Cloud providers continue to increase in usage for the next generation of internet services. Dynamic and ephemeral exposures are being created on an unprecedented level and your old generation of internet scanners can’t find them. Let us show you how they can be found and what it means for the future of unwanted internet exposures. Right now, at the click of a button, can you answer the question “What in my cloud environments is internet-facing?”. For most security teams the answer to this question would be a sigh and then “No.” We know that complexity is the enemy of security. We also know a comprehensive asset inventory is step one to any capable security program. How can we monitor for unnecessary exposures without knowing what’s on the internet? In this presentation we will look at the most pragmatic ways to continuously analyze your cloud environments and operationalize that information to identify vulnerabilities. Through examination of exposure patterns and analysis of passive DNS data, we explore real-world examples of global cloud breaches waiting to happen. There are thousands of vulnerable systems for the commonly used services (e.g. ElasticSearch) and more from the up and coming services you may not even know your organization is using yet. Main Takeaways: * Most security orgs are maintaining their inventory the old way (i.e. IP ranges) which doesn’t cut it in a dynamic cloud world * IPv4 scanners can’t find virtual host services that are ephemeral or require specific paths in the request to function properly * Global exposures are only going to increase unless we look at the solution differently and understand the patterns for these breaches waiting to happen

1. EXPOSEYOURSELF
WITHOUT INSECURITY
ARTINTOSCIENCE–JAN162020

2. DO YOU KNOW YOUR
EXPOSURE?
INTRO

3. QUESTIONHOW DO YOU DETERMINE
WHAT IS EXPOSED TO THE
INTERNET IN YOUR
CLOUD ENVIRONMENT?
4

4. Focused on Continuous Attack
Surface Testing (CAST)
• Techniques
• Procedures
• Tools
Continuously learning new
techniques for offensive testing
INTRO
WHO ARE WE?
5
ROB RAGAN
OSCAR SALAZAR
Principal Researcher
Principal Researcher

5. INVENTORY SUCCESS CRITERIA
What do we want from our asset inventory? (i.e. Targets):
ACCURACY
Through curation of
multiple data sources
(external & internal)
UPDATED
ENDPOINTS
Through continuous
and frequent analysis
ACTIONABLE
INTELLIGENCE
Through
maintained visibility
(metadata & screenshots)
OPERATIONALIZE
IMPACT OF EXPOSURES
6

6. BUILDING A BASELINE
TARGETS METHODOLOGY
8
• Organization Structure
• Business Units
• Products
• Services
• Mergers & Acquisitions
• Primary Domains
associated with BUs
• Subdomains
• IP Address Space
• Active Services
• Continuously updated
dataset of DNS and IP
based Targets

7. Master records are your advantage as defenders
Emulate real-attackers but where possible, be several steps ahead of them
Our goal is to inventory the entire attack surface, we should utilize all the things:
MORE SUCCESSFUL APPROACH
INVENTORY MAINTENANCE
9
• Domain registrars
• DNS records
• Certificate Authorities
• BGP Prefix
• Internet Scan Archives
• Cloud account metadata
• …and anything and everything
attackers
and your internal IT uses

8. METHODOLOGY
02

9. USING DIFFERENT LENSES
INSIDE LOOKING OUT
OUTSIDE LOOKING IN

10. INSIDE LOOKING OUT (IT/ENG Configurations)
• When and where possible, always leverage the master records
• Go to the source of truth
• Someone at your organization has to setup and maintain a configuration for
each asset and systematically there is evidence of this system in your master
DNS records and router tables (e.g. DHCP)
OUTSIDE LOOKING IN (OSINT)
• Shadow IT will always exist
• Use techniques from outside your environment to see what the rest of the
world can see
• Attackers scan the internet, they monitor for changes to internet
infrastructure, and can mine massive datasets using OSINT to find what
they’re looking for, i.e. a weakness
• Adopt similar approaches. whois data, registrar data, reverse DNS
USING DIFFERENT LENSES
12

11. 1/19/20 14
ATTACK SURFACE MAPPING

12. HOW DO YOU IDENTIFY CLOUD ACCOUNTS
Follow the money $$$
Partner with finance to monitor corporate credit
card usage
Whose corporate credit card is accruing charges
from AWS, Azure, GCP, etc? this is your best lead
to identify unknown accounts.
Establish review process and track security
team visibility into these accounts
BEWARE of IaaS/PaaS/SaaS that mask popular
providers (e.g. refinery.io) and hide inventory

13. WHY NOT ADD ONE MORE AWS ACCOUNT?
Security team should have
an account
One account to read them all
from a monitoring perspective
Establish a parent org account
with engineering
Assume role access or Security Auditor
read-only access to all other accounts
identified at the organization
INSIDE LOOKING OUT LENS

14. Which accounts have publicly facing systems and services?
How are those specific services externally accessible? (DNS/IP/Port)
Access Levels:
• Internal
• AWS Resource Relationships (IAM Access Analyzer helps here)
• Internet
ACCOUNT ACCESS ESTABLISHED*
NEXT STEPS
17
* Assuming you identified all accounts established a program and a policy to detect future accounts and have executed access controls properly.

15. Publicly available services should have:
• Scheme/Protocol
• Host (DNS or IP)
• Port
• URI (relative path)
• Anonymous internet-facing access
Internet scale scanners will find these services
• May not route correctly for AWS services and error
without DNS/VHOST info
OPERATIONALIZING DATA
IMPACTFUL EXPOSURES
18

16. STATE OF THE ART
03
AVAILABLE TOOLS & TECHNIQUES

17. AWS IN 2011
WHAT SERVICES
DO WE NEED
TO CONSIDER?
20

18. 21
AWS IN 2017
WHAT SERVICES
DO WE NEED
TO CONSIDER?

19. PACE OF INNOVATION
EXPONENTIAL
22
0
50
100
150
200
250
2011 2013 2015 2017 2019
AWS Features & Services

20. 23
TOO MANY TO LIST!
AWS IN 2020
WHAT SERVICES
DO WE NEED
TO CONSIDER?

21. What was already available when we tried to solve this problem?
• Cloudmapper
• https://summitroute.com/blog/2018/06/13/cloudmapper_public/
• https://github.com/duo-labs/cloudmapper
• AWS Public IPs
• https://github.com/arkadiyt/aws_public_ips
• IAM Access Analyzer (codename Tiros released at Re:Invent 2019)
• July 2019 https://aws.amazon.com/blogs/security/aws-security-profile-john-backes-senior-software-
development-engineer/
• https://docs.aws.amazon.com/IAM/latest/UserGuide/what-is-access-analyzer.html
• https://d1.awsstatic.com/whitepapers/Security/Reachability_Analysis_for_AWS-based_Networks.pdf
• Cartography
• https://github.com/lyft/cartography
EXPOSED SERVICES: STATE OF THE ART
AVAILABLE TOOLS
24

22. Cloudmapper
• "public" - Command to identify public hosts and ports
• The metadata format is valuable for our inventory efforts
• LIMITATIONS:
• Not comprehensive - Does not support IPv6
currently, and only looks at TCP and UDP ports. It
ignores ICMP or any other protocols. It does not
consider network ACL rules.
• Small subset of AWS services covered - currently
only supports the services EC2, ELB, ELBv2, and RDS
• Documentation pointed us to another project
aws_public_ips
EXPOSED SERVICES: STATE OF THE ART
@0XDABBAD00
25

23. AWS Public IPs
• Fetch all public IP addresses tied to your AWS account. Works with
IPv4/IPv6, Classic/VPC networking, and across all AWS services
• LIMITATIONS:
• Only provides IP addresses – not ports or protocols
• Not comprehensive – does not support dynamically generated
infrastructure as publicly accessible
• Subset of AWS services covered - currently only supports
APIGateway, CloudFront, EC2 (and as a result: ECS, EKS,
Beanstalk, Fargate, Batch, & NAT Instances), ElasticSearch, ELB
(Classic ELB), ELBv2 (ALB/NLB), Lightsail, RDS, Redshift
EXPOSED SERVICES: STATE OF THE ART
@ARKADIYT
26

24. IAM Access Analyzer
• AWS IAM Access Analyzer helps you
identify the resources in your account,
such as Amazon S3 buckets or IAM roles,
that are shared with an external entity.
• LIMITATIONS:
• Resource-policy based – designed to
report when a resource is accessible.
Knows nothing about the state of users,
roles, service control policies (SCP), and
other relevant configurations
• Per region analyzer required - must create
an analyzer to enable Access Analyzer in
each Region
EXPOSED SERVICES: STATE OF THE ART
@AWS
27

25. Cartography
• Python tool that consolidates
infrastructure assets and the
relationships between them in an
intuitive graph view powered by a
Neo4j database
• LIMITATIONS:
• Larger setup overhead – seems like it
has a lot of use cases above and
beyond what we were focused on
accomplishing. May not be suited to
multiple organizations
• Not comprehensive – only supports
ELBs, EC2, ElasticSearch, S3 for
determining internet exposure
EXPOSED SERVICES: STATE OF THE ART
@ALEXCHANTAVY
28

26. EXPOSED SERVICES: STATE OF THE ART
LIMITATION OF AVAILABLE TOOLS
29
CLOUDMAPPER AWS PUBLIC IPS
IAM ACCESS
ANALYZER
CARTOGRAPHY
PUBLICLY ACCESSIBLE
INFRASTRUCTURE ASSETS
Yes No No Yes
IP ADDRESSES
Yes, but
IPv6 not supported
IPv4 – IPv6
Classic / VPC networking
No No
PORTS TCP, UDP No No Yes
PROTOCOLS No No No Yes
NETWORK ACL RULES No No No Yes
AWS SERVICES COVERED EC2 – ELBs – RDS
EC2 - ELBs - RDS - RDC
APIGateway, CloudFront,
ElasticSearch, Lightsail
Redshift
S3
IAM roles
EC2 - ELBs - S3
ElasticSearch
COMPREHENSIVE No No No No

27. OUR SOLUTION
04
YET ANOTHER TOOL

28. APIs-Guru OpenAPI Directory
🌐 Wikipedia for Web APIs. Directory of REST API
definitions in OpenAPI 2.0/3.0 format
Identified patterns in AWS Service
DNS records from documentation
https://github.com/APIs-guru/openapi-
directory/tree/master/APIs/amazonaws.com
Cross referenced with passive DNS
data to understand real-world usage
AWS EXPOSURE ENDPOINTS
ONGOING RESEARCH
31

29. s3 https://{user_provided}.s3.amazonaws.com
cloudfront https://{random_id}.cloudfront.net
ec2 ec2-{ip-seperated}.compute-1.amazonaws.com
es https://{user_provided}-{random_id}.{region}.es.amazonaws.com
elb
http://{user_provided}-{random_id}.{region}.elb.amazonaws.com:80
https://{user_provided}-{random_id}.{region}.elb.amazonaws.com:443
elbv2 https://{user_provided}-{random_id}.{region}.elb.amazonaws.com
rds
mysql://{user_provided}.{random_id}.{region}.rds.amazonaws.com:3306
postgres://{user_provided}.{random_id}.{region}.rds.amazonaws.com:5432
route53 {user-specified}
AWS EXPOSURE PATTERNS
Beware of misconfigurations that expose your content with these CNAME patterns:
32

30. execute-api https://{random_id}.execute-api.{region}.amazonaws.com/{user_provided}
cloudsearch https://doc-{user_provided}-{random_id}.{region}.cloudsearch.amazonaws.com
transfer sftp://s-{random_id}.server.transfer.{region}.amazonaws.com
iot
mqtt://{random_id}.iot.{region}.amazonaws.com:8883
https://{random_id}.iot.{region}.amazonaws.com:8443
https://{random_id}.iot.{region}.amazonaws.com:443
mq
https://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:8162
ssl://b-{random_id}-{1,2}.mq.{region}.amazonaws.com:61617
kafka
b-{1,2,3,4}.{user_provided}.{random_id}.c{1,2}.kafka.{region}.amazonaws.com
{user_provided}.{random_id}.c{1,2}.kafka.useast-1.amazonaws.com
cloud9 https://{random_id}.vfs.cloud9.{region}.amazonaws.com
mediastore https://{random_id}.data.mediastore.{region}.amazonaws.com.
kinesisvideo https://{random_id}.kinesisvideo.{region}.amazonaws.com
mediaconvert https://{random_id}.mediaconvert.{region}.amazonaws.com
mediapackage
https://{random_id}.mediapackage.{region}.amazonaws.com/in/v1/{random_id}/channel
AWS EXPOSURE PATTERNS
Beware of misconfigurations that expose your content with these CNAME patterns:
33

31. 34
DOMAINS > IP ADDRESSES

32. 35
Note: This was a sample of us-east-1 and not comprehensive analysis of
exposures across all regions
AWS
ELASTICSEARCH
EXPOSED
INDICES
• Found 59 exposed instances
• Found 1706 multi-MB exposed indices
REDACTED
REDACTED
REDACTED

33. 36
Note: This was a sample of us-east-1 and not comprehensive analysis of
exposures across all regions
AWS
ELASTICSEARCH
EXPOSED
INDICES
• Found 59 exposed instances
• Found 1706 multi-MB exposed indices
• IPv4 scanners cannot find this
REDACTED
REDACTED
REDACTED
REDACTED
REDACTED

34. 37
Note: Samsung TV Plus is only available on 2016 - 2019 Samsung Smart
TV's in select territories and an internet connection is required.
AWS MEDIASTORE
SAMSUNG
TV PLUS
• Found Samsung TV Plus streams
• Samsung TV Plus delivers free TV.
Get instant access to news, sports,
entertainment, and more. No
download, additional device, or
credit card needed.

35. 38
Note: Samsung TV Plus is only available on 2016 - 2019 Samsung Smart
TV's in select territories and an internet connection is required.
AWS MEDIASTORE
SAMSUNG
TV PLUS
• Found Samsung TV Plus streams
• Samsung TV Plus delivers free TV.
Get instant access to news, sports,
entertainment, and more. No
download, additional device, or
credit card needed.
• IPv4 scanners cannot find this
REDACTED

36. Introducing Smog
Identifying The Cloud
That No One Wantshttps://github.com/BishopFox/smogcloud
39

37. RUNNING AWS CLI COMMANDS ACROSS ALL ACCOUNTS IN AN AWS ORGANIZATION
• https://alestic.com/2019/12/aws-cli-across-organization-accounts/
• Collection of bash functions to help run aws-cli commands across roles in multiple accounts with MFA
Ø https://github.com/alestic/aws-cli-multi-account-sessions
ADDITIONAL REFERENCES & TECHNIQUES
RESOURCES
40

38. THANK
YOU
@bishopfox | contact@bishopfox.com