Speaker
奧義智慧 (CyCraft)
Boik Su, aka Dange
Outline
- Introduction
- Case Study
- AWS: Identity Perimeter
- Azure: Network Perimeter
- GCP: Hosted Application …
- Blue team tools
Using cloud services is the new norm
- Shared Responsibility Model
- Responsibility always retained by the customer
- Responsibility varies by type
- Responsibility transfers to cloud provider
Through 2025, more than 99% of cloud breaches will have a root cause of preventable …
Cloud threats: CSA's view
11 items in total
- Data Breaches
- Misconfiguration and Inadequate Change Control
- Lack of Cloud Security
…
Identity Perimeter
- Identity and access management (IAM) is overly complex
- Platform default permissions are too broad
- CSA Ref
- Data breaches
- Insufficient identity, credential, access and key management
- Account hijacking
- Limited cloud …
Cloud incident statistics
Initial Access
- Valid Accounts is the most common
- Trusted Relationship
- Phishing
- Exploit Public-Facing Application
- Drive-by Compromise
Escalation / Persistence
IAM > EC2
In 2020 almost all of it was in IAM, and planting a backdoor there gives the attacker the better return on effort
Network Perimeter
- The enterprise defense perimeter is blurring
- Cloud/on-prem hybrid, trust relationships
- CSA Ref:
- Data Breaches
- Lack of Cloud Security Architecture and Strategy
- Insufficient Identity …
Hosted Applications/Services
- Complex application configuration
- Problems integrating non-cloud-native applications with the cloud (K8s)
- CSA Ref:
- Data Breaches
- Misconfiguration
- …
AWS Identity and Access Management
- Identity
- User
- Group
- Service Account
- Permission
- Owner
- Editor
- Reader
- Resource
- VM
- Bucket
- …
IAM differences across the three major platforms
- AWS
- IAM Group
- IAM Role
- GCP
- Google group
- Google Workspace domain
- Cloud Identity domain
- service account
- Azure
- …
Attack Mindset
- Credentials Harvest
Credentials Harvest
- Internet-Facing Sensitive Data (Google hacking)
- Config Files on Disk
- Control Files on Disk
- Control Plane Interface
- Codebase
- Environmental Variables
The Cloud Matrix treats IAM abuse too coarsely
- Initial Access
- Valid Accounts
- …
The Cloud Matrix gives big-picture, high-level guidance
IAM Attack Pattern
Identity -> Permission -> Resource -> Permission -> Identity
S3 Resource Exposure / Sub-Domain Takeover
…
Credentials Harvest + LM (lateral movement)
Attacker's AssumeRole succeeds -> Cloud Platform
Escalation technique: PassRole to Lambda to reach Role 2
Modifying one's own permissions
- Shadow Admin
- setDefaultPolicy on a Role
- Admin Access
Use one's own permissions to modify another permission and escalate
IPI
- Export other users' access keys
- …
Privilege Escalation
- Attacker accesses group …
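As an added example (not code from the talk, nor from awspx or Cloudsplaining), a small Python audit that flags the IAM escalation paths listed above when a policy grants them on Resource "*": PassRole into Lambda, SetDefaultPolicyVersion on a policy, and creating access keys for other users. The sample policy is constructed, and the account id in it is a placeholder.

```python
import fnmatch

# Constructed sample policy (placeholder account id): an over-broad
# "developer" policy of the kind that enables the PassRole -> Lambda path.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:CreateFunction", "lambda:InvokeFunction"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        # Scoped to the caller's own user, so it does NOT expose other users' keys.
        {"Effect": "Allow", "Action": "iam:CreateAccessKey",
         "Resource": "arn:aws:iam::123456789012:user/${aws:username}"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-logs/*"},
    ],
}

# Each path is the set of actions that must ALL be allowed on Resource "*".
ESCALATION_PATHS = {
    "PassRole to Lambda": {"iam:PassRole", "lambda:CreateFunction",
                           "lambda:InvokeFunction"},
    "SetDefaultPolicyVersion on an attached policy": {"iam:SetDefaultPolicyVersion"},
    "CreateAccessKey for other users": {"iam:CreateAccessKey"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_on_wildcard(policy):
    """Actions (patterns) allowed unconditionally with Resource "*".
    Simplification: conditioned statements are skipped and explicit Denies
    are not evaluated, so treat a hit as a lead to confirm, not a verdict."""
    allowed = set()
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        allowed.update(_as_list(stmt.get("Action", [])))
    return allowed


def action_granted(action, allowed):
    """IAM action names are case-insensitive and may use '*' wildcards (iam:*, lambda:Create*)."""
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in allowed)


def find_escalation_paths(policy):
    allowed = allowed_on_wildcard(policy)
    return sorted(name for name, actions in ESCALATION_PATHS.items()
                  if all(action_granted(a, allowed) for a in actions))
```

Run it over the policy documents returned by `aws iam get-policy-version` to triage which principals can reach the Shadow Admin paths above.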
ROI
SSRF to the metadata service
Sub-Domain Takeover + SSRF
Normal Request -> VM Instance -> External Site
Private, Public and Hybrid Cloud
Critical infrastructure
- Hybrid Identity for
- Cross-realm application Access
- Simplified account access and management
Active Directory vs. Azure AD
Active Directory | Azure AD
---|---
LDAP | REST APIs
… too fast to write it all down
Password hash synchronization (PHS)
Attack – DCSync
- On-prem password hash sync needs specific permissions:
- DS-Replication-Get-Changes
- DS-Replication-Get-Changes-All
- These are the prerequisites for a DCSync attack
Real World Case
- Microsoft Security Advisory 4056318
Guidance for securing AD DS account used by Azure …
Pass-through authentication (PTA)
- “Azure Agent” On-Prem
- PKI (encrypt/decrypt)
- LogonUserW API
LogonUserW
BOOL LogonUserW
The input is the plaintext password!
Attack: password sniffing
Attack – Azure Skeleton Key
Federation (AD FS)
The option most enterprises choose
Federation (AD FS)
- Microsoft's authentication mechanism spanning cloud and on-prem
- Native SAML 2.0 support
SAML 2.0
- Open federation standard
Attack – Golden SAML
- If an attacker takes over the AD FS hosts, they can sign any SAML Response and impersonate any user
Real World Case – Solorigate
Real World Case – FoggyWeb
Best Practice
Microsoft now says AD FS is not recommended
Move to Azure AD instead
GCP – Hosted Applications/Services
Server-Side Request Forgery
Attacker uses SSRF to reach the metadata service when access is denied
Root Cause
- Oracle (Instance Metadata Service) lacks authentication
Kubernetes
- Master(control Plane)
- Worker (Node), Container Runtime, Pod
Kubernetes on GCP
- GCP GKE Service (GCP-managed k8s)
- GCP Compute Engine
Instance Metadata Service ?
It cannot distinguish which pod a request comes from
Secret in Metadata Service
- Kube-env
- KUBELET_CERT
- KUBELET_KEY
TLS bootstrapping
Instance Metadata Service ?
Using the above, a node can be made to spin up a malicious container
Real World Case
SSRF in Exchange leads to ROOT access in all instances
How to prevent this in GCP
- DEST: avoid pods getting Boot…
Metadata concealment & Workload Identity
Workload identity
Container auth requests data from the GCP IAM service
Pod -> DaemonSet
Misconfig (host network) -> bypass
Pod container to Metadata Service
Shielded GKE nodes
- Shielded VMs: use a vTPM to verify the integrity of the VM
- Prevents rootkits
Giving up on a cure
Limitations Google doesn't mention, but problems we found
If the TPM is accidentally given too much privilege or mounted somewhere else, the metadata can still be reached
Config mistakes
Demo
Obtain the key and cert
ls /var/lib/kubelet/pki
kubelet-client.lock
kubectl --certificate-authority ...
Defense
NIST CSF: the five functions
- Identify
- Rule
- Scout Suite
- SkyArk
- Cloudsplaining
- Prowler
- Graph
- Principal Mapper
- CloudMapper
- awspx
- SAST for IaC
- terrascan
- checkov
- Rule
- Protect
- MFA
- fail2ban
- IAM
- Policy Sentry
- IAM Access Analyzer
- iamlive
- Repokid
- Detect
- Falco
- API Log
- AWS CloudTrail
- CloudTracker
- Config
- Security Monkey
- AWS Config
- Respond
- SOAR
- IR Tool
- Recover
- AWS Backup
IAM attack Pattern & awspx
- awspx is arguably the Blood… of AWS
Recommended reading
- Cloud Security Orienteering
How to rapidly understand and secure a cloud environment
Conclusion
- Identity Perimeter
- Network Perimeter
- Hosted Applications/Services
- Blue team tools organized along the NIST CSF