as attack specificity over time)
   1) Do tables belonging to a specific owner exist?
   2) Enumerate table names for that owner
   3) Count the number of columns for a specific table of interest
   4) Enumerate column names for the specific table
   5) Count the rows of data within the table of interest
   6) Enumerate column values from the specific table (exfiltration event)
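The four-day sequence on slide 16 and the six-step exfiltration pattern on slide 20 are what detection has to stitch back together. The following is an added example, not Alert Logic's detection content: it stage-classifies requests from constructed access-log lines using deliberately coarse patterns (an assumption, not a production SQLi ruleset) and rolls hits from different days and source addresses into one incident carrying the criticality of the furthest stage reached.

```python
import re
from urllib.parse import unquote_plus

# Stage patterns, most specific first, so a request that has progressed to a
# later step of the slide-20 sequence is labelled with that step.  Coarse,
# illustrative patterns (assumption), not a production SQLi ruleset.
STAGES = [
    ("column value exfiltration", "Critical", r"union\s+select\b(?!.*information_schema)"),
    ("row count", "High", r"select\s+count\(\*\)\s+from\s+(?!information_schema)"),
    ("column enumeration", "High", r"information_schema\.columns"),
    ("table enumeration", "High", r"information_schema\.tables"),
    ("SQLi recon", "Medium", r"'\s*(or|and)\b|sleep\(|--"),
]
STAGES = [(s, c, re.compile(p, re.I)) for s, c, p in STAGES]
RANK = {"Medium": 1, "High": 2, "Critical": 3}
# Minimal access-log shape assumed here: client IP, [date], "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(?:GET|POST) (\S+) ')

def classify(line):
    """Return (day, ip, stage, criticality) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, day, path = m.groups()
    # Decode the query string so encoded quotes/spaces match the patterns.
    query = unquote_plus(path.split("?", 1)[1]) if "?" in path else ""
    for stage, crit, pat in STAGES:
        if pat.search(query):
            return day, ip, stage, crit
    return None

def correlate(lines):
    """Fold individually Medium/High hits from several IPs and days into one
    incident whose criticality is the highest stage reached (slide 16)."""
    hits = [h for h in map(classify, lines) if h]
    if not hits:
        return None
    return {"days": sorted({h[0] for h in hits}),
            "sources": sorted({h[1] for h in hits}),
            "stages": [h[2] for h in hits],
            "criticality": max(hits, key=lambda h: RANK[h[3]])[3]}

# Constructed sample log lines (private/test addresses), not real traffic.
LOG = [
    '10.0.0.5 [01/Sep/2016] "GET /products?id=1%27+OR+1%3D1-- HTTP/1.1" 200',
    '10.0.0.5 [01/Sep/2016] "GET /products?id=42 HTTP/1.1" 200',
    '198.51.100.7 [03/Sep/2016] "GET /products?id=1%27+AND+SLEEP(5)-- HTTP/1.1" 200',
    '203.0.113.9 [04/Sep/2016] "GET /products?id=1+UNION+SELECT+table_name+FROM+information_schema.tables-- HTTP/1.1" 500',
    '203.0.113.9 [04/Sep/2016] "GET /products?id=1+UNION+SELECT+name,email+FROM+customers-- HTTP/1.1" 200',
]
```

Running `correlate(LOG)` yields one incident spanning three days and three source addresses whose criticality is Critical, even though each of the first two hits on its own is only Medium.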
21. New Approach
   The principles of security do not change, but your approach to security needs to change.
22. Cloud Security Is A Shared, But Not Equal, Responsibility
   Foundation services (provider side: storage, DB, network, compute): logical network segmentation; perimeter security services; external DDoS, spoofing, and scanning prevented; hardened hypervisor; system image library; root access for customer
   Customer responsibility:
   • Apps – secure coding and best practices; software and virtual patching; configuration management; access management; application-level attack monitoring
   • Hosts – access management; patch management; configuration hardening; security monitoring; log analysis
   • Networks – network threat detection; security monitoring
   • Foundation services – configuration best practices
   Threats shown across the layers: SQLi; cross-site scripting; web app exploits; middleware exploits; brute force attacks; recon; web shells; command & control; service misconfiguration; suspicious IAM activity
23. Live Hack – Getting closer
24. Live Hack – Much more like it
25. LIVE HACK – PRAY TO THE GODS!!!!

Cloud security live hack - final meetup


Editor's Notes

  • #5 It took about 75 years for the telephone to connect 50 million people. Today a simple iPhone app can reach that milestone in a matter of days. In the past 10 years the rate of adoption of new technologies has accelerated at dizzying speed. Can we keep up with it all?
  • #7 Ports, old school, quite easy to understand, tiered approach, firewalls between each. As we've transitioned from this model into a new one of APIs and interconnected services, much of IT has been prepared for the new world order; security sometimes prefers to operate within these same patterns. In my previous role and since joining Alert Logic I've come to understand that often, from the security perspective, the cloud kind of looked like this
  • #8 Which I can empathise with; in my experience security and network teams alike are used to dealing in ports and directions. I know I have at times – though as a developer and architect we often deal more with the logical. Hence the need to express our security measures in other ways that relate to today's threats
  • #13 Goal: Demonstrate why full-stack security is needed by showing how different vectors in each layer are attacked; show the huge scope of the growing attack surface – too much to cover in-house.
    Key Talking Pts: Why are web apps the #1 source of breaches? Because attackers can use any layer of the application and infrastructure stack today to gain access, build footholds, and laterally move within your system.
    From the top of the stack: Web application attacks like SQL injection and cross-site scripting are hard to prevent and detect because they look innocent to the host and network and use the application's own functionality and flaws to trick the application into giving up control. Ideally all applications would be carefully built according to all secure coding best practices. Of course most developers will say their apps are secure. Maybe so, but it's also human nature to think we are better than we actually are. In one study, 94% of professors rated themselves above average relative to their peers. If you look at the facts, the failure rate of applications to pass audits just for the OWASP Top 10 is 61%. Developers are in for a tough battle getting those numbers up, since development cycles are only getting faster and web applications are getting more complex.
    At the bottom of the stack: Will AWS hardening at the bottom of the stack get us off the hook? Well, from what we see, at least exploits like WannaCry and NotPetya seem to be non-issues in the cloud. But what we see in cloud infrastructure layers are cloud services being misconfigured by users, such as open S3 buckets leaving data up for grabs at Verizon, the Republican National Committee and the World Wrestling Federation. These are very easy mistakes to prevent, so why worry about them? The number of cloud services being configured on a given day is going up, and they are going faster, so there is less time to double-check your work. Not to mention the fact that new AWS services are being launched all the time, so there is a lot to learn.
    All across the entire stack: We see applications being made of more and more components and APIs, each of which can have their own plug-ins and servlets, especially content management systems like Joomla, Magento, WordPress and Drupal. Quarterly scanning for compliance isn't enough. Attackers can come out in droves as soon as they hear a patch has been released, racing to breach your system before you can find and fix it yourself. For example, after Joomla announced two patches for its systems in 2016, the number of exploits in the wild raced from a few hundred on the first day to over 27,000 in just 2 more days. So, you need to protect all layers of the application stack from a variety of vectors; otherwise you are leaving a door open for attackers. Trying to pull this all together yourself would mean not only tracking the growing number of vulnerabilities in your environment but also continuously developing your own signatures, rules and analytics for detection and blocking.
    Discovery: What can you share about breaches you may have had? What might a shorter dwell time have meant to you?
    Tips: Treat as a build slide: pace as if it were one slide with multiple builds
  • #14 Kill Chain: Discuss what it is and how it relates to the anatomy of an attack. Discuss how we will show each stage of this being enacted as we run through the live hack. RevSlider Exploit: Discuss that we're going to demonstrate an exploit in a popular plugin as an example of what we've been discussing earlier in the presentation. Show the plugin in action and what it is/does on the WP site - https://vuldb.com/?id.76139
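The open-bucket misconfiguration described in note #13 is caught by reading a bucket's ACL grants together with its Public Access Block settings, which is the check the note says is easy to skip when services are being configured faster. This is an added example, not Alert Logic's code; the input dicts are constructed to mirror the shapes that boto3's get_bucket_acl() and get_public_access_block() return, and only the bucket-level block is considered (account-level blocks and bucket policies are out of scope here).

```python
from typing import Optional

# S3 pre-defined group grantees; a grant to either one makes a bucket effectively public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def public_grants(acl: dict) -> list:
    """Return (grantee URI, permission) pairs granted to the world or to any
    AWS account holder, from an ACL shaped like boto3's get_bucket_acl()."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            found.append((grantee["URI"], grant["Permission"]))
    return found

def classify_bucket(acl: dict, pab: Optional[dict]) -> str:
    """'private' when no public grant exists, 'blocked' when the bucket's Public
    Access Block makes S3 ignore the public ACL, otherwise 'public'.  Only the
    bucket-level block is considered (assumption); pab is None when the API
    reports no configuration for the bucket."""
    if not public_grants(acl):
        return "private"
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    # IgnorePublicAcls neutralises existing public grants; BlockPublicAcls only
    # rejects new ones, so a bucket with just that flag set stays exposed.
    return "blocked" if cfg.get("IgnorePublicAcls") else "public"

# Constructed inputs mirroring the API response shapes; placeholder IDs, not real accounts.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}
ACL_PRIVATE = {"Grants": [OWNER]}
ACL_WORLD_READ = {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
PAB_FULL = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
PAB_BLOCK_NEW_ONLY = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                                         "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}
```

The BlockPublicAcls-only case is the one that surprises people: the flag stops new public ACLs but leaves an already-granted world-READ in force, so the bucket still classifies as public.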