Zero-touch environments are a product of the fast-moving world of DevOps, which is being adopted by an increasing number of successful companies. This session will show that by leveraging the constraints of this environment, we can identify malicious network traffic that would otherwise blend into the noise. First presented at DEF CON 28's AppSec Village.
Can't Touch This: Detecting Lateral Movement In Zero Touch Environments
1. Can’t Touch This: Detecting Lateral Movement in Zero-Touch Environments
Phillip Marlow
DEFCON AppSec Village 2020
Approved for Public Release; Distribution Unlimited. Case Number 20-2014
3. > whoami
• Security + DevOps =
• Wrote my first vulnerable code in elementary school
• Began learning to write exploit code in middle school
• First time DEF CON speaker
• Learning through hacking
4. Why should I care about DevOps?
• Running any applications? That’s just the way it is now.
• It’s also better for security
@redteamwrangler
https://teespring.com/shop/my-c2-has-five-nines-front
6. Traditional Application Deployment
• Developer gives Ops a deployment package and install instructions
• Ops logs in to app server, manually installs software
• Time to patch? Another manual login and install
7. Traditional Lateral Movement
• To login and do configuration, Ops has highly privileged credentials
• Often the credentials are stored in plaintext on Ops workstations:
• SSH Keys, e.g. ~/.ssh/id_rsa
• API Tokens/Keys, e.g. ~/.aws/credentials
• Attackers use these to move deeper into the environment to steal data, install malware, steal compute resources, etc.
8. What is Zero-Touch?
• Google defined Zero-Touch Networking/Production
• Used by mature DevOps organizations
https://www.usenix.org/sites/default/files/conference/protected-files/srecon19emea_slides_wolafka.pdf
https://storage.googleapis.com/pub-tools-public-publication-data/pdf/45687.pdf
12. Lateral Movement in a Zero-Touch Network
(Network diagram; nodes: Internet, Workstation, Bastion, App Server, Source Repo, Test Servers, Configuration Server)
13. Detecting Lateral Movement
• Define protected servers
• Define human access points
• Watch for ANY connections from the manual access points to protected servers
• Alert, investigate, etc…
• Profit!
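The detection on this slide, as an added example that is not part of the talk: the subnets, host addresses and the three-column flow record format are constructed for illustration, and the protected set deliberately leaves out the source repo because humans are expected to push code there.

```python
# Added example: flag any flow from a human access point to a protected server.
# In a zero-touch network nobody logs in to production by hand, so a single such
# flow is the signal regardless of port or protocol.
import ipaddress
from dataclasses import dataclass

# Constructed layout (assumption, not from the slides).
HUMAN_ACCESS_POINTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "bastion": ipaddress.ip_network("10.20.0.5/32"),
}
PROTECTED_SERVERS = {
    "app-servers": ipaddress.ip_network("10.30.0.0/24"),
    "test-servers": ipaddress.ip_network("10.31.0.0/24"),
    "config-server": ipaddress.ip_network("10.40.0.10/32"),
}

@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dst_port: int
    source_role: str
    target_role: str

def _role(ip, groups):
    """Return the group name whose network contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in groups.items() if addr in net), None)

def detect(flow_lines):
    """Parse 'src dst dport' records (constructed format) and return alerts."""
    alerts = []
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        src_role, dst_role = _role(src, HUMAN_ACCESS_POINTS), _role(dst, PROTECTED_SERVERS)
        if src_role and dst_role:  # human origin AND protected target
            alerts.append(Alert(src, dst, int(dport), src_role, dst_role))
    return alerts

# Constructed sample flow records: src, dst, dst port.
SAMPLE_FLOWS = [
    "# src dst dport",
    "10.10.4.17 10.20.0.5 22",     # workstation -> bastion: human path, not protected
    "10.10.4.17 10.50.0.20 443",   # workstation -> source repo: code push, expected
    "10.40.0.10 10.30.0.7 22",     # config server -> app server: pipeline, expected
    "10.20.0.5 10.30.0.7 22",      # bastion -> app server: ALERT
    "10.10.4.17 10.40.0.10 8443",  # workstation -> config server: ALERT
]

if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS):
        print(f"ALERT {a.source_role} {a.src} -> {a.target_role} {a.dst}:{a.dst_port}")
```

Feed it flow records from your own network telemetry (VPC flow logs, Zeek conn.log, firewall logs) once the two address sets reflect your real layout.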
15. Next Steps
• If you’re not zero-touch yet – do it!
• Implement this detection on your platform of choice
• Tailor it to your specific environment
• Correlate these events with other suspicious traffic