While it is quite common practice to run periodic security assessments of your local network, it is really rare to find a company that puts the same effort into testing the security of its cloud. We have to understand what new threats and risks appeared with the cloud and how we should change our attitude to testing cloud security. The goal of my presentation is to show how security assessment of cloud infrastructure differs from testing environments in classic architecture. I'll demonstrate a hypothetical attack on a company which is fully deployed in the AWS environment. I’m going to show the whole kill chain, starting with cloud-applicable reconnaissance techniques. Then I’ll attack the web application server hosted on an EC2 instance to access its metadata. Using the assigned role, I’ll access another AWS EC2 instance to escalate privileges to administrator and then present how to hide fingerprints in the CloudTrail service. Finally, I’ll demonstrate various techniques for silently exfiltrating data from the AWS environment and setting up persistent access, and describe other potential cloud-specific threats, e.g. cryptojacking or ransomware in the cloud. The presentation shows practical aspects of attacking cloud services, and each step of the kill chain will be presented in the form of an interactive, live demo. Using the presented attacks as examples, I’ll show how to use the AWS exploitation framework Pacu and other handy scripts.
11. What is metadata?
• Data about your instance
• It's a link-local address, accessible ONLY from your instance!
• May include access keys to Instance Profile:
www.securing.biz
http://169.254.169.254/latest/meta-data/iam/security-credentials/
http://169.254.169.254/latest/meta-data/
34. Persist access
• Bind shell in User Data with backdoor in Security Groups
• Lambda backdoor which creates IAM user when specific CloudWatch Event occurs
• Backdoor via cross-account Trust Policy
• Add extra keys to existing user
44. Cloud security assessment: architecture review
• Are there any extra, undocumented resources?
• Is the system architecture free from design flaws?
45. Cloud security assessment: configuration review
• Are all cloud services configured in compliance with best practices?
46. Cloud security assessment: pentesting sensitive services
• Are your applications free from vulnerabilities like RCE/SSRF/XXE etc.?
• Is the Serverless code secure (e.g. free from "event injections")?
47. Cloud security assessment: verifying monitoring processes
• Do you monitor sensitive actions?
• Do you have defined incident response procedure?
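One way to answer "Do you monitor sensitive actions?" for the persistence techniques listed on slide 34, as an added example that is not part of the original slides: a Python check that maps CloudTrail records to those techniques. The sample records are constructed and trimmed to the fields used; account IDs, user names, resource IDs and the helper names are assumptions.

```python
import json

def ev(name, params, id_type="IAMUser", user="deploy"):
    # Constructed CloudTrail record, trimmed to the fields used below.
    return {"eventName": name, "recipientAccountId": "111111111111",
            "userIdentity": {"type": id_type, "userName": user},
            "requestParameters": params}

TRUST = json.dumps({"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                    "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]})
OPEN_PORT = {"items": [{"fromPort": 4444, "toPort": 4444,
                        "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}
SAMPLE_EVENTS = [  # constructed sample data; every ID and name is a placeholder
    ev("CreateAccessKey", {"userName": "alice"}),    # key for someone else
    ev("CreateAccessKey", {"userName": "deploy"}),   # own key: not flagged
    ev("UpdateAssumeRolePolicy", {"roleName": "admin", "policyDocument": TRUST}),
    ev("AuthorizeSecurityGroupIngress", {"groupId": "sg-0example", "ipPermissions": OPEN_PORT}),
    ev("ModifyInstanceAttribute", {"instanceId": "i-0example", "userData": "<redacted>"}),
    ev("CreateUser", {"userName": "svc-backup"}, id_type="AssumedRole", user=None),
    ev("DescribeInstances", {}),
]

def foreign_principals(policy_json, own_account):
    """AWS principals in a trust policy that are outside own_account ('*' counts)."""
    found = []
    for stmt in json.loads(policy_json).get("Statement", []):
        p = stmt.get("Principal", {})
        aws = ["*"] if p == "*" else p.get("AWS", []) if isinstance(p, dict) else []
        found += [a for a in ([aws] if isinstance(aws, str) else aws)
                  if a != own_account and f":{own_account}:" not in a]
    return found

def classify(e):
    """Map one record to a persistence technique from slide 34, or None."""
    name, p, who = e["eventName"], e.get("requestParameters") or {}, e["userIdentity"]
    if name == "CreateAccessKey" and p.get("userName") not in (None, who.get("userName")):
        return "access key added to another user"
    if name == "UpdateAssumeRolePolicy":
        ext = foreign_principals(p.get("policyDocument", "{}"), e["recipientAccountId"])
        return f"cross-account trust for {ext[0]}" if ext else None
    if name == "AuthorizeSecurityGroupIngress":
        cidrs = [r["cidrIp"] for perm in p.get("ipPermissions", {}).get("items", [])
                 for r in perm.get("ipRanges", {}).get("items", [])]
        return "security group opened to 0.0.0.0/0" if "0.0.0.0/0" in cidrs else None
    if name == "ModifyInstanceAttribute" and "userData" in p:
        return "instance User Data changed"
    if name == "CreateUser" and who.get("type") == "AssumedRole":
        return "IAM user created by an assumed role"
    return None

def scan(events):
    return [(e["eventName"], hit) for e in events if (hit := classify(e))]
```

These rules are heuristics: a flagged event is a lead to review against change records, and legitimate automation that creates users or edits trust policies needs an allow-list.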
48. Audit your cloud infrastructure
Harden it.
Repeat.
49. 7-Step Guide to SecuRing your AWS Kingdom
https://bit.ly/2EN7yAs