Defensive security teams, the so-called Blue Teams, have always faced a huge attack surface with many vectors and challenges. Gaining visibility into the environment was never an easy task; with the mass adoption of the cloud, these teams gained new ways to monitor, but also a new attack surface. The idea of this talk is to discuss these new challenges, how to obtain visibility and monitor attackers, showing both enablers and new threats, and to comment on a recently occurred case.
New Paradigms for Blue Teams with Cloud Adoption
Tenchi Security confidential and proprietary. Unauthorized disclosure, reproduction or other use prohibited.
New Paradigms for Blue Teams with Cloud Adoption
Rodrigo "Sp0oKeR" Montoro, Senior Researcher
@spookerlabs
Florianópolis, 20 November 2019
About me
● Former Co-Founder BlueOps (acquired by Tenchi)
● Senior Cloud Researcher & Consultant @ Tenchi Security
● Speaker / CTF organizer (BlueWars)
● Author of 2 patents (HTTP headers and detecting malicious docs)
● Living in Florianópolis (Silicon Island)
● Triathlon
● Crossfit
● Beer
Motivation
Agenda
1. On premises versus Cloud
2. Visibility / New vectors
3. Example case
4. Conclusions
On Premises versus Cloud
Differences
First a common language
On premises
Cloud types
Cloud
Visibility / New vectors
1. Larger attack surface
2. Metadata / API
3. Keys
4. Denial of Wallet
Some of the new cloud attack vectors
MITRE ATT&CK Cloud
Core AWS (IMHO)
● 6128 actions
● Hundreds of conditionals (global & service level)
● Deny by default
● Manual of 1600+ pages
IAM (1/2)
IAM (2/2)
CloudTrail (1/3)
CloudTrail (2/3)
CloudTrail (3/3)
1. GuardDuty
2. Inspector
3. Athena
4. Config
5. Command Line Interface (CLI)
Other services (AWS)
Case
FBI report
Mapping with ATT&CK
Source: Microsoft Tech Community
Cloud ATT&CK (T1522)
Metadata
Exploitation
Source: Microsoft Tech Community
Demo
Bonus Info
Conclusions
1. Baselines / best practices
2. Continuous cloud monitoring
3. Study, study, study - IAM / CloudTrail
4. General events from your assets
5. Red (Cloud) Team automation
6. Use the cloud provider's services
7. Segment access
8. Buy lots of Red Bull and aspirin =)
Q&A
rmontoro@tenchisecurity.com
@spookerlabs
@tenchisecurity