Cloud Security Orienteering

Transcript

1. @ramimacisabird Cloud Security Orienteering Rami McCarthy

2. @ramimacisabird Reformed Security Consultant (NCC Group) AWS Certified Security, Specialty

   + CCSKv4 Rami McCarthy Staff Security Engineer, Cedar

3. @ramimacisabird Background

4. @ramimacisabird Orienteering

5. @ramimacisabird How is this relevant to you? • New job,

   or new team • Consulting engagement • Merger or acquisition • See your own environment, with fresh eyes

6. @ramimacisabird Cloud Adoption Patterns Characteristics Developer Led Data Center Transformation

   Snap Migration Native New Build Speed Fast then slow Slow (2-3 years+) 18-24 months Fast as DevOps Risk High Low(er) High Variable Security Late Early Trailing Mid to late Network Ops Late Early Early to mid Late (developers manage) Tooling New + old when forced Culturally influenced; old + new Panic (a lot of old) New, unless culturally forced to old https://securosis.com/blog/defining-the-journey-the-four-cloud-adoption-patterns

7. @ramimacisabird Cloud Adoption Patterns Characteristics Developer Led Data Center Transformation

   Snap Migration Native New Build Speed Fast then slow Slow (2-3 years+) 18-24 months Fast as DevOps Risk High Low(er) High Variable Security Late Early Trailing Mid to late Network Ops Late Early Early to mid Late (developers manage) Tooling New + old when forced Culturally influenced; old + new Panic (a lot of old) New, unless culturally forced to old https://securosis.com/blog/defining-the-journey-the-four-cloud-adoption-patterns

8. @ramimacisabird You walk into a cloud environment...

9. @ramimacisabird What Does Good Look Like?

10. @ramimacisabird Cloud Architecture • Emergent standards • High complexity ceiling

    • Endless configurability and complexity (200+ number of services) ◦ July 2020: “Over 150 AWS services now have a security chapter”

11. @ramimacisabird Note: From here on out, I’m going to use

    AWS for all examples. However, we’re going to be talking principles, nothing that shouldn’t be applicable to other cloud providers (even Oracle)

12. @ramimacisabird What Does Good Look Like? In

13. @ramimacisabird ?

14. @ramimacisabird The AWS Security Reference Architecture? https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/architecture.html

15. @ramimacisabird AWS Control Tower?

16. @ramimacisabird A history of AWS Architectures • 2010: Multiple AWS

    Accounts + Consolidated Billing • 2017: AWS Organizations 1.0: account management and billing • 2020: AWS Organizations 2.0: services are operating at an organization level https://cloudonaut.io/aws-account-structure-think-twice-before-using-aws-organizations/

17. @ramimacisabird 2017 -> 20181 • Use GuardDuty • Use Athena

    to search and analyze logs (not ElasticSearch, EMR) • Use Shield, WAF, and Firewall Manager • CloudFormation as a key service • No more Macie 2018 -> 2020 1. Courtesy of Scott Piper: https://summitroute.com/blog/2018/07/31/aws_security_pillar_whitepaper_updates/ • Account Management and Seperation top level - AWS Organizations • Federated identity provider • AWS Security Hub (+ Config Rules) • Automatic remediation with EventBridge and Config->Lambda • Systems Manager, Software integrity • SCPs for data protection • More Macie • Significantly expanded IR section

18. @ramimacisabird What Does Good Look Like in 1. Configuration: AWS

    CIS Benchmark 2. Architecture: AWS Well-Architected Security Pillar 3. Maturity: Summit Route’s AWS Security Maturity Roadmap

19. @ramimacisabird Let’s get orienteering

20. @ramimacisabird Some assumptions: • Cooperative (but not omniscient) help •

    Good intentions - but no prior security architecture • Not talking multi-cloud - you’re on your own • Requisite access has been established • No expectation of an active or historic compromise ◦ This is not an Incident Response guide

21. @ramimacisabird Principles of Orienteering • Breadth, then depth ◦ Avoid

    rabbit holes • Anomaly detection ◦ Every region, every project, every account • Inside out ◦ Leverage credentialed access to query and enumerate • Outside in ◦ Only way to get unknown unknown ◦ Lots of existing guides on how to do this Known Known Known Unknown Unknown Known Unknown Unknown

22. @ramimacisabird Corporate archeology: Putting the “Information” in “Information security”

23. Sources of data: • Asset inventory • Infrastructure/Configuration as Code

    • Data classification • Documentation • Subject matter experts • Standardized tagging (check out Yor!) • Cloud security tools (vendor, OSS) Corporate Archeology Eventually need: • Architecture diagrams or documentation of intended workloads • Definition of crown jewels • Information on intended authentication and identity approach

24. @ramimacisabird Hierarchy of discovery Resources Services Regions Workloads Collections of

    accounts Environments AWS Accounts, Azure Subscriptions, GCP Projects AWS Organizations, Azure Account, GCP Account https://disruptops.com/aws-vs-azure-vs-gcp-a-security-pros-quick-cloud-comparison

25. @ramimacisabird Discovering your environments (accounts) https://summitroute.com/blog/2018/06/18/how_to_inventory_aws_accounts/ • Ask your Technical

    Account Manager for all accounts linked to your company domain • Ask your finance team to find all expenses and payments to cloud providers • Search the company emails for account setup notifications • Search network and DNS logs • Put out a public request to company employees • Offer incentives for centralized management ◦ Expensing the costs of development environments, budget ownership ◦ Centralized and automated default configuration ◦ Ownership and responsibility for maintenance, stability

26. @ramimacisabird Discovering your workloads • Work backwards from documentation •

    Monthly billing report (check consistency) ◦ This can call out architectural patterns - for example is there a huge usage of EC2s, or are managed container services a core element of the cost ◦ https://www.lastweekinaws.com/blog/the-key-to-unlock-the-aws-billing-puzzle-is-archite cture/ • Infrastructure as code

27. @ramimacisabird Discovering your resources • You can’t really do this

    manually ◦ I’ve done it, it’s slow + painful + failiable ▪ It doesn’t scale beyond “small” environments • Automation is key, and there are really two paths: ◦ The company has something in place that works (CSPM, native CSP services) ▪ Be wary of exceptions + configuration ▪ May not be applied to all discovered accounts ▪ Does not cover unknown unknowns ◦ You run a tool - likely open source due to timeline ▪ https://github.com/nccgroup/aws-inventory ▪ Steampipe, Prowler, ScoutSuite - targeted at misconfigurations

28. @ramimacisabird Prioritization

29. @ramimacisabird What’s important

30. @ramimacisabird What’s important - in the cloud Identity is the

    new perimeter … but the (network) perimeter is also the perimeter

31. @ramimacisabird

32. @ramimacisabird Kill chains - https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/ Threat Initial Access Cloud-specific Impact

    Static API Credential Exposure to Account Hijack Yes Yes High Compromised Server via Exposed Remote Access Ports Yes Yes High Compromised Database via Inadvertent Exposure Yes Yes High Object Storage Public Data Exposure Yes Yes High Server Side Request Forgery Yes No High

33. @ramimacisabird Kill chains - https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/ Threat Initial Access Cloud-specific Impact

    Cryptomining No ~ Medium Network Attack Yes No High Compromised Secrets No No Low Novel Cloud Data Exposure and Exfiltration Yes Yes High Subdomain Takeover Yes ~ Medium

34. @ramimacisabird https://speakerdeck.com/ramimac/learning-from-aws-customer-security-incidents

35. @ramimacisabird Environments and Collections of Environments • Inventory relationship between

    Accounts and Organizations • Start thinking about target state ◦ Is there a need for multiple Organizations? ◦ Are there accounts that are unused or minimally used? ◦ Who is the proper business owner

36. @ramimacisabird Workloads • Check oldest and longest running workloads ◦

    Ask after their current usage and necessity ◦ Generally, these have the most drift from current best practices, and may predate many controls ◦ Focus security analysis here first

37. @ramimacisabird Identity perimeter • Management plane access model ◦ SSO,

    users, IAM Users, Federated Users, IAM Identity account and cross-account roles (MFA) • SSH/Server access model ◦ Bastion ◦ Direct SSH ◦ SSM-only ◦ Tooling

38. @ramimacisabird Identity perimeter - what • Least Privilege and IAM

    security ◦ Securing the root user ◦ Unused roles - but be careful ◦ Cross account trusts (Cloudmapper)

39. @ramimacisabird Identity perimeter - how • Native tools ◦ IAM

    credential report ▪ Great for unused IAM principals ◦ Trusted advisor, Security Hub, AWS Config all have IAM • Open source tools ◦ Cloudsplaining ◦ PMapper

40. @ramimacisabird Cloudsplaining - Kinnaird McQuade @Salesforce

41. @ramimacisabird PMapper - Erik Steringer @NCC Group

42. @ramimacisabird Network Perimeter • Public resources ◦ List of exposable

    ◦ Scan findings ◦ Trusted advisor • Wildcard security groups • Default resources (VPCs, Security groups) ◦ Launch-wizard sgs

43. @ramimacisabird Hosted applications and services • Out of date, Known

    vulnerabilities • Unauthenticated • Sensitive or internal services/tools (CI/CD, config management)

44. @ramimacisabird Other concerns … but less actionable or less impactful

    Exposed secrets: • CloudFormation parameter defaults • Unencrypted Lambda environment variables • EC2 instance data scripts with hardcoded secrets • ECS task definitions with exposed environment variables • Sensitive files on S3 • Dockerfiles/container images • Code repositories, compromised credentials Secret management pattern • Secrets manager • Vault • Etc. Supply chain • Vendors - how are they granted access? • AMIs - how are they sourced?

45. @ramimacisabird

46. @ramimacisabird 1. Congratulations! Please proceed 1. Sorry :( 2. Focus

    on compliance-impacting, documented exceptions, and compensating controls. You can’t avoid fiddling with encryption Working in a regulated industry? No Yes

47. @ramimacisabird https://www.chrisfarris.com/post/cloud-encryption/

48. @ramimacisabird Misconfigurations "Through 2025, more than 99% of cloud breaches

    will have a root cause of preventable misconfigurations or mistakes by end users." - Gartner (h/t https://twitter.com/anton_chuvakin/status/1421165415699337216?s=20) So, errors are caused by misconfigurations … but what is a misconfiguration?

49. @ramimacisabird Misconfigurations - defense in depth

50. @ramimacisabird

51. @ramimacisabird Prioritization of misconfigurations Take Security Hub’s AWS Foundational Security

    Best Practices controls as a case study • Launched 07 MAY 2020 w/ 31 fully-automated security controls • Update Sep 23, 2020 w/ 14 new controls • Updated Mar 08, 2021 w/ 25 new controls • Updated Jun 04, 2021 w/ 16 new controls • Updated July 30, 2021 w/ 10 new controls • 141 security controls total

52. @ramimacisabird Onward and upward

53. @ramimacisabird Blanket AWS hardening recommendations • Guardduty • Cloudtrail ◦

    Turn on optional security features, including encryption at-rest and file validation ◦ Centralize and back up logs • Access analyzer • Security visibility to all accounts • S3 block public access, EBS and all other default encryption

54. @ramimacisabird What does fixing things look like Seven steps to

    engage your organization: 1. Cultivate relationships 2. Ensure alignment 3. Focus on key security domains to build program foundation 4. Create an evangelism plan 5. Give away your legos 6. Build your team 7. Measure what matters

55. @ramimacisabird What does fixing things look like

56. @ramimacisabird Maturity curves can help - there are many maturity

    models Cloud Security Maturity Model (CSMM) - IANS, CSA, Securosis 1. No Automation 2. SecOps (Simple Automation) 3. Manually executed scripts 4. Guardrails 5. Centrally managed automation https://www.iansresearch.com/resources/cloud-security-maturity-model/what-is-the-csmm

57. @ramimacisabird Marco Lancini’s https://roadmap.cloudsecdocs.com/ 5 levels, 7 domains:

58. @ramimacisabird More, Broader, Deeper • Marco Lancini, On Establishing a

    Cloud Security Program • Scott Piper/Summit Route, AWS Security Maturity Roadmap 2021 • Matt Fuller, So You Inherited an AWS Account • DisruptOps, AWS Cloud Security Checklist • CSA Top Threats, Cloud Penetration Testing Playbook • Dave Walker & Chris Astley, Security @ Scale on AWS

59. @ramimacisabird Come work with me at Cedar! We’re hiring Product

    Security Engineers: https://grnh.se/d1b1db2a1us Thank you Questions? and thanks to the organizers! Find this, and all my talks, at: https://speakerdeck.com/ramimac