$30 off During Our Annual Pro Sale. View Details »

Cloud Security Orienteering

Cloud Security Orienteering

Most of us are not lucky enough to have architected the perfect cloud environment, according to this month's best practices, and without any legacy elements or ""surprise"" assets. Over the course of a career in cloud security, you'll likely find yourself walking into a new environment and needing to rapidly orient yourself to both mitigate the biggest risks and also develop a roadmap towards a sustainable, secure future. As a security consultant, I had the challenge and opportunity to enter blind into a variety of cloud environments. They were across Azure, GCP, and AWS, some well-architected and others organically sprawling, containing a single account/project and hundreds. This gave me a rapid education in how to find the information necessary to familiarize myself with the environment, dig in to identify the risks that matter, and put together remediation plans that address short, medium, and long term goals. This talk will present a cloud and environment agnostic methodology for getting your bearings if tasked with securing a novel cloud environment. We'll learn by applying this to a sample AWS environment in order to cover:
An archeological guide for where and how to find organizational context
How to quickly find and kill the most common attack vectors at the perimeter (both network and identity)
Common architectural and deployment patterns, how to spot them, and their security implications
What you need to know, what you need to prioritize, and what ""best practices"" aren't worth the squeeze when you're in a crunch.

Rami McCarthy

August 08, 2021
Tweet

More Decks by Rami McCarthy

Other Decks in Technology

Transcript

  1. @ramimacisabird
    Cloud Security Orienteering
    Rami McCarthy

    View Slide

  2. @ramimacisabird
    Reformed Security Consultant (NCC Group)
    AWS Certified Security, Specialty + CCSKv4
    Rami McCarthy
    Staff Security Engineer, Cedar

    View Slide

  3. @ramimacisabird
    Background

    View Slide

  4. @ramimacisabird
    Orienteering

    View Slide

  5. @ramimacisabird
    How is this relevant to you?
    ● New job, or new team
    ● Consulting engagement
    ● Merger or acquisition
    ● See your own environment, with fresh eyes

    View Slide

  6. @ramimacisabird
    Cloud Adoption Patterns
    Characteristics Developer Led Data Center
    Transformation
    Snap Migration Native New Build
    Speed Fast then slow Slow (2-3 years+) 18-24 months Fast as DevOps
    Risk High Low(er) High Variable
    Security Late Early Trailing Mid to late
    Network Ops Late Early Early to mid Late (developers manage)
    Tooling New + old when
    forced
    Culturally
    influenced; old +
    new
    Panic (a lot of
    old)
    New, unless culturally
    forced to old
    https://securosis.com/blog/defining-the-journey-the-four-cloud-adoption-patterns

    View Slide

  7. @ramimacisabird
    Cloud Adoption Patterns
    Characteristics Developer Led Data Center
    Transformation
    Snap Migration Native New Build
    Speed Fast then slow Slow (2-3 years+) 18-24 months Fast as DevOps
    Risk High Low(er) High Variable
    Security Late Early Trailing Mid to late
    Network Ops Late Early Early to mid Late (developers manage)
    Tooling New + old when
    forced
    Culturally
    influenced; old +
    new
    Panic (a lot of
    old)
    New, unless culturally
    forced to old
    https://securosis.com/blog/defining-the-journey-the-four-cloud-adoption-patterns

    View Slide

  8. @ramimacisabird
    You walk into a cloud environment...

    View Slide

  9. @ramimacisabird
    What Does Good Look
    Like?

    View Slide

  10. @ramimacisabird
    Cloud Architecture
    ● Emergent standards
    ● High complexity ceiling
    ● Endless configurability and complexity (200+ number of services)
    ○ July 2020: “Over 150 AWS services now have a security chapter”

    View Slide

  11. @ramimacisabird
    Note: From here on out, I’m going to use AWS for all examples.
    However, we’re going to be talking principles, nothing that
    shouldn’t be applicable to other cloud providers
    (even Oracle)

    View Slide

  12. @ramimacisabird
    What Does Good Look
    Like?
    In

    View Slide

  13. @ramimacisabird
    ?

    View Slide

  14. @ramimacisabird
    The AWS Security Reference Architecture?
    https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/architecture.html

    View Slide

  15. @ramimacisabird
    AWS Control Tower?

    View Slide

  16. @ramimacisabird
    A history of AWS Architectures
    ● 2010: Multiple AWS Accounts + Consolidated Billing
    ● 2017: AWS Organizations 1.0: account management and billing
    ● 2020: AWS Organizations 2.0: services are operating at an organization level
    https://cloudonaut.io/aws-account-structure-think-twice-before-using-aws-organizations/

    View Slide

  17. @ramimacisabird
    2017 -> 20181
    ● Use GuardDuty
    ● Use Athena to search and analyze logs
    (not ElasticSearch, EMR)
    ● Use Shield, WAF, and Firewall Manager
    ● CloudFormation as a key service
    ● No more Macie
    2018 -> 2020
    1. Courtesy of Scott Piper:
    https://summitroute.com/blog/2018/07/31/aws_security_pillar_whitepaper_updates/
    ● Account Management and Seperation
    top level - AWS Organizations
    ● Federated identity provider
    ● AWS Security Hub (+ Config Rules)
    ● Automatic remediation with
    EventBridge and Config->Lambda
    ● Systems Manager, Software integrity
    ● SCPs for data protection
    ● More Macie
    ● Significantly expanded IR section

    View Slide

  18. @ramimacisabird
    What Does Good Look Like in
    1. Configuration: AWS CIS Benchmark
    2. Architecture: AWS Well-Architected Security Pillar
    3. Maturity: Summit Route’s AWS Security Maturity Roadmap

    View Slide

  19. @ramimacisabird
    Let’s get orienteering

    View Slide

  20. @ramimacisabird
    Some assumptions:
    ● Cooperative (but not omniscient) help
    ● Good intentions - but no prior security architecture
    ● Not talking multi-cloud - you’re on your own
    ● Requisite access has been established
    ● No expectation of an active or historic compromise
    ○ This is not an Incident Response guide

    View Slide

  21. @ramimacisabird
    Principles of Orienteering
    ● Breadth, then depth
    ○ Avoid rabbit holes
    ● Anomaly detection
    ○ Every region, every project, every account
    ● Inside out
    ○ Leverage credentialed access to query and
    enumerate
    ● Outside in
    ○ Only way to get unknown unknown
    ○ Lots of existing guides on how to do this
    Known Known Known Unknown
    Unknown Known Unknown Unknown

    View Slide

  22. @ramimacisabird
    Corporate archeology: Putting the “Information” in “Information security”

    View Slide

  23. Sources of data:
    ● Asset inventory
    ● Infrastructure/Configuration as
    Code
    ● Data classification
    ● Documentation
    ● Subject matter experts
    ● Standardized tagging (check out
    Yor!)
    ● Cloud security tools (vendor, OSS)
    Corporate Archeology
    Eventually need:
    ● Architecture diagrams or
    documentation of intended
    workloads
    ● Definition of crown jewels
    ● Information on intended
    authentication and identity
    approach

    View Slide

  24. @ramimacisabird
    Hierarchy of discovery
    Resources
    Services
    Regions
    Workloads
    Collections of accounts
    Environments
    AWS Accounts, Azure Subscriptions, GCP Projects
    AWS Organizations, Azure Account, GCP Account
    https://disruptops.com/aws-vs-azure-vs-gcp-a-security-pros-quick-cloud-comparison

    View Slide

  25. @ramimacisabird
    Discovering your environments (accounts)
    https://summitroute.com/blog/2018/06/18/how_to_inventory_aws_accounts/
    ● Ask your Technical Account Manager for all accounts linked to your company domain
    ● Ask your finance team to find all expenses and payments to cloud providers
    ● Search the company emails for account setup notifications
    ● Search network and DNS logs
    ● Put out a public request to company employees
    ● Offer incentives for centralized management
    ○ Expensing the costs of development environments, budget ownership
    ○ Centralized and automated default configuration
    ○ Ownership and responsibility for maintenance, stability

    View Slide

  26. @ramimacisabird
    Discovering your workloads
    ● Work backwards from documentation
    ● Monthly billing report (check consistency)
    ○ This can call out architectural patterns - for example is there a huge usage of EC2s, or are
    managed container services a core element of the cost
    ○ https://www.lastweekinaws.com/blog/the-key-to-unlock-the-aws-billing-puzzle-is-archite
    cture/
    ● Infrastructure as code

    View Slide

  27. @ramimacisabird
    Discovering your resources
    ● You can’t really do this manually
    ○ I’ve done it, it’s slow + painful + failiable
    ■ It doesn’t scale beyond “small” environments
    ● Automation is key, and there are really two paths:
    ○ The company has something in place that works (CSPM, native CSP services)
    ■ Be wary of exceptions + configuration
    ■ May not be applied to all discovered accounts
    ■ Does not cover unknown unknowns
    ○ You run a tool - likely open source due to timeline
    ■ https://github.com/nccgroup/aws-inventory
    ■ Steampipe, Prowler, ScoutSuite - targeted at misconfigurations

    View Slide

  28. @ramimacisabird
    Prioritization

    View Slide

  29. @ramimacisabird
    What’s important

    View Slide

  30. @ramimacisabird
    What’s important - in the cloud
    Identity is the new perimeter
    … but the (network) perimeter is also the perimeter

    View Slide

  31. @ramimacisabird

    View Slide

  32. @ramimacisabird
    Kill chains - https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/
    Threat Initial Access Cloud-specific Impact
    Static API Credential Exposure to Account Hijack Yes Yes High
    Compromised Server via Exposed Remote Access
    Ports
    Yes Yes High
    Compromised Database via Inadvertent Exposure Yes Yes High
    Object Storage Public Data Exposure Yes Yes High
    Server Side Request Forgery Yes No High

    View Slide

  33. @ramimacisabird
    Kill chains - https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/
    Threat Initial Access Cloud-specific Impact
    Cryptomining No ~ Medium
    Network Attack Yes No High
    Compromised Secrets No No Low
    Novel Cloud Data Exposure and Exfiltration Yes Yes High
    Subdomain Takeover Yes ~ Medium

    View Slide

  34. @ramimacisabird
    https://speakerdeck.com/ramimac/learning-from-aws-customer-security-incidents

    View Slide

  35. @ramimacisabird
    Environments and Collections of Environments
    ● Inventory relationship between Accounts and Organizations
    ● Start thinking about target state
    ○ Is there a need for multiple Organizations?
    ○ Are there accounts that are unused or minimally used?
    ○ Who is the proper business owner

    View Slide

  36. @ramimacisabird
    Workloads
    ● Check oldest and longest running workloads
    ○ Ask after their current usage and necessity
    ○ Generally, these have the most drift from current best practices, and
    may predate many controls
    ○ Focus security analysis here first

    View Slide

  37. @ramimacisabird
    Identity perimeter
    ● Management plane access model
    ○ SSO, users, IAM Users, Federated Users, IAM Identity account and cross-account
    roles (MFA)
    ● SSH/Server access model
    ○ Bastion
    ○ Direct SSH
    ○ SSM-only
    ○ Tooling

    View Slide

  38. @ramimacisabird
    Identity perimeter - what
    ● Least Privilege and IAM security
    ○ Securing the root user
    ○ Unused roles - but be careful
    ○ Cross account trusts (Cloudmapper)

    View Slide

  39. @ramimacisabird
    Identity perimeter - how
    ● Native tools
    ○ IAM credential report
    ■ Great for unused IAM principals
    ○ Trusted advisor, Security Hub, AWS Config all have IAM
    ● Open source tools
    ○ Cloudsplaining
    ○ PMapper

    View Slide

  40. @ramimacisabird
    Cloudsplaining - Kinnaird McQuade @Salesforce

    View Slide

  41. @ramimacisabird
    PMapper - Erik Steringer @NCC Group

    View Slide

  42. @ramimacisabird
    Network Perimeter
    ● Public resources
    ○ List of exposable
    ○ Scan findings
    ○ Trusted advisor
    ● Wildcard security groups
    ● Default resources (VPCs, Security groups)
    ○ Launch-wizard sgs

    View Slide

  43. @ramimacisabird
    Hosted applications and services
    ● Out of date, Known vulnerabilities
    ● Unauthenticated
    ● Sensitive or internal services/tools (CI/CD, config management)

    View Slide

  44. @ramimacisabird
    Other concerns … but less actionable or less impactful
    Exposed secrets:
    ● CloudFormation parameter defaults
    ● Unencrypted Lambda environment
    variables
    ● EC2 instance data scripts with hardcoded
    secrets
    ● ECS task definitions with exposed
    environment variables
    ● Sensitive files on S3
    ● Dockerfiles/container images
    ● Code repositories, compromised
    credentials
    Secret management pattern
    ● Secrets manager
    ● Vault
    ● Etc.
    Supply chain
    ● Vendors - how are they granted access?
    ● AMIs - how are they sourced?

    View Slide

  45. @ramimacisabird

    View Slide

  46. @ramimacisabird
    1. Congratulations! Please proceed
    1. Sorry :(
    2. Focus on compliance-impacting, documented
    exceptions, and compensating controls. You can’t
    avoid fiddling with encryption
    Working in a
    regulated industry?
    No
    Yes

    View Slide

  47. @ramimacisabird
    https://www.chrisfarris.com/post/cloud-encryption/

    View Slide

  48. @ramimacisabird
    Misconfigurations
    "Through 2025, more than 99% of cloud breaches will have a root cause of preventable
    misconfigurations or mistakes by end users."
    - Gartner (h/t https://twitter.com/anton_chuvakin/status/1421165415699337216?s=20)
    So, errors are caused by misconfigurations … but what is a misconfiguration?

    View Slide

  49. @ramimacisabird
    Misconfigurations - defense in depth

    View Slide

  50. @ramimacisabird

    View Slide

  51. @ramimacisabird
    Prioritization of misconfigurations
    Take Security Hub’s AWS Foundational Security Best Practices controls as a case study
    ● Launched 07 MAY 2020 w/ 31 fully-automated security controls
    ● Update Sep 23, 2020 w/ 14 new controls
    ● Updated Mar 08, 2021 w/ 25 new controls
    ● Updated Jun 04, 2021 w/ 16 new controls
    ● Updated July 30, 2021 w/ 10 new controls
    ● 141 security controls total

    View Slide

  52. @ramimacisabird
    Onward and upward

    View Slide

  53. @ramimacisabird
    Blanket AWS hardening recommendations
    ● Guardduty
    ● Cloudtrail
    ○ Turn on optional security features, including encryption at-rest and file
    validation
    ○ Centralize and back up logs
    ● Access analyzer
    ● Security visibility to all accounts
    ● S3 block public access, EBS and all other default encryption

    View Slide

  54. @ramimacisabird
    What does fixing things look like
    Seven steps to engage your organization:
    1. Cultivate relationships
    2. Ensure alignment
    3. Focus on key security domains to build
    program foundation
    4. Create an evangelism plan
    5. Give away your legos
    6. Build your team
    7. Measure what matters

    View Slide

  55. @ramimacisabird
    What does fixing things look like

    View Slide

  56. @ramimacisabird
    Maturity curves can help - there are many maturity models
    Cloud Security Maturity Model (CSMM) - IANS, CSA, Securosis
    1. No Automation
    2. SecOps (Simple Automation)
    3. Manually executed scripts
    4. Guardrails
    5. Centrally managed automation
    https://www.iansresearch.com/resources/cloud-security-maturity-model/what-is-the-csmm

    View Slide

  57. @ramimacisabird
    Marco Lancini’s https://roadmap.cloudsecdocs.com/
    5 levels, 7 domains:

    View Slide

  58. @ramimacisabird
    More, Broader, Deeper
    ● Marco Lancini, On Establishing a Cloud Security Program
    ● Scott Piper/Summit Route, AWS Security Maturity Roadmap 2021
    ● Matt Fuller, So You Inherited an AWS Account
    ● DisruptOps, AWS Cloud Security Checklist
    ● CSA Top Threats, Cloud Penetration Testing Playbook
    ● Dave Walker & Chris Astley, Security @ Scale on AWS

    View Slide

  59. @ramimacisabird
    Come work with me at Cedar!
    We’re hiring Product Security Engineers: https://grnh.se/d1b1db2a1us
    Thank you
    Questions?
    and thanks to the organizers!
    Find this, and all my talks, at:
    https://speakerdeck.com/ramimac

    View Slide