Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ABS2024: Breaching the Cloud: How to Exploit an...

ABS2024: Breaching the Cloud: How to Exploit and Mitigate Common Security Risks by Hans-Peter Weiss & Jan Schneider

⭐️ Breaching the Cloud: How to Exploit and Mitigate Common Security Risks#
The session will concentrate on typical cloud security risks relevant to Azure environments that fall under the customer’s responsibility. We will then demonstrate how an attacker could exploit these risks to gain unauthorised access to cloud infrastructure. Finally, we will propose preventive measures to mitigate these risks.
🙂 HANS-PETER WEISS ⚡️ Cloud Solution Architect @ Swisscom
🙂 JAN SCHNEIDER ⚡️ Cloud Solution Architect @ Swisscom

More Decks by Azure Zurich User Group

Other Decks in Technology

Transcript

  1. Breaching the Cloud How to Exploit and Mitigate Common Cloud

    Security Risks Jan Schneider, Hans-Peter Weiss | Swisscom B2B Cloud Advisory
  2. 2 Gartner: Kasey Panetta « « Through 2025, 99% of

    cloud security failures will be the customer’s fault.
  3. 3 Shared Responsibility Model Customer Microsoft Shared Responsibility always retained

    by the customer Responsibility varies by type Responsibility transfers to cloud provider Responsibility SaaS PaaS IaaS On- prem Information and data Devices (Mobile and PCs) Accounts and identities Identity and directory infrastructure Applications Network controls Operating system Physical hosts Physical network Physical datacenter
  4. Ersteller, Datum, Dokumentenname, C2 General 11 Server-Side Request Forgery Web

    Application Security Risk: A10:2021-SSRF is emerging Typically abused to access sensitive internal endpoints HTTP request with URL custom HTTP request User input with URL HTTP response HTTP response
  5. Ersteller, Datum, Dokumentenname, C2 General 14 Server-Side Request Forgery Can

    impact cloud infrastructure security! Possible impact: Access to Managed Identity via Azure Instance Metadata Service
  6. Ersteller, Datum, Dokumentenname, C2 General 16 Target infrastructure Azure Instance

    Metadata Service 169.254.169.254 Access to auth token http https Azure VM attackme.ch 20.208.228.71 Azure Key Vault https Access to secrets with auth token
  7. Ersteller, Datum, Dokumentenname, C2 General 20 Target infrastructure Azure Instance

    Metadata Service 169.254.169.254 Access to auth token http https Azure VM secdemo-vm01 10.0.1.4 Azure Key Vault https Access to secrets with auth token ssh
  8. Ersteller, Datum, Dokumentenname, C2 General 24 Lateral movement between Subnets

    Spoke virtual network A Subnet 10.0.1.4 secdemo-vm01 B Subnet 10.0.2.4 secdemo-vm02
  9. Ersteller, Datum, Dokumentenname, C2 General 25 Lateral movement to the

    on-premises network! Spoke virtual network A Subnet 10.0.1.4 secdemo-vm01 B Subnet 10.0.2.4 secdemo-vm02 VNet Peering Hub virtual network On-premises network Virtual machine Virtual machine VPN Gateway
  10. Ersteller, Datum, Dokumentenname, C2 General 26 Attack summary: Identified security

    risks Critical: Server—Side Request Forgery (web app) High: Improper Access Control (Key Vault access policy) High: Insufficient separation of dev/prod environments (Key Vault) Medium: Insecure credential management (SSH key reused) Medium: Insecure default network configuration Medium: Exposed management services
  11. 31 Prevent Application Security risks Due diligence before Lift &

    Shift of VMs or containers Scan for vulnerabilites in deployed infrastructure and applications Train DevSecOps practices: SAST, DAST Penetration testing of high-stakes workloads
  12. 32 Abuse of exposed legitimate credentials Most common initial access

    vector in cloud security incidents: 36% of cases (IBM, 2023) Examples: • Credentials on user endpoints • Credentials exposed in client-side code • Credentials exposed in public source code repositories Legitimate access to resources harder to identify
  13. 33 Prevent exposure of credentials • Scan for secrets in

    source code before build and run • Microsoft monitors GitHub for exposed credentials (CredScan) • Store secrets securely (Azure Key Vault, HashiCorp Vault, etc) • Inject secrets at runtime, where possible • Compartmentalize credentials • Rotate credentials regularly and monitor use • Have a process for emergency revocation of accesses
  14. 35 Prevent IAM misconfigurations Implement granular Role-Based Access Control >

    Access Policy Define a role matrix for managing least- privilege RBAC Beware of inherited permissions Consider threat modelling to spot risky permissions Apply conditional access policies • MFA • No legacy authentication • Require managed device
  15. 36 Prevent privilege escalation via dangerous GraphAPI permissions Application vs.

    delegated permissions Strictly govern dangerous permissions: • AppRoleAssignment.ReadWrite.All • RoleManagement.ReadWrite.Directory • Directory.ReadWrite.All • User.ReadWrite.All • Group.ReadWrite.All • Sites.ReadWrite.All • Mail.Read Identify paths to privilege escalation preventively (Bloodhound)
  16. 37 Prevent network misconfigurations Spoke virtual network A Subnet 10.0.1.4

    secdemo-vm01 B Subnet 10.0.2.4 secdemo-vm02 VNet Peering Hub virtual network On-premises network Virtual Machine Virtual Machine VPN Gateway Azure Firewall Move Public IPs of Virtual Machines to the Azure Firewall and protect inbound traffic through DNATing
  17. 40 Thank you Let‘s secure the Cloud together! Jan Schneider,

    Hans-Peter Weiss | Swisscom B2B Cloud Advisory