Honey Dripping From The Cloud | BSides BHAM

This talk was given by Kumar Ashwin and Hrushikesh Kakade at a virtual conference at BSides Birmingham.

Abstract
---
Migrating to the cloud opens up new possibilities for an organization, but at the same time it also widens the attack surface available to an adversary. In the cloud, perimeter security alone won't keep the bad actors away; organisations need to think out of the box as well.

The cloud is mostly secure by default: in the shared responsibility matrix, most activities are handled by the cloud provider, but certain things fall on the tenant. The majority of vulnerabilities are found because of misconfiguration in these three areas:

- Everything Client Side
- Data in Transit and Rest
- Identity and Access Management

This talk looks at a cloud infrastructure from an attacker's point of view and shows how honeypots can help defenders keep the bad actors away from your organisation's cloud infrastructure.

We will be covering:
- Attacker's point of view on attacking AWS infrastructure.
- Deployment of some luring components (like Honeypots and Honey Tokens).
- Benefits of this deployment from a defender's perspective.

Kumar Ashwin

October 15, 2021
Transcript

  1. Honey Dripping from the Cloud: Attacking and Defending Cloud Infrastructure
    Hrushikesh Kakade | Kumar Ashwin, BsidesBHAM
  2. About Us
    Hrushikesh Kakade (Security Engineer @ MPL)
    ➔ Cloud & Cloud Native Security
    ➔ Application Security
    ➔ DevSecOps
    ➔ Twitter Handle: @hkh4cks
    Kumar Ashwin (Security Consultant @ Payatu)
    ➔ Cloud Security
    ➔ Web Security
    ➔ DevSecOps
    ➔ Twitter Handle: @0xCardinal
  3. What are we going to cover?
    ➔ Common Misconfigurations In Cloud
    ➔ Defensive Techniques To Secure Cloud Infrastructure
    ➔ What Are “Honeypots”?
    ➔ How Can HoneyPots Be Helpful?
    ➔ Different Implementation Techniques
    ➔ Demo
    ➔ QnA
  4. Common Misconfigurations In Cloud
    ➔ EC2 Instance Misconfiguration
    ➔ S3 Misconfiguration
    ➔ Misconfigured Security Groups
    ➔ Bad AWS IAM Policies
  5. Common Misconfigurations In Cloud: EC2 Instance Misconfiguration
    ➔ Public Snapshots
    ➔ Vulnerable Web Apps Hosted on EC2 leading to SSRF
    ➔ Firewall Misconfiguration
  6. Examples
  7. Common Misconfigurations In Cloud: S3 Misconfiguration
    ➔ Defining “Full Control” access to Authenticated AWS Users.
    ➔ Enabling “write” access to the “Everyone” group.
    ➔ Misconfiguring object and bucket ACLs.
    ➔ And many more...
    References:
    https://hackerone.com/reports/998981
    https://hackerone.com/reports/764243
    https://blog.detectify.com/2017/07/13/aws-s3-misconfiguration-explained-fix/
    https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/
  8. Common Misconfigurations In Cloud: Misconfigured Security Groups
    ➔ Security Groups are the virtual firewall for your AWS resources. They define what comes in and what goes out.
    ➔ Over-exposure of your AWS resources.
    ➔ Exposing to all interfaces.
    ➔ “If it works, don’t touch it.”
    Source: Google
  9. Common Misconfigurations In Cloud: Bad IAM Policies
    ➔ IAM policies are objects that, when attached to an identity or resource, define its permissions.
    https://kloudle.com/blog/iam-bad-privilege-escalation-using-misconfigured-policies-in-aws-iam-webinar
  10. Defence Against Common Misconfigurations In Cloud
  11. Source: NotSoSecure
  12. Defense Against Common Misconfigurations In Cloud: EC2 Instance Misconfiguration
    ➔ Keep a close eye on the resources you own and on what you make public
    ➔ Use IMDSv2 or deny access to the metadata service
    ➔ Allow only the least that is required
    https://blog.appsecco.com/server-side-request-forgery-ssrf-and-aws-ec2-instances-after-instance-meta-data-service-version-38fc1ba1a28a
    https://summitroute.com/blog/2017/08/13/defensive_options_when_using_aws_iam_roles/
  13. Defense Against Common Misconfigurations In Cloud: S3 Misconfiguration
    ➔ Define the least privileged access to the bucket and review those permissions on a regular basis across all buckets.
    ➔ Enable Encryption
    ➔ Enable Bucket Versioning
    ➔ Enable “Block Public Access” for buckets that should never be public
    ➔ Ensure access logging is enabled to track access requests
    https://medium.com/geekculture/defending-in-depth-s3-buckets-66883620ea4c
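Slide 7 names the dangerous ACL grants (“Full Control” to Authenticated AWS Users, “write” to Everyone) and slide 13 asks for a regular review of bucket permissions across all buckets. The script below is an added example, not part of the deck: it performs that review over documents shaped like the S3 GetBucketAcl response. The bucket names and ACLs are constructed; in practice the input would be boto3's `get_bucket_acl` output.

```python
from typing import Dict, List

# Predefined S3 groups: "Everyone" in the console is AllUsers, and
# "Authenticated AWS Users" means any AWS account at all, not only yours.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Severity of each ACL permission when granted to one of those global groups.
SEVERITY = {
    "FULL_CONTROL": "CRITICAL",  # bucket takeover
    "WRITE": "CRITICAL",         # anyone can add or replace objects
    "WRITE_ACP": "CRITICAL",     # anyone can rewrite the ACL itself
    "READ": "HIGH",              # anyone can list the bucket
    "READ_ACP": "MEDIUM",        # leaks the grant list
}

def audit_bucket_acl(bucket: str, acl: Dict) -> List[Dict]:
    """Return one finding per grant to AllUsers or AuthenticatedUsers. ``acl`` is
    an S3 GetBucketAcl response, i.e. what boto3's get_bucket_acl(Bucket=...) returns."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        # Only group grants can hand access to the whole world; grants to a
        # specific canonical user need account-level review instead.
        if grantee.get("Type") != "Group" or grantee.get("URI") not in (ALL_USERS, AUTH_USERS):
            continue
        perm = grant["Permission"]
        findings.append({"bucket": bucket, "permission": perm,
                         "grantee": grantee["URI"].rsplit("/", 1)[-1],
                         "severity": SEVERITY.get(perm, "MEDIUM")})
    return findings

def audit_all(acls: Dict[str, Dict]) -> List[Dict]:
    """Review every bucket's ACL, as slide 13 recommends doing on a regular basis."""
    return [f for name, acl in acls.items() for f in audit_bucket_acl(name, acl)]

# Constructed sample ACLs (not real buckets): a takeover-able backup bucket,
# a world-writable upload bucket and a correctly configured log bucket.
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"
SAMPLE_ACLS = {
    "corp-backups": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "FULL_CONTROL"}]},
    "public-uploads": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "access-logs": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"}]},
}
```

The LogDelivery grant on the log bucket is deliberately not flagged: it is what access logging needs, while the other two buckets show the two patterns slide 7 warns about.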
  14. Defense Against Common Misconfigurations In Cloud: Misconfigured Security Groups
    ➔ Limit the ingress and egress rules
    ➔ Remove unused security groups
  15. Defense Against Common Misconfigurations In Cloud: Bad IAM Policies
    ➔ Restrict access based on Condition Keys like SourceIp, SourceVpc, etc.
    ➔ Limit the AWS privileges granted
    https://summitroute.com/blog/2017/08/13/defensive_options_when_using_aws_iam_roles/
  16. Defense Against Common Misconfigurations In Cloud: AWS Services for Security
    ➔ GuardDuty
    ➔ Inspector
    ➔ Macie
  17. Out Of The Box Security Strategies
    Before getting into that, let’s understand what HoneyPots are.
  18. What are HoneyPots?
    “Honeypots are decoy systems or servers deployed alongside production systems within your network. When deployed as enticing targets for attackers, honeypots can add security monitoring opportunities for blue teams and misdirect the adversary from their true target.”
    Source: Rapid7
  19. How can HoneyPots be helpful?
    ➔ They break the attacker kill chain and slow attackers down.
    ➔ They are straightforward and low-maintenance.
    ➔ They help you test your incident response processes.
  20. Out Of The Box Security Strategies
    ➔ HoneyPots have been seen to have high benefits in on-prem infrastructure, so why not implement them in the cloud?
    ➔ For doing so, we have different strategies that we can implement.
    ➔ Deployment of honeypots is highly based on creativity and requirement.
    ➔ But more than that, it is based on constant logging and monitoring.
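Slides 19 and 20 make the point that a honeypot only pays off through constant logging and monitoring, and the abstract lists honey tokens among the luring components. As an added example that is not part of the talk, the script below watches CloudTrail records for any use of planted decoy access keys: a honey token is never used legitimately, so a single hit is a high-fidelity alert, even when the call itself was denied. The key IDs, the locations the tokens are planted in and the log records are all constructed placeholders.

```python
import json
from typing import Dict, Iterable, List

# Access key IDs of the planted honey tokens (constructed placeholders, not
# real keys), mapped to where each decoy was left so the alert says which
# lure the attacker found.
HONEY_TOKEN_KEYS = {
    "AKIAEXAMPLECANARY001": "decoy credentials file in s3://corp-backups/.aws/credentials",
    "AKIAEXAMPLECANARY002": "decoy key in the CI runner's environment file",
}

def detect_honey_token_use(records: Iterable[Dict]) -> List[Dict]:
    """Return one alert per CloudTrail record made with a honey token key.

    Records have the CloudTrail event shape: userIdentity.accessKeyId,
    eventTime, eventSource, eventName, sourceIPAddress, userAgent, errorCode.
    """
    alerts = []
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if key not in HONEY_TOKEN_KEYS:
            continue
        alerts.append({
            "time": rec["eventTime"],
            "key": key,
            "planted_at": HONEY_TOKEN_KEYS[key],
            "action": f"{rec.get('eventSource', '?')}:{rec['eventName']}",
            "source_ip": rec.get("sourceIPAddress"),
            "user_agent": rec.get("userAgent"),
            # AccessDenied still counts: the attacker holds the key and is probing.
            "denied": rec.get("errorCode") == "AccessDenied",
        })
    return alerts

# Constructed CloudTrail records (not real logs): one normal call by a real
# role, then two calls made with the first honey token from outside the VPC.
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventTime": "2021-10-15T09:00:01Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLELEGITROLE"},
  "sourceIPAddress": "10.0.12.7", "userAgent": "aws-sdk-go/1.40"},
 {"eventTime": "2021-10-15T09:14:33Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLECANARY001"},
  "sourceIPAddress": "203.0.113.45", "userAgent": "aws-cli/2.2.0"},
 {"eventTime": "2021-10-15T09:14:40Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLECANARY001"},
  "sourceIPAddress": "203.0.113.45", "userAgent": "aws-cli/2.2.0", "errorCode": "AccessDenied"}
]}""")["Records"]
```

In a real deployment the same function would run over records delivered by CloudTrail (for example through an S3 or EventBridge pipeline), with the alert routed to the on-call channel.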
  21. Demo
  22. (blank slide)
  23. Questions?
  24. Thanks BsidesBHAM! :)
    0xCardinal - Kumar Ashwin | hkh4cks - Hrushikesh Kakade