Cloud Security Orienteering

Transcript

1. @ramimacisabird
   Cloud Security Orienteering
   Rami McCarthy
   

   View Slide

2. @ramimacisabird
   Reformed Security Consultant (NCC Group)
   AWS Certified Security, Specialty + CCSKv4
   Rami McCarthy
   Staff Security Engineer, Cedar
   

   View Slide

3. @ramimacisabird
   Background
   

   View Slide

4. @ramimacisabird
   Orienteering
   

   View Slide

5. @ramimacisabird
   How is this relevant to you?
   ● New job, or new team
   ● Consulting engagement
   ● Merger or acquisition
   ● See your own environment, with fresh eyes
   

   View Slide

6. @ramimacisabird
   Cloud Adoption Patterns
   Characteristics Developer Led Data Center
   Transformation
   Snap Migration Native New Build
   Speed Fast then slow Slow (2-3 years+) 18-24 months Fast as DevOps
   Risk High Low(er) High Variable
   Security Late Early Trailing Mid to late
   Network Ops Late Early Early to mid Late (developers manage)
   Tooling New + old when
   forced
   Culturally
   influenced; old +
   new
   Panic (a lot of
   old)
   New, unless culturally
   forced to old
   https://securosis.com/blog/defining-the-journey-the-four-cloud-adoption-patterns
   

   View Slide

7. @ramimacisabird
   Cloud Adoption Patterns
   Characteristics Developer Led Data Center
   Transformation
   Snap Migration Native New Build
   Speed Fast then slow Slow (2-3 years+) 18-24 months Fast as DevOps
   Risk High Low(er) High Variable
   Security Late Early Trailing Mid to late
   Network Ops Late Early Early to mid Late (developers manage)
   Tooling New + old when
   forced
   Culturally
   influenced; old +
   new
   Panic (a lot of
   old)
   New, unless culturally
   forced to old
   https://securosis.com/blog/defining-the-journey-the-four-cloud-adoption-patterns
   

   View Slide

8. @ramimacisabird
   You walk into a cloud environment...
   

   View Slide

9. @ramimacisabird
   What Does Good Look
   Like?
   

   View Slide

10. @ramimacisabird
    Cloud Architecture
    ● Emergent standards
    ● High complexity ceiling
    ● Endless configurability and complexity (200+ number of services)
    ○ July 2020: “Over 150 AWS services now have a security chapter”
    

    View Slide

11. @ramimacisabird
    Note: From here on out, I’m going to use AWS for all examples.
    However, we’re going to be talking principles, nothing that
    shouldn’t be applicable to other cloud providers
    (even Oracle)
    

    View Slide

12. @ramimacisabird
    What Does Good Look
    Like?
    In
    

    View Slide

13. @ramimacisabird
    ?
    

    View Slide

14. @ramimacisabird
    The AWS Security Reference Architecture?
    https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/architecture.html
    

    View Slide

15. @ramimacisabird
    AWS Control Tower?
    

    View Slide

16. @ramimacisabird
    A history of AWS Architectures
    ● 2010: Multiple AWS Accounts + Consolidated Billing
    ● 2017: AWS Organizations 1.0: account management and billing
    ● 2020: AWS Organizations 2.0: services are operating at an organization level
    https://cloudonaut.io/aws-account-structure-think-twice-before-using-aws-organizations/
    

    View Slide

17. @ramimacisabird
    2017 -> 20181
    ● Use GuardDuty
    ● Use Athena to search and analyze logs
    (not ElasticSearch, EMR)
    ● Use Shield, WAF, and Firewall Manager
    ● CloudFormation as a key service
    ● No more Macie
    2018 -> 2020
    1. Courtesy of Scott Piper:
    https://summitroute.com/blog/2018/07/31/aws_security_pillar_whitepaper_updates/
    ● Account Management and Seperation
    top level - AWS Organizations
    ● Federated identity provider
    ● AWS Security Hub (+ Config Rules)
    ● Automatic remediation with
    EventBridge and Config->Lambda
    ● Systems Manager, Software integrity
    ● SCPs for data protection
    ● More Macie
    ● Significantly expanded IR section
    

    View Slide

18. @ramimacisabird
    What Does Good Look Like in
    1. Configuration: AWS CIS Benchmark
    2. Architecture: AWS Well-Architected Security Pillar
    3. Maturity: Summit Route’s AWS Security Maturity Roadmap
    

    View Slide

19. @ramimacisabird
    Let’s get orienteering
    

    View Slide

20. @ramimacisabird
    Some assumptions:
    ● Cooperative (but not omniscient) help
    ● Good intentions - but no prior security architecture
    ● Not talking multi-cloud - you’re on your own
    ● Requisite access has been established
    ● No expectation of an active or historic compromise
    ○ This is not an Incident Response guide
    

    View Slide

21. @ramimacisabird
    Principles of Orienteering
    ● Breadth, then depth
    ○ Avoid rabbit holes
    ● Anomaly detection
    ○ Every region, every project, every account
    ● Inside out
    ○ Leverage credentialed access to query and
    enumerate
    ● Outside in
    ○ Only way to get unknown unknown
    ○ Lots of existing guides on how to do this
    Known Known Known Unknown
    Unknown Known Unknown Unknown
    

    View Slide

22. @ramimacisabird
    Corporate archeology: Putting the “Information” in “Information security”
    

    View Slide

23. Sources of data:
    ● Asset inventory
    ● Infrastructure/Configuration as
    Code
    ● Data classification
    ● Documentation
    ● Subject matter experts
    ● Standardized tagging (check out
    Yor!)
    ● Cloud security tools (vendor, OSS)
    Corporate Archeology
    Eventually need:
    ● Architecture diagrams or
    documentation of intended
    workloads
    ● Definition of crown jewels
    ● Information on intended
    authentication and identity
    approach
    

    View Slide

24. @ramimacisabird
    Hierarchy of discovery
    Resources
    Services
    Regions
    Workloads
    Collections of accounts
    Environments
    AWS Accounts, Azure Subscriptions, GCP Projects
    AWS Organizations, Azure Account, GCP Account
    https://disruptops.com/aws-vs-azure-vs-gcp-a-security-pros-quick-cloud-comparison
    

    View Slide

25. @ramimacisabird
    Discovering your environments (accounts)
    https://summitroute.com/blog/2018/06/18/how_to_inventory_aws_accounts/
    ● Ask your Technical Account Manager for all accounts linked to your company domain
    ● Ask your finance team to find all expenses and payments to cloud providers
    ● Search the company emails for account setup notifications
    ● Search network and DNS logs
    ● Put out a public request to company employees
    ● Offer incentives for centralized management
    ○ Expensing the costs of development environments, budget ownership
    ○ Centralized and automated default configuration
    ○ Ownership and responsibility for maintenance, stability
    

    View Slide

26. @ramimacisabird
    Discovering your workloads
    ● Work backwards from documentation
    ● Monthly billing report (check consistency)
    ○ This can call out architectural patterns - for example is there a huge usage of EC2s, or are
    managed container services a core element of the cost
    ○ https://www.lastweekinaws.com/blog/the-key-to-unlock-the-aws-billing-puzzle-is-archite
    cture/
    ● Infrastructure as code
    

    View Slide

27. @ramimacisabird
    Discovering your resources
    ● You can’t really do this manually
    ○ I’ve done it, it’s slow + painful + failiable
    ■ It doesn’t scale beyond “small” environments
    ● Automation is key, and there are really two paths:
    ○ The company has something in place that works (CSPM, native CSP services)
    ■ Be wary of exceptions + configuration
    ■ May not be applied to all discovered accounts
    ■ Does not cover unknown unknowns
    ○ You run a tool - likely open source due to timeline
    ■ https://github.com/nccgroup/aws-inventory
    ■ Steampipe, Prowler, ScoutSuite - targeted at misconfigurations
    

    View Slide

28. @ramimacisabird
    Prioritization
    

    View Slide

29. @ramimacisabird
    What’s important
    

    View Slide

30. @ramimacisabird
    What’s important - in the cloud
    Identity is the new perimeter
    … but the (network) perimeter is also the perimeter
    

    View Slide

31. @ramimacisabird
    

    View Slide

32. @ramimacisabird
    Kill chains - https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/
    Threat Initial Access Cloud-specific Impact
    Static API Credential Exposure to Account Hijack Yes Yes High
    Compromised Server via Exposed Remote Access
    Ports
    Yes Yes High
    Compromised Database via Inadvertent Exposure Yes Yes High
    Object Storage Public Data Exposure Yes Yes High
    Server Side Request Forgery Yes No High
    

    View Slide

33. @ramimacisabird
    Kill chains - https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/
    Threat Initial Access Cloud-specific Impact
    Cryptomining No ~ Medium
    Network Attack Yes No High
    Compromised Secrets No No Low
    Novel Cloud Data Exposure and Exfiltration Yes Yes High
    Subdomain Takeover Yes ~ Medium
    

    View Slide

34. @ramimacisabird
    https://speakerdeck.com/ramimac/learning-from-aws-customer-security-incidents
    

    View Slide

35. @ramimacisabird
    Environments and Collections of Environments
    ● Inventory relationship between Accounts and Organizations
    ● Start thinking about target state
    ○ Is there a need for multiple Organizations?
    ○ Are there accounts that are unused or minimally used?
    ○ Who is the proper business owner
    

    View Slide

36. @ramimacisabird
    Workloads
    ● Check oldest and longest running workloads
    ○ Ask after their current usage and necessity
    ○ Generally, these have the most drift from current best practices, and
    may predate many controls
    ○ Focus security analysis here first
    

    View Slide

37. @ramimacisabird
    Identity perimeter
    ● Management plane access model
    ○ SSO, users, IAM Users, Federated Users, IAM Identity account and cross-account
    roles (MFA)
    ● SSH/Server access model
    ○ Bastion
    ○ Direct SSH
    ○ SSM-only
    ○ Tooling
    

    View Slide

38. @ramimacisabird
    Identity perimeter - what
    ● Least Privilege and IAM security
    ○ Securing the root user
    ○ Unused roles - but be careful
    ○ Cross account trusts (Cloudmapper)
    

    View Slide

39. @ramimacisabird
    Identity perimeter - how
    ● Native tools
    ○ IAM credential report
    ■ Great for unused IAM principals
    ○ Trusted advisor, Security Hub, AWS Config all have IAM
    ● Open source tools
    ○ Cloudsplaining
    ○ PMapper
    

    View Slide

40. @ramimacisabird
    Cloudsplaining - Kinnaird McQuade @Salesforce
    

    View Slide

41. @ramimacisabird
    PMapper - Erik Steringer @NCC Group
    

    View Slide

42. @ramimacisabird
    Network Perimeter
    ● Public resources
    ○ List of exposable
    ○ Scan findings
    ○ Trusted advisor
    ● Wildcard security groups
    ● Default resources (VPCs, Security groups)
    ○ Launch-wizard sgs
    

    View Slide

43. @ramimacisabird
    Hosted applications and services
    ● Out of date, Known vulnerabilities
    ● Unauthenticated
    ● Sensitive or internal services/tools (CI/CD, config management)
    

    View Slide

44. @ramimacisabird
    Other concerns … but less actionable or less impactful
    Exposed secrets:
    ● CloudFormation parameter defaults
    ● Unencrypted Lambda environment
    variables
    ● EC2 instance data scripts with hardcoded
    secrets
    ● ECS task definitions with exposed
    environment variables
    ● Sensitive files on S3
    ● Dockerfiles/container images
    ● Code repositories, compromised
    credentials
    Secret management pattern
    ● Secrets manager
    ● Vault
    ● Etc.
    Supply chain
    ● Vendors - how are they granted access?
    ● AMIs - how are they sourced?
    

    View Slide

45. @ramimacisabird
    

    View Slide

46. @ramimacisabird
    1. Congratulations! Please proceed
    1. Sorry :(
    2. Focus on compliance-impacting, documented
    exceptions, and compensating controls. You can’t
    avoid fiddling with encryption
    Working in a
    regulated industry?
    No
    Yes
    

    View Slide

47. @ramimacisabird
    https://www.chrisfarris.com/post/cloud-encryption/
    

    View Slide

48. @ramimacisabird
    Misconfigurations
    "Through 2025, more than 99% of cloud breaches will have a root cause of preventable
    misconfigurations or mistakes by end users."
    - Gartner (h/t https://twitter.com/anton_chuvakin/status/1421165415699337216?s=20)
    So, errors are caused by misconfigurations … but what is a misconfiguration?
    

    View Slide

49. @ramimacisabird
    Misconfigurations - defense in depth
    

    View Slide

50. @ramimacisabird
    

    View Slide

51. @ramimacisabird
    Prioritization of misconfigurations
    Take Security Hub’s AWS Foundational Security Best Practices controls as a case study
    ● Launched 07 MAY 2020 w/ 31 fully-automated security controls
    ● Update Sep 23, 2020 w/ 14 new controls
    ● Updated Mar 08, 2021 w/ 25 new controls
    ● Updated Jun 04, 2021 w/ 16 new controls
    ● Updated July 30, 2021 w/ 10 new controls
    ● 141 security controls total
    

    View Slide

52. @ramimacisabird
    Onward and upward
    

    View Slide

53. @ramimacisabird
    Blanket AWS hardening recommendations
    ● Guardduty
    ● Cloudtrail
    ○ Turn on optional security features, including encryption at-rest and file
    validation
    ○ Centralize and back up logs
    ● Access analyzer
    ● Security visibility to all accounts
    ● S3 block public access, EBS and all other default encryption
    

    View Slide

54. @ramimacisabird
    What does fixing things look like
    Seven steps to engage your organization:
    1. Cultivate relationships
    2. Ensure alignment
    3. Focus on key security domains to build
    program foundation
    4. Create an evangelism plan
    5. Give away your legos
    6. Build your team
    7. Measure what matters
    

    View Slide

55. @ramimacisabird
    What does fixing things look like
    

    View Slide

56. @ramimacisabird
    Maturity curves can help - there are many maturity models
    Cloud Security Maturity Model (CSMM) - IANS, CSA, Securosis
    1. No Automation
    2. SecOps (Simple Automation)
    3. Manually executed scripts
    4. Guardrails
    5. Centrally managed automation
    https://www.iansresearch.com/resources/cloud-security-maturity-model/what-is-the-csmm
    

    View Slide

57. @ramimacisabird
    Marco Lancini’s https://roadmap.cloudsecdocs.com/
    5 levels, 7 domains:
    

    View Slide

58. @ramimacisabird
    More, Broader, Deeper
    ● Marco Lancini, On Establishing a Cloud Security Program
    ● Scott Piper/Summit Route, AWS Security Maturity Roadmap 2021
    ● Matt Fuller, So You Inherited an AWS Account
    ● DisruptOps, AWS Cloud Security Checklist
    ● CSA Top Threats, Cloud Penetration Testing Playbook
    ● Dave Walker & Chris Astley, Security @ Scale on AWS
    

    View Slide

59. @ramimacisabird
    Come work with me at Cedar!
    We’re hiring Product Security Engineers: https://grnh.se/d1b1db2a1us
    Thank you
    Questions?
    and thanks to the organizers!
    Find this, and all my talks, at:
    https://speakerdeck.com/ramimac
    

    View Slide