Stu Hirst - Thinking Out cLoud 2020
1. Stu Hirst - Thinking Out Cloud 2020
ADD YOUR
BRAND HERE
Thinking Out cLOUD 2020
@stuhirstinfosec
2. Disclaimers:
I like memes & gifs.
I’m not an ‘expert’ or a ‘thought leader’, but I’ve learned some stuff along the way.
3. Who Am I?
4. You’re going to be in one of two camps…
5. Two camps:
1. Thinking of going Cloud
2. Already there
7. If you’re not in Cloud yet, but about to get there…
9. If you’re already IN Cloud, you’ll be in one of two states…
12. The Path To Securing The Cloud
13. What do you care about?! (Risk!)
14. There are existing frameworks that can help:
• CIS Benchmarking
• NIST
• ISACA
• Cloud Security Alliance
15. CIS:
• AWS, Azure, Google Cloud
• Docker, Kubernetes
• Security Metrics
• Also desktop apps, network devices, mobile devices, servers, operating systems
16. Threats/Risks In The Cloud
18. Cryptojacking / Bitcoin Mining
Attackers using compute resources you own (and pay for) to mine cryptocurrency
19. Data Breaches
Open buckets
Open databases
General misconfiguration
20. Denial Of Service
Though if major Cloud providers are down, everyone has a problem!
21. Insider Threats
Malicious or by mistake
22. Hijacking of Accounts
To log on and access resources and data
23. Lack of awareness & training
Cloud is still new and complex!
25. Steps To Protect Your AWS Environment
26. Look out for…
27. ROOT ACCOUNT
28. Give your Root Account physical MFA token to someone non-technical.
They’re less likely to kill your business.
30. BANANA SKIN ALERT!
31. Advice:
Delete your Root Account Access Key ID and Secret Access Key - you don’t need them!
32. MFA
33. Ensure EVERY user has MFA - no excuses!
Or SAML…
34. Advice:
You can stipulate in IAM policies that an action CANNOT take place without MFA!
35. So perhaps you can perform DescribeInstances and RunInstances with no checks,
but TerminateInstances only where aws:MultiFactorAuthAge is < X minutes
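The MFA-gated policy from the slide above, written out as an added example (mine, not from the talk), together with a small evaluator that imitates the subset of IAM condition semantics the policy depends on; the evaluator and the 3600-second limit are my assumptions, and note that aws:MultiFactorAuthAge is measured in seconds, not minutes.

```python
MFA_MAX_AGE_SECONDS = 3600  # the slide's "X minutes": the condition key counts seconds

# The policy the slide describes, exactly as you would paste it into IAM.
MFA_GATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "NoMfaNeededForReadAndLaunch",
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:RunInstances"],
            "Resource": "*",
        },
        {
            "Sid": "TerminateOnlyWithRecentMfa",
            "Effect": "Allow",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "NumericLessThan": {"aws:MultiFactorAuthAge": str(MFA_MAX_AGE_SECONDS)},
            },
        },
    ],
}


def _condition_holds(condition, ctx):
    """Simplified evaluator (an assumption here, not the AWS engine) for the two operators
    this policy uses. A NumericLessThan test on a key absent from the request is false,
    which is why a session without MFA never matches the terminate statement."""
    for key, expected in condition.get("Bool", {}).items():
        if str(ctx.get(key, "false")).lower() != expected:
            return False
    for key, limit in condition.get("NumericLessThan", {}).items():
        if key not in ctx or not float(ctx[key]) < float(limit):
            return False
    return True


def is_allowed(policy, action, ctx):
    """True if an Allow statement names the action and its conditions hold
    (this policy has no Deny statements, so nothing can override an Allow)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if stmt["Effect"] == "Allow" and action in actions:
            if _condition_holds(stmt.get("Condition", {}), ctx):
                return True
    return False
```

The request context keys (`aws:MultiFactorAuthPresent`, `aws:MultiFactorAuthAge`) are the real IAM condition keys; a session that never authenticated with MFA simply lacks them.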
36. IAM
37. Check your IAM password policy
Automate checks for unused passwords or access keys
ALERT FOR ROOT USAGE!!!
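One way to automate the checks on this slide for unused passwords and access keys, together with the earlier advice on root access keys and MFA for every user, as an added example (not from the talk): it audits an IAM credential report. The CSV is a constructed sample using a subset of the report's real column names, and the 90-day threshold and the fixed clock are my assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (not real data), trimmed to the columns the checks need.
SAMPLE_REPORT = """user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,not_supported,2020-01-04T09:12:00+00:00,false,true,2019-11-20T08:00:00+00:00,false,N/A
alice,true,2020-02-01T10:00:00+00:00,true,true,2020-02-02T11:30:00+00:00,false,N/A
bob,true,2019-06-15T10:00:00+00:00,true,false,N/A,false,N/A
ci-deploy,false,no_information,false,true,2019-09-01T00:00:00+00:00,true,N/A
"""

NOW = datetime(2020, 2, 10, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible
STALE_AFTER = timedelta(days=90)  # assumed threshold; tune to your policy


def _is_stale(value, now):
    """Report timestamps are ISO 8601; N/A or no_information means never used."""
    try:
        return now - datetime.fromisoformat(value) > STALE_AFTER
    except ValueError:
        return True


def audit_credential_report(report_csv, now=NOW):
    """Return (user, finding) pairs for the banana skins on the slides: root
    access keys, missing MFA, and passwords or keys unused for 90 days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        keys_active = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if user == "<root_account>":
            if keys_active:
                findings.append((user, "root has active access keys: delete them"))
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA"))
            continue
        if row["password_enabled"] == "true":  # console user: needs MFA, password must be in use
            if row["mfa_active"] != "true":
                findings.append((user, "console user without MFA"))
            if _is_stale(row["password_last_used"], now):
                findings.append((user, "password unused for >90 days"))
        for n in keys_active:
            if _is_stale(row[f"access_key_{n}_last_used_date"], now):
                findings.append((user, f"access key {n} unused for >90 days"))
    return findings
```

Feed it the CSV returned by the IAM get-credential-report API to run it against a real account.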
38. BANANA SKIN ALERT!
40. Over time, you have probably created too many roles!
IAM Access Advisor - service last accessed
41. LOGGING
42. LOG. ALL. THE. THINGS!
43. CloudTrail
S3 Access
VPC Flow
CloudWatch
API Gateway
44. At WORST - make sure you’re logging CloudTrail events in every account.
ALERT IF YOU’RE NOT!
45. BANANA SKIN ALERT!
46. If you log to a central account, be wary you might be charged twice for CloudTrail logs!
48. S3 BUCKETS
49. Still arguably the easiest mistake to make and the most impactful
51. BANANA SKIN ALERT!
54. SECURITY GROUPS
55. SGs act like a firewall for your instances…
But they’re easy to misconfigure
56. BANANA SKIN ALERT!
58. • Restrict traffic to internal IPs for protocols such as SSH
• Use NACLs to block ports
• Avoid the dreaded 0.0.0.0/0
• Use ELB's SGs wisely to restrict EC2’s access to the Internet
• Trusted Advisor will help you!
60. INCIDENT RESPONSE
61. Behaviour → Alert → Slack
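The behaviour-to-alert step on this slide, as an added example (not from the talk): three detection rules drawn from the deck (root usage, CloudTrail being switched off, and a security group opened to 0.0.0.0/0) run over constructed CloudTrail records. The field names follow CloudTrail's record format, but the sample records, rule names and alert shape are my assumptions.

```python
# Constructed CloudTrail records (not real logs), trimmed to the fields the rules inspect.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "111111111111"}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]


def root_used(ev):
    """Root activity; calls made by an AWS service on root's behalf carry invokedBy."""
    ident = ev.get("userIdentity", {})
    return ident.get("type") == "Root" and "invokedBy" not in ident


def logging_disabled(ev):
    """Someone turning off the trail the logging slide told you to alert on."""
    return (ev.get("eventSource") == "cloudtrail.amazonaws.com"
            and ev.get("eventName") in ("StopLogging", "DeleteTrail"))


def world_open_ingress(ev):
    """Security-group ingress granted to the whole Internet, the 'dreaded 0.0.0.0/0'."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    perms = ev.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    return any(r.get("cidrIp") == "0.0.0.0/0"
               for p in perms for r in p.get("ipRanges", {}).get("items", []))


RULES = [("ROOT_ACCOUNT_USED", root_used),
         ("CLOUDTRAIL_LOGGING_DISABLED", logging_disabled),
         ("SECURITY_GROUP_OPEN_TO_WORLD", world_open_ingress)]


def evaluate(events):
    """One alert dict per (rule, event) match; these are what you would post to Slack."""
    return [{"rule": name, "eventName": ev["eventName"],
             "who": ev["userIdentity"].get("userName", ev["userIdentity"]["type"])}
            for ev in events for name, rule in RULES if rule(ev)]
```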
63. Create playbooks for incident response
Even if they just say who to contact!!!
64. ENCRYPTION
65. Are you encrypting by default?
If not, why not?!
S3, EBS, RDS etc.
66. KEY ROTATION & CREDS
68. North Carolina State University examined accidental leakage of authentication secrets to GitHub…
69. Secrets in over 100,000 repositories, and over 1000 committed daily
70. Other helpful tips!
71. Well Architected Reviews with AWS/GCP/Azure
Use your Technical Account Managers!
72. Manually audit your accounts - looking for gaps, misconfigs, permissions
73. Or leverage… Open Source Goodies!
79. Q: What’s the most important aspect of securing the Cloud?
80. RECRUIT! RECRUIT! RECRUIT!
81. KEY TAKEAWAYS (see what I did there?!)
82. • Start with basics
• Establish a risk framework
• Look out for the banana skins!
• Automate as much as you can
• Leverage the tooling
• Have fun!
• RECRUIT!
83. So what have I learnt these last 2-3 years?
* Your journey has to start somewhere!
* Changing businesses takes real time and graft. And it’s painful!
* Try and get the major stakeholders around the table regularly to collaborate - this takes effort!
* Cloud is HARD and often COMPLEX
* Recruitment is absolutely KEY!
* TEACHING EACH OTHER IS KEY ALSO!!!
84. Before I leave you…
87. Want to know more?
Cloud Security Forum on Slack - DM ME ON TWITTER!
AWS Arsenal - open source tools
https://github.com/stuhirst/awssecurity
AWS Vulnerability & Risk list
https://github.com/stuhirst/awssecurity/blob/master/risksandvulns.md
88. SHOUT OUTS:
• Scott Piper (CloudMapper, FLAWS & more)
• Toni De La Fuente (Prowler)
• Tash Norris (Cloud Threat Modeling)
• Rhino Labs
AND MY INCREDIBLE TEAM!
90. FANKS!
@stuhirstinfosec