Slide 1

Slide 1 text

Breaching the Cloud How to Exploit and Mitigate Common Cloud Security Risks Jan Schneider, Hans-Peter Weiss | Swisscom B2B Cloud Advisory

Slide 2

Slide 2 text

Gartner (Kasey Panetta): "Through 2025, 99% of cloud security failures will be the customer's fault."

Slide 3

Slide 3 text

Shared Responsibility Model (Microsoft)

Responsibility always retained by the customer (on-prem, IaaS, PaaS and SaaS alike):
- Information and data
- Devices (mobile and PCs)
- Accounts and identities

Responsibility varies by service type (customer-owned on-prem, progressively shared with or transferred to Microsoft from IaaS to PaaS to SaaS):
- Identity and directory infrastructure
- Applications
- Network controls
- Operating system

Responsibility transfers to the cloud provider (customer-owned only on-prem):
- Physical hosts
- Physical network
- Physical datacenter

Slide 4

Slide 4 text

Attack! Let’s compromise Azure resources

Slide 5

Slide 5 text

Creator, date, document name, C2 General
Just kidding. Our target

Slide 6

Slide 6 text

Our real target: https://attackme.ch

Slide 7

Slide 7 text

First look at the target

Slide 8

Slide 8 text

Scanning for web app vulnerabilities

Slide 9

Slide 9 text

Scanning for web app vulnerabilities (continued)

Slide 10

Slide 10 text

Application security risks in the cloud

Slide 11

Slide 11 text

Server-Side Request Forgery
- Web application security risk: A10:2021 SSRF is an emerging category in the OWASP Top 10
- Typically abused to access sensitive internal endpoints
Diagram: user input containing a URL; the web application issues its own HTTP request to that URL and relays the HTTP response back to the user.

Slide 12

Slide 12 text

Server-Side Request Forgery: example with an internal target endpoint

Slide 13

Slide 13 text

Enumeration

Slide 14

Slide 14 text

Server-Side Request Forgery can impact cloud infrastructure security! Possible impact: access to the Managed Identity via the Azure Instance Metadata Service (IMDS). Caveat: IMDS only answers requests that carry the header Metadata: true, so the SSRF must let the attacker influence request headers, or the application must already send that header.
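To make the SSRF-to-IMDS path concrete, here is an added example (not code from the talk): a vulnerable URL fetcher beside a hardened one. The IMDS token URL is the real Azure endpoint; the allowlisted host api.example.com, the HTTP transport stand-in, the stub resolvers and the token body are all constructed so the module runs offline.

```python
"""Server-side URL fetch: vulnerable 'before' beside hardened 'after'.

Added example, not code from the talk. Shows how an SSRF reaches the Azure
Instance Metadata Service (IMDS) at 169.254.169.254 and which checks stop
it. The HTTP client is a constructed stand-in and the resolver is
injectable so everything runs without a network.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Real IMDS endpoint for a managed-identity token scoped to Key Vault.
IMDS_TOKEN_URL = ("http://169.254.169.254/metadata/identity/oauth2/token"
                  "?api-version=2018-02-01&resource=https://vault.azure.net")

# Hypothetical allowlist of upstreams this application legitimately calls.
ALLOWED_HOSTS = {"api.example.com"}


def fake_transport(url, pinned_ip=None):
    """Constructed stand-in for the HTTP client. Answers the IMDS token URL
    the way IMDS would (the real service also demands the request header
    'Metadata: true'); everything else gets a fixed 200 body."""
    if url.startswith("http://169.254.169.254/metadata/identity/"):
        return ('{"access_token": "eyJ0eXAi.CONSTRUCTED.TOKEN", '
                '"resource": "https://vault.azure.net", "token_type": "Bearer"}')
    return f"200 OK from {urlsplit(url).hostname} via {pinned_ip}"


def host_to_ip(host, resolve=socket.gethostbyname):
    """Map a URL host to an address, covering the spellings used to dodge
    naive string filters: dotted quad, bracketed IPv6, IPv4-mapped IPv6
    (::ffff:169.254.169.254) and the decimal form 2852039166."""
    host = host.strip("[]")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = ipaddress.ip_address(int(host) if host.isdigit() else resolve(host))
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def vulnerable_fetch(url, transport=fake_transport):
    """'Before': the user-supplied URL is fetched verbatim. With the IMDS
    URL the response body is a managed-identity access token."""
    return transport(url)


def hardened_fetch(url, transport=fake_transport, resolve=socket.gethostbyname):
    """'After': fixed scheme, host allowlist, and a range check on the
    *resolved* address (link-local, RFC 1918 and loopback are all
    non-global). The resolved IP is pinned for the connection so a second
    lookup cannot rebind the name to 169.254.169.254 between check and use;
    redirects must not be followed automatically for the same reason."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https is allowed")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError("host not in allowlist")
    ip = host_to_ip(parts.hostname, resolve)
    if not ip.is_global:
        raise ValueError(f"{parts.hostname} resolves to non-public {ip}")
    return transport(url, pinned_ip=str(ip))


def demo():
    """Run both fetchers against constructed inputs; returns outcome per case."""
    honest = {"api.example.com": "20.208.228.71"}.get       # constructed DNS
    rebinding = {"api.example.com": "169.254.169.254"}.get  # attacker-controlled DNS
    cases = {
        "vuln_imds": (vulnerable_fetch, IMDS_TOKEN_URL, honest),
        "hard_imds": (hardened_fetch, IMDS_TOKEN_URL, honest),
        "hard_decimal": (hardened_fetch, "https://2852039166/metadata/", honest),
        "hard_allowed": (hardened_fetch, "https://api.example.com/v1/data", honest),
        "hard_rebind": (hardened_fetch, "https://api.example.com/v1/data", rebinding),
    }
    out = {}
    for name, (fetch, url, resolve) in cases.items():
        try:
            body = fetch(url) if fetch is vulnerable_fetch else fetch(url, resolve=resolve)
            out[name] = "token" if "access_token" in body else "fetched"
        except ValueError as err:
            out[name] = f"blocked: {err}"
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:13s} {result}")
```

The order of checks matters: the allowlist rejects most bypass spellings before any resolution happens, and the post-resolution check catches the case the allowlist cannot, a trusted name that resolves (or rebinds) to a non-public address.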

Slide 15

Slide 15 text

Retrieval of the Managed Identity access token

Slide 16

Slide 16 text

Target infrastructure (diagram):
- Azure VM attackme.ch (20.208.228.71), reached from the attacker over https
- Azure Instance Metadata Service 169.254.169.254, reached from the VM over http: access to the auth token
- Azure Key Vault, reached over https: access to secrets with the auth token

Slide 17

Slide 17 text

Azure Key Vault access policy: default settings

Slide 18

Slide 18 text

Access to Key Vault

Slide 19

Slide 19 text

Initial access to the VM

Slide 20

Slide 20 text

Target infrastructure (diagram):
- Azure VM secdemo-vm01 (10.0.1.4), reached over ssh
- Azure Instance Metadata Service 169.254.169.254, reached from the VM over http: access to the auth token
- Azure Key Vault, reached over https: access to secrets with the auth token

Slide 21

Slide 21 text

Lateral movement

Slide 22

Slide 22 text

Lateral movement: why did this work?

Slide 23

Slide 23 text

Lateral movement: why did this work? (continued)

Slide 24

Slide 24 text

Lateral movement between subnets (diagram): spoke virtual network with subnet A (secdemo-vm01, 10.0.1.4) and subnet B (secdemo-vm02, 10.0.2.4)

Slide 25

Slide 25 text

Lateral movement to the on-premises network! (diagram): spoke virtual network with subnet A (secdemo-vm01, 10.0.1.4) and subnet B (secdemo-vm02, 10.0.2.4); VNet peering to a hub virtual network with a VPN gateway; from there the on-premises network with its virtual machines

Slide 26

Slide 26 text

Attack summary: identified security risks
- Critical: Server-Side Request Forgery (web app)
- High: Improper access control (Key Vault access policy)
- High: Insufficient separation of dev/prod environments (Key Vault)
- Medium: Insecure credential management (SSH key reused)
- Medium: Insecure default network configuration
- Medium: Exposed management services

Slide 27

Slide 27 text

Mitigating Cloud Security Risks

Slide 28

Slide 28 text

Hans-Peter Weiss, Cloud Solutions Architect, hans-peter.weiss1@swisscom.com
Scope: Network, Business, Infrastructure, Application
Skills & Technologies, Certifications: (not captured in the slide text) and many more…

Slide 29

Slide 29 text

Jan Schneider, Cloud Solutions Architect, jan.schneider2@swisscom.com
Scope: Network, Business, Infrastructure, Application
Skills & Technologies, Certifications: (not captured in the slide text)

Slide 30

Slide 30 text

Application security risks in the cloud

Slide 31

Slide 31 text

Prevent application security risks
- Due diligence before lift & shift of VMs or containers
- Scan for vulnerabilities in deployed infrastructure and applications
- Train DevSecOps practices: SAST, DAST
- Penetration testing of high-stakes workloads

Slide 32

Slide 32 text

Abuse of exposed legitimate credentials
Most common initial access vector in cloud security incidents: 36% of cases (IBM, 2023)
Examples:
- Credentials on user endpoints
- Credentials exposed in client-side code
- Credentials exposed in public source code repositories
Access with legitimate credentials is harder to distinguish from normal use.

Slide 33

Slide 33 text

Prevent exposure of credentials
- Scan for secrets in source code before build and run
- Microsoft monitors GitHub for exposed credentials (CredScan)
- Store secrets securely (Azure Key Vault, HashiCorp Vault, etc.)
- Inject secrets at runtime, where possible
- Compartmentalize credentials
- Rotate credentials regularly and monitor use
- Have a process for emergency revocation of accesses
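A minimal pre-build secret scan of the kind the first bullet asks for, as an added example rather than the authors' tooling. It flags PEM private keys (the reused SSH key from the attack summary), Azure Storage account keys inside connection strings, SAS signatures, and high-entropy string literals assigned to password- or secret-like names. The sample source lines are constructed and the key material in them is filler; the regexes and the entropy threshold are heuristics chosen here, not a product's rule set.

```python
"""Pre-build secret scan over source lines. Added example, not the talk's
tooling. Sample lines are constructed; key material is random-looking
filler. Detection is heuristic: regexes for known formats plus a Shannon
entropy check on literals assigned to secret-looking names."""
import math
import re

PATTERNS = {
    "private key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    # Storage account keys are 64 bytes base64-encoded: 86 chars plus '=='.
    "storage account key": re.compile(r"AccountKey=[A-Za-z0-9+/]{86}=="),
    "SAS signature": re.compile(r"[?&]sig=[A-Za-z0-9%+/=]{20,}"),
}
# A literal assigned to a name ending in password/secret/key/token,
# e.g. client_secret = "..."  (the \w* prefix lets client_secret match).
ASSIGNMENT = re.compile(
    r"(?i)\b\w*(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]")

# Constructed sample: line 1 is fine (injected at runtime), line 2 is a weak
# but low-entropy password this check does not catch, lines 3-6 are hits.
SAMPLE = [
    'DB_PASSWORD = os.environ["DB_PASSWORD"]',
    'password = "changeme"',
    'client_secret = "Q~7xK2pLm9Zr4vB8nTy3WsDf6GhJk1Ac"',
    'conn = "DefaultEndpointsProtocol=https;AccountName=secdemo;AccountKey='
    + "A" * 86 + '==;EndpointSuffix=core.windows.net"',
    "-----BEGIN OPENSSH PRIVATE KEY-----",
    'url = "https://secdemo.blob.core.windows.net/c?sv=2022-11-02&sig=' + "x" * 40 + '"',
]


def shannon_entropy(s):
    """Bits per character; random-looking keys score well above prose."""
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)


def scan_lines(lines, entropy_threshold=3.5):
    """Return (line_no, kind, excerpt) for every suspected secret.
    The excerpt is truncated so the scanner's own output does not leak
    the full secret into CI logs."""
    hits = []
    for no, line in enumerate(lines, 1):
        for kind, pat in PATTERNS.items():
            if pat.search(line):
                hits.append((no, kind, line.strip()[:40]))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= entropy_threshold:
            hits.append((no, f"high-entropy {m.group(1).lower()}", m.group(2)[:8] + "..."))
    return hits


if __name__ == "__main__":
    for no, kind, excerpt in scan_lines(SAMPLE):
        print(f"line {no}: {kind}: {excerpt}")
```

The entropy check is deliberately not a weak-password check: "changeme" on line 2 passes it, which is why a scanner like this belongs next to, not instead of, the runtime-injection and rotation practices on the slide.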

Slide 34

Slide 34 text

Prevent IAM misconfigurations
"Identity is the new perimeter"
Permissions are inherited

Slide 35

Slide 35 text

Prevent IAM misconfigurations
- Implement granular Role-Based Access Control (prefer Azure RBAC over Key Vault access policies)
- Define a role matrix for managing least-privilege RBAC
- Beware of inherited permissions
- Consider threat modelling to spot risky permissions
- Apply conditional access policies:
  - MFA
  - No legacy authentication
  - Require a managed device
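The Key Vault findings from the attack (access policy with broad secret permissions, dev and prod secrets in one vault, vault reachable from any network) and the RBAC recommendation above can be checked mechanically. The following audit function is an added example, not the authors' code. Its input mirrors the fields of `az keyvault show` and `az keyvault secret list` output as assumed here; both vault descriptions and the secret names are constructed, and the environment-prefix naming convention is an assumption of the example.

```python
"""Audit a Key Vault configuration for the weaknesses the attack chain used.

Added example, not from the talk. Input shape follows the JSON that
`az keyvault show` and `az keyvault secret list` return, reduced to the
fields used here (assumed); the samples themselves are constructed.
"""

# Constructed 'before': vault created with the access-policy model, the web
# VM's managed identity allowed to list and read every secret, and secrets
# of two environments side by side.
VAULT_WEAK = {
    "name": "kv-secdemo",
    "properties": {
        "enableRbacAuthorization": False,
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Allow"},
        "accessPolicies": [
            {   # hypothetical object ID of the web VM's managed identity
                "objectId": "11111111-1111-1111-1111-111111111111",
                "permissions": {"secrets": ["get", "list", "set", "delete"]},
            },
        ],
    },
}
SECRETS_WEAK = [{"name": n} for n in
                ("dev-db-password", "prod-db-password", "prod-vm-ssh-key")]

# Constructed 'after': RBAC model (e.g. Key Vault Secrets User assigned at the
# scope of one secret), public access off, one vault per environment.
VAULT_FIXED = {
    "name": "kv-secdemo-prod",
    "properties": {
        "enableRbacAuthorization": True,
        "publicNetworkAccess": "Disabled",
        "networkAcls": {"defaultAction": "Deny"},
        "accessPolicies": [],
    },
}
SECRETS_FIXED = [{"name": "prod-db-password"}]

# Assumed naming convention: the environment is the first dash-separated token.
ENVIRONMENTS = {"dev", "test", "prod"}
# Anything beyond 'get' on a single known secret is more than a workload needs.
BROAD_SECRET_PERMS = {"all", "list", "set", "delete", "purge", "backup", "restore"}


def audit_key_vault(vault, secrets):
    """Return (severity, message) findings, highest severity first."""
    props = vault["properties"]
    findings = []

    if not props.get("enableRbacAuthorization", False):
        findings.append(("High", "access-policy model in use; switch to Azure RBAC "
                                 "so permissions can be scoped to individual secrets"))
        for policy in props.get("accessPolicies", []):
            perms = {p.lower() for p in policy["permissions"].get("secrets", [])}
            broad = sorted(perms & BROAD_SECRET_PERMS)
            if broad:
                findings.append(("High", f"principal {policy['objectId']} has "
                                         f"{', '.join(broad)} on all secrets"))

    envs = {s["name"].split("-", 1)[0] for s in secrets} & ENVIRONMENTS
    if len(envs) > 1:
        findings.append(("High", f"secrets for {', '.join(sorted(envs))} share one vault; "
                                 "separate environments into separate vaults"))

    if (props.get("publicNetworkAccess", "Enabled") != "Disabled"
            or props.get("networkAcls", {}).get("defaultAction") != "Deny"):
        findings.append(("Medium", "vault accepts traffic from any network; "
                                   "set default action Deny and use a private endpoint"))

    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for name, (vault, secrets) in {"weak": (VAULT_WEAK, SECRETS_WEAK),
                                   "fixed": (VAULT_FIXED, SECRETS_FIXED)}.items():
        print(name)
        for severity, message in audit_key_vault(vault, secrets):
            print(f"  {severity}: {message}")
```

Access policies cannot be narrower than the whole vault, which is why the first finding is the root cause: with the access-policy model, a stolen managed-identity token carrying "list" reads every secret the vault holds, including the other environment's.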

Slide 36

Slide 36 text

Prevent privilege escalation via dangerous Graph API permissions
Application vs. delegated permissions (application permissions act without a signed-in user, so they are the ones to govern most strictly)
Strictly govern dangerous permissions:
- AppRoleAssignment.ReadWrite.All
- RoleManagement.ReadWrite.Directory
- Directory.ReadWrite.All
- User.ReadWrite.All
- Group.ReadWrite.All
- Sites.ReadWrite.All
- Mail.Read
Identify paths to privilege escalation preventively (BloodHound)

Slide 37

Slide 37 text

Prevent network misconfigurations (diagram): spoke virtual network with subnet A (secdemo-vm01, 10.0.1.4) and subnet B (secdemo-vm02, 10.0.2.4); VNet peering to a hub virtual network with an Azure Firewall and a VPN gateway; on-premises network with virtual machines behind the gateway
Move the public IPs of virtual machines to the Azure Firewall and protect inbound traffic through DNAT rules.

Slide 38

Slide 38 text

Prevent network misconfigurations
Apply least privilege (deny-by-default) to Network Security Groups
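What "deny-by-default" changes is easiest to see by evaluating an NSG the way Azure does: rules in ascending priority, first match wins, and the platform's default rules appended after the custom ones. The evaluator and linter below are an added example, not the authors' code. The rule dictionaries mirror the fields of `az network nsg rule list` output as assumed here; the weak and hardened rule sets, the spoke address space 10.0.0.0/16, the bastion subnet 10.0.0.0/26, the firewall subnet 10.1.0.0/26 and the Internet source address are all constructed.

```python
"""Evaluate what an Azure NSG actually lets in, then lint it.

Added example, not from the talk. Rule dicts follow the shape of
`az network nsg rule list` output, reduced to the fields used here
(assumed); all rule sets and addresses are constructed. Azure processes
rules by ascending priority, first match wins, and appends the default
rules (65000 AllowVnetInBound, 65001 AllowAzureLoadBalancerInBound,
65500 DenyAllInBound) after the custom ones. The VirtualNetwork service
tag covers the VNet's own address space and peered/gateway-connected
space, which is what let traffic cross subnets in the attack.
"""
import ipaddress

VNET_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]   # constructed spoke VNet
AZURE_LB = ipaddress.ip_address("168.63.129.16")      # real AzureLoadBalancer address

DEFAULT_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed 'before': SSH exposed to the Internet, everything else left to
# the defaults, so any host in the VNet reaches any port on the VM.
WEAK_RULES = [
    {"name": "allow-ssh-any", "priority": 100, "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
]

# Constructed 'after': SSH only from an assumed bastion subnet, HTTPS only
# from the hub firewall subnet (DNAT'ed through Azure Firewall), and an
# explicit deny-all at 4096 so the default AllowVnetInBound never applies.
HARDENED_RULES = [
    {"name": "allow-ssh-from-bastion", "priority": 100, "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/26", "destinationPortRange": "22"},
    {"name": "allow-https-from-firewall", "priority": 110, "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.1.0.0/26", "destinationPortRange": "443"},
    {"name": "deny-all-inbound", "priority": 4096, "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def source_matches(prefix, ip):
    """Service tags and CIDRs as NSGs interpret them (simplified)."""
    if prefix == "*":
        return True
    if prefix == "Internet":
        return ip.is_global
    if prefix == "VirtualNetwork":
        return any(ip in net for net in VNET_CIDRS)
    if prefix == "AzureLoadBalancer":
        return ip == AZURE_LB
    return ip in ipaddress.ip_network(prefix, strict=False)


def port_matches(spec, port):
    """'*', a single port, or 'lo-hi'."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate_inbound(custom_rules, src_ip, dst_port, protocol="Tcp"):
    """Return (allowed, name of the deciding rule) for one inbound flow."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(custom_rules + DEFAULT_RULES, key=lambda r: r["priority"]):
        if (rule["protocol"].lower() not in ("*", protocol.lower())
                or not source_matches(rule["sourceAddressPrefix"], ip)
                or not port_matches(rule["destinationPortRange"], dst_port)):
            continue
        return rule["access"] == "Allow", rule["name"]
    return False, "DenyAllInBound"   # not reached: the default deny matches everything


MGMT_PORTS = {22, 3389, 5985, 5986}
PUBLIC_SOURCES = {"*", "Internet", "0.0.0.0/0"}


def lint_inbound(custom_rules):
    """Flag the two findings from the attack summary: exposed management
    services, and no explicit deny-all (the insecure default)."""
    findings = []
    for r in custom_rules:
        if (r["access"] == "Allow" and r["sourceAddressPrefix"] in PUBLIC_SOURCES
                and any(port_matches(r["destinationPortRange"], p) for p in MGMT_PORTS)):
            findings.append(f"{r['name']}: management port open to any source")
    if not any(r["access"] == "Deny" and r["sourceAddressPrefix"] == "*"
               and r["destinationPortRange"] == "*" for r in custom_rules):
        findings.append("no explicit deny-all rule; default AllowVnetInBound permits "
                        "any traffic from the whole VNet, including peered subnets")
    return findings


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(label, evaluate_inbound(rules, "8.8.8.8", 22),
              evaluate_inbound(rules, "10.0.2.4", 445), lint_inbound(rules))
```

Run against the weak set, a host in subnet B (10.0.2.4) reaches port 445 on the VM through AllowVnetInBound without any custom rule allowing it; that is the "why did this work" behind the subnet-to-subnet lateral movement, and the explicit deny-all at 4096 is what closes it.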

Slide 39

Slide 39 text

Any questions?

Slide 40

Slide 40 text

Thank you. Let's secure the Cloud together! Jan Schneider, Hans-Peter Weiss | Swisscom B2B Cloud Advisory
