
2022-03-24_Doyensec - Infrastructure Review

A private talk delivered to the Doyensec team on 2022-03-24.

The talk is an extract of the blog post: What to look for when reviewing a company's infrastructure

Marco Lancini

March 24, 2022

Transcript

  1. securitybite.com / Marco Lancini / SecurityBite
     Reviewing a company’s infrastructure? What to look for
  2. 👋 Hello! I am Marco Lancini
     You can find me at @lancinimarco, https://www.marcolancini.it
     ▪ Work Life
       ◦ Started as a pentester at CEFRIEL, MWR
       ◦ Built security functions at Mastercard, Thought Machine, GitLab
       ◦ Currently, I'm a Staff Cloud Security Engineer at GitLab
     ▪ Outside of Work
       ◦ Curator of CloudSecList and CloudSecDocs
       ◦ Member of CNCF Security Technical Advisory Group (STAG)
       ◦ Maintainer of Cartography
       ◦ AWS Community Builder
  3. How to review a cloud environment? A structured approach
  4. Abstraction works in our favour
  5. 3 Phases
  6. The goal
     01 Familiarise yourself with a new environment
     02 Organically uncover its security risks
     03 Use the knowledge to inform mitigation strategies
  7. Phase 1: Cloud Providers
  8. Stage 1: Identify the primary CSP
  9. Stage 2: Understand the high-level hierarchy
     ▪ How many Organizations does the company have?
     ▪ How is each Organization designed? (OUs vs Folders)
     ▪ Split between env types?
     ▪ Which are critical?
     ▪ How are new Accounts created?
  10. Stage 2: Understand the hierarchy
  11. Stage 3: Understand what is running in the Accounts
      ▪ Container-heavy? (K8s, ECS, ...)
      ▪ Serverless? (Lambda, Cloud Function)
      ▪ VM-based? (EC2, …)
  12. Stage 3: Understand what is running in the Accounts
  13. Stage 4: Understand the network architecture
      ▪ What are the main entry points?
      ▪ What components are Internet-facing?
      ▪ How do customers get access?
      ▪ How do engineers get access?
      ▪ How are Accounts connected to each other?
      ▪ How is firewalling implemented?
      ▪ How is the edge protected?
      ▪ How is DNS managed?
      ▪ Any hybrid connectivity?
  14. Stage 5: Understand the current IAM setup
      ▪ Where are identities defined?
      ▪ Is an Identity Provider being used?
      ▪ Are identities federated?
      ▪ Is SSO being used?
      ▪ Are named users a common practice, or roles with short-lived tokens?
      ▪ How is authorization enforced? Principle of least privilege? RBAC?
      ▪ Processes for access requests and deprovisioning?
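The question of named users versus roles with short-lived tokens is one a reviewer can answer quickly from an IAM credential report. The following is an added example, not material from the talk: the CSV is constructed sample data whose column names follow the AWS IAM credential report (`aws iam get-credential-report`), so the same checks could be pointed at a real report, but every row, account id and user name here is invented, and the 90-day rotation threshold is an assumption.

```python
"""Flag named IAM users that rely on long-lived credentials.

Added example, not from the talk. The CSV below is constructed sample data;
its column names follow the AWS IAM credential report so the same checks
can be pointed at a real report, but every row here is invented.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report with deliberately mixed credential hygiene.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111111111111:root,2019-01-10T10:00:00+00:00,not_supported,false,true,2019-01-10T10:00:00+00:00,2022-03-20T08:00:00+00:00
alice,arn:aws:iam::111111111111:user/alice,2020-05-01T09:00:00+00:00,true,true,true,2022-03-01T09:00:00+00:00,2022-03-23T12:00:00+00:00
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2020-06-15T09:00:00+00:00,false,false,true,2020-06-15T09:00:00+00:00,2022-03-23T06:00:00+00:00
bob,arn:aws:iam::111111111111:user/bob,2021-02-01T09:00:00+00:00,true,false,false,N/A,N/A
"""

# Date of the review, fixed so the example is reproducible (assumed value).
REVIEW_DATE = datetime(2022, 3, 24, 12, tzinfo=timezone.utc)

def _parse_ts(value):
    """Return an aware datetime for a report timestamp, or None for N/A-style values."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)

def review_credential_report(report_csv, now=REVIEW_DATE, max_key_age_days=90):
    """Return (user, finding) tuples; each check maps to a question from this stage.

    * root account with an active access key (should not exist at all)
    * console password enabled without MFA
    * active access key older than max_key_age_days (a long-lived credential)
    """
    findings = []
    max_age = timedelta(days=max_key_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        key_active = row["access_key_1_active"] == "true"
        rotated = _parse_ts(row["access_key_1_last_rotated"])

        if user == "<root_account>":
            if key_active:
                findings.append((user, "root account has an active access key"))
            continue  # root's password/MFA fields are reported differently; skip user checks

        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))

        if key_active and rotated is not None and now - rotated > max_age:
            findings.append((user, f"access key not rotated for {(now - rotated).days} days"))
    return findings

def summarize(findings):
    """Group findings per identity so the reviewer gets one line per user."""
    by_user = {}
    for user, finding in findings:
        by_user.setdefault(user, []).append(finding)
    return by_user

if __name__ == "__main__":
    for user, issues in summarize(review_credential_report(SAMPLE_REPORT)).items():
        print(f"{user}: {'; '.join(issues)}")
```

A real report has more columns (second access key, certificates), and the same loop extends to them; the point of the exercise is that a machine user such as `ci-deploy` holding a key unrotated for two years is exactly the "named users with long-lived tokens" pattern the slide asks about, whereas a role assumed through the identity provider would never appear in this report at all.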
  15. Stage 6: Understand the current monitoring setup
      ▪ Are security-related logs collected?
      ▪ Which cloud services are being used?
      ▪ What kind of logs are ingested?
      ▪ Where are logs collected?
      ▪ How are logs analyzed? SIEM?
      ▪ Who has access?
  16. Stage 7: Understand the secrets management setup
      ▪ How are new secrets generated?
      ▪ Where are they stored?
      ▪ Is a secrets management solution being used?
      ▪ Processes around secrets management? Rotation? Revocation?
  17. Stage 8: Identify existing security controls
      ▪ Security boundaries?
      ▪ Off-the-shelf services from cloud providers?
      ▪ Other custom or 3rd party solutions?
  18. Stage 9: Get the low-hanging fruits
  19. Phase 2: Workloads
  20. Stage 1: Understand the high-level business offerings
      ▪ How many key functionalities?
      ▪ How are they designed?
      ▪ Which ones are critical?
  21. Stage 1: Understand the high-level business offerings
      ▪ Which ones are Internet-facing?
      ▪ Customer-facing?
      ▪ Time-critical?
      ▪ Stateful? Stateless?
      ▪ Batch processing?
      ▪ Back-office support?
  22. Stage 2: Identify the primary tech stack
      ▪ Container-based (K8s, ECS, etc.)?
      ▪ Serverless (Lambda)?
      ▪ VM-based (EC2)?
  23. Stage 3: Understand the network architecture (Kubernetes)
      ▪ How many clusters?
      ▪ Managed or self-hosted?
      ▪ Network boundaries?
      ▪ Single or multi-tenant?
      ▪ Exposed to the Internet?
      ▪ How do engineers connect?
  24. Stage 3: Understand the network architecture (Serverless)
      ▪ Data stores?
      ▪ App workers?
      ▪ API Gateway?
      ▪ Decoupling systems?
  25. Stage 3: Understand the network architecture (VMs)
      ▪ Exposed to the Internet?
      ▪ Which OS?
      ▪ How are hosts hardened?
      ▪ How do engineers connect?
      ▪ Pet vs cattle?
  26. Stage 4: Understand the current IAM setup
      ▪ How are devs troubleshooting?
      ▪ How is authz enforced?
      ▪ RBAC?
      ▪ Federation with cloud-native services? OIDC?
      ▪ Federation with third party services?
  27. Stage 5: Understand the current monitoring setup
      ▪ Are security-related logs collected at all?
      ▪ What kind of logs are being ingested?
      ▪ How are logs collected?
      ▪ Where are the logs forwarded?
      Kubernetes
      ▪ Are audit logs collected?
      ▪ Are System Calls and Kubernetes Audit Events collected via Falco?
      ▪ Is a data collector like fluentd used to collect logs?
      ▪ Is the data collector deployed as a Sidecar or DaemonSet?
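Whether Kubernetes audit logs are collected is only half the question; the other half is whether anyone looks at them for the handful of events a reviewer cares about. The following is an added example, not part of the talk, of that triage over a constructed audit log. The events are invented, but their field names (`stage`, `verb`, `user.username`, `objectRef`, `responseStatus`) follow the Kubernetes audit `Event` schema, so the same logic applies to real events forwarded by a collector such as fluentd; the choice of what counts as a "system" principal is an assumption of the example.

```python
"""Triage Kubernetes audit events for the access patterns a reviewer asks about.

Added example, not from the talk. The events are constructed, but their
field names follow the Kubernetes audit Event schema, so the same logic
applies to real audit logs forwarded by a collector such as fluentd.
"""
import json

# Constructed sample: one JSON event per line, as an audit webhook/log backend emits them.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    # Control-plane component reading a secret in kube-system: expected, not alerted.
    {"stage": "ResponseComplete", "verb": "get",
     "user": {"username": "system:kube-controller-manager", "groups": ["system:masters"]},
     "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "bootstrap-token"},
     "responseStatus": {"code": 200}, "sourceIPs": ["10.0.0.5"]},
    # The same request is logged at two stages; only ResponseComplete should count.
    {"stage": "RequestReceived", "verb": "get",
     "user": {"username": "alice@example.com", "groups": ["developers"]},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"},
     "sourceIPs": ["203.0.113.10"]},
    {"stage": "ResponseComplete", "verb": "get",
     "user": {"username": "alice@example.com", "groups": ["developers"]},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"},
     "responseStatus": {"code": 200}, "sourceIPs": ["203.0.113.10"]},
    # Interactive exec into a production pod by a human user.
    {"stage": "ResponseComplete", "verb": "create",
     "user": {"username": "alice@example.com", "groups": ["developers"]},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "api-7d9f"},
     "responseStatus": {"code": 101}, "sourceIPs": ["203.0.113.10"]},
    # Denied attempt to list every secret in the cluster (no namespace in objectRef).
    {"stage": "ResponseComplete", "verb": "list",
     "user": {"username": "bob@example.com", "groups": ["developers"]},
     "objectRef": {"resource": "secrets"},
     "responseStatus": {"code": 403}, "sourceIPs": ["198.51.100.7"]},
    # Routine read of pods: noise we do not want to surface.
    {"stage": "ResponseComplete", "verb": "list",
     "user": {"username": "bob@example.com", "groups": ["developers"]},
     "objectRef": {"resource": "pods", "namespace": "dev"},
     "responseStatus": {"code": 200}, "sourceIPs": ["198.51.100.7"]},
])

def is_system_principal(username):
    """Assumption of this example: control-plane components and service accounts
    (all named 'system:...') are baselined separately and not alerted on here."""
    return username.startswith("system:")

def triage_audit_log(raw_lines):
    """Return (rule, username, detail) tuples for events worth a reviewer's attention."""
    alerts = []
    for line in raw_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("stage") != "ResponseComplete":
            continue  # avoid counting one request at both RequestReceived and ResponseComplete
        user = event.get("user", {}).get("username", "")
        obj = event.get("objectRef", {})
        code = event.get("responseStatus", {}).get("code", 0)
        where = f"{obj.get('namespace', '<cluster>')}/{obj.get('name', '*')}"

        if obj.get("resource") == "secrets" and code == 403:
            alerts.append(("forbidden-secret-access", user, f"{event['verb']} secrets in {where}"))
        elif obj.get("resource") == "secrets" and not is_system_principal(user):
            alerts.append(("secret-read-by-user", user, f"{event['verb']} secret {where}"))
        elif obj.get("resource") == "pods" and obj.get("subresource") in ("exec", "attach"):
            alerts.append(("interactive-pod-access", user, f"{obj['subresource']} on pod {where}"))
    return alerts

if __name__ == "__main__":
    for rule, user, detail in triage_audit_log(SAMPLE_AUDIT_LOG):
        print(f"[{rule}] {user}: {detail}")
```

Two details matter when this is run against a real cluster: the audit policy must actually log `secrets` at `Metadata` level or above (a policy that drops them yields nothing to triage), and the `RequestReceived`/`ResponseComplete` pairing means a naive count of "secret reads" doubles without the stage filter shown above.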
  28. Stage 6: Understand the current secrets management setup
      ▪ Where are secrets fetched from?
      ▪ How are secrets made available?
      ▪ Is there a practice of hardcoding secrets?
      ▪ Secrets management solution?
      ▪ Are secrets bound to a specific workload?
      ▪ Processes around secret management defined? Revocation of secrets?
  29. Stage 7: Identify existing security controls
      ▪ Which controls have already been implemented?
      ▪ Highly dependent on the actual workloads
      Stage 8: Get the low-hanging fruits
      ▪ Tactical scan / benchmark suite
  30. Phase 3: Code
  31. Stage 1: Understand the code’s structure
      ▪ Monorepo vs multi-repos?
      ▪ CODEOWNERS?
      ▪ Protected branches?
      ▪ Code reviews via Pull Requests?
      ▪ Linters?
      ▪ Static analysis tools?
      ▪ Secrets detection tools?
  32. Stage 2: Understand the adoption of Infrastructure as Code
      ▪ Infrastructure as Code (IaC) frameworks?
      ▪ What is managed via IaC? What is not?
      ▪ How are third party modules sourced and vetted?
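"How are third party modules sourced and vetted?" can be answered mechanically from the IaC repository itself. The following is an added example, not from the talk, that reads a constructed Terraform snippet and reports the sourcing problems a reviewer would raise: registry modules without a version constraint, git-sourced modules with no `ref` or with a branch `ref` (so the deployed code floats), and sources from organisations outside an allow-list. The allow-list, the module names and the GitHub organisations are all invented for the example, and the parser is deliberately minimal (flat `module` blocks with no nested blocks), which is enough for the sample but not a general HCL parser.

```python
"""Check how third-party IaC modules are sourced and pinned.

Added example, not from the talk. Parses the constructed Terraform snippet
below with a deliberately minimal regex (flat `module` blocks only) and
reports sourcing problems: registry modules without a version, git modules
without a ref or with a branch ref, and sources outside an assumed allow-list.
"""
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample: six module blocks with deliberately mixed hygiene.
SAMPLE_TF = '''
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "3.14.0"
}

module "eks" {
  source = "terraform-aws-modules/eks/aws"
}

module "bastion" {
  source = "git::https://github.com/example-org/terraform-bastion.git?ref=v1.2.0"
}

module "monitoring" {
  source = "git::https://github.com/some-random-user/terraform-monitoring.git?ref=main"
}

module "internal" {
  source = "./modules/internal"
}

module "untracked" {
  source = "git::ssh://git@github.com/example-org/terraform-unpinned.git"
}
'''

# Assumption for the example: only modules from this (invented) GitHub org are vetted in-house.
APPROVED_GIT_ORGS = {("github.com", "example-org")}
BRANCH_LIKE_REFS = {"main", "master", "develop", "trunk"}

MODULE_RE = re.compile(r'module\s+"([^"]+)"\s*\{(.*?)\}', re.DOTALL)
ATTR_RE = re.compile(r'^\s*(source|version)\s*=\s*"([^"]*)"', re.MULTILINE)

def parse_modules(tf_text):
    """Return {module_name: {"source": ..., "version": ...}} for each flat module block."""
    modules = {}
    for name, body in MODULE_RE.findall(tf_text):
        attrs = dict(ATTR_RE.findall(body))
        modules[name] = {"source": attrs.get("source", ""), "version": attrs.get("version")}
    return modules

def check_git_source(name, source):
    """Findings for a 'git::' source: unknown org, missing ref, or branch ref."""
    findings = []
    url = urlparse(source[len("git::"):])
    host = url.netloc.split("@")[-1]          # drop the "git@" user part of ssh URLs
    org = url.path.strip("/").split("/")[0]
    if (host, org) not in APPROVED_GIT_ORGS:
        findings.append((name, f"source outside approved orgs: {host}/{org}"))
    ref = parse_qs(url.query).get("ref", [None])[0]
    if ref is None:
        findings.append((name, "git source has no ref: floats with the default branch"))
    elif ref in BRANCH_LIKE_REFS:
        findings.append((name, f"git source pinned to branch '{ref}' rather than a tag or commit"))
    return findings

def review_modules(tf_text):
    """Return (module_name, finding) tuples for every module that is not pinned or vetted."""
    findings = []
    for name, attrs in parse_modules(tf_text).items():
        source, version = attrs["source"], attrs["version"]
        if source.startswith(("./", "../")):
            continue  # local module: reviewed together with the rest of the repository
        if source.startswith("git::"):
            findings.extend(check_git_source(name, source))
        elif version is None:
            findings.append((name, "registry module without a version constraint"))
        elif any(op in version for op in (">", "~", "<", "!")):
            findings.append((name, f"loose version constraint '{version}'"))
    return findings

if __name__ == "__main__":
    for name, finding in review_modules(SAMPLE_TF):
        print(f"{name}: {finding}")
```

A pinned tag is still a mutable pointer; if the review concludes that third-party modules are a real supply-chain concern for the organisation, the follow-up question is whether tags are replaced by commit hashes or by modules vendored into an internal registry, both of which the same script can be taught to recognise.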
  33. Stage 3: Understand how CI/CD is set up
      ▪ Which CI/CD platform?
      ▪ IaC deployed via CI/CD?
      ▪ IaC tested and validated?
      ▪ Code provenance?
      ▪ Other security controls?
      ▪ SSDLC?
  34. Stage 4: Understand how the CI/CD platform is secured
  35. You’ve made it!
  37. This talk has been extracted from a (lengthy) blog post being released today:
      What to look for when reviewing a company's infrastructure
      More on this…
  38. Thanks! Any questions? You can find me at: @lancinimarco