The document provides a summary of the top 10 threats to cloud security as presented by James Condon from Lacework. The top threats are: 1) publicly accessible resources, 2) leaked keys, 3) malicious insiders, 4) brute force attacks, 5) remote code execution, 6) container escapes, 7) supply chain attacks, 8) malware, 9) cryptojacking, and 10) ransomware. For each threat, examples are given and mitigations are proposed. The document concludes by introducing Lacework's unified cloud security platform.
9. @laceworklabs
PUBLICLY ACCESSIBLE RESOURCES
• The exposure of sensitive data or
resources through misconfigurations
or similar modes.
• Exposed DBs:
• MongoDB
• Elasticsearch
• Redis
• Exposed storage:
• S3
• Google Cloud Storage
11. @laceworklabs
PUBLICLY ACCESSIBLE RESOURCES MITIGATIONS
• Visibility into internet-facing
configurations
• Continuous auditing for open storage
and ports
• Integrate network config tests
pre-deployment (CI/CD)
• Enforce authentication for DBs
• Encrypt sensitive data at rest
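An added example (not Lacework's code) of the "continuous auditing for open ports" and "network config tests pre-deployment" items: it flags any ingress rule that lets a non-internal source reach the MongoDB, Elasticsearch or Redis ports named on the earlier slide. The rule dicts are a constructed, simplified stand-in for a cloud security group's ingress rules.

```python
"""Flag firewall rules that expose database ports to the internet.

Added example (not Lacework's code) for the "continuous auditing for open
storage and ports" mitigation. The rule dicts are a constructed, simplified
stand-in for a cloud security group's ingress rules.
"""
import ipaddress

# Default listener ports of the services the slides list as commonly exposed.
DB_PORTS = {27017: "MongoDB", 9200: "Elasticsearch", 6379: "Redis"}
# Address space treated as internal; anything else counts as internet-reachable.
TRUSTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "fc00::/7")]


def is_public(cidr):
    """True unless the whole CIDR sits inside one trusted internal range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(t.version == net.version and net.subnet_of(t) for t in TRUSTED)


def audit_ingress(rules):
    """One finding per (rule, DB port) pair reachable from a public source."""
    findings = []
    for rule in rules:
        if rule["proto"] not in ("tcp", "-1") or not is_public(rule["cidr"]):
            continue  # UDP-only rules and internal sources are out of scope
        for port, service in DB_PORTS.items():
            if rule["from_port"] <= port <= rule["to_port"]:
                findings.append({"port": port, "service": service, "cidr": rule["cidr"]})
    return findings


def ci_gate(rules):
    """Pre-deployment test: True when nothing would be exposed."""
    return not audit_ingress(rules)


# Constructed sample: SSH from a bastion range, Redis open to the world,
# MongoDB internal only, and an all-protocol rule from one public address.
SAMPLE_RULES = [
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.0/24"},
    {"proto": "tcp", "from_port": 6379, "to_port": 6379, "cidr": "0.0.0.0/0"},
    {"proto": "tcp", "from_port": 27017, "to_port": 27017, "cidr": "10.0.0.0/8"},
    {"proto": "-1", "from_port": 0, "to_port": 65535, "cidr": "198.51.100.7/32"},
]
```

Running `audit_ingress(SAMPLE_RULES)` reports the open Redis rule plus all three database ports for the catch-all rule; wiring `ci_gate` into the pipeline fails the build before the rule set is deployed.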
12. @laceworklabs
LEAKED ACCESS KEYS
• Programmable IaaS + APIs = need for
keys in many places
• Keys leaked in many ways
• Hardcoded
• Code repo misconfigs
• Code repo hacked
• Phishing
• Exploits
13. @laceworklabs
UBER BREACH
• Oct 2016 two hackers compromised
Uber’s GitHub
• GitHub contained access to keys to
AWS
• Hackers stole PII on 57M individuals
• Held data for ransom
• Publicly disclosed late 2017
14. @laceworklabs
LEAKED ACCESS KEYS MITIGATIONS
• Don’t hard code keys
• Build tests in CI/CD to search for keys
• Use key management solutions and
SDKs from cloud providers
• Audit code repos for misconfigs
• Practice least privilege in code repos
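An added example (not Lacework's tooling) of the "build tests in CI/CD to search for keys" item: a small scanner that matches the AWS access key ID format and a secret assigned next to a variable that names it, using an entropy check to ignore obvious test fillers. The sample source is constructed and uses the placeholder credentials from AWS's own documentation.

```python
"""Pre-merge scan for hardcoded AWS credentials.

Added example (not Lacework's tooling) for the "build tests in CI/CD to
search for keys" mitigation. The sample source is constructed and uses the
placeholder credentials from AWS's own documentation, not live keys.
"""
import math
import re
from collections import Counter

# Long-term (AKIA) and temporary (ASIA) access key IDs: 20 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A 40-character secret assigned to a variable whose name says what it is.
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}([A-Za-z0-9/+=]{40})")


def shannon_entropy(s):
    """Bits per character; real secrets score high, dummy fillers score low."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_text(text, min_entropy=3.5):
    """Return (line_number, finding_type, value) for each suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= min_entropy:  # skip obvious fillers
                findings.append((lineno, "aws_secret_access_key", m.group(1)))
    return findings


# Constructed sample source file.
SAMPLE = """\
import boto3
# BAD: long-term credentials embedded in source
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
# Test fixture filler: right shape but no entropy, so it is ignored
aws_secret_access_key = "0000000000000000000000000000000000000000"
# GOOD: let the SDK resolve credentials from the environment or an instance role
client = boto3.client("s3")
"""
```

A non-empty result from `scan_text` is the CI failure condition; the zero-entropy filler on line 6 of the sample shows why the entropy threshold is there.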
16. @laceworklabs
• IT employee terminated after 4 weeks
• Used a former colleague’s credentials to
access the company AWS account
• Terminated 23 servers
• Estimated $700,000 in losses to the
business
• Deleted data could not be
recovered
17. @laceworklabs
INSIDER THREAT MITIGATIONS
• Internal training & awareness
• Practice least privilege
• 2FA to minimize chances of stolen
accounts
• Plan for when employees leave
• Physical access
• Account access
• Disaster recovery plan
19. @laceworklabs
BRUTE FORCE ATTACKS
• Repeated attempts to guess
username & password combinations
in an attempt to gain unauthorized
access.
• SSH most common service to brute
force on public cloud workloads
• Popular infection vector and
propagation method for Linux
malware
• Old tactic, still effective
20. @laceworklabs
EXAMPLE – BREAD & BUTTER ATTACKS
• Recent Malware campaign
• Begins with brute force SSH
• Adds user “butter”
• Downloads RAT
• RAT communicates with CNC
• RAT downloads XMR miner
• Reported by Guardicore
21. @laceworklabs
BRUTE FORCE ATTACKS - MITIGATIONS
• Strong passwords
• Monitor for repeated access attempts
• Key-based auth when possible
• Restrict service port access
• Bastion hosts for access
• WAF for internet-facing apps
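An added example (not Lacework's detection logic) of the "monitor for repeated access attempts" item: it parses sshd auth log lines, raises an alert when one source reaches a failure threshold inside a sliding window, and raises a second alert if that source is then granted a login, which is the Bread & Butter sequence described above. The log lines are constructed.

```python
"""Detect SSH brute-force activity in sshd auth logs.

Added example (not Lacework's detection logic) for "monitor for repeated access
attempts"; the constructed log lines mirror the Butter pattern of many failed
guesses (including user "butter") followed by a success from the same source.
"""
import re
from collections import defaultdict
from datetime import datetime

# syslog-style sshd events, e.g. "Failed password for invalid user X from IP port N"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


def parse(lines, year=2019):
    """Yield (timestamp, outcome, user, ip); syslog omits the year, so supply it."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["outcome"], m["user"], m["ip"]


def detect(lines, threshold=5, window_s=60):
    """Alert once when a source IP reaches `threshold` failures inside a sliding
    window, and again if that IP is later granted a login (a guessed password)."""
    recent, flagged, alerts = defaultdict(list), set(), []
    for ts, outcome, user, ip in parse(lines):
        if outcome == "Failed":
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
            recent[ip].append(ts)
            if len(recent[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, len(recent[ip])))
        elif ip in flagged:
            alerts.append(("success_after_failures", ip, user))
    return alerts


# Constructed sshd log excerpt (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Mar 14 02:11:01 web1 sshd[4021]: Failed password for root from 198.51.100.23 port 40122 ssh2
Mar 14 02:11:03 web1 sshd[4023]: Failed password for invalid user admin from 198.51.100.23 port 40130 ssh2
Mar 14 02:11:05 web1 sshd[4025]: Failed password for invalid user butter from 198.51.100.23 port 40138 ssh2
Mar 14 02:11:06 web1 sshd[4027]: Failed password for root from 198.51.100.23 port 40142 ssh2
Mar 14 02:11:08 web1 sshd[4029]: Failed password for root from 198.51.100.23 port 40150 ssh2
Mar 14 02:11:09 web1 sshd[4031]: Accepted password for root from 198.51.100.23 port 40158 ssh2
Mar 14 02:31:10 web1 sshd[4102]: Accepted publickey for deploy from 203.0.113.5 port 51002 ssh2
"""
```

`detect(SAMPLE_LOG.splitlines())` yields the brute-force alert on the fifth failure and the follow-up alert on the accepted root login; the key-based deploy login from a different source raises nothing.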
22. @laceworklabs
REMOTE CODE EXECUTION
• A vulnerability that allows a remote
attacker to execute code.
• A frequent occurrence with so many
technology stacks, new CVEs every
week
• Years old vulnerabilities still a major
issue
• Very common infection vector in the
public cloud
23. @laceworklabs
REDIS EXPLOIT EXAMPLE
• Honeypot running Redis 2.8.4 on
Ubuntu 14.04
• Redis exposed to open internet (TCP
port 6379)
• Redis quickly exploited via Lua
vulnerability CVE-2015-4335
• Exploit contains payload to download
install script
• Install script downloads backdoor and miner,
kills competing miners, and sets up
persistence
24. @laceworklabs
RCE MITIGATIONS
• Patch early and often
• Control network access to services
• Have incident response plans in place
for 0-days (there will always be new
exploits)
• Reduce size of attack surface
• Minimal code base and OS
25. @laceworklabs
CONTAINER ESCAPES
• A vulnerability that allows escape
from a sandbox or container can
mean access to the host operating
system or hypervisor.
• Biggest concern since popularization
of containers
• Occurs from both misconfigs and
exploits
• Containerized applications share host
resources, escape can lead to attacks
on other containers
• Containers not a full sandbox
26. @laceworklabs
RUNC CONTAINER ESCAPE VULNERABILITY
• CVE-2019-5736: Execution of malicious
containers allows for container escape
and access to host filesystem
• First major container escape of its kind
• Root user in container or specially
crafted container could overwrite runc
binary with new binary of their
choosing
• Runc used in most container platforms,
most notably Docker
27. @laceworklabs
CONTAINER ESCAPE MITIGATIONS
• Follow container best practices to
minimize chance of successful escape
• Privileged container policy
• Read-only root filesystem
• 0-days are very rare and difficult to
detect
• Prepare for rapid response: update
container platforms and the operating
system as soon as a vulnerability is
announced
28. @laceworklabs
SUPPLY CHAIN COMPROMISE
• “Trusted” software is compromised
• Common vectors:
• Container image repos
• 3rd party applications
• Open source projects
29. @laceworklabs
DOCKER HUB IMAGES BACKDOORED
• May ‘17 – Feb ’18: 17 malicious
images uploaded to Docker Hub
• Images contained Cryptojacking
capabilities
• Images downloaded over 5M times
• First reported in Sept ‘17, removed in
May ‘18
• Attackers earned $90K
30. @laceworklabs
SUPPLY CHAIN COMPROMISE MITIGATIONS
• Container Images:
• Build your own
• Use official images if needed
• Control access to repo
• Image Scanning
• Use least privileges for integrated
CI/CD tools
• Git signing & image verification
• Be wary of how open source projects
are maintained
• If possible, understand the security of 3rd
party vendors
32. @laceworklabs
MALWARE
• Any software designed to damage a
computer, server, client, or computer
network.
• RATs, trojans, backdoors,
downloaders, ransomware, etc.
• Recent Linux malware is modular in
nature typically containing backdoor,
propagation, and mining module
• Typical cloud chain of events is exploit
-> install script -> backdoor ->
additional modules
• Shell scripts & ELF binaries for Linux
33. @laceworklabs
EXAMPLE – XBASH
• Prolific malware family reported in 2018
• Targets Linux & Windows
• Attributed to Iron Group
• Ransomware, coinmining, propagation, and
botnet capabilities
• Self propagation by attacking weak password
and application vulnerabilities
• Ransomware is actually data-destroying (no
recovery), attacks databases in Linux
• Developed in Python
• Reported by Unit42
34. @laceworklabs
CRYPTOJACKING
• Using someone else's compute and
resources to mine cryptocurrencies.
• Started taking off in 2017
• Coinhive started wave of new
techniques to scale
• Could be packaged with or without
malware
• Used in public cloud, browsers, PCs,
IoT, phones, and even Industrial OT
• Monero currently most popular coin
to mine illicitly
35. @laceworklabs
CRYPTOJACKING EXAMPLE
• MicroK8s Honeypot
• Open APIs & Dashboards
• Attacker scans API
• Adds ReplicationController
• 5 replicas of CentOS w/ curl
commands to download XMRig & config
37. @laceworklabs
RANSOMWARE
• Malware that encrypts files and asks for payment to unlock said files.
• Was very prevalent prior to cryptojacking
• Some ransomware doesn’t unlock files
• Used by criminal and APT groups
• Good security posture can mitigate effects, especially in the cloud
38. @laceworklabs
BRIEF HISTORY RANSOMWARE
• CryptoLocker – One of the most notable early ransomware families 2013-14
• TeslaCrypt – Targeted video game files in 2016
• SimpleLocker – Targeted Android in 2015-16
• WannaCry – One of the first malware families to utilize leaked NSA tools in 2017
• NotPetya – Piggy-backed off the WannaCry wave in 2017
• SamSam – Targeted ransomware-as-a-service in 2015, indictments in 2018
• Ryuk – Targeted ransomware with a big hit in 2018-19
42. @laceworklabs
Lacework’s Benefits for Security & DevOps
Security Teams
Automated Security
Eliminates repetitive, labor-intensive
work by completely automating threat
detection, workload security, and
compliance
Accurate & Actionable
Removes false positives and alert fatigue
by only delivering accurate, actionable
security alerts
Single Pane of Glass
Provides a single platform for multicloud
security and eliminates the need to
deploy multiple un-integrated security
products
DevOps
High velocity security
Builds security into the development
pipeline to ensure security operates at
the speed of DevOps
Built for modern
infrastructure
Natively built to support security and
threat detection for containers and
Kubernetes orchestration
Engineered for cloud scale
Designed to support very large cloud
deployments consisting of thousands of
server hosts and hundreds of accounts
43. @laceworklabs
About Lacework
1.5 Trillion+
events analyzed
(24B added per day)
AWS, Azure, GCP
Security Partner
Backed by:
Sutter Hill Ventures
Liberty Global
Ventures
Spike Ventures
WIN
AME Cloud Ventures
2018
“I’m extremely happy with Lacework. I
sleep better at night knowing we have
full visibility into our cloud operations.
It was the ONE tool that checked all my
security boxes.”
- Devin Ertel, Head of Security
44. @laceworklabs
FREE CLOUD RISK & THREAT ASSESSMENT
Run a free 30-day Lacework deployment
Understand your cloud risk exposure
Detect threats & abnormal cloud behaviors
Get deep security visibility
Improve compliance & security posture
10-minute setup
lacework.com/free
45. @laceworklabs
FINAL THOUGHTS
• Cloud security is still fairly new
• Visibility is difficult
• Shared Responsibility Model
• Is cloud security the wild west?
(think M$ in the early days)
• Moving towards more or less secure
model?
• Sec more Dev savvy or opposite?
46. @laceworklabs
RESOURCES
1. Bread & Butter - https://www.guardicore.com/2018/11/butter-brute-force-ssh-attack-tool-evolution/
2. Xbash - https://unit42.paloaltonetworks.com/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
3. Top Ransomware Families - https://www.csoonline.com/article/3212260/the-5-biggest-ransomware-attacks-of-the-last-5-years.html
4. Lucky Ransomware - https://www.lacework.com/elf-of-the-month-new-lucky-ransomware-sample/
5. Anatomy of a Redis Exploit - https://www.lacework.com/anatomy-of-a-redis-exploit/
6. Runc CVE - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
7. Sacked IT guy annihilates 23 of his ex-employer’s AWS servers - https://nakedsecurity.sophos.com/2019/03/22/sacked-it-guy-annihilates-23-of-his-ex-employers-aws-servers/
8. Docker Hub Backdoored Images - https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/