Slide 1

Slide 1 text

@ramimacisabird Cloud Security Orienteering Rami McCarthy

Slide 2

Slide 2 text

@ramimacisabird Reformed Security Consultant (NCC Group) AWS Certified Security, Specialty + CCSKv4 Rami McCarthy Staff Security Engineer, Cedar

Slide 3

Slide 3 text

@ramimacisabird Background

Slide 4

Slide 4 text

@ramimacisabird Orienteering

Slide 5

Slide 5 text

@ramimacisabird How is this relevant to you? ● New job, or new team ● Consulting engagement ● Merger or acquisition ● See your own environment, with fresh eyes

Slide 6

Slide 6 text

@ramimacisabird Cloud Adoption Patterns Characteristics Developer Led Data Center Transformation Snap Migration Native New Build Speed Fast then slow Slow (2-3 years+) 18-24 months Fast as DevOps Risk High Low(er) High Variable Security Late Early Trailing Mid to late Network Ops Late Early Early to mid Late (developers manage) Tooling New + old when forced Culturally influenced; old + new Panic (a lot of old) New, unless culturally forced to old https://securosis.com/blog/defining-the-journey-the-four-cloud-adoption-patterns

Slide 7

Slide 7 text

@ramimacisabird Cloud Adoption Patterns Characteristics Developer Led Data Center Transformation Snap Migration Native New Build Speed Fast then slow Slow (2-3 years+) 18-24 months Fast as DevOps Risk High Low(er) High Variable Security Late Early Trailing Mid to late Network Ops Late Early Early to mid Late (developers manage) Tooling New + old when forced Culturally influenced; old + new Panic (a lot of old) New, unless culturally forced to old https://securosis.com/blog/defining-the-journey-the-four-cloud-adoption-patterns

Slide 8

Slide 8 text

@ramimacisabird You walk into a cloud environment...

Slide 9

Slide 9 text

@ramimacisabird What Does Good Look Like?

Slide 10

Slide 10 text

@ramimacisabird Cloud Architecture ● Emergent standards ● High complexity ceiling ● Endless configurability and complexity (200+ number of services) ○ July 2020: “Over 150 AWS services now have a security chapter”

Slide 11

Slide 11 text

@ramimacisabird Note: From here on out, I’m going to use AWS for all examples. However, we’re going to be talking principles, nothing that shouldn’t be applicable to other cloud providers (even Oracle)

Slide 12

Slide 12 text

@ramimacisabird What Does Good Look Like? In

Slide 13

Slide 13 text

@ramimacisabird ?

Slide 14

Slide 14 text

@ramimacisabird The AWS Security Reference Architecture? https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/architecture.html

Slide 15

Slide 15 text

@ramimacisabird AWS Control Tower?

Slide 16

Slide 16 text

@ramimacisabird A history of AWS Architectures ● 2010: Multiple AWS Accounts + Consolidated Billing ● 2017: AWS Organizations 1.0: account management and billing ● 2020: AWS Organizations 2.0: services are operating at an organization level https://cloudonaut.io/aws-account-structure-think-twice-before-using-aws-organizations/

Slide 17

Slide 17 text

@ramimacisabird 2017 -> 20181 ● Use GuardDuty ● Use Athena to search and analyze logs (not ElasticSearch, EMR) ● Use Shield, WAF, and Firewall Manager ● CloudFormation as a key service ● No more Macie 2018 -> 2020 1. Courtesy of Scott Piper: https://summitroute.com/blog/2018/07/31/aws_security_pillar_whitepaper_updates/ ● Account Management and Seperation top level - AWS Organizations ● Federated identity provider ● AWS Security Hub (+ Config Rules) ● Automatic remediation with EventBridge and Config->Lambda ● Systems Manager, Software integrity ● SCPs for data protection ● More Macie ● Significantly expanded IR section

Slide 18

Slide 18 text

@ramimacisabird What Does Good Look Like in 1. Configuration: AWS CIS Benchmark 2. Architecture: AWS Well-Architected Security Pillar 3. Maturity: Summit Route’s AWS Security Maturity Roadmap

Slide 19

Slide 19 text

@ramimacisabird Let’s get orienteering

Slide 20

Slide 20 text

@ramimacisabird Some assumptions: ● Cooperative (but not omniscient) help ● Good intentions - but no prior security architecture ● Not talking multi-cloud - you’re on your own ● Requisite access has been established ● No expectation of an active or historic compromise ○ This is not an Incident Response guide

Slide 21

Slide 21 text

@ramimacisabird Principles of Orienteering ● Breadth, then depth ○ Avoid rabbit holes ● Anomaly detection ○ Every region, every project, every account ● Inside out ○ Leverage credentialed access to query and enumerate ● Outside in ○ Only way to get unknown unknown ○ Lots of existing guides on how to do this Known Known Known Unknown Unknown Known Unknown Unknown

Slide 22

Slide 22 text

@ramimacisabird Corporate archeology: Putting the “Information” in “Information security”

Slide 23

Slide 23 text

Sources of data: ● Asset inventory ● Infrastructure/Configuration as Code ● Data classification ● Documentation ● Subject matter experts ● Standardized tagging (check out Yor!) ● Cloud security tools (vendor, OSS) Corporate Archeology Eventually need: ● Architecture diagrams or documentation of intended workloads ● Definition of crown jewels ● Information on intended authentication and identity approach

Slide 24

Slide 24 text

@ramimacisabird Hierarchy of discovery Resources Services Regions Workloads Collections of accounts Environments AWS Accounts, Azure Subscriptions, GCP Projects AWS Organizations, Azure Account, GCP Account https://disruptops.com/aws-vs-azure-vs-gcp-a-security-pros-quick-cloud-comparison

Slide 25

Slide 25 text

@ramimacisabird Discovering your environments (accounts) https://summitroute.com/blog/2018/06/18/how_to_inventory_aws_accounts/ ● Ask your Technical Account Manager for all accounts linked to your company domain ● Ask your finance team to find all expenses and payments to cloud providers ● Search the company emails for account setup notifications ● Search network and DNS logs ● Put out a public request to company employees ● Offer incentives for centralized management ○ Expensing the costs of development environments, budget ownership ○ Centralized and automated default configuration ○ Ownership and responsibility for maintenance, stability

Slide 26

Slide 26 text

@ramimacisabird Discovering your workloads ● Work backwards from documentation ● Monthly billing report (check consistency) ○ This can call out architectural patterns - for example is there a huge usage of EC2s, or are managed container services a core element of the cost ○ https://www.lastweekinaws.com/blog/the-key-to-unlock-the-aws-billing-puzzle-is-archite cture/ ● Infrastructure as code

Slide 27

Slide 27 text

@ramimacisabird Discovering your resources ● You can’t really do this manually ○ I’ve done it, it’s slow + painful + failiable ■ It doesn’t scale beyond “small” environments ● Automation is key, and there are really two paths: ○ The company has something in place that works (CSPM, native CSP services) ■ Be wary of exceptions + configuration ■ May not be applied to all discovered accounts ■ Does not cover unknown unknowns ○ You run a tool - likely open source due to timeline ■ https://github.com/nccgroup/aws-inventory ■ Steampipe, Prowler, ScoutSuite - targeted at misconfigurations

Slide 28

Slide 28 text

@ramimacisabird Prioritization

Slide 29

Slide 29 text

@ramimacisabird What’s important

Slide 30

Slide 30 text

@ramimacisabird What’s important - in the cloud Identity is the new perimeter … but the (network) perimeter is also the perimeter

Slide 31

Slide 31 text

@ramimacisabird

Slide 32

Slide 32 text

@ramimacisabird Kill chains - https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/ Threat Initial Access Cloud-specific Impact Static API Credential Exposure to Account Hijack Yes Yes High Compromised Server via Exposed Remote Access Ports Yes Yes High Compromised Database via Inadvertent Exposure Yes Yes High Object Storage Public Data Exposure Yes Yes High Server Side Request Forgery Yes No High

Slide 33

Slide 33 text

@ramimacisabird Kill chains - https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/ Threat Initial Access Cloud-specific Impact Cryptomining No ~ Medium Network Attack Yes No High Compromised Secrets No No Low Novel Cloud Data Exposure and Exfiltration Yes Yes High Subdomain Takeover Yes ~ Medium

Slide 34

Slide 34 text

@ramimacisabird https://speakerdeck.com/ramimac/learning-from-aws-customer-security-incidents

Slide 35

Slide 35 text

@ramimacisabird Environments and Collections of Environments ● Inventory relationship between Accounts and Organizations ● Start thinking about target state ○ Is there a need for multiple Organizations? ○ Are there accounts that are unused or minimally used? ○ Who is the proper business owner

Slide 36

Slide 36 text

@ramimacisabird Workloads ● Check oldest and longest running workloads ○ Ask after their current usage and necessity ○ Generally, these have the most drift from current best practices, and may predate many controls ○ Focus security analysis here first

Slide 37

Slide 37 text

@ramimacisabird Identity perimeter ● Management plane access model ○ SSO, users, IAM Users, Federated Users, IAM Identity account and cross-account roles (MFA) ● SSH/Server access model ○ Bastion ○ Direct SSH ○ SSM-only ○ Tooling

Slide 38

Slide 38 text

@ramimacisabird Identity perimeter - what ● Least Privilege and IAM security ○ Securing the root user ○ Unused roles - but be careful ○ Cross account trusts (Cloudmapper)

Slide 39

Slide 39 text

@ramimacisabird Identity perimeter - how ● Native tools ○ IAM credential report ■ Great for unused IAM principals ○ Trusted advisor, Security Hub, AWS Config all have IAM ● Open source tools ○ Cloudsplaining ○ PMapper

Slide 40

Slide 40 text

@ramimacisabird Cloudsplaining - Kinnaird McQuade @Salesforce

Slide 41

Slide 41 text

@ramimacisabird PMapper - Erik Steringer @NCC Group

Slide 42

Slide 42 text

@ramimacisabird Network Perimeter ● Public resources ○ List of exposable ○ Scan findings ○ Trusted advisor ● Wildcard security groups ● Default resources (VPCs, Security groups) ○ Launch-wizard sgs

Slide 43

Slide 43 text

@ramimacisabird Hosted applications and services ● Out of date, Known vulnerabilities ● Unauthenticated ● Sensitive or internal services/tools (CI/CD, config management)

Slide 44

Slide 44 text

@ramimacisabird Other concerns … but less actionable or less impactful Exposed secrets: ● CloudFormation parameter defaults ● Unencrypted Lambda environment variables ● EC2 instance data scripts with hardcoded secrets ● ECS task definitions with exposed environment variables ● Sensitive files on S3 ● Dockerfiles/container images ● Code repositories, compromised credentials Secret management pattern ● Secrets manager ● Vault ● Etc. Supply chain ● Vendors - how are they granted access? ● AMIs - how are they sourced?

Slide 45

Slide 45 text

@ramimacisabird

Slide 46

Slide 46 text

@ramimacisabird 1. Congratulations! Please proceed 1. Sorry :( 2. Focus on compliance-impacting, documented exceptions, and compensating controls. You can’t avoid fiddling with encryption Working in a regulated industry? No Yes

Slide 47

Slide 47 text

@ramimacisabird https://www.chrisfarris.com/post/cloud-encryption/

Slide 48

Slide 48 text

@ramimacisabird Misconfigurations "Through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end users." - Gartner (h/t https://twitter.com/anton_chuvakin/status/1421165415699337216?s=20) So, errors are caused by misconfigurations … but what is a misconfiguration?

Slide 49

Slide 49 text

@ramimacisabird Misconfigurations - defense in depth

Slide 50

Slide 50 text

@ramimacisabird

Slide 51

Slide 51 text

@ramimacisabird Prioritization of misconfigurations Take Security Hub’s AWS Foundational Security Best Practices controls as a case study ● Launched 07 MAY 2020 w/ 31 fully-automated security controls ● Update Sep 23, 2020 w/ 14 new controls ● Updated Mar 08, 2021 w/ 25 new controls ● Updated Jun 04, 2021 w/ 16 new controls ● Updated July 30, 2021 w/ 10 new controls ● 141 security controls total

Slide 52

Slide 52 text

@ramimacisabird Onward and upward

Slide 53

Slide 53 text

@ramimacisabird Blanket AWS hardening recommendations ● Guardduty ● Cloudtrail ○ Turn on optional security features, including encryption at-rest and file validation ○ Centralize and back up logs ● Access analyzer ● Security visibility to all accounts ● S3 block public access, EBS and all other default encryption

Slide 54

Slide 54 text

@ramimacisabird What does fixing things look like Seven steps to engage your organization: 1. Cultivate relationships 2. Ensure alignment 3. Focus on key security domains to build program foundation 4. Create an evangelism plan 5. Give away your legos 6. Build your team 7. Measure what matters

Slide 55

Slide 55 text

@ramimacisabird What does fixing things look like

Slide 56

Slide 56 text

@ramimacisabird Maturity curves can help - there are many maturity models Cloud Security Maturity Model (CSMM) - IANS, CSA, Securosis 1. No Automation 2. SecOps (Simple Automation) 3. Manually executed scripts 4. Guardrails 5. Centrally managed automation https://www.iansresearch.com/resources/cloud-security-maturity-model/what-is-the-csmm

Slide 57

Slide 57 text

@ramimacisabird Marco Lancini’s https://roadmap.cloudsecdocs.com/ 5 levels, 7 domains:

Slide 58

Slide 58 text

@ramimacisabird More, Broader, Deeper ● Marco Lancini, On Establishing a Cloud Security Program ● Scott Piper/Summit Route, AWS Security Maturity Roadmap 2021 ● Matt Fuller, So You Inherited an AWS Account ● DisruptOps, AWS Cloud Security Checklist ● CSA Top Threats, Cloud Penetration Testing Playbook ● Dave Walker & Chris Astley, Security @ Scale on AWS

Slide 59

Slide 59 text

@ramimacisabird Come work with me at Cedar! We’re hiring Product Security Engineers: https://grnh.se/d1b1db2a1us Thank you Questions? and thanks to the organizers! Find this, and all my talks, at: https://speakerdeck.com/ramimac