Beyond Ethical Hacking By Nipun Jaswal , CSA HCF Infosec Pvt. Ltd
Seu SlideShare está sendo baixado.
×
Confira estes a seguir
Recomendadas
Mais Conteúdo rRelacionado
Semelhante a Can't Touch This: Detecting Lateral Movement In Zero Touch Environments (20)
Mais recentes (20)
Can't Touch This: Detecting Lateral Movement In Zero Touch Environments
- 1. Can’t Touch This: Detecting Lateral Movement in Zero-Touch Environments Phillip Marlow DEF CON Cloud Village 2020 Approved for Public Release; Distribution Unlimited. Case Number 20-2069
- 2. Disclaimers & Acknowledgements Approved for Public Release; Distribution Unlimited. Case Number 20-2069 ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author. Research conducted to fulfill degree requirements for the SANS Technology Institute’s Master of Science degree. Thank you to Tanya Baccam, Faculty Research Advisor Thank you to my wife Madeline, whom I also don’t speak for in this presentation.
- 3. > whoami • Security + DevOps = • Wrote my first vulnerable code in elementary school • Began learning to write exploit code in middle school • First time DEF CON speaker • Learning through hacking
- 4. Why Should I Care About DevOps? • Running any applications? That’s just the way it is now. • Cloud native • It’s also better for security @redteamwrangler https://teespring.com/shop/my-c2-has-five-nines-front
- 5. Attacker’s Options Internet Workstation Bastion App Server Source Repo Test Servers Configuration Server 1 2 3
- 6. Traditional Application Deployment • Developer gives Ops a deployment package and install instructions • Ops logs in to app server, manually installs software • Time to patch? Another manual login and install
- 7. Traditional Lateral Movement • To log in and do configuration, Ops has highly privileged credentials • Often the credentials are stored in plaintext on Ops workstations: • SSH Keys, e.g. ~/.ssh/id_rsa • API Tokens/Keys, e.g. ~/.aws/credentials • Attackers use these to move deeper into the environment to steal data, install malware, steal compute resources, etc
- 8. What Is Zero-Touch? • Google defined Zero-Touch Networking/Production • Used by mature DevOps organizations https://www.usenix.org/sites/default/files/conference/ protected-files/srecon19emea_slides_wolafka.pdf https://storage.googleapis.com/pub-tools-public- publication-data/pdf/45687.pdf
- 9. Zero-Touch Deployment https://www.usenix.org/sites/default/files/conference/protected-files/srecon19emea_slides_wolafka.pdf No Humans
- 10. Zero-Touch Deployment Internet Workstation Bastion App Server Source Repo Test Servers Configuration Server 3
- 11. Traditional Lateral Movement Internet Workstation Bastion App Server
- 12. Lateral Movement in a Zero-Touch Network Internet Workstation Bastion App Server Source Repo Test Servers Configuration Server
- 13. Detecting Lateral Movement • Define protected servers • Define human access points • Watch for ANY connections from the manual access points to protected servers • Alert, investigate, etc… • Profit!
- 14. Demo Time
- 15. But What About Cloud?! • Traffic Mirroring/Virtual Network Tap/Packet Mirroring • Flow Logs • Tagging/Asset Inventory is important • But… there are visibility challenges
- 16. Next Steps • If you’re not zero-touch yet – do it! • Implement this detection on your platform of choice • Tailor it to your specific environment • Correlate these events with other suspicious traffic
- 17. Lessons Learned • Know your network • Don’t be afraid to look for stupid simple things
- 18. Thank You! Phillip Marlow @wolramp
