The document discusses reducing attack surfaces in cloud environments. It notes that understanding your attack surface is critical for deploying proper security controls as attack surfaces differ between cloud and on-premises environments. It also states that web application attacks are now the leading cause of data breaches but less than 5% of security budgets are spent on application security. Common cloud misconfigurations are also discussed as a major risk factor.
2. Summary
• Understanding your attack surface is critical to deploying
the right security controls
• Attack surface in cloud environments is significantly
different than on-premises
• Dominant cloud exposures are often misunderstood
3. 2nd attack HVAC vendor application
Result Successful. Never detected.
Vector SQL Injection
Las Vegas
Bethlehem
1st attack Account Brute Force
Result Detected by the SIEM. Blocked
#1 Sands Casino Breach
4. 2nd attack HVAC vendor application
Result Successful. Never detected.
Vector SQL Injection
Las Vegas
Bethlehem
1st attack Account Brute Force
Result Detected by the SIEM. Blocked • Compromised
admin credentials
• Moved laterally
through Windows
AD
• Used malware to
destroy all hosts
on the network
Sands Casino Breach
5. 1
49
56
86
125
155
172
197
525
908
Denial of Service
Crimeware
Physical Theft / Loss
Payment Card Skimmers
Everything Else
Cyber-espionage
Privilege Misuse
Miscellaneous Errors
POS Intrusions
Web App Attacks
Security risk is shifting to unprotected web applications
Web app attacks are now the #1
source of data breaches
But less than 5% of data center security
budgets are spent on app security
Source: Verizon
UP 500% SINCE 2014
$23 to $1
Percentage of Breaches
10% 20% 30% 40%
Source: Gartner
Web App Attacks
6. 1
49
56
86
125
155
172
197
525
908
Denial of Service
Crimeware
Physical Theft / Loss
Payment Card Skimmers
Everything Else
Cyber-espionage
Privilege Misuse
Miscellaneous Errors
POS Intrusions
Web App Attacks
Security risk is shifting to unprotected web applications
Web app attacks are now the #1
source of data breaches
But less than 5% of data center security
budgets are spent on app security
Source: Verizon
UP 500% SINCE 2014
$23 to $1
Percentage of Breaches
10% 20% 30% 40%
Source: Gartner
Web App Attacks
Underreported. Misunderstood.
7. What Drives This Awareness Disconnect?
• Breach disclosure in a number of states is mandatory,
but technical details are not in disclosure scope
• News media naturally gravitates towards human interest security stories
• Mobile phones
• Endpoint malware
• Email theft Ransomware
Malware
All other terms: SQL injection,
web application attack, Wordpress vulnerability,
PHP vulnerability, Apache Struts vulnerability
8. Our Perspective on Cloud Attack Surface
• 4,000+ customers
• 80% of deployments in data centers
• 50% of deployments in
public and hybrid cloud
• Dominant workload: business
critical web applications
10. #2 Yahoo
Impact
Number of exposed accounts increased
from 1B to 3B.
How it happened
Phishing Email
Where are they now?
Sold to Verizon. Valuation revised by
$350M
11. Meet “M4g” AKA Alexsey Belan
• One of the most prolific
hackers between 2013 -
2015
• Estimated to have
compromised 1.2 billion
user accounts
• Prime suspect in
numerous breaches
12. Alexsey Belan’s Techniques
1. Identified peripheral sites and key people via Google and
LinkedIn
2. Initial compromise via CVE-2011–4106 WordPress
vulnerability. Modified authentication mechanisms to
capture credentials
3. Used NMAP & internal Wiki to learn the environment and
move laterally
4. Reused cookies from development staging systems, client
certificates from emails and trouble tickets
5. Used developer credentials to introduce backdoors into code
Source: https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551
13. Why WordPress?
Used in 28% of all web
sites on the internet
• WP CVE-2011–4106 vulnerability in resulted in 1.2 million compromised sites
• 53 similar vulnerabilities in last 10 years (CVSS 6+)
14. #3 RNC breach
Impact
200M voter records exposed
How it happened
Misconfiguration in Amazon Web Services
S3 service
Where are they now?
Survived the breach. Operational impact
unclear.
16. #4 Code Spaces
Impact
Nearly all customer data, including
backups, deleted.
How it happened
Credential compromise.
Where are they now?
Closed down immediately after event.
17. 60 Most Common AWS Configuration Remediations
Unencrypted AMI Discovered
Unencrypted EBS Volume
S3 Logging not Enabled
Unrestricted Outbound Access on All Ports
User not configured to use MFA
User Access Key not configured with Rotation
IAM Policies are attached directly to User
Dangerous User Privileged Access to S3
Dangerous IAM Role for S3
Dangerous User Privileged Access to RDS
Disable Automatic Access Key Creation
Dangerous User Privileged Access to DDB
Dangerous User Privileged Access to IAM
IAM Access Keys Unused for 90 Days
ELB Listener Security (2 of 4)
ELB Listener Security (1 of 4)
Dangerous IAM Role for RDS
RDS Encryption is not Enabled
Dangerous IAM Role for DDB
Unrestricted Inbound Access - Specific Ports 2
Dangerous IAM Role for IAM
Unrestricted Inbound Access to SSH Port 22/tcp
Unrestricted Inbound Access to HTTP Port 80/tcp
Amazon S3 Bucket Permissions (2 of 2)
Inactive user account
Ensure AWS CloudTrail is Enabled in All Regions
ELB Listener Security (4 of 4)
Unrestricted Inbound Access
Publicly Accessible RDS Database Instance
Passwords not set to enforce complexity
ACL permissions enabled for Authenticated Users in an S3 Bucket
CloudTrail Logging Disabled
Passwords not configured to expire
Ensure Hardware Multi-Factor Authentication is Enabled for the Root Account
Unrestricted Inbound Access to Windows RDP Port 3389/tcp
Enable Amazon GuardDuty on AWS Account
Unrestricted Inbound Access to PostgreSQL Port 5432/tcp
Global View ACL permissions enabled in an S3 Bucket
Unrestricted Inbound Access to mySQL Port 3306/tcp
Unrestricted Inbound Access to NetBIOS over TCP/IP 137/udp/tcp, 138/udp or
139/udp/tcp
Unrestricted Inbound Access to SMTP Port 25/tcp
Root account not using MFA
Unrestricted Inbound Access to FTP Port 21/tcp
Unrestricted Inbound Access to DNS Port 53/tcp
Unrestricted Inbound Access to SQLServer Port 1433,1434/tcp
Unrestricted Inbound Access to FTP Port 20/tcp
Unrestricted Inbound Access to VNC Port 5500,5900/tcp
Unrestricted Inbound Access to MSQL Port 4333/tcp
Unrestricted Inbound Access to SMTP over TLS/SSL Port 465/tcp
Unrestricted Inbound Access to ElasticSearch Port 9300/tcp
Unrestricted Inbound Access to CIFS/SMB over TCP 445/tcp
Root Account Used Recently
Unrestricted Inbound Access to Windows RPC Port 135/tcp
Publicly Accessible AMI Discovered
Unrestricted Inbound Access to Telnet Port 23/tcp
Unencrypted Redshift Cluster
Unrestricted Inbound Access to DNS Port 53/udp
Publicly Accessible Redshift Cluster Nodes
Dangerous use of Root Access Keys
Unrestricted Inbound Access to CIFS/SMB over TCP 445/udp
Across
31,235 EC2 instances / workloads
155,911 vulnerabilities and
exposures sampled
On 381 VPC’s in Dec 2017
19. Cloud Attack Surface
Attacks
Web App
Attacks
OWASP
top 10
Platform /
library
attacks
App /
System
misconfig
attacks
Web Apps
Server-side Apps
App Frameworks
Dev Platforms
Server OS
Hypervisor
Hardware
The Application Stack
Databases
Attackersaremovingupthestack
1. Wide range of attacks at
every layer of the stack
2. Rapidly changing
codebase can introduces
unknown vulnerabilities
3. Long tail of exposures
inherited from 3rd party
development tools
4. Extreme shortage of cloud
and application security
expertise
20. Attack Surface Factors
Factor Impact Technology Triggers
Custom built complex
web code
Broad attack surface and numerous
opportunities for hidden
vulnerabilities.
Open or commercial
development
frameworks
Vulnerabilities inherited from open
source community or software
vendors.
3-tier architecture
with relational
databases
Increased risk of SQL injection - #1
web attack method in volume and
impact
Open and
Interconnected
Easily accessible from outside world
by valid users and attackers alike
Legacy code Technical debt means increases risk