
ABS2024: Breaching the Cloud: How to Exploit and Mitigate Common Security Risks by Hans-Peter Weiss & Jan Schneider

Breaching the Cloud: How to Exploit and Mitigate Common Security Risks
The session will concentrate on typical cloud security risks relevant to Azure environments that fall under the customer’s responsibility. We will then demonstrate how an attacker could exploit these risks to gain unauthorised access to cloud infrastructure. Finally, we will propose preventive measures to mitigate these risks.
Hans-Peter Weiss, Cloud Solution Architect @ Swisscom
Jan Schneider, Cloud Solution Architect @ Swisscom


Transcript

  1. Breaching the Cloud: How to Exploit and Mitigate Common Cloud Security Risks
     Jan Schneider, Hans-Peter Weiss | Swisscom B2B Cloud Advisory
  2. Gartner, Kasey Panetta (slide 2): « Through 2025, 99% of cloud security failures will be the customer’s fault. »
  3. Shared Responsibility Model (slide 3)
     • Legend: Customer / Microsoft / Shared; columns: SaaS, PaaS, IaaS, On-prem
     • Responsibility always retained by the customer: Information and data; Devices (mobile and PCs); Accounts and identities
     • Responsibility varies by type: Identity and directory infrastructure; Applications; Network controls; Operating system
     • Responsibility transfers to cloud provider: Physical hosts; Physical network; Physical datacenter
  4. Server-Side Request Forgery (slide 11)
     Slide footer: Author, Date, Document name, C2 General
     • Web Application Security Risk: A10:2021-SSRF is emerging
     • Typically abused to access sensitive internal endpoints
     • Diagram: user input with URL; HTTP request with URL; custom HTTP request; HTTP response; HTTP response
  5. Server-Side Request Forgery (slide 14)
     • Can impact cloud infrastructure security!
     • Possible impact: access to the Managed Identity via the Azure Instance Metadata Service
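A defensive counterpart to the SSRF path on the slides above, added here as an illustration and not code from the deck: an allow-check a web application can apply to a user-supplied URL before making the server-side request, refusing anything that is not http(s) to a public address, so the request can never reach the Instance Metadata Service at 169.254.169.254 or a VNet host such as 10.0.1.4. The resolver table and the name rebind.example are constructed test data; attackme.ch and 20.208.228.71 are taken from the deck.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# The deck's attack path goes through the link-local IMDS address; refusing every
# non-global address also covers the private VNet ranges (10.0.1.4 etc.).
IMDS = ipaddress.ip_address("169.254.169.254")

def resolve_all(host):
    """Resolve host to every A/AAAA record (live DNS; replaced by a table in tests)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return list({ipaddress.ip_address(info[4][0]) for info in infos})

def table_resolver(table):
    """Offline resolver built from a constructed {host: [ip, ...]} table."""
    return lambda host: [ipaddress.ip_address(ip) for ip in table.get(host, [])]

def is_safe_target(url, resolver=resolve_all):
    """Return (allowed, reason) for a user-supplied URL before the server fetches it.

    Only http/https is allowed and *every* address the host resolves to must be
    globally routable. The caller should then connect to one of the vetted
    addresses instead of resolving again, so a DNS rebind cannot swap in
    169.254.169.254 between the check and the request.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4 or [IPv6] in the URL
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return False, f"could not resolve {host!r}"
    for addr in addrs:
        if addr == IMDS or not addr.is_global:
            return False, f"{host} -> {addr} is not a public address"
    return True, "ok"

if __name__ == "__main__":
    dns = table_resolver({"attackme.ch": ["20.208.228.71"]})  # constructed DNS table
    print(is_safe_target("http://169.254.169.254/"), is_safe_target("https://attackme.ch/", dns))
```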
  6. Target infrastructure (slide 16)
     • Diagram: Azure VM attackme.ch (20.208.228.71); Azure Instance Metadata Service 169.254.169.254 (http, access to auth token); Azure Key Vault (https, access to secrets with auth token)
  7. Target infrastructure (slide 20)
     • Diagram: Azure VM secdemo-vm01 (10.0.1.4, ssh); Azure Instance Metadata Service 169.254.169.254 (http, access to auth token); Azure Key Vault (https, access to secrets with auth token)
  8. Lateral movement between subnets (slide 24)
     • Diagram: spoke virtual network; Subnet A 10.0.1.4 secdemo-vm01; Subnet B 10.0.2.4 secdemo-vm02
  9. Lateral movement to the on-premises network! (slide 25)
     • Diagram: spoke virtual network (Subnet A 10.0.1.4 secdemo-vm01; Subnet B 10.0.2.4 secdemo-vm02); VNet Peering; hub virtual network (VPN Gateway); on-premises network (virtual machines)
  10. Attack summary: identified security risks (slide 26)
     • Critical: Server-Side Request Forgery (web app)
     • High: Improper Access Control (Key Vault access policy)
     • High: Insufficient separation of dev/prod environments (Key Vault)
     • Medium: Insecure credential management (SSH key reused)
     • Medium: Insecure default network configuration
     • Medium: Exposed management services
  11. Prevent application security risks (slide 31)
     • Due diligence before lift & shift of VMs or containers
     • Scan for vulnerabilities in deployed infrastructure and applications
     • Train DevSecOps practices: SAST, DAST
     • Penetration testing of high-stakes workloads
  12. Abuse of exposed legitimate credentials (slide 32)
     • Most common initial access vector in cloud security incidents: 36% of cases (IBM, 2023)
     • Examples: credentials on user endpoints; credentials exposed in client-side code; credentials exposed in public source code repositories
     • Legitimate access to resources is harder to identify
  13. Prevent exposure of credentials (slide 33)
     • Scan for secrets in source code before build and run
     • Microsoft monitors GitHub for exposed credentials (CredScan)
     • Store secrets securely (Azure Key Vault, HashiCorp Vault, etc.)
     • Inject secrets at runtime, where possible
     • Compartmentalize credentials
     • Rotate credentials regularly and monitor use
     • Have a process for emergency revocation of accesses
  14. Prevent IAM misconfigurations (slide 35)
     • Implement granular Role-Based Access Control rather than access policies
     • Define a role matrix for managing least-privilege RBAC
     • Beware of inherited permissions
     • Consider threat modelling to spot risky permissions
     • Apply conditional access policies: MFA; no legacy authentication; require managed device
  15. Prevent privilege escalation via dangerous Graph API permissions (slide 36)
     • Application vs. delegated permissions
     • Strictly govern dangerous permissions: AppRoleAssignment.ReadWrite.All; RoleManagement.ReadWrite.Directory; Directory.ReadWrite.All; User.ReadWrite.All; Group.ReadWrite.All; Sites.ReadWrite.All; Mail.Read
     • Identify paths to privilege escalation preventively (BloodHound)
  16. Prevent network misconfigurations (slide 37)
     • Diagram: spoke virtual network (Subnet A 10.0.1.4 secdemo-vm01; Subnet B 10.0.2.4 secdemo-vm02); VNet Peering; hub virtual network (VPN Gateway, Azure Firewall); on-premises network (virtual machines)
     • Move public IPs of virtual machines to the Azure Firewall and protect inbound traffic through DNAT
  17. Thank you (slide 40)
     Let’s secure the Cloud together! Jan Schneider, Hans-Peter Weiss | Swisscom B2B Cloud Advisory