Honey Dripping From The Cloud | BSides BHAM

Kumar Ashwin
October 15, 2021

This talk was given by Kumar Ashwin and Hrushikesh Kakade at a virtual conference at BSides Birmingham.

Abstract
---
Migrating to the cloud opens up new possibilities for an organization, but at the same time, it also increases the attack vectors for an adversary. In the cloud, the perimeter security alone won't help in keeping the bad actors away. Organisations too need to think out of the box.

The cloud is mostly secure by default: going by the responsibility matrix, most of the activities are handled by the cloud provider, but certain things fall on the tenant. The majority of vulnerabilities arise from misconfiguration issues in these three areas.

- Everything Client Side
- Data in Transit and Rest
- Identity and Access Management

This talk will be about looking at a cloud infrastructure from an attacker's point of view and discovering how honeypots can help the defenders, keeping the bad actors away from the cloud infrastructure of your organisation.

We will be covering:
- Attacker's point of view on attacking AWS infrastructure.
- Deployment of some luring components (like Honeypots and Honey Tokens)
- Benefits of this deployment from a defender's perspective.

Transcript

  1. Honey Dripping from the Cloud
    Attacking and Defending Cloud Infrastructure
    Hrushikesh Kakade | Kumar Ashwin
    BsidesBHAM

  2. About Us
    Hrushikesh Kakade (Security Engineer @ MPL)
    ● Cloud & Cloud Native Security
    ● Application Security
    ● DevSecOps
    ● Twitter Handle: @hkh4cks
    Kumar Ashwin (Security Consultant @ Payatu)
    ● Cloud Security
    ● Web Security
    ● DevSecOps
    ● Twitter Handle: @0xCardinal

  3. What are we going to cover?
    ➔ Common Misconfigurations In Cloud
    ➔ Defensive Techniques To Secure Cloud Infrastructure
    ➔ What Are “Honeypots”?
    ➔ How HoneyPots Can Be Helpful?
    ➔ Different Implementation Techniques
    ➔ Demo
    ➔ QnA?

  4. Common Misconfigurations In Cloud
    ➔ EC2 Instance Misconfiguration
    ➔ S3 Misconfiguration
    ➔ Misconfigured Security Groups
    ➔ Bad AWS IAM Policies

  5. EC2 Instance Misconfiguration
    ➔ Public Snapshots
    ➔ Vulnerable Web Apps Hosted on EC2 leading to SSRF
    ➔ Firewall Misconfiguration
    Common Misconfigurations In Cloud

  6. Examples

  7. S3 Misconfiguration
    https://hackerone.com/reports/998981
    https://hackerone.com/reports/764243
    https://blog.detectify.com/2017/07/13/aws-s3-misconfiguration-explained-fix/
    https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/
    Common Misconfigurations In Cloud
    ➔ Defining “Full Control” access to Authenticated AWS Users.
    ➔ Enabling “write” access to “Everyone” group.
    ➔ Misconfiguring object and bucket ACLs.
    ➔ And many more...

  8. Misconfigured Security Groups
    Common Misconfigurations In Cloud
    ➔ Security Groups are the virtual firewall for your AWS resources. They
    define what comes in and what goes out.
    ➔ Over-exposure of your AWS resources.
    ➔ Exposing to all interfaces.
    ➔ If it works, don’t touch it.
    Source: Google

  9. Bad IAM Policies
    Common Misconfigurations In Cloud
    ➔ IAM policies are objects that, when associated with an identity or
    resource, define its permissions.
    https://kloudle.com/blog/iam-bad-privilege-escalation-using-misconfigured-policies-in-aws-iam-webinar

  10. Defence Against Common Misconfigurations In Cloud

  11. Source: NotSoSecure

  12. EC2 Instance Misconfiguration
    ➔ Keep a close eye on the resources you own and what you make public
    ➔ Use IMDSv2 or deny access to the Metadata service
    ➔ Only allow the least that is required
    Defense Against Common Misconfigurations In Cloud
    https://blog.appsecco.com/server-side-request-forgery-ssrf-and-aws-ec2-instances-after-instance-meta-data-service-version-38fc1ba1a28a
    https://summitroute.com/blog/2017/08/13/defensive_options_when_using_aws_iam_roles/

  13. S3 Misconfiguration
    https://medium.com/geekculture/defending-in-depth-s3-buckets-66883620ea4c
    ➔ Define the least privileged access to the bucket and review those
    permissions on a regular basis across all buckets.
    ➔ Enable Encryption
    ➔ Enable Bucket Versioning
    ➔ Enable “Block Public Access” for buckets that should never be public
    ➔ Ensure the logging access is enabled to track access requests
    Defense Against Common Misconfigurations In Cloud

  14. Misconfigured Security Groups
    Defense Against Common Misconfigurations In Cloud
    ➔ Limit the ingress and egress rules
    ➔ Remove unused security groups

  15. Bad IAM Policies
    ➔ Restrict access based on Condition Keys like SourceIp, SourceVpc,
    etc.
    ➔ Limit the AWS privileges granted
    Defense Against Common Misconfigurations In Cloud
    https://summitroute.com/blog/2017/08/13/defensive_options_when_using_aws_iam_roles/

  16. Defense Against Common Misconfigurations In Cloud
    AWS Services for Security
    ➔ GuardDuty
    ➔ Inspector
    ➔ Macie

  17. Out Of The Box Security Strategies
    Before getting into that, let’s understand what HoneyPots are.

  18. What are HoneyPots?

    Honeypots are decoy systems or servers deployed alongside
    production systems within your network. When deployed as enticing
    targets for attackers, honeypots can add security monitoring
    opportunities for blue teams and misdirect the adversary from their
    true target.
    Source: Rapid7

  19. How can HoneyPots be helpful?
    ➔ They break the attacker kill chain and slow attackers down.
    ➔ They are straightforward and low-maintenance
    ➔ They help you test your incident response processes

  20. Out Of The Box Security Strategies
    ➔ HoneyPots have been seen to have high benefits in on-prem
    infrastructure, so why not implement them in the cloud?
    ➔ For doing so, we have different strategies that we can implement.
    ➔ Deployment of honeypots depends heavily on creativity and
    requirements.
    ➔ But more than that, it depends on constant logging and monitoring.

  21. Demo

  23. Questions?

  24. Thanks BsidesBHAM! :)
    0xCardinal - Kumar Ashwin | hkh4cks - Hrushikesh Kakade
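
The honey tokens from the abstract and slide 20's point about constant logging and monitoring, as an added example that is not from the talk or its demo: a small detector that scans CloudTrail-style records for any use of a decoy access key or decoy bucket. The key IDs, bucket names and log records are constructed for illustration; only the CloudTrail field names are real.

```python
import json

# Assumed decoys (constructed values): a key planted where only an intruder
# would find it, and a bucket that no workload ever reads.
HONEY_KEY_IDS = {"AKIAEXAMPLEHONEY0001"}
HONEY_BUCKETS = {"payroll-backup-decoy"}

def _rec(time, src, name, key, ip, params=None, error=None):
    """Build one constructed CloudTrail-style record."""
    rec = {"eventTime": time, "eventSource": src, "eventName": name,
           "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key},
           "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample log, not real telemetry.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2021-10-15T09:00:03Z", "s3.amazonaws.com", "PutObject",
         "AKIAEXAMPLEPROD00001", "10.0.4.12", {"bucketName": "app-uploads"}),
    _rec("2021-10-15T09:02:11Z", "sts.amazonaws.com", "GetCallerIdentity",
         "AKIAEXAMPLEHONEY0001", "203.0.113.50"),
    _rec("2021-10-15T09:02:40Z", "s3.amazonaws.com", "ListBuckets",
         "AKIAEXAMPLEHONEY0001", "203.0.113.50", error="AccessDenied"),
    _rec("2021-10-15T09:05:27Z", "s3.amazonaws.com", "GetObject",
         "ASIAEXAMPLEROLE00001", "198.51.100.7",
         {"bucketName": "payroll-backup-decoy", "key": "2021/salaries.csv"}),
]})

def honey_hits(trail_json):
    """Return one alert per record that touches a decoy, oldest first."""
    hits = []
    for rec in json.loads(trail_json).get("Records", []):
        ident = rec.get("userIdentity") or {}
        params = rec.get("requestParameters") or {}  # null for many API calls
        reasons = []
        if ident.get("accessKeyId") in HONEY_KEY_IDS:
            reasons.append("honey-token-key")
        if params.get("bucketName") in HONEY_BUCKETS:
            reasons.append("decoy-bucket")
        if reasons:
            # A denied call still counts: the decoy has no legitimate users.
            hits.append({"time": rec["eventTime"], "ip": rec.get("sourceIPAddress"),
                         "event": rec["eventName"], "reasons": reasons,
                         "denied": "errorCode" in rec})
    return sorted(hits, key=lambda h: h["time"])

if __name__ == "__main__":
    for hit in honey_hits(SAMPLE_TRAIL):
        print(hit)
```

Because nothing legitimate ever uses the decoys, every hit is worth paging on, including the denied `ListBuckets` call.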
