SESSION ID: CSV-T08
Break the Top 10 Cloud Attack Killchains

Rich Mogull
Analyst/Securosis
CISO/DisruptOps
@rmogull

Shawn Harris
Managing Principal Security Architect, Starbucks
@infotechwarrior

#RSAC

Kill Chains and ATT&CK's
• Lockheed Martin's Cyber Kill Chain represents a standard attack pattern from recon to action
• MITRE's ATT&CK framework is a knowledge base of attack patterns in structured phases
• Both exist to help you threat model and plan defenses
• This session includes 10 specific cloud kill chains most commonly used (in our experience)

Objectives
• Provide you with detailed information on the most common real-world cloud attacks AND
• The most effective ways to prevent them

Static API Credential Exposure to Account Hijack
Category: Attack (Scripted or Targeted)
Severity: High
Likelihood: High
Primary CSA Top Threat:
  4. Security Issue: Insufficient Identity, Credential, Access and Key Management
  5. Security Issue: Account Hijacking
Primary MITRE ATT&CK: Valid Accounts

Static API Credential Exposure to Account Hijack – Kill Chain
1. Access key created for IAM user
2. Key saved in insecure storage or transmitted insecurely
3. Attacker obtains key
4. Attacker uses key from a host/platform under their control
5. Attacker executes API calls for malicious action or privilege escalation

Common sources of credential exposure
• GitHub/BitBucket
• Shared images
• Snapshots
• Compromised instance -> embedded code
• Compromised instance or dev/admin system ->
  – Shell history
  – Config/Credentials file
  – Local code

Static API Credential Exposure to Account Hijack – Mitigations (AWS)
Access key created for IAM user
  • Minimize or eliminate use of IAM users (use IAM Roles)
Key saved in insecure storage or transmitted insecurely
  • Scan for credentials on commit
  • Scan code repositories
  • Federation + MFA for devs/admins
Attacker obtains key
Attacker uses key from a host/platform under their control
  • Use IAM conditionals that restrict based on IP/VPC
  • Alert based on unusual location of API calls
Attacker executes API calls for malicious action or privilege escalation
  • Least privilege IAM policies
  • Assess for potential IAM priv escalation
  • Activity alerts
  • Many options/environment specific

Static API Credential Exposure to Account Hijack – Mitigations (Azure)
Access key created for federated user
  • Minimize or eliminate use of user context accounts by implementing Managed Service Identities
Key saved in insecure storage or transmitted insecurely
  • Primary access tokens saved in key vault, with a federated service principal or Managed Service Identity having access to retrieve them
Attacker obtains key
Attacker uses key from a host/platform under their control
  • Use access controls that restrict based on IP/VNET
  • Correlation to anomalous GeoIP access from flow logs in correlation engine
Attacker executes API calls for malicious action or privilege escalation
  • Least privilege access policies via Azure API Management

Compromised Server via Exposed SSH/RDP/Remote Access
Category: Misconfiguration (Common)
Severity: High
Likelihood: High
Primary CSA Top Threat: 2. Misconfiguration and Inadequate Change Control
Primary MITRE ATT&CK: Exploit Public-Facing Application

Compromised Server via Exposed SSH/RDP/Remote Access – Kill Chain
1. Find ports 22/3389 or other admin ports exposed to Internet
2. Identify target resource behind exposed port
3. Brute force password or exploit vulnerability
4. Escalate privileges, pivot, and/or extract data

Compromised Server via Exposed SSH/RDP/Remote Access – Mitigations (Azure)
Find ports 22/3389 or other admin ports exposed to Internet
  • Assess Network security groups for public exposure of known admin ports
  • Azure Bastion
Identify target resource behind exposed port
  • JIT access policy in Azure Security Center
Brute force password or exploit vulnerability
  • Azure Security Center vulnerability assessment
Escalate privileges, pivot, and/or extract data
  • Host image hardening (CIS)
  • NIC service segmentation via NSG

Compromised Server via Exposed SSH/RDP/Remote Access – Mitigations
Find ports 22/3389 or other admin ports exposed to Internet
  • Assess security groups for public exposure of know
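The "scan for credentials on commit" mitigation from the first kill chain, shown as an added example that is not part of the presentation: a minimal pre-commit scanner for static AWS keys. It assumes the documented key formats (long-term IAM user access key IDs start with "AKIA" followed by 16 upper-case alphanumerics; secrets are 40 base64-style characters); the staged file contents are constructed, and the secret value is the placeholder used in AWS documentation rather than a live key.

```python
import re

# Added example (not from the presentation): a minimal pre-commit scanner for
# static AWS credentials. Long-term IAM user access key IDs begin with "AKIA"
# followed by 16 upper-case alphanumerics; the secret is 40 base64-style
# characters and is only flagged next to a secret-key style name to cut noise.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def mask(value):
    """Keep only the first and last four characters so CI logs never echo a full key."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text, path="<stdin>"):
    """Return (path, line_no, kind, masked_value) tuples for every hit in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws_access_key_id", mask(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((path, line_no, "aws_secret_access_key", mask(m.group(1))))
    return findings


def scan_staged_files(files):
    """files maps path -> content, i.e. what a pre-commit hook reads from the index."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_text(content, path))
    return findings


# Constructed sample "staged files". The key values are placeholders: the
# secret is the example value used in AWS documentation, not a live key.
STAGED = {
    "config/settings.py": (
        "# constructed sample: a hard-coded IAM user key checked into a repo\n"
        'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEXAMPLE123"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "scripts/deploy.sh": (
        "# constructed sample: a line pasted from shell history into a script\n"
        "export AWS_ACCESS_KEY_ID=AKIAEXAMPLEXAMPLE123\n"
        "aws s3 sync ./build s3://example-bucket/\n"
    ),
    "app/main.py": (
        "import boto3\n"
        "# no static key: credentials come from the instance/task role\n"
        "session = boto3.Session()\n"
    ),
}

if __name__ == "__main__":
    hits = scan_staged_files(STAGED)
    for path, line_no, kind, masked in hits:
        print(f"{path}:{line_no}: {kind} {masked}")
    # A non-zero exit status makes the hook block the commit.
    raise SystemExit(1 if hits else 0)
```

Wired into a pre-commit hook the same function runs over the index contents instead of the constructed dict; masking the match keeps the key out of CI logs, which are themselves one of the exposure sources on the "common sources of credential exposure" slide.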
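The "use IAM conditionals that restrict based on IP/VPC" mitigation, as an added example that is not from the presentation: an explicit Deny policy in real IAM JSON syntax, together with a deliberately simplified evaluator so the effect can be checked offline. The policy, the 203.0.113.0/24 range and the VPC id "vpc-0example" are constructed placeholders. The evaluator models only the operators the policy uses and the documented rule that a negated operator (StringNotEquals, NotIpAddress) matches when its key is absent from the request context, which is what lets the VPC condition deny calls that did not arrive through the VPC; a full IAM evaluation involves more than this.

```python
import ipaddress

# Constructed example policy (not from the slides). A stolen key used from a
# host outside the corporate egress range AND outside the application VPC is
# denied regardless of what the identity's Allow statements grant.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideCorpIpAndVpc",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},   # placeholder range
                "StringNotEquals": {"aws:SourceVpc": "vpc-0example"},  # placeholder VPC id
            },
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in(value, cidrs):
    ip = ipaddress.ip_address(value)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def condition_matches(operator, key, expected, context):
    """Simplified IAM semantics for the operators used above.

    A key missing from the request context makes a negated operator match and
    a positive operator fail; e.g. aws:SourceVpc is only present for calls that
    came through the VPC, so StringNotEquals on it matches every other call.
    """
    if key not in context:
        return "Not" in operator
    actual = context[key]
    if operator == "IpAddress":
        return _ip_in(actual, _as_list(expected))
    if operator == "NotIpAddress":
        return not _ip_in(actual, _as_list(expected))
    if operator == "StringEquals":
        return actual in _as_list(expected)
    if operator == "StringNotEquals":
        return actual not in _as_list(expected)
    raise ValueError(f"unsupported operator {operator}")


def statement_denies(stmt, context):
    """A Deny statement applies only when every condition block matches (AND)."""
    if stmt["Effect"] != "Deny":
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not condition_matches(operator, key, expected, context):
                return False
    return True


def call_is_blocked(policy, context):
    """True if any Deny statement in the policy applies to this request context."""
    return any(statement_denies(s, context) for s in policy["Statement"])


if __name__ == "__main__":
    # Constructed request contexts: corporate egress, an attacker-controlled
    # host, and a call from inside the VPC (where aws:SourceIp is not set and
    # aws:SourceVpc is).
    for ctx in (
        {"aws:SourceIp": "203.0.113.10"},
        {"aws:SourceIp": "198.51.100.7"},
        {"aws:SourceVpc": "vpc-0example"},
    ):
        print(ctx, "blocked" if call_is_blocked(POLICY, ctx) else "allowed")
```

The design point is that the restriction is a Deny with conditions rather than a narrowed Allow, so it holds even if the compromised identity later gains broader permissions; pair it with the "alert based on unusual location of API calls" bullet, since the denied attempts themselves are the signal that a key has leaked.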
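The "assess security groups / Network security groups for public exposure of known admin ports" mitigation from the second kill chain, as an added example that is not from the presentation. It normalises two rule shapes, the AWS `describe_security_groups` IpPermissions structure and the Azure NSG `securityRules` structure, into (ports, source) pairs and reports any rule that opens an admin port to the whole Internet. All group ids, NSG names and rules are constructed; the check ignores Azure's plural `destinationPortRanges` / `sourceAddressPrefixes` forms and does not model NSG rule priority or Deny rules, which a production check would need.

```python
# Added example (not from the presentation): find admin ports open to the world
# in AWS security groups and Azure NSGs. Extend ADMIN_PORTS (e.g. 5985/5986 for
# WinRM) to match the "other admin ports" your estate uses.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
# "0.0.0.0/0" and "::/0" are the AWS/Azure any-source CIDRs; "*" and the
# "Internet" service tag are the Azure NSG equivalents.
ANYWHERE = {"0.0.0.0/0", "::/0", "*", "Internet"}


def _ports(low, high):
    return set(range(low, high + 1))


def aws_rules(group):
    """Yield (ports, source) from an AWS describe_security_groups() group dict."""
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        if proto not in ("tcp", "-1"):          # admin protocols here are TCP; -1 = all
            continue
        ports = set(ADMIN_PORTS) if proto == "-1" else _ports(perm["FromPort"], perm["ToPort"])
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for src in sources:
            yield ports, src


def azure_rules(nsg):
    """Yield (ports, source) from an Azure NSG in its ARM/JSON shape."""
    for rule in nsg["properties"]["securityRules"]:
        p = rule["properties"]
        if p["access"] != "Allow" or p["direction"] != "Inbound":
            continue
        if p["protocol"] not in ("Tcp", "*"):
            continue
        rng = p["destinationPortRange"]
        if rng == "*":
            ports = set(ADMIN_PORTS)
        elif "-" in rng:
            low, high = rng.split("-")
            ports = _ports(int(low), int(high))
        else:
            ports = {int(rng)}
        yield ports, p["sourceAddressPrefix"]


def exposed_admin_ports(rules):
    """Return (port, service, source) for every admin port reachable from ANYWHERE."""
    findings = []
    for ports, src in rules:
        if src in ANYWHERE:
            for port in sorted(ports & set(ADMIN_PORTS)):
                findings.append((port, ADMIN_PORTS[port], src))
    return findings


def assess(aws_groups, azure_nsgs):
    report = []
    for g in aws_groups:
        report += [(g["GroupId"],) + f for f in exposed_admin_ports(aws_rules(g))]
    for n in azure_nsgs:
        report += [(n["name"],) + f for f in exposed_admin_ports(azure_rules(n))]
    return report


# Constructed sample inventory (placeholder ids, not real resources).
SECURITY_GROUPS = [
    {"GroupId": "sg-0bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "corp VPN"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0all", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0rdp", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
]
NSGS = [
    {"name": "nsg-app", "properties": {"securityRules": [
        {"name": "allow-rdp-internet", "properties": {"access": "Allow", "direction": "Inbound",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"}},
        {"name": "allow-ssh-vpn", "properties": {"access": "Allow", "direction": "Inbound",
         "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"}},
        {"name": "allow-https", "properties": {"access": "Allow", "direction": "Inbound",
         "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "443"}}]}},
]

if __name__ == "__main__":
    for resource, port, service, src in assess(SECURITY_GROUPS, NSGS):
        print(f"{resource}: {service} ({port}/tcp) open to {src}")
```

The wide port range on "sg-0rdp" and the all-traffic rule on "sg-0all" are the cases a naive grep for "3389" misses, which is why the check expands ranges before intersecting with the admin port set; in practice the same function is fed from the cloud API rather than the constructed lists.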
2020_USA20_CSV-T08_01_Break the Top 10 Cloud Attack Killchains