SlideShare una empresa de Scribd logo

Red Team vs Blue Team on AWS - RSA 2018

Descargar como PPTX, PDF
T
Teri Radichel

Red Team vs. Blue Team on AWS - Kolby Allen and Teri Radichel

Tecnología
1 de 40
SESSION ID: #RSAC Teri Radichel RED TEAM VS. BLUE TEAM ON AWS CSV-R12 CEO 2nd Sight Lab @teriradichel Kolby Allen DevOps Engineer Zipwhip @kolbyallen
#RSAC Attacker vs. Defender 2
#RSAC Cloud Admin…Duh Duh Duh. 3
#RSAC Would Be A Boring Talk… 4
#RSAC 5 Instead… Let’s search for buried treasure!
#RSAC Some background 6 Initial Setup Vanilla Account — Single Admin User — Base VPC & defaults AWS Tutorial: Elastic Beanstalk with WordPress — https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/php-hawordpress- tutorial.html AWS Tutorial: Lambda Accessing RDS in VPC — https://docs.aws.amazon.com/lambda/latest/dg/vpc.html
#RSAC Pilfer Credentials ~ Read Only Access 7
#RSAC Look for RDS Databases 8 aws rds describe-db-instances --filter --query DBInstances[].[DBInstanceIdentifier,MasterUsername,DBSubn etGroup.VpcId,Endpoint.Address] --output=table --color off supersecretdb?! That sounds like a good target…
#RSAC Examine Selected Database Subnets 9 aws rds describe-db-instances --filter "Name=db- instance-id,Values=supersecretdb" --query DBInstances[].DBSubnetGroup.Subnets[].Subnet Identifier --output table --color off Hmm… let’s check out: subnet-1ae9df57
#RSAC What Traffic Do NACLs Allow? 10 aws ec2 describe-network-acls --filter "Name=association.subnet-id,Values=subnet-1ae9df57" --query NetworkAcls[].Entries --output table --color off All traffic allowed ~ Sweet.
#RSAC What Traffic Do DB Security Groups Allow? 11 aws ec2 describe-security- groups --filter "Name=group- id,Values=sg-217f3e4a" -- output table --color off Port 3306 172.31.0.0/16
#RSAC Find VPC With Access to Database 12 aws ec2 describe-vpcs --filter "Name=cidrBlock,Values=172.31.0.0/16" --query Vpcs[].VpcId --output table --color off vpc-96c34cfe is assigned to CIDR 172.31.0.0/16
#RSAC VPC Security Groups ~ 3306 Egress 13 aws ec2 describe-security-groups --filter "Name=egress.ip-permission.to-port,Values=3306 Name=vpc-id,Values=vpc-96c34cfe" --output table -- color off None…hmm…
#RSAC Security Groups ~ No Outbound Restrictions 14 aws ec2 describe-security-groups --filter "Name=egress.ip- permission.cidr,Values='0.0.0.0/0',Name=vpc-id,Values=vpc-96c34cfe" --output table --color off --query SecurityGroups[].GroupId Cool. Wide Open Outbound. Let’s see what’s using these.
#RSAC Check Lambda Functions 15 aws lambda list-functions --query Functions[?VpcConfig.SecurityGroupIds== [`sg-93aadef8`]].FunctionName --output table --color off
#RSAC Query Lambda Code Location 16 aws lambda get-function --function- name CreateTableAddRecordsAndRead --query Code.Location Gives us URL to code location in S3…
#RSAC Go To URL…Check out the code 17 Hmm, what’s in this file?
#RSAC About that rds_config file… 18 Oops. Database credentials.
#RSAC Look for Instances That Can Exfil 19 aws ec2 describe-instances --output text --query Reservations[].Instances[].NetworkInterfaces[]. Association.[PublicIp,PublicDnsName] Check the domains in a browser to find web sites.
#RSAC Exploit Web Site and Exfil 20 Scan Site. Exploit Vulnerability. Upload code to connect to DB. Publish to public web site.
#RSAC IAM Best Practices 21 Roles Least Privilege Segregation of Duties IAM Top 10
#RSAC Protecting Credentials 22 User training ~ Phishing and handling of credentials Password policies and rotation MFA!! Require frequent re-auth – especially to sensitive apps Prevent deployment of code with embedded credentials https://github.com/awslabs/git-secrets
#RSAC IAM Configuration 23 WOW THAT IS A LOT OF YAML!! https://github.com/allenk1/2018rsapresentation/ blob/master/Default-IAM-Profile.yaml
#RSAC IAM Master - Initial Roles 24 Sid: AllowUserstoListAccounts Effect: Allow Action: - "iam:ListAccountAliases" - "iam:ListUsers" - "iam:GetAccountPasswordPolicy" - "iam:GetAccountSummary" Resource: "*" • Allows users to view enough information to get into IAM • Can get the PW Policy IMPORTANT so it can apply • List Users – needed in order to find themselves
#RSAC IAM Master - Initial Roles 25 Actions allow users to manage their account – BUT NOT PERMISSIONS Sid: AllowUserstoManageOwnAccount Effect: Allow Action: - "iam:ChangePassword" - "iam:CreateAccessKey" - "iam:CreateLoginProfile" - "iam:DeleteAccessKey" - "iam:DeleteLoginProfile" - "iam:GetLoginProfile" - "iam:ListAccessKeys" - "iam:UpdateAccessKey" - "iam:UpdateLoginProfile" - "iam:ListSigningCertificates" - "iam:DeleteSigningCertificate" - "iam:UpdateSigningCertificate" - "iam:UploadSigningCertificate" - "iam:ListSSHPublicKeys" - "iam:GetSSHPublicKey" - "iam:DeleteSSHPublicKey" - "iam:UpdateSSHPublicKey" - "iam:UploadSSHPublicKey" Resource: "arn:aws:iam::*:user/${aws:username}" Resource only allows them to perform on their username – can’t modify anyone else
#RSAC IAM ~ User Roles 26 Sid: AllowUserstoListOnlyThierMFA Effect: Allow Action: - "iam:ListVirtualMFADevices" - "iam:ListMFADevices" Resource: - "arn:aws:iam::*:mfa/*" - "arn:aws:iam::*:user/${aws:username}" - Sid: AllowUsertoManageThierMFA Effect: Allow Action: - "iam:CreateVirtualMFADevice" - "iam:DeleteVirtualMFADevice" - "iam:EnableMFADevice" - "iam:ResyncMFADevice" Resource: - "arn:aws:iam::*:mfa/${aws:username}" - "arn:aws:iam::*:user/${aws:username}" - Sid: AllowUserstoDeactiveTheirMFAWhenUseingMFA Effect: Allow Action: - "iam:DeactivateMFADevice" Resource: - "arn:aws:iam::*:mfa/${aws:username}" - "arn:aws:iam::*:user/${aws:username}" Condition: Bool: "aws:MultiFactorAuthPresent": "true" • Allows users to manage this MFA • Must login with MFA to remove device
#RSAC IAM ~ Assumed Roles 27 Initial role has no permissions except to assume other roles MFA Required to assume role with temp creds
#RSAC IAM Master 28 Failure due to default policy not having permissions Temporary credential request & setting at environmental variable MFA! Commands work!
#RSAC CloudTrail 29 Monitor all API Actions Feed data to events Respond
#RSAC Scan and Secure 30 Encryption in flight with only specific IAM role with rights Instance retrieves encrypted value Instance IAM Role allows rights to use key to decrypt EC2 Parameter Store for secrets
#RSAC EC2 Parameter Store 31 OLD: Password embedded in rds_config.py New: No password in rds_config.py
#RSAC EC2 Parameter Store 32 Calls AWS SSM
#RSAC Monitoring 33 AWS GuardDuty VPC Flow Logs CloudTrail Config Log shipping Secure log backups Automate Remediation
#RSAC 34
#RSAC WAF Security 35
#RSAC Presentation Layer Application Layer Data Layer Limited NACL & Security Groups between subnets Limit all outbound traffic Network Architecture 36
#RSAC Network Architecture 37 BAD NETWORK NACLs are wide open Wide open inbound rules on security groups Security groups all everything to talk to internet
#RSAC Network Architecture 38 BETTER NETWORK NACLs limit access between subnets Security Groups limiting access to specific servers Blocking internet where not needed
#RSAC Conclusion 39 Red Team: Attackers can use the same tools used by DevOps teams. Cloud APIs provide a means for mapping out an entire account. Read only access can be powerful. Blue Team: Restrict access Automated deployment Architect networks to minimize open ports and pivoting Protect secrets - don't embed in code! Monitor everything
SESSION ID: #RSAC Teri Radichel THANK YOU! CSV-R12 CEO 2nd Sight Lab @teriradichel Kolby Allen DevOps Engineer Zipwhip @kolbyallen

Recomendados

Serverless Attack Vectors
Serverless Attack VectorsServerless Attack Vectors
Serverless Attack Vectors
Teri Radichel
 
Crypto Miners in the Cloud
Crypto Miners in the CloudCrypto Miners in the Cloud
Crypto Miners in the Cloud
Teri Radichel
 
Packet Capture on AWS
Packet Capture on AWSPacket Capture on AWS
Packet Capture on AWS
Teri Radichel
 
AWS Survival Guide
AWS Survival GuideAWS Survival Guide
AWS Survival Guide
Ken Johnson
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Teri Radichel
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
Teri Radichel
 
Of CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityOf CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills security
John Varghese
 
Native cloud security monitoring
Native cloud security monitoringNative cloud security monitoring
Native cloud security monitoring
John Varghese
 

Recomendados

Serverless Attack Vectors
Serverless Attack VectorsServerless Attack Vectors
Serverless Attack Vectors
Teri Radichel
 
Crypto Miners in the Cloud
Crypto Miners in the CloudCrypto Miners in the Cloud
Crypto Miners in the Cloud
Teri Radichel
 
Packet Capture on AWS
Packet Capture on AWSPacket Capture on AWS
Packet Capture on AWS
Teri Radichel
 
AWS Survival Guide
AWS Survival GuideAWS Survival Guide
AWS Survival Guide
Ken Johnson
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Teri Radichel
 
Automated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWSAutomated Intrusion Detection and Response on AWS
Automated Intrusion Detection and Response on AWS
Teri Radichel
 
Of CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills securityOf CORS thats a thing how CORS in the cloud still kills security
Of CORS thats a thing how CORS in the cloud still kills security
John Varghese
 
Native cloud security monitoring
Native cloud security monitoringNative cloud security monitoring
Native cloud security monitoring
John Varghese
 
Keeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultKeeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp Vault
Mitchell Pronschinske
 
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Priyanka Aash
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
Matias Korhonen
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
 
AWS temporary credentials challenges in prevention detection mitigation
AWS temporary credentials challenges in prevention detection mitigationAWS temporary credentials challenges in prevention detection mitigation
AWS temporary credentials challenges in prevention detection mitigation
John Varghese
 
DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?
smalltown
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
NotSoSecure Global Services
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
AWS Germany
 
Build to Hack, Hack to Build
Build to Hack, Hack to BuildBuild to Hack, Hack to Build
Build to Hack, Hack to Build
CloudVillage
 
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityKeynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
CloudVillage
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Lacework
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
Sunny Neo
 
Docker Security
Docker SecurityDocker Security
Docker Security
antitree
 
Nessus and Reporting Karma
Nessus and Reporting KarmaNessus and Reporting Karma
Nessus and Reporting Karma
n|u - The Open Security Community
 
Vault 1.1: Secret Caching with Vault Agent and Other New Features
Vault 1.1: Secret Caching with Vault Agent and Other New FeaturesVault 1.1: Secret Caching with Vault Agent and Other New Features
Vault 1.1: Secret Caching with Vault Agent and Other New Features
Mitchell Pronschinske
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
ColdFusionConference
 
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
Andrey Devyatkin
 
Hta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingHta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijacking
Комсс Файквэе
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates
 
Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020
Puma Security, LLC
 
Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?
James Wickett
 

Más contenido relacionado

La actualidad más candente

DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
 
Build to Hack, Hack to Build
Build to Hack, Hack to BuildBuild to Hack, Hack to Build
Build to Hack, Hack to Build
CloudVillage
 
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
Andrey Devyatkin
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
Chris Gates
 

La actualidad más candente (20)

Keeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultKeeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp Vault
 
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
Transfer Learning: Repurposing ML Algorithms from Different Domains to Cloud ...
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
AWS temporary credentials challenges in prevention detection mitigation
AWS temporary credentials challenges in prevention detection mitigationAWS temporary credentials challenges in prevention detection mitigation
AWS temporary credentials challenges in prevention detection mitigation
 
DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?DevOpsDays - DevOps: Security 干我何事?
DevOpsDays - DevOps: Security 干我何事?
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
 
Secret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s VaultSecret Management with Hashicorp’s Vault
Secret Management with Hashicorp’s Vault
 
Build to Hack, Hack to Build
Build to Hack, Hack to BuildBuild to Hack, Hack to Build
Build to Hack, Hack to Build
 
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityKeynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
 
Web security for developers
Web security for developersWeb security for developers
Web security for developers
 
Docker Security
Docker SecurityDocker Security
Docker Security
 
Nessus and Reporting Karma
Nessus and Reporting KarmaNessus and Reporting Karma
Nessus and Reporting Karma
 
Vault 1.1: Secret Caching with Vault Agent and Other New Features
Vault 1.1: Secret Caching with Vault Agent and Other New FeaturesVault 1.1: Secret Caching with Vault Agent and Other New Features
Vault 1.1: Secret Caching with Vault Agent and Other New Features
 
Csp and http headers
Csp and http headersCsp and http headers
Csp and http headers
 
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
 
Hta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijackingHta t07-did-you-read-the-news-http-request-hijacking
Hta t07-did-you-read-the-news-http-request-hijacking
 
DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015DevOops & How I hacked you DevopsDays DC June 2015
DevOops & How I hacked you DevopsDays DC June 2015
 

Similar a Red Team vs Blue Team on AWS - RSA 2018

대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016
대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016
대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016
Amazon Web Services Korea
 
AWS re:Invent 2016: ↑↑↓↓←→←→ BA Lambda Start (SVR305)
AWS re:Invent 2016: ↑↑↓↓←→←→ BA Lambda Start (SVR305)AWS re:Invent 2016: ↑↑↓↓←→←→ BA Lambda Start (SVR305)
AWS re:Invent 2016: ↑↑↓↓←→←→ BA Lambda Start (SVR305)
Amazon Web Services
 
.NET Developer Days - Launching Patterns for Containers
.NET Developer Days - Launching Patterns for Containers.NET Developer Days - Launching Patterns for Containers
.NET Developer Days - Launching Patterns for Containers
Michele Leroux Bustamante
 
Puppet at Pinterest
Puppet at PinterestPuppet at Pinterest
Puppet at Pinterest
Puppet
 

Similar a Red Team vs Blue Team on AWS - RSA 2018 (20)

Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020Defending Serverless Infrastructure in the Cloud RSAC 2020
Defending Serverless Infrastructure in the Cloud RSAC 2020
 
Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
Red Team vs. Blue Team on AWS (DVC304) - AWS re:Invent 2018
 
Practical Approaches to Cloud Native Security
Practical Approaches to Cloud Native SecurityPractical Approaches to Cloud Native Security
Practical Approaches to Cloud Native Security
 
(BAC404) Deploying High Availability and Disaster Recovery Architectures with...
(BAC404) Deploying High Availability and Disaster Recovery Architectures with...(BAC404) Deploying High Availability and Disaster Recovery Architectures with...
(BAC404) Deploying High Availability and Disaster Recovery Architectures with...
 
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
HashiConf Digital 2020: HashiCorp Vault configuration as code via HashiCorp T...
 
A Practitioners Guide to Securing Your Cloud
A Practitioners Guide to Securing Your CloudA Practitioners Guide to Securing Your Cloud
A Practitioners Guide to Securing Your Cloud
 
대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016
대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016
대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016
 
My First Big Data Application
My First Big Data ApplicationMy First Big Data Application
My First Big Data Application
 
AWS re:Invent 2016: ↑↑↓↓←→←→ BA Lambda Start (SVR305)
AWS re:Invent 2016: ↑↑↓↓←→←→ BA Lambda Start (SVR305)AWS re:Invent 2016: ↑↑↓↓←→←→ BA Lambda Start (SVR305)
AWS re:Invent 2016: ↑↑↓↓←→←→ BA Lambda Start (SVR305)
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise Security
 
.NET Developer Days - Launching Patterns for Containers
.NET Developer Days - Launching Patterns for Containers.NET Developer Days - Launching Patterns for Containers
.NET Developer Days - Launching Patterns for Containers
 
Puppet at Pinterest
Puppet at PinterestPuppet at Pinterest
Puppet at Pinterest
 
Asec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwnedAsec r01-resting-on-your-laurels-will-get-you-pwned
Asec r01-resting-on-your-laurels-will-get-you-pwned
 
AWSug.nl Meetup @ New10 - SAM
AWSug.nl Meetup @ New10 - SAMAWSug.nl Meetup @ New10 - SAM
AWSug.nl Meetup @ New10 - SAM
 
Hands-on Lab: Comparing Redis with Relational
Hands-on Lab: Comparing Redis with RelationalHands-on Lab: Comparing Redis with Relational
Hands-on Lab: Comparing Redis with Relational
 
Serverless Architectural Patterns & Best Practices
Serverless Architectural Patterns & Best PracticesServerless Architectural Patterns & Best Practices
Serverless Architectural Patterns & Best Practices
 
How I Learned to Stop Worrying and Love the Cloud - Wesley Beary, Engine Yard
How I Learned to Stop Worrying and Love the Cloud - Wesley Beary, Engine YardHow I Learned to Stop Worrying and Love the Cloud - Wesley Beary, Engine Yard
How I Learned to Stop Worrying and Love the Cloud - Wesley Beary, Engine Yard
 

Más de Teri Radichel

Más de Teri Radichel (16)

So You Want a Job in Cybersecurity
So You Want a Job in CybersecuritySo You Want a Job in Cybersecurity
So You Want a Job in Cybersecurity
 
Cloud Offense Informs Cloud Defense.pptx
Cloud Offense Informs Cloud Defense.pptxCloud Offense Informs Cloud Defense.pptx
Cloud Offense Informs Cloud Defense.pptx
 
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
Underrated AWS Security Controls ~ AWS Atlanta Summit 2022
 
Real World Cloud Compromise
Real World Cloud CompromiseReal World Cloud Compromise
Real World Cloud Compromise
 
Top Priorities for Cloud Application Security
Top Priorities for Cloud Application SecurityTop Priorities for Cloud Application Security
Top Priorities for Cloud Application Security
 
Azure for Auditors
Azure for AuditorsAzure for Auditors
Azure for Auditors
 
How the Cloud Changes Cyber Security
How the Cloud Changes Cyber SecurityHow the Cloud Changes Cyber Security
How the Cloud Changes Cyber Security
 
Are you ready for a cloud pentest? AWS re:Inforce 2019
Are you ready for a cloud pentest? AWS re:Inforce 2019Are you ready for a cloud pentest? AWS re:Inforce 2019
Are you ready for a cloud pentest? AWS re:Inforce 2019
 
Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?
 
Top 5 Priorities for Cloud Security
Top 5 Priorities for Cloud SecurityTop 5 Priorities for Cloud Security
Top 5 Priorities for Cloud Security
 
Locking Down Your Cloud
Locking Down Your CloudLocking Down Your Cloud
Locking Down Your Cloud
 
The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.The Threat Is Real. Protect Yourself.
The Threat Is Real. Protect Yourself.
 
Security for Complex Networks on AWS
Security for Complex Networks on AWSSecurity for Complex Networks on AWS
Security for Complex Networks on AWS
 
AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016AWS Security Ideas - re:Invent 2016
AWS Security Ideas - re:Invent 2016
 
Critical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target BreachCritical Controls Might Have Prevented the Target Breach
Critical Controls Might Have Prevented the Target Breach
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security Strategy
 

Último

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 

Último (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Red Team vs Blue Team on AWS - RSA 2018

  • 1. SESSION ID: #RSAC Teri Radichel RED TEAM VS. BLUE TEAM ON AWS CSV-R12 CEO 2nd Sight Lab @teriradichel Kolby Allen DevOps Engineer Zipwhip @kolbyallen
  • 4. #RSAC Would Be A Boring Talk… 4
  • 6. #RSAC Some background 6 Initial Setup Vanilla Account — Single Admin User — Base VPC & defaults AWS Tutorial: Elastic Beanstalk with WordPress — https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/php-hawordpress- tutorial.html AWS Tutorial: Lambda Accessing RDS in VPC — https://docs.aws.amazon.com/lambda/latest/dg/vpc.html
  • 7. #RSAC Pilfer Credentials ~ Read Only Access 7
  • 8. #RSAC Look for RDS Databases 8 aws rds describe-db-instances --filter --query DBInstances[].[DBInstanceIdentifier,MasterUsername,DBSubn etGroup.VpcId,Endpoint.Address] --output=table --color off supersecretdb?! That sounds like a good target…
  • 9. #RSAC Examine Selected Database Subnets 9 aws rds describe-db-instances --filter "Name=db- instance-id,Values=supersecretdb" --query DBInstances[].DBSubnetGroup.Subnets[].Subnet Identifier --output table --color off Hmm… let’s check out: subnet-1ae9df57
  • 10. #RSAC What Traffic Do NACLs Allow? 10 aws ec2 describe-network-acls --filter "Name=association.subnet-id,Values=subnet-1ae9df57" --query NetworkAcls[].Entries --output table --color off All traffic allowed ~ Sweet.
  • 11. #RSAC What Traffic Do DB Security Groups Allow? 11 aws ec2 describe-security- groups --filter "Name=group- id,Values=sg-217f3e4a" -- output table --color off Port 3306 172.31.0.0/16
  • 12. #RSAC Find VPC With Access to Database 12 aws ec2 describe-vpcs --filter "Name=cidrBlock,Values=172.31.0.0/16" --query Vpcs[].VpcId --output table --color off vpc-96c34cfe is assigned to CIDR 172.31.0.0/16
  • 13. #RSAC VPC Security Groups ~ 3306 Egress 13 aws ec2 describe-security-groups --filter "Name=egress.ip-permission.to-port,Values=3306 Name=vpc-id,Values=vpc-96c34cfe" --output table -- color off None…hmm…
  • 14. #RSAC Security Groups ~ No Outbound Restrictions 14 aws ec2 describe-security-groups --filter "Name=egress.ip- permission.cidr,Values='0.0.0.0/0',Name=vpc-id,Values=vpc-96c34cfe" --output table --color off --query SecurityGroups[].GroupId Cool. Wide Open Outbound. Let’s see what’s using these.
  • 15. #RSAC Check Lambda Functions 15 aws lambda list-functions --query Functions[?VpcConfig.SecurityGroupIds== [`sg-93aadef8`]].FunctionName --output table --color off
  • 16. #RSAC Query Lambda Code Location 16 aws lambda get-function --function- name CreateTableAddRecordsAndRead --query Code.Location Gives us URL to code location in S3…
  • 17. #RSAC Go To URL…Check out the code 17 Hmm, what’s in this file?
  • 18. #RSAC About that rds_config file… 18 Oops. Database credentials.
  • 19. #RSAC Look for Instances That Can Exfil 19 aws ec2 describe-instances --output text --query Reservations[].Instances[].NetworkInterfaces[]. Association.[PublicIp,PublicDnsName] Check the domains in a browser to find web sites.
  • 20. #RSAC Exploit Web Site and Exfil 20 Scan Site. Exploit Vulnerability. Upload code to connect to DB. Publish to public web site.
  • 21. #RSAC IAM Best Practices 21 Roles Least Privilege Segregation of Duties IAM Top 10
  • 22. #RSAC Protecting Credentials 22 User training ~ Phishing and handling of credentials Password policies and rotation MFA!! Require frequent re-auth – especially to sensitive apps Prevent deployment of code with embedded credentials https://github.com/awslabs/git-secrets
  • 23. #RSAC IAM Configuration 23 WOW THAT IS A LOT OF YAML!! https://github.com/allenk1/2018rsapresentation/ blob/master/Default-IAM-Profile.yaml
  • 24. #RSAC IAM Master - Initial Roles 24 Sid: AllowUserstoListAccounts Effect: Allow Action: - "iam:ListAccountAliases" - "iam:ListUsers" - "iam:GetAccountPasswordPolicy" - "iam:GetAccountSummary" Resource: "*" • Allows users to view enough information to get into IAM • Can get the PW Policy IMPORTANT so it can apply • List Users – needed in order to find themselves
  • 25. #RSAC IAM Master - Initial Roles 25 Actions allow users to manage their account – BUT NOT PERMISSIONS Sid: AllowUserstoManageOwnAccount Effect: Allow Action: - "iam:ChangePassword" - "iam:CreateAccessKey" - "iam:CreateLoginProfile" - "iam:DeleteAccessKey" - "iam:DeleteLoginProfile" - "iam:GetLoginProfile" - "iam:ListAccessKeys" - "iam:UpdateAccessKey" - "iam:UpdateLoginProfile" - "iam:ListSigningCertificates" - "iam:DeleteSigningCertificate" - "iam:UpdateSigningCertificate" - "iam:UploadSigningCertificate" - "iam:ListSSHPublicKeys" - "iam:GetSSHPublicKey" - "iam:DeleteSSHPublicKey" - "iam:UpdateSSHPublicKey" - "iam:UploadSSHPublicKey" Resource: "arn:aws:iam::*:user/${aws:username}" Resource only allows them to perform on their username – can’t modify anyone else
  • 26. #RSAC IAM ~ User Roles 26 Sid: AllowUserstoListOnlyThierMFA Effect: Allow Action: - "iam:ListVirtualMFADevices" - "iam:ListMFADevices" Resource: - "arn:aws:iam::*:mfa/*" - "arn:aws:iam::*:user/${aws:username}" - Sid: AllowUsertoManageThierMFA Effect: Allow Action: - "iam:CreateVirtualMFADevice" - "iam:DeleteVirtualMFADevice" - "iam:EnableMFADevice" - "iam:ResyncMFADevice" Resource: - "arn:aws:iam::*:mfa/${aws:username}" - "arn:aws:iam::*:user/${aws:username}" - Sid: AllowUserstoDeactiveTheirMFAWhenUseingMFA Effect: Allow Action: - "iam:DeactivateMFADevice" Resource: - "arn:aws:iam::*:mfa/${aws:username}" - "arn:aws:iam::*:user/${aws:username}" Condition: Bool: "aws:MultiFactorAuthPresent": "true" • Allows users to manage this MFA • Must login with MFA to remove device
  • 27. #RSAC IAM ~ Assumed Roles 27 Initial role has no permissions except to assume other roles MFA Required to assume role with temp creds
  • 28. #RSAC IAM Master 28 Failure due to default policy not having permissions Temporary credential request & setting at environmental variable MFA! Commands work!
  • 29. #RSAC CloudTrail 29 Monitor all API Actions Feed data to events Respond
  • 30. #RSAC Scan and Secure 30 Encryption in flight with only specific IAM role with rights Instance retrieves encrypted value Instance IAM Role allows rights to use key to decrypt EC2 Parameter Store for secrets
  • 31. #RSAC EC2 Parameter Store 31 OLD: Password embedded in rds_config.py New: No password in rds_config.py
  • 33. #RSAC Monitoring 33 AWS GuardDuty VPC Flow Logs CloudTrail Config Log shipping Secure log backups Automate Remediation
  • 36. #RSAC Presentation Layer Application Layer Data Layer Limited NACL & Security Groups between subnets Limit all outbound traffic Network Architecture 36
  • 37. #RSAC Network Architecture 37 BAD NETWORK NACLs are wide open Wide open inbound rules on security groups Security groups all everything to talk to internet
  • 38. #RSAC Network Architecture 38 BETTER NETWORK NACLs limit access between subnets Security Groups limiting access to specific servers Blocking internet where not needed
  • 39. #RSAC Conclusion 39 Red Team: Attackers can use the same tools used by DevOps teams. Cloud APIs provide a means for mapping out an entire account. Read only access can be powerful. Blue Team: Restrict access Automated deployment Architect networks to minimize open ports and pivoting Protect secrets - don't embed in code! Monitor everything
  • 40. SESSION ID: #RSAC Teri Radichel THANK YOU! CSV-R12 CEO 2nd Sight Lab @teriradichel Kolby Allen DevOps Engineer Zipwhip @kolbyallen