Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Cloud Security Orienteering

Cloud Security Orienteering

Most of us are not lucky enough to have architected the perfect cloud environment, according to this month's best practices, and without any legacy elements or ""surprise"" assets. Over the course of a career in cloud security, you'll likely find yourself walking into a new environment and needing to rapidly orient yourself to both mitigate the biggest risks and also develop a roadmap towards a sustainable, secure future. As a security consultant, I had the challenge and opportunity to enter blind into a variety of cloud environments. They were across Azure, GCP, and AWS, some well-architected and others organically sprawling, containing a single account/project and hundreds. This gave me a rapid education in how to find the information necessary to familiarize myself with the environment, dig in to identify the risks that matter, and put together remediation plans that address short, medium, and long term goals. This talk will present a cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment. We'll learn by applying this to a sample AWS environment in order to cover:
An archeological guide for where and how to find organizational context
How to quickly find and kill the most common attack vectors at the perimeter (both network and identity)
Common architectural and deployment patterns, how to spot them, and their security implications
What you need to know, what you need to prioritize, and what ""best practices"" aren't worth the squeeze when you're in a crunch.

A431674e1b362e40786876211b77455e?s=128

Rami McCarthy

August 08, 2021
Tweet

Transcript

  1. @ramimacisabird Cloud Security Orienteering Rami McCarthy

  2. @ramimacisabird Reformed Security Consultant (NCC Group) AWS Certified Security, Specialty

    + CCSKv4 Rami McCarthy Staff Security Engineer, Cedar
  3. @ramimacisabird Background

  4. @ramimacisabird Orienteering

  5. @ramimacisabird How is this relevant to you? • New job,

    or new team • Consulting engagement • Merger or acquisition • See your own environment, with fresh eyes
  6. @ramimacisabird Cloud Adoption Patterns Characteristics Developer Led Data Center Transformation

    Snap Migration Native New Build Speed Fast then slow Slow (2-3 years+) 18-24 months Fast as DevOps Risk High Low(er) High Variable Security Late Early Trailing Mid to late Network Ops Late Early Early to mid Late (developers manage) Tooling New + old when forced Culturally influenced; old + new Panic (a lot of old) New, unless culturally forced to old https://securosis.com/blog/defining-the-journey-the-four-cloud-adoption-patterns
  7. @ramimacisabird Cloud Adoption Patterns Characteristics Developer Led Data Center Transformation

    Snap Migration Native New Build Speed Fast then slow Slow (2-3 years+) 18-24 months Fast as DevOps Risk High Low(er) High Variable Security Late Early Trailing Mid to late Network Ops Late Early Early to mid Late (developers manage) Tooling New + old when forced Culturally influenced; old + new Panic (a lot of old) New, unless culturally forced to old https://securosis.com/blog/defining-the-journey-the-four-cloud-adoption-patterns
  8. @ramimacisabird You walk into a cloud environment...

  9. @ramimacisabird What Does Good Look Like?

  10. @ramimacisabird Cloud Architecture • Emergent standards • High complexity ceiling

    • Endless configurability and complexity (200+ number of services) ◦ July 2020: “Over 150 AWS services now have a security chapter”
  11. @ramimacisabird Note: From here on out, I’m going to use

    AWS for all examples. However, we’re going to be talking principles, nothing that shouldn’t be applicable to other cloud providers (even Oracle)
  12. @ramimacisabird What Does Good Look Like? In

  13. @ramimacisabird ?

  14. @ramimacisabird The AWS Security Reference Architecture? https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/architecture.html

  15. @ramimacisabird AWS Control Tower?

  16. @ramimacisabird A history of AWS Architectures • 2010: Multiple AWS

    Accounts + Consolidated Billing • 2017: AWS Organizations 1.0: account management and billing • 2020: AWS Organizations 2.0: services are operating at an organization level https://cloudonaut.io/aws-account-structure-think-twice-before-using-aws-organizations/
  17. @ramimacisabird 2017 -> 20181 • Use GuardDuty • Use Athena

    to search and analyze logs (not ElasticSearch, EMR) • Use Shield, WAF, and Firewall Manager • CloudFormation as a key service • No more Macie 2018 -> 2020 1. Courtesy of Scott Piper: https://summitroute.com/blog/2018/07/31/aws_security_pillar_whitepaper_updates/ • Account Management and Seperation top level - AWS Organizations • Federated identity provider • AWS Security Hub (+ Config Rules) • Automatic remediation with EventBridge and Config->Lambda • Systems Manager, Software integrity • SCPs for data protection • More Macie • Significantly expanded IR section
  18. @ramimacisabird What Does Good Look Like in 1. Configuration: AWS

    CIS Benchmark 2. Architecture: AWS Well-Architected Security Pillar 3. Maturity: Summit Route’s AWS Security Maturity Roadmap
  19. @ramimacisabird Let’s get orienteering

  20. @ramimacisabird Some assumptions: • Cooperative (but not omniscient) help •

    Good intentions - but no prior security architecture • Not talking multi-cloud - you’re on your own • Requisite access has been established • No expectation of an active or historic compromise ◦ This is not an Incident Response guide
  21. @ramimacisabird Principles of Orienteering • Breadth, then depth ◦ Avoid

    rabbit holes • Anomaly detection ◦ Every region, every project, every account • Inside out ◦ Leverage credentialed access to query and enumerate • Outside in ◦ Only way to get unknown unknown ◦ Lots of existing guides on how to do this Known Known Known Unknown Unknown Known Unknown Unknown
  22. @ramimacisabird Corporate archeology: Putting the “Information” in “Information security”

  23. Sources of data: • Asset inventory • Infrastructure/Configuration as Code

    • Data classification • Documentation • Subject matter experts • Standardized tagging (check out Yor!) • Cloud security tools (vendor, OSS) Corporate Archeology Eventually need: • Architecture diagrams or documentation of intended workloads • Definition of crown jewels • Information on intended authentication and identity approach
  24. @ramimacisabird Hierarchy of discovery Resources Services Regions Workloads Collections of

    accounts Environments AWS Accounts, Azure Subscriptions, GCP Projects AWS Organizations, Azure Account, GCP Account https://disruptops.com/aws-vs-azure-vs-gcp-a-security-pros-quick-cloud-comparison
  25. @ramimacisabird Discovering your environments (accounts) https://summitroute.com/blog/2018/06/18/how_to_inventory_aws_accounts/ • Ask your Technical

    Account Manager for all accounts linked to your company domain • Ask your finance team to find all expenses and payments to cloud providers • Search the company emails for account setup notifications • Search network and DNS logs • Put out a public request to company employees • Offer incentives for centralized management ◦ Expensing the costs of development environments, budget ownership ◦ Centralized and automated default configuration ◦ Ownership and responsibility for maintenance, stability
  26. @ramimacisabird Discovering your workloads • Work backwards from documentation •

    Monthly billing report (check consistency) ◦ This can call out architectural patterns - for example is there a huge usage of EC2s, or are managed container services a core element of the cost ◦ https://www.lastweekinaws.com/blog/the-key-to-unlock-the-aws-billing-puzzle-is-archite cture/ • Infrastructure as code
  27. @ramimacisabird Discovering your resources • You can’t really do this

    manually ◦ I’ve done it, it’s slow + painful + failiable ▪ It doesn’t scale beyond “small” environments • Automation is key, and there are really two paths: ◦ The company has something in place that works (CSPM, native CSP services) ▪ Be wary of exceptions + configuration ▪ May not be applied to all discovered accounts ▪ Does not cover unknown unknowns ◦ You run a tool - likely open source due to timeline ▪ https://github.com/nccgroup/aws-inventory ▪ Steampipe, Prowler, ScoutSuite - targeted at misconfigurations
  28. @ramimacisabird Prioritization

  29. @ramimacisabird What’s important

  30. @ramimacisabird What’s important - in the cloud Identity is the

    new perimeter … but the (network) perimeter is also the perimeter
  31. @ramimacisabird

  32. @ramimacisabird Kill chains - https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/ Threat Initial Access Cloud-specific Impact

    Static API Credential Exposure to Account Hijack Yes Yes High Compromised Server via Exposed Remote Access Ports Yes Yes High Compromised Database via Inadvertent Exposure Yes Yes High Object Storage Public Data Exposure Yes Yes High Server Side Request Forgery Yes No High
  33. @ramimacisabird Kill chains - https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/ Threat Initial Access Cloud-specific Impact

    Cryptomining No ~ Medium Network Attack Yes No High Compromised Secrets No No Low Novel Cloud Data Exposure and Exfiltration Yes Yes High Subdomain Takeover Yes ~ Medium
  34. @ramimacisabird https://speakerdeck.com/ramimac/learning-from-aws-customer-security-incidents

  35. @ramimacisabird Environments and Collections of Environments • Inventory relationship between

    Accounts and Organizations • Start thinking about target state ◦ Is there a need for multiple Organizations? ◦ Are there accounts that are unused or minimally used? ◦ Who is the proper business owner
  36. @ramimacisabird Workloads • Check oldest and longest running workloads ◦

    Ask after their current usage and necessity ◦ Generally, these have the most drift from current best practices, and may predate many controls ◦ Focus security analysis here first
  37. @ramimacisabird Identity perimeter • Management plane access model ◦ SSO,

    users, IAM Users, Federated Users, IAM Identity account and cross-account roles (MFA) • SSH/Server access model ◦ Bastion ◦ Direct SSH ◦ SSM-only ◦ Tooling
  38. @ramimacisabird Identity perimeter - what • Least Privilege and IAM

    security ◦ Securing the root user ◦ Unused roles - but be careful ◦ Cross account trusts (Cloudmapper)
  39. @ramimacisabird Identity perimeter - how • Native tools ◦ IAM

    credential report ▪ Great for unused IAM principals ◦ Trusted advisor, Security Hub, AWS Config all have IAM • Open source tools ◦ Cloudsplaining ◦ PMapper
  40. @ramimacisabird Cloudsplaining - Kinnaird McQuade @Salesforce

  41. @ramimacisabird PMapper - Erik Steringer @NCC Group

  42. @ramimacisabird Network Perimeter • Public resources ◦ List of exposable

    ◦ Scan findings ◦ Trusted advisor • Wildcard security groups • Default resources (VPCs, Security groups) ◦ Launch-wizard sgs
  43. @ramimacisabird Hosted applications and services • Out of date, Known

    vulnerabilities • Unauthenticated • Sensitive or internal services/tools (CI/CD, config management)
  44. @ramimacisabird Other concerns … but less actionable or less impactful

    Exposed secrets: • CloudFormation parameter defaults • Unencrypted Lambda environment variables • EC2 instance data scripts with hardcoded secrets • ECS task definitions with exposed environment variables • Sensitive files on S3 • Dockerfiles/container images • Code repositories, compromised credentials Secret management pattern • Secrets manager • Vault • Etc. Supply chain • Vendors - how are they granted access? • AMIs - how are they sourced?
  45. @ramimacisabird

  46. @ramimacisabird 1. Congratulations! Please proceed 1. Sorry :( 2. Focus

    on compliance-impacting, documented exceptions, and compensating controls. You can’t avoid fiddling with encryption Working in a regulated industry? No Yes
  47. @ramimacisabird https://www.chrisfarris.com/post/cloud-encryption/

  48. @ramimacisabird Misconfigurations "Through 2025, more than 99% of cloud breaches

    will have a root cause of preventable misconfigurations or mistakes by end users." - Gartner (h/t https://twitter.com/anton_chuvakin/status/1421165415699337216?s=20) So, errors are caused by misconfigurations … but what is a misconfiguration?
  49. @ramimacisabird Misconfigurations - defense in depth

  50. @ramimacisabird

  51. @ramimacisabird Prioritization of misconfigurations Take Security Hub’s AWS Foundational Security

    Best Practices controls as a case study • Launched 07 MAY 2020 w/ 31 fully-automated security controls • Update Sep 23, 2020 w/ 14 new controls • Updated Mar 08, 2021 w/ 25 new controls • Updated Jun 04, 2021 w/ 16 new controls • Updated July 30, 2021 w/ 10 new controls • 141 security controls total
  52. @ramimacisabird Onward and upward

  53. @ramimacisabird Blanket AWS hardening recommendations • Guardduty • Cloudtrail ◦

    Turn on optional security features, including encryption at-rest and file validation ◦ Centralize and back up logs • Access analyzer • Security visibility to all accounts • S3 block public access, EBS and all other default encryption
  54. @ramimacisabird What does fixing things look like Seven steps to

    engage your organization: 1. Cultivate relationships 2. Ensure alignment 3. Focus on key security domains to build program foundation 4. Create an evangelism plan 5. Give away your legos 6. Build your team 7. Measure what matters
  55. @ramimacisabird What does fixing things look like

  56. @ramimacisabird Maturity curves can help - there are many maturity

    models Cloud Security Maturity Model (CSMM) - IANS, CSA, Securosis 1. No Automation 2. SecOps (Simple Automation) 3. Manually executed scripts 4. Guardrails 5. Centrally managed automation https://www.iansresearch.com/resources/cloud-security-maturity-model/what-is-the-csmm
  57. @ramimacisabird Marco Lancini’s https://roadmap.cloudsecdocs.com/ 5 levels, 7 domains:

  58. @ramimacisabird More, Broader, Deeper • Marco Lancini, On Establishing a

    Cloud Security Program • Scott Piper/Summit Route, AWS Security Maturity Roadmap 2021 • Matt Fuller, So You Inherited an AWS Account • DisruptOps, AWS Cloud Security Checklist • CSA Top Threats, Cloud Penetration Testing Playbook • Dave Walker & Chris Astley, Security @ Scale on AWS
  59. @ramimacisabird Come work with me at Cedar! We’re hiring Product

    Security Engineers: https://grnh.se/d1b1db2a1us Thank you Questions? and thanks to the organizers! Find this, and all my talks, at: https://speakerdeck.com/ramimac