Detecting AWS control plane abuse in an actionable way using Det{R}ails

Monitoring events will always be a big challenge for defensive teams. Now, with the increasing adoption of cloud by enterprises, new data sources are needed to monitor these services and detect security incidents. In the AWS Cloud ecosystem, the primary source of visibility into control plane activity is CloudTrail. Leveraging CloudTrail allows you to observe any action that happens in the AWS services you use, with a small set of exceptions. The AWS service APIs provide around 7,000 different actions (and growing!) that, when logged, give a lot of extra information that can be correlated and used to find malicious activity. However, as with most data sources, it is very noisy. Plus, its events lack critical contextual information that threat hunters need. Security analysts and incident responders need to triage and act upon suspected incidents quickly. Additionally, since it is focused on logging API calls in a very complicated kind of environment, there is a big learning curve for traditional security staff without extensive cloud expertise. In this talk, we will present a proposed methodology for security incident detection using CloudTrail logs. We will cover event enrichment, simple alerts, and how to use Sigma rules, Jupyter, TheHive, and the Elastic Stack to perform more in-depth detection, exploration, and visualization of the data. The work we are developing is a project called Det{R}ails, which will be open-sourced shortly. Det{R}ails can operate in real time or be used standalone to investigate an incident. All it requires is access to the S3 bucket where you are saving your CloudTrail events. Besides that, we have schemas to enrich the data with your company context, which makes your visualizations much more accurate and, as the first goal, improves prioritization.

Published in: Technology
  1. Detecting AWS control plane abuse in an actionable way using Det{R}ails. Felipe “Pr0teus” Esposito (@pr0teusBR), Rodrigo “Sp0oKeR” Montoro (@spookerlabs)
  2. About us
  3. Agenda: 1. AWS Threats; 2. CloudTrail overview; 3. Det{R}ails Structure; 4. Scenarios Simulation; 5. Conclusions / Future
  4. AWS Threats: Control Plane
  5. Control Plane Threats: Anywhere
  6. Lateral Movement, Pivoting everywhere: IaaS, PaaS, SaaS, FaaS, Application, Control Plane; On Premises, Cloud
  7. Threat Mindmap
  8. CloudTrail Overview
  9. CloudTrail: Who? What? When? From where? Logs activity across regions, accounts and organizations into a centralized location. Simple format (JSON). Records all the AWS Control Plane API requests. Saves logs to S3 roughly every 15 min. Hundreds of different fields.
  10. CloudTrail
  11. Det{R}ails Structure
  12. Elastic Stack, Det{R}ails, Enrichments
  13. Cloudsplaining: ● AWS IAM Security Assessment Tool ● Author Kinnaird McQuade (Salesforce) ● Released on 30/04/2020 ● Current version 0.2.2 (06/10/2020)
  14. Enrichment Flow
  15. Det{R}ails Enrichment Databases: ● Cloudsplaining mapping: ○ # infrastructure modification actions ○ # data exfiltration actions ○ # privilege escalation actions ○ # resource exposure actions ○ Services Affected ● Geo Location ● Login Time ● ATT&CK Mapping ● Actions: ○ Access Level ○ Risk Level ○ Severity ● Browser / OS data based on user agent
  16. Detection Dashboards (1/2)
  17. Detection Dashboards (2/2)
  18. Use Case Examples
  19. Scenario One: There is a policy rolling back
  20. Exploitation Route. Source: https://github.com/appsecco/attacking-cloudgoat2/blob/master/documentation/src/scenario1-iam_privesc_by_rollback.md
  21. Exploitation Route Detection: geoip “whoami” Detection; geoip risk_level Detection; geoip user_level risk_level Uncommon actions Detection; Compare “malicious” actions Detection
  22. Exploitation Detection: Power Actions before privesc; Power Actions after privesc
  23. Scenario Two: Catching PACU
  24. Exploitation Route: SSRF Metadata → Pacu Profile Use → Pacu Enumeration → Pacu PrivEsc → Cloud Admin
  25. Exploitation Route Detection: Application Log Detection; Super Power actions Detection; SSRF Metadata → Pacu Profile Use → Pacu Enumeration → Pacu PrivEsc → Cloud Admin; Endpoint Monitoring Detection; STS Key sources IP Analysis User-Agent Detection; Risk Level Access Level Behavior Detection; PrivEsc Actions User Level Detection
  26. Exploitation Detection: STS Key sources IP Analysis User-Agent Detection; Risk Level Access Level Behavior Detection; Super Power actions Detection; PrivEsc Actions User Level Detection
  27. Future Work: ● Improve use cases tests and detection ● Create Jupyter Playbooks ● More enrichments ● Analyze more Services ● Create ElastAlert rules ● Enrich with CSPM tool results ● Publish code somewhere in near future =)
  28. Thank you! @pr0teusbr @spookerlabs @tenchisecurity Questions?
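As an added example (not Det{R}ails code, which had not been published when this talk was given), the Python below sketches the enrichment idea from slide 15 and the Scenario One detections from slides 21 and 22: each CloudTrail record gets an access level and risk category from a small lookup table (the labels are assumptions standing in for Cloudsplaining's real mapping) plus a user-agent family, and a policy rollback is flagged with the actor's power-action counts before and after it. The CloudTrail records are constructed, not real logs.

```python
# Constructed mini enrichment database (assumption: labels chosen for illustration,
# not Cloudsplaining's real mapping): eventName -> (access level, risk category).
ACTION_DB = {
    "GetCallerIdentity": ("Read", "whoami"),
    "ListPolicyVersions": ("List", "enumeration"),
    "SetDefaultPolicyVersion": ("Permissions management", "privilege escalation"),
    "CreateUser": ("Write", "infrastructure modification"),
    "PutBucketPolicy": ("Permissions management", "resource exposure"),
}
POWER_LEVELS = {"Write", "Permissions management"}  # "power actions" in the slides' sense

def enrich(record):
    """Return a copy of a CloudTrail record with access/risk labels and a user-agent family."""
    level, risk = ACTION_DB.get(record["eventName"], ("Unknown", "unknown"))
    ua = record.get("userAgent", "")
    family = "aws-cli" if ua.startswith("aws-cli") else "boto3" if "Boto3" in ua else "other"
    return {**record, "actor": record["userIdentity"]["arn"], "access_level": level,
            "risk_category": risk, "ua_family": family}

def detect_policy_rollback(records):
    """Flag a SetDefaultPolicyVersion preceded by ListPolicyVersions from the same actor,
    and count that actor's power actions before and after the suspected privesc."""
    evs = sorted((enrich(r) for r in records), key=lambda e: e["eventTime"])
    hits = []
    for i, e in enumerate(evs):
        if e["eventName"] != "SetDefaultPolicyVersion":
            continue
        mine = lambda p: p["actor"] == e["actor"]
        before, after = [p for p in evs[:i] if mine(p)], [p for p in evs[i + 1:] if mine(p)]
        if any(p["eventName"] == "ListPolicyVersions" for p in before):
            hits.append({"actor": e["actor"], "eventTime": e["eventTime"],
                         "power_before": sum(p["access_level"] in POWER_LEVELS for p in before),
                         "power_after": sum(p["access_level"] in POWER_LEVELS for p in after)})
    return hits

# Constructed sample records (not real logs), trimmed to the fields used above.
DEV, OPS = "arn:aws:iam::111122223333:user/dev", "arn:aws:iam::111122223333:user/ops"
def rec(t, name, arn, ua):  # helper to build a constructed CloudTrail record
    return {"eventTime": t, "eventName": name, "userIdentity": {"arn": arn}, "userAgent": ua}
CLI = "aws-cli/1.18.69 Python/3.8.5"
SAMPLE = [
    rec("2020-10-01T10:00:00Z", "GetCallerIdentity", DEV, CLI),
    rec("2020-10-01T10:01:00Z", "ListPolicyVersions", DEV, CLI),
    rec("2020-10-01T10:02:00Z", "SetDefaultPolicyVersion", DEV, CLI),
    rec("2020-10-01T10:05:00Z", "CreateUser", DEV, "Boto3/1.14.0 Python/3.8.5"),
    rec("2020-10-01T09:30:00Z", "PutBucketPolicy", OPS, "console.amazonaws.com"),
]
if __name__ == "__main__":
    print(detect_policy_rollback(SAMPLE))
```

The same pattern extends to the other enrichments on slide 15 (geoip, login time, ATT&CK mapping) by adding lookups keyed on sourceIPAddress, eventTime and eventName.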