@ramimacisabird Cloud Security Orienteering Rami McCarthy

@ramimacisabird Reformed Security Consultant (NCC Group) AWS Certified Security, Specialty + CCSKv4 Rami McCarthy Staff Security Engineer, Cedar

@ramimacisabird Background

@ramimacisabird Orienteering

@ramimacisabird How is this relevant to you? ● New job, or new team ● Consulting engagement ● Merger or acquisition ● See your own environment, with fresh eyes

@ramimacisabird Cloud Adoption Patterns Characteristics Developer Led Data Center Transformation Snap Migration Native New Build Speed Fast then slow Slow (2-3 years+) 18-24 months Fast as DevOps Risk High Low(er) High Variable Security Late Early Trailing Mid to late Network Ops Late Early Early to mid Late (developers manage) Tooling New + old when forced Culturally influenced; old + new Panic (a lot of old) New, unless culturally forced to old https://securosis.com/blog/defining-the-journey-the-four-cloud-adoption-patterns

@ramimacisabird Cloud Adoption Patterns Characteristics Developer Led Data Center Transformation Snap Migration Native New Build Speed Fast then slow Slow (2-3 years+) 18-24 months Fast as DevOps Risk High Low(er) High Variable Security Late Early Trailing Mid to late Network Ops Late Early Early to mid Late (developers manage) Tooling New + old when forced Culturally influenced; old + new Panic (a lot of old) New, unless culturally forced to old https://securosis.com/blog/defining-the-journey-the-four-cloud-adoption-patterns

@ramimacisabird You walk into a cloud environment...

@ramimacisabird What Does Good Look Like?

@ramimacisabird Cloud Architecture ● Emergent standards ● High complexity ceiling ● Endless configurability and complexity (200+ number of services) ○ July 2020: “Over 150 AWS services now have a security chapter”

@ramimacisabird Note: From here on out, I’m going to use AWS for all examples. However, we’re going to be talking principles, nothing that shouldn’t be applicable to other cloud providers (even Oracle)

@ramimacisabird What Does Good Look Like? In

@ramimacisabird ?

@ramimacisabird The AWS Security Reference Architecture? https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/architecture.html

@ramimacisabird AWS Control Tower?

@ramimacisabird A history of AWS Architectures ● 2010: Multiple AWS Accounts + Consolidated Billing ● 2017: AWS Organizations 1.0: account management and billing ● 2020: AWS Organizations 2.0: services are operating at an organization level https://cloudonaut.io/aws-account-structure-think-twice-before-using-aws-organizations/

@ramimacisabird 2017 -> 20181 ● Use GuardDuty ● Use Athena to search and analyze logs (not ElasticSearch, EMR) ● Use Shield, WAF, and Firewall Manager ● CloudFormation as a key service ● No more Macie 2018 -> 2020 1. Courtesy of Scott Piper: https://summitroute.com/blog/2018/07/31/aws_security_pillar_whitepaper_updates/ ● Account Management and Seperation top level - AWS Organizations ● Federated identity provider ● AWS Security Hub (+ Config Rules) ● Automatic remediation with EventBridge and Config->Lambda ● Systems Manager, Software integrity ● SCPs for data protection ● More Macie ● Significantly expanded IR section

@ramimacisabird What Does Good Look Like in 1. Configuration: AWS CIS Benchmark 2. Architecture: AWS Well-Architected Security Pillar 3. Maturity: Summit Route’s AWS Security Maturity Roadmap

@ramimacisabird Let’s get orienteering

@ramimacisabird Some assumptions: ● Cooperative (but not omniscient) help ● Good intentions - but no prior security architecture ● Not talking multi-cloud - you’re on your own ● Requisite access has been established ● No expectation of an active or historic compromise ○ This is not an Incident Response guide

@ramimacisabird Principles of Orienteering ● Breadth, then depth ○ Avoid rabbit holes ● Anomaly detection ○ Every region, every project, every account ● Inside out ○ Leverage credentialed access to query and enumerate ● Outside in ○ Only way to get unknown unknown ○ Lots of existing guides on how to do this Known Known Known Unknown Unknown Known Unknown Unknown

@ramimacisabird Corporate archeology: Putting the “Information” in “Information security”

Sources of data: ● Asset inventory ● Infrastructure/Configuration as Code ● Data classification ● Documentation ● Subject matter experts ● Standardized tagging (check out Yor!) ● Cloud security tools (vendor, OSS) Corporate Archeology Eventually need: ● Architecture diagrams or documentation of intended workloads ● Definition of crown jewels ● Information on intended authentication and identity approach

@ramimacisabird Hierarchy of discovery Resources Services Regions Workloads Collections of accounts Environments AWS Accounts, Azure Subscriptions, GCP Projects AWS Organizations, Azure Account, GCP Account https://disruptops.com/aws-vs-azure-vs-gcp-a-security-pros-quick-cloud-comparison

@ramimacisabird Discovering your environments (accounts) https://summitroute.com/blog/2018/06/18/how_to_inventory_aws_accounts/ ● Ask your Technical Account Manager for all accounts linked to your company domain ● Ask your finance team to find all expenses and payments to cloud providers ● Search the company emails for account setup notifications ● Search network and DNS logs ● Put out a public request to company employees ● Offer incentives for centralized management ○ Expensing the costs of development environments, budget ownership ○ Centralized and automated default configuration ○ Ownership and responsibility for maintenance, stability

@ramimacisabird Discovering your workloads ● Work backwards from documentation ● Monthly billing report (check consistency) ○ This can call out architectural patterns - for example is there a huge usage of EC2s, or are managed container services a core element of the cost ○ https://www.lastweekinaws.com/blog/the-key-to-unlock-the-aws-billing-puzzle-is-archite cture/ ● Infrastructure as code

@ramimacisabird Discovering your resources ● You can’t really do this manually ○ I’ve done it, it’s slow + painful + failiable ■ It doesn’t scale beyond “small” environments ● Automation is key, and there are really two paths: ○ The company has something in place that works (CSPM, native CSP services) ■ Be wary of exceptions + configuration ■ May not be applied to all discovered accounts ■ Does not cover unknown unknowns ○ You run a tool - likely open source due to timeline ■ https://github.com/nccgroup/aws-inventory ■ Steampipe, Prowler, ScoutSuite - targeted at misconfigurations

@ramimacisabird Prioritization

@ramimacisabird What’s important

@ramimacisabird What’s important - in the cloud Identity is the new perimeter … but the (network) perimeter is also the perimeter

@ramimacisabird

@ramimacisabird Kill chains - https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/ Threat Initial Access Cloud-specific Impact Static API Credential Exposure to Account Hijack Yes Yes High Compromised Server via Exposed Remote Access Ports Yes Yes High Compromised Database via Inadvertent Exposure Yes Yes High Object Storage Public Data Exposure Yes Yes High Server Side Request Forgery Yes No High

@ramimacisabird Kill chains - https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/ Threat Initial Access Cloud-specific Impact Cryptomining No ~ Medium Network Attack Yes No High Compromised Secrets No No Low Novel Cloud Data Exposure and Exfiltration Yes Yes High Subdomain Takeover Yes ~ Medium

@ramimacisabird https://speakerdeck.com/ramimac/learning-from-aws-customer-security-incidents

@ramimacisabird Environments and Collections of Environments ● Inventory relationship between Accounts and Organizations ● Start thinking about target state ○ Is there a need for multiple Organizations? ○ Are there accounts that are unused or minimally used? ○ Who is the proper business owner

@ramimacisabird Workloads ● Check oldest and longest running workloads ○ Ask after their current usage and necessity ○ Generally, these have the most drift from current best practices, and may predate many controls ○ Focus security analysis here first

@ramimacisabird Identity perimeter ● Management plane access model ○ SSO, users, IAM Users, Federated Users, IAM Identity account and cross-account roles (MFA) ● SSH/Server access model ○ Bastion ○ Direct SSH ○ SSM-only ○ Tooling

@ramimacisabird Identity perimeter - what ● Least Privilege and IAM security ○ Securing the root user ○ Unused roles - but be careful ○ Cross account trusts (Cloudmapper)

@ramimacisabird Identity perimeter - how ● Native tools ○ IAM credential report ■ Great for unused IAM principals ○ Trusted advisor, Security Hub, AWS Config all have IAM ● Open source tools ○ Cloudsplaining ○ PMapper

@ramimacisabird Cloudsplaining - Kinnaird McQuade @Salesforce

@ramimacisabird PMapper - Erik Steringer @NCC Group

@ramimacisabird Network Perimeter ● Public resources ○ List of exposable ○ Scan findings ○ Trusted advisor ● Wildcard security groups ● Default resources (VPCs, Security groups) ○ Launch-wizard sgs

@ramimacisabird Hosted applications and services ● Out of date, Known vulnerabilities ● Unauthenticated ● Sensitive or internal services/tools (CI/CD, config management)

@ramimacisabird Other concerns … but less actionable or less impactful Exposed secrets: ● CloudFormation parameter defaults ● Unencrypted Lambda environment variables ● EC2 instance data scripts with hardcoded secrets ● ECS task definitions with exposed environment variables ● Sensitive files on S3 ● Dockerfiles/container images ● Code repositories, compromised credentials Secret management pattern ● Secrets manager ● Vault ● Etc. Supply chain ● Vendors - how are they granted access? ● AMIs - how are they sourced?

@ramimacisabird

@ramimacisabird 1. Congratulations! Please proceed 1. Sorry :( 2. Focus on compliance-impacting, documented exceptions, and compensating controls. You can’t avoid fiddling with encryption Working in a regulated industry? No Yes

@ramimacisabird https://www.chrisfarris.com/post/cloud-encryption/

@ramimacisabird Misconfigurations "Through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end users." - Gartner (h/t https://twitter.com/anton_chuvakin/status/1421165415699337216?s=20) So, errors are caused by misconfigurations … but what is a misconfiguration?

@ramimacisabird Misconfigurations - defense in depth

@ramimacisabird

@ramimacisabird Prioritization of misconfigurations Take Security Hub’s AWS Foundational Security Best Practices controls as a case study ● Launched 07 MAY 2020 w/ 31 fully-automated security controls ● Update Sep 23, 2020 w/ 14 new controls ● Updated Mar 08, 2021 w/ 25 new controls ● Updated Jun 04, 2021 w/ 16 new controls ● Updated July 30, 2021 w/ 10 new controls ● 141 security controls total

@ramimacisabird Onward and upward

@ramimacisabird Blanket AWS hardening recommendations ● Guardduty ● Cloudtrail ○ Turn on optional security features, including encryption at-rest and file validation ○ Centralize and back up logs ● Access analyzer ● Security visibility to all accounts ● S3 block public access, EBS and all other default encryption

@ramimacisabird What does fixing things look like Seven steps to engage your organization: 1. Cultivate relationships 2. Ensure alignment 3. Focus on key security domains to build program foundation 4. Create an evangelism plan 5. Give away your legos 6. Build your team 7. Measure what matters

@ramimacisabird What does fixing things look like

@ramimacisabird Maturity curves can help - there are many maturity models Cloud Security Maturity Model (CSMM) - IANS, CSA, Securosis 1. No Automation 2. SecOps (Simple Automation) 3. Manually executed scripts 4. Guardrails 5. Centrally managed automation https://www.iansresearch.com/resources/cloud-security-maturity-model/what-is-the-csmm

@ramimacisabird Marco Lancini’s https://roadmap.cloudsecdocs.com/ 5 levels, 7 domains:

@ramimacisabird More, Broader, Deeper ● Marco Lancini, On Establishing a Cloud Security Program ● Scott Piper/Summit Route, AWS Security Maturity Roadmap 2021 ● Matt Fuller, So You Inherited an AWS Account ● DisruptOps, AWS Cloud Security Checklist ● CSA Top Threats, Cloud Penetration Testing Playbook ● Dave Walker & Chris Astley, Security @ Scale on AWS

@ramimacisabird Come work with me at Cedar! We’re hiring Product Security Engineers: https://grnh.se/d1b1db2a1us Thank you Questions? and thanks to the organizers! Find this, and all my talks, at: https://speakerdeck.com/ramimac