Cloud Security Orienteering

Summary: The document provides an overview of cloud security orienteering. It discusses discovering cloud environments, accounts, workloads, and resources through corporate archeology and automation. The document emphasizes taking a breadth-first approach to avoid rabbit holes, detecting anomalies across all regions and projects, and leveraging inside access to query and enumerate. It also discusses principles of orienteering like starting from the inside out and leveraging outside information.

Rami McCarthy, @ramimacisabird

Rami McCarthy
Staff Security Engineer, Cedar
Reformed Security Consultant (NCC Group)
AWS Certified Security, Specialty + CCSKv4

Background
Orienteering

How is this relevant to you?
● New job, or new team
● Consulting engagement
● Merger or acquisition
● See your own environment, with fresh eyes

Cloud Adoption Patterns

Characteristics | Developer Led | Data Center Transformation | Snap Migration | Native New Build
Speed | Fast then slow | Slow (2-3 years+) | 18-24 months | Fast as DevOps
Risk | High | Low(er) | High | Variable
Security | Late | Early | Trailing | Mid to late
Network Ops | Late | Early | Early to mid | Late (developers manage)
Tooling | New + old when forced | Culturally influenced; old + new | Panic (a lot of old) | New, unless culturally forced to old

Source: https://securosis.com/blog/defining-the-journey-the-four-cloud-adoption-patterns

You walk into a cloud environment...

What Does Good Look Like?

Cloud Architecture

● Emergent standards
● High complexity ceiling
● Endless configurability and complexity (200+ services)
○ July 2020: “Over 150 AWS services now have a security chapter”

Note: From here on out, I’m going to use AWS for all examples. However, we’re going to be talking principles, nothing that shouldn’t be applicable to other cloud providers (even Oracle).

What Does Good Look Like? In ...?

The AWS Security Reference Architecture?
https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/architecture.html

AWS Control Tower?

A history of AWS Architectures

● 2010: Multiple AWS Accounts + Consolidated Billing
● 2017: AWS Organizations 1.0: account management and billing
● 2020: AWS Organizations 2.0: services are operating at an organization level

https://cloudonaut.io/aws-account-structure-think-twice-before-using-aws-organizations/

Changes to the AWS Security Pillar whitepaper:

2017 -> 2018 (1):
● Use GuardDuty
● Use Athena to search and analyze logs (not ElasticSearch, EMR)
● Use Shield, WAF, and Firewall Manager
● CloudFormation as a key service
● No more Macie

2018 -> 2020:
● Account Management and Separation top level - AWS Organizations
● Federated identity provider
● AWS Security Hub (+ Config Rules)
● Automatic remediation with EventBridge and Config->Lambda
● Systems Manager, Software integrity
● SCPs for data protection
● More Macie
● Significantly expanded IR section

1. Courtesy of Scott Piper: https://summitroute.com/blog/2018/07/31/aws_security_pillar_whitepaper_updates/

What Does Good Look Like in ...

1. Configuration: AWS CIS Benchmark
2. Architecture: AWS Well-Architected Security Pillar
3. Maturity: Summit Route’s AWS Security Maturity Roadmap

Let’s get orienteering

Some assumptions:

● Cooperative (but not omniscient) help
● Good intentions - but no prior security architecture
● Not talking multi-cloud - you’re on your own
● Requisite access has been established
● No expectation of an active or historic compromise
○ This is not an Incident Response guide

Principles of Orienteering

● Breadth, then depth
○ Avoid rabbit holes
● Anomaly detection
○ Every region, every project, every account
● Inside out
○ Leverage credentialed access to query and enumerate
● Outside in
○ Only way to get unknown unknowns
○ Lots of existing guides on how to do this

(Slide quadrant: Known Known | Known Unknown / Unknown Known | Unknown Unknown)

Corporate archeology: Putting the “Information” in “Information security”

Corporate Archeology

Sources of data:
● Asset inventory
● Infrastructure/Configuration as Code
● Data classification
● Documentation
● Subject matter experts
● Standardized tagging (check out Yor!)
● Cloud security tools (vendor, OSS)

Eventually need:
● Architecture diagrams or documentation of intended workloads
● Definition of crown jewels
● Information on intended authentication and identity approach

Hierarchy of discovery:
Resources
Services
Regions
Workloads
Environments: AWS Accounts, Azure Subscriptions, GCP Projects
Collections of accounts: AWS Organizations, Azure Account, GCP Account

https://disruptops.com/aws-vs-azure-vs-gcp-a-security-pros-quick-cloud-comparison

Discovering your environments (accounts)
https://summitroute.com/blog/2018/06/18/how_to_inventory_aws_accounts/
● Ask your Technical Account Manager for all accounts linked to your company domain
● Ask your finance team to find all expenses and payments to cloud providers
● Search the company emails for account setup notifications
● Search network and DNS logs
● Put out a public request to company employees
● Offer incentives for centralized management
○ Expensing the costs of development environments, budget ownership
○ Centralized and automated default configuration
○ Ownership and responsibility for maintenance, stability

Discovering your workloads

● Work backwards from documentation
● Monthly billing report (check consistency)
○ This can call out architectural patterns - for example, is there huge usage of EC2, or are managed container services a core element of the cost?
○ https://www.lastweekinaws.com/blog/the-key-to-unlock-the-aws-billing-puzzle-is-architecture/
● Infrastructure as code

Discovering your resources

● You can’t really do this manually
○ I’ve done it, it’s slow + painful + fallible
■ It doesn’t scale beyond “small” environments
● Automation is key, and there are really two paths:
○ The company has something in place that works (CSPM, native CSP services)
■ Be wary of exceptions + configuration
■ May not be applied to all discovered accounts
■ Does not cover unknown unknowns
○ You run a tool - likely open source due to timeline
■ https://github.com/nccgroup/aws-inventory
■ Steampipe, Prowler, ScoutSuite - targeted at misconfigurations

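The "every region, every account" principle and the resource-discovery slide above both come down to one question: once an inventory tool has run, which (account, region) pairs did it actually cover, and where do resources sit that nobody expected? The following is an added example (not code from the talk or from any of the tools it names) that post-processes an inventory into exactly those answers. The inventory dict, the account ids, and the approved and scanned region sets are constructed sample values; a real run would populate the same shape from the tool's output.

```python
from itertools import product

# Constructed sample inventory (not real data): account -> region -> {service: resource count}.
# In practice this is built from an inventory tool run against every account and region.
SAMPLE_INVENTORY = {
    "111111111111": {"us-east-1": {"ec2": 40, "rds": 3}, "us-west-2": {"ec2": 12}},
    "222222222222": {"us-east-1": {"ec2": 5}, "ap-southeast-1": {"ec2": 1}},
    "333333333333": {"us-east-1": {"lambda": 20}, "eu-west-3": {"ec2": 2}},
}
# Assumed organisational policy: only these regions are expected to host workloads.
APPROVED_REGIONS = {"us-east-1", "us-west-2"}
# Regions the inventory run was asked to cover (assumed).
SCANNED_REGIONS = {"us-east-1", "us-west-2", "ap-southeast-1", "eu-west-3"}


def region_anomalies(inventory, approved_regions):
    """Resources sitting in a region the organisation does not expect to use.

    Returns (account, region, resource_count) tuples, sorted for stable output.
    A single instance in an unexpected region is the kind of 'unknown known'
    a breadth-first sweep exists to surface."""
    findings = []
    for account, regions in inventory.items():
        for region, services in regions.items():
            total = sum(services.values())
            if region not in approved_regions and total > 0:
                findings.append((account, region, total))
    return sorted(findings)


def coverage_gaps(inventory, scanned_regions):
    """(account, region) pairs the inventory holds no entry for at all.

    A missing entry is not the same as 'no resources': it usually means the
    sweep skipped that pair (credentials, opt-in region, tool exception), so
    it must be re-run before that region can be called clean."""
    gaps = []
    for account, region in product(sorted(inventory), sorted(scanned_regions)):
        if region not in inventory[account]:
            gaps.append((account, region))
    return gaps


def largest_footprints(inventory, top_n=3):
    """Accounts ranked by total resource count: where depth-first review
    starts once the breadth-first sweep is complete."""
    totals = {
        account: sum(sum(services.values()) for services in regions.values())
        for account, regions in inventory.items()
    }
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]


if __name__ == "__main__":
    for finding in region_anomalies(SAMPLE_INVENTORY, APPROVED_REGIONS):
        print("unexpected region:", finding)
    for gap in coverage_gaps(SAMPLE_INVENTORY, SCANNED_REGIONS):
        print("not inventoried:", gap)
    print("largest footprints:", largest_footprints(SAMPLE_INVENTORY))
```

The coverage check matters as much as the anomaly check: a CSPM that was never enrolled in an account, or a tool that silently skipped an opt-in region, produces an empty result that looks identical to a clean one unless the expected (account, region) grid is compared against what was actually returned.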
Prioritization

What’s important

What’s important - in the cloud
Identity is the new perimeter
… but the (network) perimeter is also the perimeter

Kill chains - https://disruptops.com/stop-todays-top-10-cloud-attack-killchains/

Threat | Initial Access | Cloud-specific | Impact
Static API Credential Exposure to Account Hijack | Yes | Yes | High
Compromised Server via Exposed Remote Access Ports | Yes | Yes | High
Compromised Database via Inadvertent Exposure | Yes | Yes | High
Object Storage Public Data Exposure | Yes | Yes | High
Server Side Request Forgery | Yes | No | High
Cryptomining | No | ~ | Medium
Network Attack | Yes | No | High
Compromised Secrets | No | No | Low
Novel Cloud Data Exposure and Exfiltration | Yes | Yes | High
Subdomain Takeover | Yes | ~ | Medium

See also: https://speakerdeck.com/ramimac/learning-from-aws-customer-security-incidents

Environments and Collections of Environments

● Inventory relationship between Accounts and Organizations
● Start thinking about target state
○ Is there a need for multiple Organizations?
○ Are there accounts that are unused or minimally used?
○ Who is the proper business owner?

Workloads

● Check oldest and longest running workloads
○ Ask after their current usage and necessity
○ Generally, these have the most drift from current best practices, and may predate many controls
○ Focus security analysis here first

Identity perimeter

● Management plane access model
○ SSO, users, IAM Users, Federated Users, IAM identity account and cross-account roles (MFA)
● SSH/Server access model
○ Bastion
○ Direct SSH
○ SSM-only
○ Tooling

Identity perimeter - what

● Least Privilege and IAM security
○ Securing the root user
○ Unused roles - but be careful
○ Cross account trusts (Cloudmapper)

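Cross-account trusts are the item on this slide that a tool like Cloudmapper graphs; the underlying check is just reading each role's trust policy and asking which account ids can assume it. The following is an added example (not code from the talk or from Cloudmapper) that does that over role records shaped like `aws iam list-roles` output. The role names, account ids, and the set of "known" Organization accounts are constructed; the two things it flags are principals outside that set (with a note when a third-party trust lacks an ExternalId condition) and wildcard principals.

```python
# Constructed sample roles shaped like `aws iam list-roles` output (not real data).
SAMPLE_ROLES = [
    {"RoleName": "AppServerRole",
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
          "Action": "sts:AssumeRole"}]}},
    {"RoleName": "CrossAccountReadOnly",
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
          "Action": "sts:AssumeRole"}]}},
    {"RoleName": "VendorMonitoring",
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "999999999999"},
          "Action": "sts:AssumeRole",
          "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id"}}}]}},
    {"RoleName": "OldVendorScanner",
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow",
          "Principal": {"AWS": ["arn:aws:iam::888888888888:role/scanner",
                                "arn:aws:iam::111111111111:root"]},
          "Action": "sts:AssumeRole"}]}},
    {"RoleName": "LegacyAdmin",
     "AssumeRolePolicyDocument": {"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}},
]
# Assumed: the account ids that belong to your own Organization.
KNOWN_ACCOUNTS = {"111111111111", "222222222222"}


def principal_accounts(principal):
    """Yield account ids (or '*') named by a trust policy Principal element.

    Service principals carry no account and are skipped; bare ids and
    IAM ARNs both resolve to the 12-digit account id."""
    if principal == "*":
        yield "*"
        return
    aws = principal.get("AWS", [])
    if isinstance(aws, str):
        aws = [aws]
    for entry in aws:
        if entry == "*":
            yield "*"
        elif entry.startswith("arn:aws:iam::"):
            yield entry.split(":")[4]
        elif entry.isdigit():
            yield entry


def allow_statements(role):
    statements = role["AssumeRolePolicyDocument"]["Statement"]
    if isinstance(statements, dict):   # a single statement may appear un-listed
        statements = [statements]
    return [s for s in statements if s.get("Effect") == "Allow"]


def audit_trust_policies(roles, known_accounts):
    """(role name, finding) pairs for trusts that reach outside the Organization."""
    findings = []
    for role in roles:
        for stmt in allow_statements(role):
            conditions = stmt.get("Condition", {})
            has_external_id = "sts:ExternalId" in conditions.get("StringEquals", {})
            for account in principal_accounts(stmt["Principal"]):
                if account == "*":
                    findings.append((role["RoleName"], "wildcard principal"))
                elif account not in known_accounts:
                    why = f"external account {account}"
                    if not has_external_id:
                        why += " without ExternalId"
                    findings.append((role["RoleName"], why))
    return findings


def external_accounts(roles, known_accounts):
    """Distinct foreign account ids trusted anywhere: the list to reconcile
    against the vendor inventory from the supply-chain slide."""
    return {
        account
        for role in roles
        for stmt in allow_statements(role)
        for account in principal_accounts(stmt["Principal"])
        if account != "*" and account not in known_accounts
    }


if __name__ == "__main__":
    for role_name, finding in audit_trust_policies(SAMPLE_ROLES, KNOWN_ACCOUNTS):
        print(f"{role_name}: {finding}")
    print("external accounts:", sorted(external_accounts(SAMPLE_ROLES, KNOWN_ACCOUNTS)))
```

The "known accounts" set is the output of the account-discovery step earlier in the talk; an account that appears here but not in that inventory is either a vendor to document or an account the discovery missed, and both are worth a follow-up.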
Identity perimeter - how

● Native tools
○ IAM credential report
■ Great for unused IAM principals
○ Trusted Advisor, Security Hub, AWS Config all have IAM checks
● Open source tools
○ Cloudsplaining
○ PMapper

Cloudsplaining - Kinnaird McQuade @Salesforce

PMapper - Erik Steringer @NCC Group

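The IAM credential report is a CSV, so "great for unused IAM principals" reduces to reading last-used timestamps and comparing them against a threshold. The following is an added example (not code from the talk) that reviews a constructed report: it flags the root user for active access keys or missing MFA (the "securing the root user" item on the previous slide), and flags any other user whose active password or access keys have gone unused for more than 90 days, or were never used at all. The sample rows are invented; the column names, timestamp format and sentinel values ("N/A", "no_information", "not_supported", and the `<root_account>` user name) follow the real report, though only a subset of its columns is included. The review date is fixed so the numbers are reproducible.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample report (not real data). Columns are a subset of the real
# credential report's, in its format, with its sentinel values.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,2018-01-01T00:00:00+00:00,not_supported,2021-06-01T09:00:00+00:00,false,true,2019-05-01T12:00:00+00:00,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2019-03-10T00:00:00+00:00,true,2021-08-01T08:00:00+00:00,true,false,N/A,false,N/A
deploy-bot,arn:aws:iam::111111111111:user/deploy-bot,2019-06-01T00:00:00+00:00,false,no_information,false,true,2020-11-02T10:00:00+00:00,false,N/A
carol,arn:aws:iam::111111111111:user/carol,2021-03-01T00:00:00+00:00,true,no_information,false,false,N/A,false,N/A
"""

# Assumed review date for the sample; a real run would use datetime.now(timezone.utc).
AS_OF = datetime(2021, 8, 15, 12, 0, tzinfo=timezone.utc)
NO_DATA = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value):
    """Report timestamps are ISO-8601 with a UTC offset; sentinels mean 'no data'."""
    return None if value in NO_DATA else datetime.fromisoformat(value)


def last_activity(row):
    """Most recent use of any *active* credential on the row, or None."""
    seen = []
    if row["password_enabled"] == "true":
        seen.append(parse_ts(row["password_last_used"]))
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] == "true":
            seen.append(parse_ts(row[f"access_key_{n}_last_used_date"]))
    seen = [ts for ts in seen if ts is not None]
    return max(seen) if seen else None


def review_credential_report(report_csv, as_of, max_idle_days=90):
    """Return (user, finding) pairs: root hygiene issues, then principals whose
    active credentials have not been used within max_idle_days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root access key {n} is active"))
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA"))
            continue
        has_active_credential = (row["password_enabled"] == "true"
                                 or row["access_key_1_active"] == "true"
                                 or row["access_key_2_active"] == "true")
        if not has_active_credential:
            continue  # nothing usable to steal; low priority for this pass
        last = last_activity(row)
        if last is None:
            age = (as_of - parse_ts(row["user_creation_time"])).days
            if age > max_idle_days:
                findings.append((user, f"credentials never used, created {age} days ago"))
        elif (as_of - last).days > max_idle_days:
            findings.append((user, f"idle for {(as_of - last).days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in review_credential_report(SAMPLE_REPORT, AS_OF):
        print(f"{user}: {finding}")
```

The "but be careful" caveat from the previous slide applies to the output: an idle deploy user may be the break-glass path for a quarterly job, so the list is a queue of owners to ask, not a list to delete. Disabling the credential first and deleting later is the usual compromise.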
Network Perimeter
● Public resources
○ List of exposable
○ Scan findings
○ Trusted Advisor
● Wildcard security groups
● Default resources (VPCs, Security groups)
○ Launch-wizard security groups

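Wildcard security groups, default groups and console-created launch-wizard groups can all be picked out of one `describe-security-groups` call. The following is an added example (not code from the talk) that audits a constructed list shaped like that call's `SecurityGroups` output. It flags inbound rules open to 0.0.0.0/0 or ::/0 on anything other than ports 80 and 443 (the set of ports assumed to be intentionally public), any group named with the launch-wizard prefix, and a default group that carries CIDR-based rules (a fresh VPC's default group only references itself). The group ids and rules are invented sample data.

```python
# Constructed sample shaped like the "SecurityGroups" list from
# `aws ec2 describe-security-groups` (not real output).
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0a1", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0b2", "GroupName": "launch-wizard-3",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
    {"GroupId": "sg-0c3", "GroupName": "default",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     ]},
]

# Assumption: only these ports are allowed to face the whole internet.
INTENTIONALLY_PUBLIC_PORTS = {80, 443}


def world_reachable_cidrs(perm):
    """The any-address CIDRs (v4 and v6) on one inbound permission."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", []) if r["CidrIp"] == "0.0.0.0/0"]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r["CidrIpv6"] == "::/0"]
    return cidrs


def port_range(perm):
    """(protocol, low, high); an 'all traffic' rule has no FromPort/ToPort keys."""
    if perm["IpProtocol"] == "-1":
        return "all", 0, 65535
    return perm["IpProtocol"], perm["FromPort"], perm["ToPort"]


def audit_security_groups(groups, public_ports=INTENTIONALLY_PUBLIC_PORTS):
    """(group id, finding) pairs, in group order."""
    findings = []
    for sg in groups:
        gid, name = sg["GroupId"], sg["GroupName"]
        if name.startswith("launch-wizard"):
            findings.append((gid, "console launch-wizard group; review or delete"))
        if name == "default" and any(p.get("IpRanges") or p.get("Ipv6Ranges")
                                     for p in sg["IpPermissions"]):
            findings.append((gid, "default group carries CIDR-based inbound rules"))
        for perm in sg["IpPermissions"]:
            cidrs = world_reachable_cidrs(perm)
            if not cidrs:
                continue
            proto, lo, hi = port_range(perm)
            if lo == hi and lo in public_ports:
                continue  # a single web port open to the world is the intended case
            findings.append((gid, f"{', '.join(cidrs)} -> {proto} {lo}-{hi}"))
    return findings


if __name__ == "__main__":
    for gid, finding in audit_security_groups(SAMPLE_SECURITY_GROUPS):
        print(f"{gid}: {finding}")
```

A rule open to the world is only exposure if the group is attached to something with a public address, so the next step in practice is joining these findings against the instance and ENI inventory before ranking them.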
Hosted applications and services
● Out of date, known vulnerabilities
● Unauthenticated
● Sensitive or internal services/tools (CI/CD, config management)

Other concerns … but less actionable or less impactful

Exposed secrets:
● CloudFormation parameter defaults
● Unencrypted Lambda environment variables
● EC2 instance data scripts with hardcoded secrets
● ECS task definitions with exposed environment variables
● Sensitive files on S3
● Dockerfiles/container images
● Code repositories, compromised credentials
● Etc.

Secret management pattern
● Secrets manager
● Vault

Supply chain
● Vendors - how are they granted access?
● AMIs - how are they sourced?

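Three of the "exposed secrets" items above (CloudFormation parameter defaults, Lambda environment variables, ECS task definition environment) live in the same place: the template. The following is an added example (not code from the talk) that walks a constructed CloudFormation template as a parsed dict and flags literal values under secret-looking names, any AWS access key id pattern regardless of name, and Lambda functions whose environment is not bound to a customer-managed key via `KmsKeyArn`. Values that are intrinsic functions (`Ref`, `Fn::*`) are not literals and are skipped. The template content is invented; `AKIAIOSFODNN7EXAMPLE` is the example access key id from AWS's own documentation, not a real key.

```python
import re

# Constructed sample template (not real). Values marked EXAMPLE are placeholders.
SAMPLE_TEMPLATE = {
    "Parameters": {
        "DbPassword": {"Type": "String", "Default": "hunter2-EXAMPLE"},
        "InstanceType": {"Type": "String", "Default": "t3.micro"},
    },
    "Resources": {
        "Worker": {"Type": "AWS::Lambda::Function",
                   "Properties": {"Environment": {"Variables": {
                       "API_TOKEN": "tok-EXAMPLE-0123456789", "LOG_LEVEL": "info"}}}},
        "Api": {"Type": "AWS::ECS::TaskDefinition",
                "Properties": {"ContainerDefinitions": [{
                    "Name": "api",
                    "Environment": [
                        {"Name": "AWS_ACCESS_KEY_ID", "Value": "AKIAIOSFODNN7EXAMPLE"},
                        {"Name": "DB_HOST", "Value": "db.internal"},
                        {"Name": "DB_PASSWORD", "Value": {"Ref": "DbPassword"}},
                    ]}]}},
    },
}

SECRET_NAME = re.compile(
    r"(password|passwd|secret|token|api[_-]?key|private[_-]?key|access[_-]?key)", re.I)
AKIA = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # AWS access key id shape
LITERAL_SECRET = "literal secret in environment variable"


def looks_secret(name, value):
    """A string literal under a secret-like name, or an access key id under any name.

    Non-string values are intrinsic functions ({"Ref": ...}) and are skipped:
    the parameter they point at is checked separately."""
    if not isinstance(value, str) or value == "":
        return False
    return bool(AKIA.search(value)) or bool(SECRET_NAME.search(name))


def scan_template(template):
    """(location, finding) pairs, in template order."""
    findings = []
    for pname, pdef in template.get("Parameters", {}).items():
        if looks_secret(pname, pdef.get("Default")):
            findings.append((f"Parameters.{pname}.Default", "secret-like default value"))
    for rname, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res["Type"] == "AWS::Lambda::Function":
            variables = props.get("Environment", {}).get("Variables", {})
            for vname, value in variables.items():
                if looks_secret(vname, value):
                    findings.append((f"Resources.{rname}.Environment.{vname}", LITERAL_SECRET))
            if variables and not props.get("KmsKeyArn"):
                findings.append((f"Resources.{rname}",
                                 "Lambda environment without KmsKeyArn (default service key)"))
        elif res["Type"] == "AWS::ECS::TaskDefinition":
            for container in props.get("ContainerDefinitions", []):
                for env in container.get("Environment", []):
                    if looks_secret(env["Name"], env.get("Value")):
                        findings.append(
                            (f"Resources.{rname}.{container['Name']}.Environment.{env['Name']}",
                             LITERAL_SECRET))
    return findings


if __name__ == "__main__":
    for location, finding in scan_template(SAMPLE_TEMPLATE):
        print(f"{location}: {finding}")
```

The `DB_PASSWORD` variable is a `Ref` to the `DbPassword` parameter, so it is reported once, at the parameter default, rather than at every place the parameter is used; the fix is the "secret management pattern" column on the slide, i.e. a Secrets Manager or Vault reference in place of the literal.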
Working in a regulated industry?

No:
1. Congratulations! Please proceed

Yes:
1. Sorry :(
2. Focus on compliance-impacting, documented exceptions, and compensating controls. You can’t avoid fiddling with encryption

https://www.chrisfarris.com/post/cloud-encryption/

Misconfigurations
"Through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end users."
- Gartner (h/t https://twitter.com/anton_chuvakin/status/1421165415699337216?s=20)

So, errors are caused by misconfigurations … but what is a misconfiguration?

Misconfigurations - defense in depth

Prioritization of misconfigurations
Take Security Hub’s AWS Foundational Security Best Practices controls as a case study

● Launched 07 MAY 2020 w/ 31 fully-automated security controls
● Updated Sep 23, 2020 w/ 14 new controls
● Updated Mar 08, 2021 w/ 25 new controls
● Updated Jun 04, 2021 w/ 16 new controls
● Updated July 30, 2021 w/ 10 new controls
● 141 security controls total

Onward and upward

Blanket AWS hardening recommendations

● GuardDuty
● CloudTrail
○ Turn on optional security features, including encryption at rest and log file validation
○ Centralize and back up logs
● Access Analyzer
● Security visibility to all accounts
● S3 Block Public Access, EBS and all other default encryption

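The CloudTrail items on this slide (optional security features, centralised logs) are all visible in a trail's configuration, so verifying them across many accounts is a matter of reading `describe-trails` output. The following is an added example (not code from the talk) that checks a constructed `trailList` for multi-region coverage, global service events, log file validation, a KMS key, and delivery to the assumed central logging bucket, and notes when an account has no multi-region trail at all. Trail names, bucket names and the key ARN are invented placeholders; the field names are those of the real API.

```python
# Constructed sample shaped like the "trailList" of `aws cloudtrail describe-trails`
# (not real output). Field names mirror the real API.
SAMPLE_TRAILS = [
    {"Name": "org-trail", "HomeRegion": "us-east-1", "IsMultiRegionTrail": True,
     "IncludeGlobalServiceEvents": True, "LogFileValidationEnabled": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID",
     "S3BucketName": "central-logs-EXAMPLE", "IsOrganizationTrail": True},
    {"Name": "legacy-trail", "HomeRegion": "us-west-2", "IsMultiRegionTrail": False,
     "IncludeGlobalServiceEvents": False, "LogFileValidationEnabled": False,
     "S3BucketName": "legacy-logs-EXAMPLE", "IsOrganizationTrail": False},
]
# Assumed: the security account's bucket every trail should deliver to.
CENTRAL_LOG_BUCKET = "central-logs-EXAMPLE"


def audit_trail(trail, central_bucket):
    """List of configuration gaps on one trail (empty means it meets the baseline)."""
    issues = []
    if not trail.get("IsMultiRegionTrail"):
        issues.append("not multi-region")
    if not trail.get("IncludeGlobalServiceEvents"):
        issues.append("global service events (IAM, STS) not included")
    if not trail.get("LogFileValidationEnabled"):
        issues.append("log file validation off")
    if not trail.get("KmsKeyId"):
        issues.append("no KMS key (SSE-S3 only)")
    if trail.get("S3BucketName") != central_bucket:
        issues.append("delivers to non-central bucket")
    return issues


def audit_trails(trails, central_bucket):
    """trail name -> issues, plus an '_account' entry when no trail covers every region."""
    report = {trail["Name"]: audit_trail(trail, central_bucket) for trail in trails}
    if not any(trail.get("IsMultiRegionTrail") for trail in trails):
        report["_account"] = ["no multi-region trail: some regions have no audit log"]
    return report


if __name__ == "__main__":
    for name, issues in audit_trails(SAMPLE_TRAILS, CENTRAL_LOG_BUCKET).items():
        print(f"{name}: {issues or 'ok'}")
```

An organization trail managed from the management account covers member accounts automatically, which is why the same check run per account usually finds the "legacy-trail" pattern: an old single-region trail that predates the organization trail and now only duplicates, or contradicts, the central configuration.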
What does fixing things look like?
Seven steps to engage your organization:
1. Cultivate relationships
2. Ensure alignment
3. Focus on key security domains to build program foundation
4. Create an evangelism plan
5. Give away your legos
6. Build your team
7. Measure what matters

Maturity curves can help - there are many maturity models
Cloud Security Maturity Model (CSMM) - IANS, CSA, Securosis

1. No Automation
2. SecOps (Simple Automation)
3. Manually executed scripts
4. Guardrails
5. Centrally managed automation

https://www.iansresearch.com/resources/cloud-security-maturity-model/what-is-the-csmm

Marco Lancini’s https://roadmap.cloudsecdocs.com/
5 levels, 7 domains:

More, Broader, Deeper
● Marco Lancini, On Establishing a Cloud Security Program
● Scott Piper/Summit Route, AWS Security Maturity Roadmap 2021
● Matt Fuller, So You Inherited an AWS Account
● DisruptOps, AWS Cloud Security Checklist
● CSA Top Threats, Cloud Penetration Testing Playbook
● Dave Walker & Chris Astley, Security @ Scale on AWS

Thank you
and thanks to the organizers!
Questions?
Find this, and all my talks, at:
https://speakerdeck.com/ramimac

Come work with me at Cedar!
We’re hiring Product Security Engineers: https://grnh.se/d1b1db2a1us