CLOUD NATIVE APPLICATION THREAT MODELING AND ADVERSARY EMULATION : TECHNIQUES AND TOOLS

Transcript

1. #BHMEA2 www.blackhatmea.co | | 14 - 16 NOVEMBER 2023 RIYADH,

   SAUDI ARABIA ORGANISED BY: IN ASSOCIATION WITH: Cloud Native Application Threat Modeling and Adversary Emulation: Techniques and Tools Rafik Harabi, Sysdig 1

2. #BHMEA2 www.blackhatmea.co | | Who Am I? • Senior Solution

   Architect at Sysdig, Cloud Security Advocate • Focus on Cloud Native Security • Previously working on go to Cloud programmes (Deloitte, NTT Data..) @rafik8_ rafikharabi

3. #BHMEA2 www.blackhatmea.co | | Agenda • Cloud Native Application building

   blocks • The multitude of Cloud attack surfaces and it challenges • Threat modeling technique for Cloud Native Applications • Adversary Emulation for Cloud Native Applications • Tooling • Takeaways

4. #BHMEA2 www.blackhatmea.co | | Once, there was a perimeter You

   had a perimeter guarded by a firewall Detecting intrusions was your breach indicator

5. #BHMEA2 www.blackhatmea.co | | Now, there is no perimeter in

   the cloud Cloud providers own external connections Cloud is exposed to the outside world You need to control access to services your team uses You need to detect unusual activity

6. #BHMEA2 www.blackhatmea.co | | Cloud Native Application building blocks Cloud

   Infrastructure Cloud Provider Management Logs & Monitoring Messaging Service Identity and Access IAM Workload Instance Serverless Containers Network / Security Cloud Load Balancer Security Groups Audit logs Platforms Kubernetes Container as a Service Data Storage Object storage Database Managed SQL

7. #BHMEA2 www.blackhatmea.co | | Cloud Security layers Code Container Cluster

   Cloud

8. #BHMEA2 www.blackhatmea.co | | CNA Security Challenges • Dynamic attack

   surface, • Threat actors are using your tools today, • Distributed systems and microservices enlarge attack surface, • Number of calls generated by distributed systems, • Lack of visibility, • Cloud delivery vs security process speed.

9. #BHMEA2 www.blackhatmea.co | | Attacker vs Defender mindset "Defenders think

   in lists, attackers think in graphs; as long as this is true, attackers win." John Lambert - Microsoft Security Research

10. #BHMEA2 www.blackhatmea.co | | Definitions Threat Modeling: “Threat Modeling works

    to identify, communicate and understand threats and mitigations within the context of protecting something of value.” OWASP Goal: improving security by identifying threats and provide mitigation. Adversary Emulation: “Simulating the tactics, techniques, and procedures (TTPs) employed by real-world threat actors to test an organisation's resilience against diffrents type of attacks.” Goal: understand how an adversary would attempt to compromise an organization.

11. #BHMEA2 www.blackhatmea.co | | Threat Modeling Techniques Methodologies: • STRIDE:

    created at Microsoft, defines 6 categories of threats. • Attack Tree: multi-leveled diagrams consisting of one root, leaves, and children. when the root is satisfied, the attack is complete. • Dataflow: graphical representations of your system and should specify each element, their interactions and helpful context. Pillars: • Systems Architecture • Actors • Threats • Mitigations Threat Modeling Explore and listing potential threats. System design and Architecture Define system components, their interactions and boundaries Threat List Categorization, Prioritization and Mitigation

12. #BHMEA2 www.blackhatmea.co | | STRIDE Approach Decompose the system into

    components, modules and identify relationship between them. Threats Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege

13. #BHMEA2 www.blackhatmea.co | | Threat Modeling Personas Business Owner App/Service

    Developer The Adversary The Defender Security Architect • Facilitates design brainstorming • implement mitigations Simulate an unauthorized user to find Threats Defines security controls to mitigate the threats • Balances business requirements with the mitigations proposed to address threats Provides security guidance 13

14. #BHMEA2 www.blackhatmea.co | | Threat Modeling for Cloud Native

15. #BHMEA2 www.blackhatmea.co | | Container Threats Threats Access other Containers

    Network Compromised Secret Container outbreak Kernel Exploit Public Ports Vulnerability Image DoS OWASP Docker threats: https://github.com/OWASP/Docker-Security/blob/main/001%20-%20Threats.md Parameters Public Access Infected App Infected Images Outdated Images Processes as root Usage of SETUID / SETGID Network Filesystem RAM CPU

16. #BHMEA2 www.blackhatmea.co | | Container Container Data Flow Diagram Container

    Registry Kernel & OS Hardware Container Engine Container Host Container DOCKER.SOCK 6 7 8 9 Developer Code + Container Manifest Source Code Repo Build and Push Container image Pull and Run Container image 1 2 3 4 5

17. #BHMEA2 www.blackhatmea.co | | Container Container Threat Vectors Container Registry

    Kernel & OS Hardware Container Engine Container Host Container DOCKER.SOCK 6 7 8 8 Developer Code + Container Manifest Source Code Repo Build and Push Container image Pull and Run Container image 1 2 3 4 5 Vulnerable OS/Container engine 1 Vulnerable application 2 Exposed Container engine 3 Insecure image registry 4 Misconfigured container 6 Privileged containers 5 Privilege escalation on host 7 Insufficient Network isolation 8 1 2 3 4 5 6 7 8

18. #BHMEA2 www.blackhatmea.co | | Container Threat Analysis (STRIDE) Spoofing Tampering

    Repudiation Information Disclosure Elevation of Privilege Denial of Service Spoofing Source Repository Spoofing Container Registry Tampering Application source code Tampering image the CI / CD pipeline during build Disabling logs for container or container engine Modifying log data under /var/lib/docker/containers Overwriting log disk space Run Container as Root Gain root access via misconfigured networking Use of system calls to gain privilege Inaccessibility of Container Registry Service disruption at host via OS kernel

19. #BHMEA2 www.blackhatmea.co | | CLUSTER NODE Kubernetes Threat Modeling •

    Kubernetes default Security Boundaries NODE NAMESPACE POD Container Container

20. #BHMEA2 www.blackhatmea.co | | Control Plane Worker Node Kubernetes Attack

    Surface Image Registry Dataflow Trust Boundary Machine Segregation API Server Process or Component Data Store ETCD Scheduler Controller USER Image Repository Image Repository Data Store Kublet Kube Proxy Containe rD RunC Image Cache Pod Conta iner IP Tables

21. #BHMEA2 www.blackhatmea.co | | Control Plane Worker Node Kubernetes Data

    Flow Diagram Image Registry Dataflow Trust Boundary Machine Segregation API Server Process or Component Data Store ETCD Scheduler Controller USER Image Repository Image Repository Data Store Kublet Kube Proxy Containe rD RunC Image Cache Pod Conta iner IP Tables 1 Apply Deployment 2 Apply/Mutate Deployment Read / Write 3 4 5 6 Poll for Current / Desired state Manage Replica, Service Accounts,... Schedule Pod Poll for new pod 7 Poll for new pod 8 Docker run 9 Image Available ? 10 No 11 12 13 14 Get Image Load Image Image Image Manifest + blob 15 Run 16 Update 16 Poll for service / endpoints

22. #BHMEA2 www.blackhatmea.co | | Kubernetes Attack Vectors Access K8S API

    Server / ETCD API Control Plane Worker Node Image Registry API server Dashboard ETCD Server Controller Scheduler Kublet Kube proxy App 1 Secret Container runtime 1 2 4 3 6 1 Dashboard misconfiguration 2 Malicious container image in registry 3 Application with exploitable vulnerability 4 Docker daemon misconfiguration 6 5 Gain access to secrets 5 1

23. #BHMEA2 www.blackhatmea.co | | Cloud Threat Modeling • We will

    be using the same threat modeling STRIDE • We will take Google Cloud Storage as example Google Cloud Platform Organization Project

24. #BHMEA2 www.blackhatmea.co | | Cloud Threat Modeling Cloud Storage Cloud

    IAM KMS Bucket Logging Monitoring Cloud Console Cloud API Admin User Storage User GCP Projects External Service Organizatio n Policies VPC Service Controls GCP Service Users GCP Org Project Other GCP Services

25. #BHMEA2 www.blackhatmea.co | | Cloud Threat Modeling Cloud Storage Cloud

    IAM KMS Bucket Logging Monitoring Cloud Console Cloud API Admin User Storage User GCP Projects External Service Organizatio n Policies VPC Service Controls GCP Service Users GCP Org Project 1 Console Access 2 Admin Access 3 Policies 4 4 4 Bucket Access Log Event Alert Event Other GCP Services

26. #BHMEA2 www.blackhatmea.co | | Cloud Threat Modeling Cloud Storage Cloud

    IAM KMS Bucket Logging Monitoring Cloud Console Cloud API Admin User Storage User GCP Projects External Service Organizatio n Policies VPC Service Controls GCP Service Users GCP Org Project Console Access Admin Access Policies Bucket Access Log Event Alert Event Direct User Access Other GCP Projects Non GCP Services Admin Access Other GCP Services Admin Access Admin Access Admin Access Key Access API ACL Admin Access GCP Service Access To Storage Key Access Indirect User Access RBAC RBAC

27. #BHMEA2 www.blackhatmea.co | | Cloud Threat Modeling Cloud Storage Cloud

    IAM KMS Bucket Logging Monitoring Cloud Console Cloud API Admin Users Storage Users GCP Projects External Service Organizatio n Policies VPC Service Controls GCP Service Users GCP Org Project Other GCP Services Auth Tokens Bucket Object Data Log Data

28. #BHMEA2 www.blackhatmea.co | | Cloud Threat Modeling Cloud Storage Cloud

    IAM KMS Bucket Logging Monitori ng Cloud Console Cloud API Admin Users Storage Users GCP Projects External Service Organiza tion Policies VPC Service Controls GCP Service Users GCP Org Project Other GCP Services Auth Tokens Bucket Object Data Log Data Compromised Internal User Internal Attacker Internal Malicious user Compromised External User Cloud provider Infrastructure Engineer External Attacker over internet

29. #BHMEA2 www.blackhatmea.co | | Cloud Threat Modeling Cloud Storage Cloud

    IAM KMS Bucket Logging Monitori ng Cloud Console Cloud API Admin Users Storage Users GCP Projects External Service Organiza tion Policies VPC Service Controls GCP Service Users GCP Org Project Other GCP Services Auth Tokens Bucket Object Data Log Data Threat: Theft of credentials or access tokens Threat Actors: Internal attacker | Internal malicious user | External attacker over the Internet Asset: Bucket STRIDE Category: Spoofing, EoP Impact: bucket read/write permissions | Modify bucket security setting (Admin)

30. #BHMEA2 www.blackhatmea.co | | Threat Mitigation Threat Theft of credentials

    or access tokens Threat Actors • Internal attacker • Internal malicious user • External attacker over the Internet Asset Bucket Impact • Bucket read/write permissions • Modify bucket security setting (Admin) STRIDE Category Spoofing, EoP • Enable MFA • Strong password policy • Ensure roles are granted to principals than using primitive roles. • Restrict VPC Service Controls with trusted IP addresses. • Configure Google Security Command Center for cloud storage. • Configure logs and enable alerting.

31. #BHMEA2 www.blackhatmea.co | | Cloud Native Adversary

32. #BHMEA2 www.blackhatmea.co | | Mitre ATT&CK framework • Mitre ATT&CK

    framework: The framework provides a common language and understanding of adversary behavior, which can help organizations defend against potential cyber attacks, and improve their overall security posture. • ATT&CK is maintained by MITRE, a non-profit organization that operates research and development centers for the U.S. government.

33. #BHMEA2 www.blackhatmea.co | | https://mitre-attack.github.io/attack-navigator/ Mitre ATT&CK framework Techniques Tactics

    { Sub-techniques

34. #BHMEA2 www.blackhatmea.co | | Containers Adversary Mitre Containers Matrix: https://attack.mitre.org/matrices/enterprise/containers/

35. #BHMEA2 www.blackhatmea.co | | Kubernetes Adversary https://microsoft.github.io/Threat-Matrix-for-Kubernetes/

36. #BHMEA2 www.blackhatmea.co | | Cloud Adversary ATT&CK Cloud https://attack.mitre.org/matrices/enterprise/cloud/

37. #BHMEA2 www.blackhatmea.co | | Cloud Attack Emulation Workflow Choose the

    Mitre ATT&CK technique STEP 1 Implement mitigation STEP 5 Execute the test procedure STEP 3 Analyze the detection of the procedure STEP 4 Choose a test for the technique STEP 2

38. #BHMEA2 www.blackhatmea.co | | Tools

39. #BHMEA2 www.blackhatmea.co | | Tooling: Atomic Red Team • Atomic

    Red Team™(https://github.com/redcanaryco/atomic-red-team): ◦ An open source framework ◦ A library of tests mapped to the MITRE ATT&CK® framework Coverage Cloud Infrastructure AWS, Azure and GCP Kubernetes Containers

40. #BHMEA2 www.blackhatmea.co | | Atomic Red Team - Example T1098.001:

    Additional Cloud Credentials CREATE THE KEY SAVE THE KEY DISPLAY THE KEY

41. #BHMEA2 www.blackhatmea.co | | https://kubernetes-threat-matrix.redguard.ch/persistence/backdoor-container/ Kubernetes Threat Matrix

42. #BHMEA2 www.blackhatmea.co | | Tooling: CALDERA • MITRE Caldera™ (https://github.com/mitre/caldera)

    is an automated adversary emulation tool: ◦ Built-in behaviors mapped to ATT&CK techniques ◦ Automate sequences of behaviors

43. #BHMEA2 www.blackhatmea.co | | ATT&CK Workbench https://github.com/center-for-threat-informed-defense/attack-workbench-frontend An application allowing

    users to explore, create, annotate, and share extensions of the MITRE ATT&CK® knowledge base.

44. #BHMEA2 www.blackhatmea.co | | Mitre DeTT&CT https://github.com/rabobank-cdc/DeTTECT Detect Tactics, Techniques

    & Combat Threats. It helps Blue Team using the MITRE ATT&CK framework: • Detect gaps in detection coverage or visibility. • Prioritize the ingestion of new log sources.

45. #BHMEA2 www.blackhatmea.co | | Tooling: AWS Threat Composer https://github.com/awslabs/threat-composer https://awslabs.github.io/threat-composer/workspaces/default/dashboard?mode=Full

46. #BHMEA2 www.blackhatmea.co | | Tooling: AWS Threat Composer

47. #BHMEA2 www.blackhatmea.co | | Stratus Red Team • Stratus Red

    Team™: A Granular, Actionable Adversary Emulation for the Cloud ◦ https://github.com/DataDog/stratus-red-team ◦ Attack techniques mapped to MITRE ATT&CK Coverage AWS GCP Azure Kubernetes Detonate attack techniques

48. #BHMEA2 www.blackhatmea.co | | Stratus Red Team

49. #BHMEA2 www.blackhatmea.co | | Cloud Offensive Toolkits Pacu: AWS exploitation

    framework, designed for offensive security testing. https://github.com/RhinoSecurityLabs/pacu CloudGoat: Vulnerable by design AWS based application for learning purposes https://github.com/RhinoSecurityLabs/cloudgoat Microburst: A PowerShell Toolkit for Attacking Azure. https://github.com/NetSPI/MicroBurst PoweZure: PowerShell framework to assess Azure security https://github.com/hausec/PowerZure Google Cloud Platform Security Control Mappings to MITRE ATT&CK® https://center-for-threat-informed-defense.github.io/security-sta ck-mappings/GCP/README.html

50. #BHMEA2 www.blackhatmea.co | | Takeaways • Security needs to be

    automated in the cloud the same way you automate cloud infrastructure with Infrastructure-as-Code (Policy as Code) => Policy Driven Security. • Use cloud native tools to enhance threat modeling: observability and tracing tools, …. • Translating policies into consistent, effective, and actionable tasks. • Think in graphs, not lists!

51. #BHMEA2 www.blackhatmea.co | | Further Reading • Defenders think in

    lists. Attackers think in graphs. As long as this is true, attackers win, John Lambert • https://explore.skillbuilder.aws/learn/course/13274/play/81716/threat-modeling-for-builders, AWS Threat Modeling workshop. • https://github.com/center-for-threat-informed-defense/cloud-analytics, Cloud Analytics Blueprint • https://research.nccgroup.com/2023/01/31/threat-modelling-cloud-platform-services-by-exam ple-google-cloud-storage/, Google Cloud Storage Threat Modeling • https://github.com/cncf/financial-user-group/tree/main/projects/k8s-threat-model , Kubernetes Threat Modeling CNCF financial user group

52. #BHMEA2 www.blackhatmea.co | | Thank you!