Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cloud Native Application Threat Modeling and Ad...

Rafik Harabi
November 25, 2023
0
81

Cloud Native Application Threat Modeling and Adversary Emulation : Techniques and Tools

The cloud has fundamentally changed how teams develop and deploy applications. By designing Cloud Native Applications, teams eliminate a lot of risks associated with legacy applications. On the other hand, the attack surface of cloud applications can change dynamically and frequently. Threat modeling and adversary emulation are crucial practices for proactively identifying and mitigating threats. We will begin by discussing the importance of threat modeling and adversary emulation. We will delve into various threat modeling methodologies such as data flow diagrams, and attack surface analysis in addition to different techniques to identify threats and select mitigation strategies. We will explore the open source tools that help visualizing threats, assessing risks and simulating realistic attacks to generate actionable insights. By the end of this talk, you will have a comprehensive understanding of cloud-native application threat modeling and adversary emulation techniques and tools.

Rafik Harabi

November 25, 2023
Tweet

More Decks by Rafik Harabi

See All by Rafik Harabi
Enhancing Cyber Resilience Through Zero Trust Chaos Experiments in Cloud Native Environments
rafik8
0
6
CLOUD NATIVE APPLICATION THREAT MODELING AND ADVERSARY EMULATION : TECHNIQUES AND TOOLS
rafik8
0
45
APPLICATION MODERNIZATION STRATEGIES: A LOOK THROUGH THE LENS OF SECURITY
rafik8
0
33
Cloud Native Security 101: Building Blocks, Patterns and Best Practices
rafik8
0
510
Managing Microservices with Istio Service Mesh
rafik8
0
310
Managing microservices with Istio Service Mesh
rafik8
1
370

Featured

See All Featured
Why You Should Never Use an ORM
jnunemaker
PRO
55
9.2k
Making the Leap to Tech Lead
cromwellryan
133
9.1k
Building Your Own Lightsaber
phodgson
104
6.2k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
KATA
mclloyd
29
14k
The Pragmatic Product Professional
lauravandoore
32
6.4k
A Modern Web Designer's Workflow
chriscoyier
693
190k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
174
51k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
30
4.6k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
33
2.8k
The Cost Of JavaScript in 2023
addyosmani
47
7.3k

Transcript

  1. Rafik Harabi - Sysdig Cloud Native Application Threat Modeling and

    Adversary Emulation: Techniques and Tools 1

  2. Who Am I? • Senior Solution Architect at Sysdig, Cloud

    Security Advocate • Focus on Cloud Native Security • Previously working on go to Cloud programmes (Deloitte, NTT Data..) @rafik8_ rafikharabi 2

  3. Agenda • Cloud Native Application building blocks • The multitude

    of Cloud attack surfaces and it challenges • Threat modeling technique for Cloud Native Applications • Adversary Emulation for Cloud Native Applications • Tooling • Takeaways 3

  4. Once, there was a perimeter You had a perimeter guarded

    by a firewall Detecting intrusions was your breach indicator 4

  5. Now, there is no perimeter in the cloud Cloud providers

    own external connections Cloud is exposed to the outside world You need to control access to services your team uses You need to detect unusual activity 5

  6. Cloud Native Application building blocks Cloud Infrastructure Cloud Provider Management

    Logs & Monitoring Messaging Service Identity and Access IAM Workload Instance Serverless Containers Network / Security Cloud Load Balancer Security Groups Audit logs Platforms Kubernetes Container as a Service Data Storage Object storage Database Managed SQL 6

  7. Cloud Security layers 7 Code Container Cluster Cloud

  8. CNA Security Challenges • Dynamic attack surface, • Threat actors

    are using your tools today, • Distributed systems and microservices enlarge attack surface, • Number of calls generated by distributed systems, • Lack of visibility, • Cloud delivery vs security process speed. 8

  9. Attacker vs Defender mindset "Defenders think in lists, attackers think

    in graphs; as long as this is true, attackers win." John Lambert - Microsoft Security Research 9

  10. 10 Definitions Threat Modeling: “Threat Modeling works to identify, communicate

    and understand threats and mitigations within the context of protecting something of value.” OWASP Goal: improving security by identifying threats and provide mitigation. Adversary Emulation: “Simulating the tactics, techniques, and procedures (TTPs) employed by real-world threat actors to test an organisation's resilience against diffrents type of attacks.” Goal: understand how an adversary would attempt to compromise an organization.

  11. Threat Modeling Techniques Methodologies: • STRIDE: created at Microsoft, defines

    6 categories of threats. • Attack Tree: multi-leveled diagrams consisting of one root, leaves, and children. when the root is satisfied, the attack is complete. • Dataflow: graphical representations of your system and should specify each element, their interactions and helpful context. Pillars: • Systems Architecture • Actors • Threats • Mitigations 11 Threat Modeling Explore and listing potential threats. System design and Architecture Define system components, their interactions and boundaries Threat List Categorization, Prioritization and Mitigation

  12. 12 STRIDE Approach Decompose the system into components, modules and

    identify relationship between them. Threats Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege

  13. Threat Modeling Personas 13 Business Owner App/Service Developer The Adversary

    The Defender Security Architect • Facilitates design brainstorming • implement mitigations Simulate an unauthorized user to find Threats Defines security controls to mitigate the threats • Balances business requirements with the mitigations proposed to address threats Provides security guidance 13

  14. Threat Modeling for Cloud Native 14

  15. 15 Container Threats Threats Access other Containers Network Compromised Secret

    Container outbreak Kernel Exploit Public Ports Vulnerability Image DoS OWASP Docker threats: https://github.com/OWASP/Docker-Security/blob/main/001%20-%20Threats.md Parameters Public Access Infected App Infected Images Outdated Images Processes as root Usage of SETUID / SETGID Network Filesystem RAM CPU

  16. Container Container Data Flow Diagram Container Registry Kernel & OS

    Hardware Container Engine Container Host Container DOCKER.SOCK 6 7 8 9 16 Developer Code + Container Manifest Source Code Repo Build and Push Container image Pull and Run Container image 1 2 3 4 5

  17. Container Container Threat Vectors Container Registry Kernel & OS Hardware

    Container Engine Container Host Container DOCKER.SOCK 6 7 8 8 17 Developer Code + Container Manifest Source Code Repo Build and Push Container image Pull and Run Container image 1 2 3 4 5 Vulnerable OS/Container engine 1 Vulnerable application 2 Exposed Container engine 3 Insecure image registry 4 Misconfigured container 6 Privileged containers 5 Privilege escalation on host 7 Insufficient Network isolation 8 1 2 3 4 5 6 7 8

  18. 18 Container Threat Analysis (STRIDE) Spoofing Tampering Repudiation Information Disclosure

    Elevation of Privilege Denial of Service Spoofing Source Repository Spoofing Container Registry Tampering Application source code Tampering image the CI / CD pipeline during build Disabling logs for container or container engine Modifying log data under /var/lib/docker/containers Overwriting log disk space Run Container as Root Gain root access via misconfigured networking Use of system calls to gain privilege Inaccessibility of Container Registry Service disruption at host via OS kernel

  19. CLUSTER NODE Kubernetes Threat Modeling • Kubernetes default Security Boundaries

    19 NODE NAMESPACE POD Container Container

  20. 20 Control Plane Worker Node Kubernetes Attack Surface Image Registry

    Dataflow Trust Boundary Machine Segregation API Server Process or Component Data Store ETCD Scheduler Controller USER Image Repository Image Repository Data Store Kublet Kube Proxy Containe rD RunC Image Cache Pod Conta iner IP Tables CNCF financial user group: https://github.com/cncf/financial-user-group/tree/main/projects/k8s-threat-model

  21. 21 Control Plane Worker Node Kubernetes Data Flow Diagram Image

    Registry Dataflow Trust Boundary Machine Segregation API Server Process or Component Data Store ETCD Scheduler Controller USER Image Repository Image Repository Data Store Kublet Kube Proxy Containe rD RunC Image Cache Pod Conta iner IP Tables 1 Apply Deployment 2 Apply/Mutate Deployment Read / Write 3 4 5 6 Poll for Current / Desired state Manage Replica, Service Accounts,... Schedule Pod Poll for new pod 7 Poll for new pod 8 Docker run 9 Image Available ? 10 No 11 12 13 14 Get Image Load Image Image Image Manifest + blob 15 Run 16 Update 16 Poll for service / endpoints

  22. Kubernetes Attack Vectors Access K8S API Server / ETCD API

    Control Plane Worker Node Image Registry API server Dashboard ETCD Server Controller Scheduler Kublet Kube proxy App 1 Secret Container runtime 1 2 4 3 6 1 Dashboard misconfiguration 2 Malicious container image in registry 3 Application with exploitable vulnerability 4 Docker daemon misconfiguration 6 5 Gain access to secrets 5 1 22

  23. Cloud Threat Modeling 23 • We will be using the

    same threat modeling STRIDE • We will take Google Cloud Storage as example Google Cloud Platform Organization Project

  24. Cloud Threat Modeling 24 Cloud Storage Cloud IAM KMS Bucket

    Logging Monitoring Cloud Console Cloud API Admin User Storage User GCP Projects External Service Organizatio n Policies VPC Service Controls GCP Service Users GCP Org Project Other GCP Services

  25. Cloud Threat Modeling 25 Cloud Storage Cloud IAM KMS Bucket

    Logging Monitoring Cloud Console Cloud API Admin User Storage User GCP Projects External Service Organizatio n Policies VPC Service Controls GCP Service Users GCP Org Project 1 Console Access 2 Admin Access 3 Policies 4 4 4 Bucket Access Log Event Alert Event source: https://research.nccgroup.com/2023/01/31/threat-modelling-cloud-platform-services-by-example-google-cloud-storage/ Other GCP Services

  26. Cloud Threat Modeling 26 Cloud Storage Cloud IAM KMS Bucket

    Logging Monitoring Cloud Console Cloud API Admin User Storage User GCP Projects External Service Organizatio n Policies VPC Service Controls GCP Service Users GCP Org Project Console Access Admin Access Policies Bucket Access Log Event Alert Event source: https://research.nccgroup.com/2023/01/31/threat-modelling-cloud-platform-services-by-example-google-cloud-storage/ Direct User Access Other GCP Projects Non GCP Services Admin Access Other GCP Services Admin Access Admin Access Admin Access Key Access API ACL Admin Access GCP Service Access To Storage Key Access Indirect User Access RBAC RBAC

  27. Cloud Threat Modeling 27 Cloud Storage Cloud IAM KMS Bucket

    Logging Monitoring Cloud Console Cloud API Admin Users Storage Users GCP Projects External Service Organizatio n Policies VPC Service Controls GCP Service Users GCP Org Project Other GCP Services Auth Tokens Bucket Object Data Log Data

  28. Cloud Threat Modeling 28 Cloud Storage Cloud IAM KMS Bucket

    Logging Monitori ng Cloud Console Cloud API Admin Users Storage Users GCP Projects External Service Organiza tion Policies VPC Service Controls GCP Service Users GCP Org Project Other GCP Services Auth Tokens Bucket Object Data Log Data Compromised Internal User Internal Attacker Internal Malicious user Compromised External User Cloud provider Infrastructure Engineer External Attacker over internet

  29. Cloud Threat Modeling 29 Cloud Storage Cloud IAM KMS Bucket

    Logging Monitori ng Cloud Console Cloud API Admin Users Storage Users GCP Projects External Service Organiza tion Policies VPC Service Controls GCP Service Users GCP Org Project Other GCP Services Auth Tokens Bucket Object Data Log Data Threat: Theft of credentials or access tokens Threat Actors: Internal attacker | Internal malicious user | External attacker over the Internet Asset: Bucket STRIDE Category: Spoofing, EoP Impact: bucket read/write permissions | Modify bucket security setting (Admin)

  30. 30 Threat Mitigation Threat Theft of credentials or access tokens

    Threat Actors • Internal attacker • Internal malicious user • External attacker over the Internet Asset Bucket Impact • Bucket read/write permissions • Modify bucket security setting (Admin) STRIDE Category Spoofing, EoP • Enable MFA • Strong password policy • Ensure roles are granted to principals than using primitive roles. • Restrict VPC Service Controls with trusted IP addresses. • Configure Google Security Command Center for cloud storage. • Configure logs and enable alerting.

  31. Cloud Native Adversary 31

  32. 32 Mitre ATT&CK framework • Mitre ATT&CK framework: The framework

    provides a common language and understanding of adversary behavior, which can help organizations defend against potential cyber attacks, and improve their overall security posture. • ATT&CK is maintained by MITRE, a non-profit organization that operates research and development centers for the U.S. government.

  33. 33 https://mitre-attack.github.io/attack-navigator/ Mitre ATT&CK framework Techniques Tactics { Sub-techniques

  34. Containers Adversary Mitre Containers Matrix: https://attack.mitre.org/matrices/enterprise/containers/ 34

  35. 35 Kubernetes Adversary https://microsoft.github.io/Threat-Matrix-for-Kubernetes/

  36. Cloud Adversary ATT&CK Cloud https://attack.mitre.org/matrices/enterprise/cloud/ 36

  37. Cloud Attack Emulation Workflow 37 Choose the Mitre ATT&CK technique

    STEP 1 Implement mitigation STEP 5 Execute the test procedure STEP 3 Analyze the detection of the procedure STEP 4 Choose a test for the technique STEP 2

  38. Tools 38

  39. Tooling: Atomic Red Team • Atomic Red Team™(https://github.com/redcanaryco/atomic-red-team): ◦ An

    open source framework ◦ A library of tests mapped to the MITRE ATT&CK® framework Coverage Cloud Infrastructure AWS, Azure and GCP Kubernetes Containers 39

  40. Atomic Red Team - Example T1098.001: Additional Cloud Credentials CREATE

    THE KEY SAVE THE KEY DISPLAY THE KEY 40

  41. 41 https://kubernetes-threat-matrix.redguard.ch/persistence/backdoor-container/ Kubernetes Threat Matrix

  42. Tooling: CALDERA • MITRE Caldera™ (https://github.com/mitre/caldera) is an automated adversary

    emulation tool: ◦ Built-in behaviors mapped to ATT&CK techniques ◦ Automate sequences of behaviors 42

  43. ATT&CK Workbench https://github.com/center-for-threat-informed-defense/attack-workbench-frontend An application allowing users to explore, create,

    annotate, and share extensions of the MITRE ATT&CK® knowledge base. 43

  44. Mitre DeTT&CT Source: https://github.com/rabobank-cdc/DeTTECT Detect Tactics, Techniques & Combat Threats.

    It helps Blue Team using the MITRE ATT&CK framework: • Detect gaps in detection coverage or visibility. • Prioritize the ingestion of new log sources. 44

  45. Tooling: AWS Threat Composer https://github.com/awslabs/threat-composer https://awslabs.github.io/threat-composer/workspaces/default/dashboard?mode=Full 45

  46. Tooling: AWS Threat Composer 46

  47. Stratus Red Team • Stratus Red Team™: A Granular, Actionable

    Adversary Emulation for the Cloud ◦ https://github.com/DataDog/stratus-red-team ◦ Attack techniques mapped to MITRE ATT&CK 47 Coverage AWS GCP Azure Kubernetes Detonate attack techniques

  48. Stratus Red Team ◦ 48

  49. Cloud Offensive Toolkits 49 Pacu: AWS exploitation framework, designed for

    offensive security testing. https://github.com/RhinoSecurityLabs/pacu CloudGoat: Vulnerable by design AWS based application for learning purposes https://github.com/RhinoSecurityLabs/cloudgoat Microburst: A PowerShell Toolkit for Attacking Azure. https://github.com/NetSPI/MicroBurst PoweZure: PowerShell framework to assess Azure security https://github.com/hausec/PowerZure Google Cloud Platform Security Control Mappings to MITRE ATT&CK® https://center-for-threat-informed-defense.github.io/security-sta ck-mappings/GCP/README.html

  50. Takeaways • Security needs to be automated in the cloud

    the same way you automate cloud infrastructure with Infrastructure-as-Code (Policy as Code) => Policy Driven Security. • Use cloud native tools to enhance threat modeling: observability and tracing tools, …. • Translating policies into consistent, effective, and actionable tasks. • Think in graphs, not lists! 50

  51. Further Reading • Defenders think in lists. Attackers think in

    graphs. As long as this is true, attackers win, John Lambert • https://explore.skillbuilder.aws/learn/course/13274/play/81716/threat-modeling-for-builders, AWS Threat Modeling workshop. • https://github.com/center-for-threat-informed-defense/cloud-analytics, Cloud Analytics Blueprint • https://research.nccgroup.com/2023/01/31/threat-modelling-cloud-platform-services-by-exam ple-google-cloud-storage/, Google Cloud Storage Threat Modeling 51

  52. Session QR Codes will be sent via email before the

    event Please scan the QR Code above to leave feedback on this session 52 Thank you! Any questions?