2022-03-24_Doyensec - Infrastructure Review

A private talk delivered for Doyensec's team on 2022-03-24.

The talk is an extract of the blog post: What to look for when reviewing a company's infrastructure

Marco Lancini

March 24, 2022

Transcript

  1. Reviewing a company’s infrastructure? What to look for
    securitybite.com
    Marco Lancini / SecurityBite

  2. 👋 Hello!
    I am Marco Lancini
    You can find me at @lancinimarco
    https://www.marcolancini.it
    ▪ Work Life
    ○ Started as a pentester at CEFRIEL, MWR
    ○ Built security functions at Mastercard, Thought Machine, GitLab
    ○ Currently, I'm a Staff Cloud Security Engineer at GitLab
    ▪ Outside of Work
    ○ Curator of CloudSecList and CloudSecDocs
    ○ Member of CNCF Security Technical Advisory Group (STAG)
    ○ Maintainer of Cartography
    ○ AWS Community Builder

  3. How to review a cloud environment? A structured approach

  4. Abstraction works in our favour

  5. 3 Phases

  6. The goal
    01 Familiarise yourself with a new environment
    02 Organically uncover its security risks
    03 Use the knowledge to inform mitigation strategies

  7. Phase 1: Cloud Providers

  8. Stage 1: Identify the primary CSP

  9. Stage 2: Understand the high-level hierarchy
    ▪ How many Organizations does the company have?
    ▪ How is each Organization designed? (OUs vs Folders)
    ▪ Split between env types?
    ▪ Which are critical?
    ▪ How are new Accounts created?

  10. Stage 2: Understand the hierarchy

  11. Stage 3: Understand what is running in the Accounts
    ▪ Container-heavy? (K8s, ECS, ...)
    ▪ Serverless? (Lambda, Cloud Functions)
    ▪ VM-based? (EC2, ...)

  12. Stage 3: Understand what is running in the Accounts

  13. Stage 4: Understand the network architecture
    ▪ What are the main entry points?
    ▪ What components are Internet-facing?
    ▪ How do customers get access?
    ▪ How do engineers get access?
    ▪ How are Accounts connected to each other?
    ▪ How is firewalling implemented?
    ▪ How is the edge protected?
    ▪ How is DNS managed?
    ▪ Any hybrid connectivity?
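
The Stage 4 questions above (which components are Internet-facing, how firewalling is implemented) are usually answered by pulling the security groups out of each account and looking for ingress that is open to the world. The script below is an added example, not code from the deck or from the blog post it summarises: it runs over a constructed `describe-security-groups`-style structure (fake group ids) and ranks each world-open ingress rule, treating IPv6 `::/0` the same as `0.0.0.0/0`, which is a common blind spot. The port lists and the severity rules are this example's own assumptions.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (fake group ids, not taken from any real account).
SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-0example000000001",
        "GroupName": "web-alb",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-0example000000002",
        "GroupName": "legacy-db",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
            # IPv4 is limited to the private range, but the IPv6 side is wide open.
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
             "UserIdGroupPairs": []},
            # Group-to-group rule: not reachable from the Internet, so it is skipped.
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0example000000001"}]},
        ],
    },
]

# Ports that should never be reachable from the Internet (example's own list; extend to taste).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   6379: "Redis", 27017: "MongoDB"}
# Ports that are expected to be public on an edge component.
EXPECTED_PUBLIC_PORTS = {80, 443}


def is_world_open(cidr):
    """True if the CIDR covers the whole IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def port_range(perm):
    """(from, to) for a permission; protocol -1 or a negative port means all ports."""
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if perm.get("IpProtocol") == "-1" or lo is None or lo < 0:
        return 0, 65535
    return lo, hi


def find_internet_exposure(groups, sensitive=SENSITIVE_PORTS, expected=EXPECTED_PUBLIC_PORTS):
    """Flag ingress rules reachable from any address, most severe first."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_cidrs = [c for c in cidrs if is_world_open(c)]
            if not open_cidrs:
                continue
            lo, hi = port_range(perm)
            hit = {p: name for p, name in sensitive.items() if lo <= p <= hi}
            if hit or (lo, hi) == (0, 65535):
                severity = "high"
            elif lo == hi and lo in expected:
                severity = "info"
            else:
                severity = "medium"
            findings.append({
                "group": group["GroupId"], "name": group.get("GroupName", ""),
                "ports": (lo, hi), "from": open_cidrs,
                "services": sorted(hit.values()), "severity": severity,
            })
    order = {"high": 0, "medium": 1, "info": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["group"], f["ports"]))
    return findings


if __name__ == "__main__":
    for f in find_internet_exposure(SAMPLE_SECURITY_GROUPS):
        print(f"{f['severity']:<6} {f['group']} ({f['name']}) ports {f['ports']} "
              f"from {','.join(f['from'])} {f['services']}")
```

Feeding it real data means replacing `SAMPLE_SECURITY_GROUPS` with the EC2 API output for each account; group-to-group rules are skipped deliberately, so chained exposure through another group (an edge group that allows everything from a second group) still needs a manual look.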

  14. Stage 5: Understand the current IAM setup
    ▪ Where are identities defined?
    ▪ Is an Identity Provider being used?
    ▪ Are identities federated?
    ▪ Is SSO being used?
    ▪ Are named users a common practice, or roles with short-lived tokens?
    ▪ How is authorization enforced? Principle of least privilege? RBAC?
    ▪ Processes for access requests and deprovisioning?
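
For the Stage 5 questions on least privilege and RBAC, a quick way to get a feel for an account's authorisation model is to pull its customer-managed policies and check them mechanically. The following is an added example written for this transcript, not tooling from the talk: `audit_policy` flags the grants that most often break least privilege (`Action: "*"`, `NotAction` combined with Allow, service-wide wildcards, `iam:PassRole` on every resource) and `allows` is a deliberately simplified evaluator that answers "can this policy do X on Y?" with an explicit Deny winning over Allow. Both policy documents are constructed, and conditions, `NotResource` and principal logic are ignored by assumption.

```python
import fnmatch
import json

# Constructed sample policies (not from any real account).
OVERLY_BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AdminLike", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "PassAny", "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    {"Sid": "ReadBucket", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ListBuckets", "Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
    {"Sid": "ObjectRW", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "NoDelete", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}
""")

READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def _as_list(value):
    """IAM accepts a scalar or a list for Action/Resource/Statement; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """Heuristic: Describe*/List*/Get* actions normally cannot change state."""
    return action.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)


def audit_policy(policy):
    """Return (sid, severity, message) tuples for grants that violate least privilege."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((sid, "high", "Allow with NotAction grants every action not listed"))
        if "*" in actions:
            findings.append((sid, "high", "Action '*' grants every API call"))
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append((sid, "medium", f"service-wide wildcard action {action}"))
        if "*" in resources:
            if any(a.lower() == "iam:passrole" for a in actions):
                findings.append((sid, "high", "iam:PassRole on Resource '*' allows passing any role to a service"))
            mutating = [a for a in actions if a != "*" and not _is_read_only(a)]
            if mutating:
                findings.append((sid, "medium", "Resource '*' with mutating actions: " + ", ".join(mutating)))
    return findings


def _matches(stmt, action, resource):
    """Does the statement apply to this action/resource pair? Action matching is case-insensitive, as in IAM."""
    if "NotAction" in stmt:
        act_ok = not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["NotAction"]))
    else:
        act_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action")))
    res_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*")))
    return act_ok and res_ok


def allows(policy, action, resource):
    """Simplified evaluator: an explicit Deny wins, otherwise any matching Allow grants.
    Conditions, NotResource and principal-level logic are ignored (assumption of this example)."""
    decision = False
    for stmt in _as_list(policy.get("Statement")):
        if not _matches(stmt, action, resource):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        decision = True
    return decision
```

The evaluator is for triage, not a replacement for the IAM policy simulator: anything gated by a `Condition` block, permission boundaries, SCPs or resource policies is outside what it models, which is exactly the list of things to ask about next when a policy looks fine on paper.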

  15. Stage 6: Understand the current monitoring setup
    ▪ Are security-related logs collected?
    ▪ Which cloud services are being used?
    ▪ What kind of logs are ingested?
    ▪ Where are logs collected?
    ▪ How are logs analyzed? SIEM?
    ▪ Who has access?

  16. Stage 7: Understand the secrets management setup
    ▪ How are new secrets generated?
    ▪ Where are they stored?
    ▪ Is a secrets management solution being used?
    ▪ Processes around secrets management? Rotation? Revocation?

  17. Stage 8: Identify existing security controls
    ▪ Security boundaries?
    ▪ Off-the-shelf services from cloud providers?
    ▪ Other custom or 3rd party solutions?

  18. Stage 9: Get the low-hanging fruits

  19. Phase 2: Workloads

  20. Stage 1: Understand the high-level business offerings
    ▪ How many key functionalities?
    ▪ How are they designed?
    ▪ Which ones are critical?

  21. Stage 1: Understand the high-level business offerings
    ▪ Which ones are Internet-facing?
    ▪ Customer-facing?
    ▪ Time-critical?
    ▪ Stateful? Stateless?
    ▪ Batch processing?
    ▪ Back-office support?

  22. Stage 2: Identify the primary tech stack
    ▪ Container-based (K8s, ECS, etc.)?
    ▪ Serverless (Lambda)?
    ▪ VM-based (EC2)?

  23. Stage 3: Understand the network architecture
    Kubernetes
    ▪ How many clusters?
    ▪ Managed or self-hosted?
    ▪ Network boundaries?
    ▪ Single or multi-tenant?
    ▪ Exposed to the Internet?
    ▪ How do engineers connect?

  24. Stage 3: Understand the network architecture
    Serverless
    ▪ Data stores?
    ▪ App workers?
    ▪ API Gateway?
    ▪ Decoupling systems?

  25. Stage 3: Understand the network architecture
    VMs
    ▪ Exposed to the Internet?
    ▪ Which OS?
    ▪ How are hosts hardened?
    ▪ How do engineers connect?
    ▪ Pet vs cattle?

  26. Stage 4: Understand the current IAM setup
    ▪ How are devs troubleshooting?
    ▪ How is authz enforced?
    ▪ RBAC?
    ▪ Federation with cloud-native services? OIDC?
    ▪ Federation with third party services?

  27. Stage 5: Understand the current monitoring setup
    ▪ Are security-related logs collected at all?
    ▪ What kind of logs are being ingested?
    ▪ How are logs collected?
    ▪ Where are the logs forwarded?
    Kubernetes
    ▪ Are audit logs collected?
    ▪ Are System Calls and Kubernetes Audit Events collected via Falco?
    ▪ Is a data collector like fluentd used to collect logs?
    ▪ Is the data collector deployed as a Sidecar or Daemonset?
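
The Kubernetes questions on this slide ask whether API audit logs are collected at all; once they are, the value comes from what is done with them. The snippet below is an added example, not part of the talk or of any Falco ruleset: it parses a constructed apiserver audit log in the `audit.k8s.io/v1` JSON Lines shape (fake usernames and namespaces) and applies three detections a reviewer typically starts with (non-system reads of Secrets, `pods/exec` and `pods/attach`, changes to role bindings), plus a count of repeated 401/403 responses per principal. The threshold and the choice of system principals to ignore are assumptions for the example.

```python
import json
from collections import Counter

# Constructed kube-apiserver audit events (audit.k8s.io/v1 shape; users and names are fake).
_EVENTS = [
    {"kind": "Event", "stage": "ResponseComplete", "verb": "get",
     "user": {"username": "system:serviceaccount:kube-system:generic-garbage-collector"},
     "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "bootstrap-token"},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "stage": "ResponseComplete", "verb": "get",
     "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-credentials"},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "bob@example.com"},
     "objectRef": {"resource": "pods", "subresource": "exec", "namespace": "prod", "name": "api-7d9f"},
     "responseStatus": {"code": 101}},
    # Three denied attempts by the same principal.
    *[{"kind": "Event", "stage": "ResponseComplete", "verb": "list",
       "user": {"username": "eve@example.com"},
       "objectRef": {"resource": "secrets", "namespace": "prod"},
       "responseStatus": {"code": 403}} for _ in range(3)],
    {"kind": "Event", "stage": "ResponseComplete", "verb": "create",
     "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "clusterrolebindings", "name": "debug-admin"},
     "responseStatus": {"code": 201}},
    # RequestReceived entries carry no outcome yet and are skipped by the parser.
    {"kind": "Event", "stage": "RequestReceived", "verb": "delete",
     "user": {"username": "alice@example.com"},
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-credentials"}},
]
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in _EVENTS) + "\nnot json\n"

SYSTEM_PREFIXES = ("system:",)  # assumption: built-in controllers and nodes are not interesting here


def parse_events(text):
    """Parse JSON Lines audit output, keeping only completed requests."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate a partial or corrupted line rather than abort the run
        if ev.get("kind") == "Event" and ev.get("stage") == "ResponseComplete":
            events.append(ev)
    return events


def detect(events, denial_threshold=3):
    """Return (rule, user, detail) tuples for the events worth a second look."""
    findings = []
    denied = Counter()
    for ev in events:
        user = ev.get("user", {}).get("username", "")
        ref = ev.get("objectRef", {})
        verb = ev.get("verb")
        code = ev.get("responseStatus", {}).get("code", 0)
        where = f"{ref.get('namespace', '-')}/{ref.get('resource', '')}/{ref.get('name', '')}"
        if code in (401, 403):
            denied[user] += 1
            continue
        if (ref.get("resource") == "secrets" and verb in ("get", "list", "watch")
                and not user.startswith(SYSTEM_PREFIXES)):
            findings.append(("secret-access", user, where))
        if ref.get("resource") == "pods" and ref.get("subresource") in ("exec", "attach"):
            findings.append(("pod-exec", user, where))
        if (ref.get("resource") in ("clusterrolebindings", "rolebindings")
                and verb in ("create", "update", "patch")):
            findings.append(("rbac-change", user, where))
    for user, count in denied.items():
        if count >= denial_threshold:
            findings.append(("repeated-denials", user, f"{count} requests denied"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"{rule:<17} {user:<20} {detail}")
```

Only `ResponseComplete` entries are evaluated, because earlier stages do not carry the response code; in a real cluster the same logic would run over the audit backend's output (a file, a webhook, or the fluentd collector mentioned on the slide) rather than an in-memory string.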

  28. Stage 6: Understand the current secrets management setup
    ▪ Where are secrets fetched from?
    ▪ How are secrets made available?
    ▪ Is there a practice of hardcoding secrets?
    ▪ Secrets management solution?
    ▪ Are secrets bound to a specific workload?
    ▪ Processes around secret management defined? Revocation of secrets?

  29. Stage 7: Identify existing security controls
    ▪ Which controls have already been implemented?
    ▪ Highly dependent on the actual workloads
    Stage 8: Get the low-hanging fruits
    ▪ Tactical scan / benchmark suite

  30. Phase 3: Code

  31. Stage 1: Understand the code’s structure
    ▪ Monorepo vs multi-repos?
    ▪ CODEOWNERS?
    ▪ Protected branches?
    ▪ Code reviews via Pull Requests?
    ▪ Linters?
    ▪ Static analysis tools?
    ▪ Secrets detection tools?

  32. Stage 2: Understand the adoption of Infrastructure as Code
    ▪ Infrastructure as Code (IaC) frameworks?
    ▪ What is managed via IaC? What is not?
    ▪ How are third party modules sourced and vetted?

  33. Stage 3: Understand how CI/CD is set up
    ▪ Which CI/CD platform?
    ▪ IaC deployed via CI/CD?
    ▪ IaC tested and validated?
    ▪ Code provenance?
    ▪ Other security controls?
    ▪ SSDLC?
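
Stage 2 asks what is managed via IaC and Stage 3 whether that IaC is tested and validated before it is deployed. One concrete form of validation is a policy check over the plan Terraform produces in CI. The code below is an added example, not from the deck or from any Terraform tooling: it walks a constructed `terraform show -json` plan (made-up addresses and bucket names) and flags S3 buckets without a public access block and RDS instances that are publicly accessible or unencrypted, skipping deletions and reporting buckets whose name is only known at apply time as items to verify by hand. The resource types and the four public-access flags are real Terraform AWS provider names; the severity levels are the example's own.

```python
# Constructed `terraform show -json` plan excerpt (addresses and names are made up).
SAMPLE_PLAN = {
    "format_version": "1.1",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "before": None,
                    "after": {"bucket": "example-logs-bucket"}, "after_unknown": {"arn": True}}},
        {"address": "aws_s3_bucket_public_access_block.logs", "type": "aws_s3_bucket_public_access_block",
         "change": {"actions": ["create"], "before": None,
                    "after": {"bucket": "example-logs-bucket", "block_public_acls": True,
                              "block_public_policy": True, "ignore_public_acls": True,
                              "restrict_public_buckets": True}, "after_unknown": {}}},
        {"address": "aws_s3_bucket.uploads", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "before": None,
                    "after": {"bucket": "example-uploads-bucket"}, "after_unknown": {}}},
        # Bucket name comes from a reference, so it is only known at apply time.
        {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "before": None,
                    "after": {}, "after_unknown": {"bucket": True, "arn": True}}},
        {"address": "aws_db_instance.main", "type": "aws_db_instance",
         "change": {"actions": ["update"],
                    "before": {"publicly_accessible": False, "storage_encrypted": True},
                    "after": {"publicly_accessible": True, "storage_encrypted": True},
                    "after_unknown": {}}},
        # Deletions have no post-apply state to evaluate.
        {"address": "aws_db_instance.legacy", "type": "aws_db_instance",
         "change": {"actions": ["delete"],
                    "before": {"publicly_accessible": True, "storage_encrypted": False},
                    "after": None, "after_unknown": {}}},
    ],
}

PUBLIC_ACCESS_FLAGS = ("block_public_acls", "block_public_policy",
                       "ignore_public_acls", "restrict_public_buckets")


def surviving_resources(plan):
    """Resources that will exist after apply: (type, address, before, after, after_unknown)."""
    out = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if change.get("actions") in (["delete"], ["no-op"]):
            continue
        out.append((rc["type"], rc["address"], change.get("before") or {},
                    change.get("after") or {}, change.get("after_unknown") or {}))
    return out


def check_plan(plan):
    """Return (address, severity, message) for insecure settings in the planned state."""
    resources = surviving_resources(plan)
    # Index public-access-block resources by the bucket they attach to (known names only).
    blocks = {after["bucket"]: after for rtype, _, _, after, _ in resources
              if rtype == "aws_s3_bucket_public_access_block" and after.get("bucket")}
    findings = []
    for rtype, address, before, after, unknown in resources:
        if rtype == "aws_s3_bucket":
            name = after.get("bucket")
            if not name:
                if unknown.get("bucket"):
                    findings.append((address, "manual",
                                     "bucket name is computed at apply time; confirm a public access block references it"))
                continue
            block = blocks.get(name)
            if block is None:
                findings.append((address, "high", "no aws_s3_bucket_public_access_block for this bucket"))
            else:
                off = [flag for flag in PUBLIC_ACCESS_FLAGS if not block.get(flag)]
                if off:
                    findings.append((address, "medium", "public access block leaves disabled: " + ", ".join(off)))
        elif rtype == "aws_db_instance":
            if after.get("publicly_accessible"):
                note = " (flipped from private in this change)" if before.get("publicly_accessible") is False else ""
                findings.append((address, "high", "database instance is publicly accessible" + note))
            if after.get("storage_encrypted") is False:
                findings.append((address, "high", "database storage is not encrypted at rest"))
    return findings


if __name__ == "__main__":
    for address, severity, message in check_plan(SAMPLE_PLAN):
        print(f"{severity:<7} {address}: {message}")
```

An account-level `aws_s3_account_public_access_block` would also satisfy the bucket check, so a real policy would accept either; the point of the example is the shape of the check, a pass over `resource_changes` that reads `after` and `after_unknown` rather than the HCL source, which is what makes it cheap to wire into the pipeline step that already runs `terraform plan`.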

  34. Stage 4: Understand how the CI/CD platform is secured

  35. You’ve made it!

  36. (no transcript text for this slide)

  37. More on this…
    This talk has been extracted from a (lengthy) blog post being released today: What to look for when reviewing a company's infrastructure

  38. Thanks!
    Any questions?
    You can find me at: @lancinimarco