Detecting Malicious Cloud Account Behavior

Detecting Malicious Cloud Account Behavior: A Look at the New Native Platform Capabilities
@bradgeesaman

Bio
- Previously: Network Security Engineer; Penetration Tester/Security Consultant
- Twitter: @bradgeesaman
- Past 8 Years: Cloud Infrastructure Administrator; "DevOps" practitioner*; Ethical Hacking Educator; CTF Scenario design; Running CTF competition workloads inside public clouds using containers**
- Past Two Years: Researching Cloud Security Issues with Containers and Container Orchestrators; Hacking and Hardening Kubernetes Clusters by Example: https://youtu.be/vTgQLzeBfRU; Independent Consulting - Securing Containers and Kubernetes
* Sorry
** Not recommended. It seemed like a good idea then.

Detecting Malicious Cloud Account Behavior
Getting visibility of all relevant account activity to determine if it's the desired usage of data, resources, workloads, and APIs inside a public cloud environment.

This Talk is Aimed at
- Attackers: How malicious activity is being detected with the latest services enabled.
- Business Leaders: Understand the cloud-specific threat landscape, the cloud shared responsibility model, and where to focus detection efforts.
- Defenders: Know more about cloud-specific attack indicators and how to gain better visibility of that activity.
- Security Architects/Ops/Builders: How and when to best leverage their cloud provider's security service offerings.

Roadmap
- Cloud Detection Challenges and Example Scenario: Differences from Traditional Environments; The Cloud Shared Responsibility Model; The Cloud-Specific Attack Lifecycle; Public Cloud Detection Data Sources; Example Attack Scenario
- The Latest "Native" Cloud Security Services: Microsoft Azure Security Center; Amazon GuardDuty (and CloudTrail) - DEMO!; Google Cloud Security Command Center
- Key Takeaways: Benefits of the New Capabilities; Areas for Improvement; Adoption Recommendations; Parting Perspectives
(Image credit: https://flic.kr/p/afRuwn)

What makes detecting malicious behavior in the cloud different from traditional environments?

Cloud Environments Change Fundamental Assumptions
- Highly Dynamic Inventory: Systems come and go in seconds
- Heavy Focus on Automation: Amplifies Human Error
- Shared Responsibility with Provider: Potential Detection Gaps
- "Everything" is an API: Traditional approaches no longer "Fit"

Pace of Innovation Leaves A Wake
- Increasing business competition: Focus on shipping features first, outsourcing non-core capabilities.
- An explosion of cloud services: What "Perimeter"?
- A renaissance of infrastructure and deployment tooling: New environments with new security models and attack surfaces.
- Always a security expertise shortage: Amplified with all the newly released features and services.

Understanding the responsibility boundary

AWS Shared Responsibility Model

AWS Shared Responsibility Model (Adapted)
(Diagram labels: Service API Endpoints; Implied. Adapted from re/)

Shared Responsibility Model - Customer's View
(Diagram labels: Service API Usage; Service API Endpoints; Shared. Adapted from re/)

Shared Responsibility Model - Cloud Provider's View
(Diagram labels: API Users; Service API Usage; Shared. Adapted from re/)

Protecting those shared APIs is challenging and nuanced, but very necessary.

What does an attack lifecycle look like in a cloud environment?

Traditional Attack Path/Lifecycle (Simplified)
Attack Flow: Reconnaissance -> Initial Compromise -> Persistence -> Priv. Escalation & Lateral Movement -> Data Exfiltration

Cloud Attack Path/Lifecycle (Adapted)
Diagram stages: Initial Compromise (Leaked / Stolen Credentials); Persistence; Attack on Credential Collection; Operations / Access; Cover Tracks

Escalation, Enumeration, Persistence, Covering Tracks
- Escalation: n -after-pwning-it-ff629c2aae39
- Persistence: nt-da007d36f8f9
- Covering Tracks: 42e437d6594
* Concepts apply to all cloud providers

What detection methods are available?

Cloud Account Behavior Data Detection Sources*
- Network: Activity to/from known-bad IPs; Unusual changes to traffic patterns; Unusual outbound port usage
- DNS: Queries to known-bad domains (CnC, bots, malware, crypto-mining, etc.) or embed data in the lookup
- Host-based: OS, Application, Security/Audit logs; Endpoint security events
- Network-Device based: FW/IDS/IPS "drop-in" solution logs/alerts
- Cloud Provider API Activity: Multiple failed logins; Simultaneous API access from different countries; Attempted activity from terminated accounts/credentials/keys; Uncommon service/API usage; Credential/permission enumeration; Changes to user accounts/logging/detection configurations; Sensitive changes to user permissions; Internal IAM credentials used from external sources
- Service Access Logs: Web/User Access logs
* Not an exhaustive list.

Example Attack Walkthrough

An Electric Car Manufacturer
- Exposed Kubernetes Dashboard
- Kubernetes Cluster on AWS
- Installed CPU-throttled crypto-mining workers
- Tight integration with AWS Access Keys led to S3 data exfiltration
- Masked their sources behind a CDN
Not Alone: Multiple other Companies had the amazon-cloud-cryptocurrency-mining/

An Electric Car Manufacturer: Possible Detection Methods
- Instance IAM credentials usage from a non-cloud instance
- DNS logs of malware/crypto-mining software
- Dashboard Application Logs
- Netflow Logs of Docker image download
- Netflow Logs of reports into mining n-cloud-cryptocurrency-mining/

Note: A Direct Compromise May Not Be Needed
- Credential theft: Phishing; Malware; Backdoored libraries/tools; Password guessing/weak passwords; Failure to disable, delete, rotate credentials post termination
- Malicious Outsiders: Compromise of 3rd Party Services with integrated access (Source Control; CI/CD; Mail Delivery)
- Credential Leaks: Checked into source code; Technical support tickets; Public Q&A Tech Help chat/forums; Applications transmit keys in headers, messages, or logs of API calls

The Latest “Native” Cloud Security Services

Services In Scope
- Microsoft Azure Security Center, Advanced Threat Protection
- AWS GuardDuty (and CloudTrail, CloudWatch)
- Google Cloud Security Command Center

Service Launch Dates
(Timeline figure, axis 2007 - 2019: Azure Launch; AWS EC2 Launch; GCE Launch; AWS CloudTrail; Azure Security Center; Azure Advanced Threat Detection; AWS GuardDuty; Google Cloud Security Command Center; the newest entries are marked "Very Recently Released")

Questions Asked During This Review?
- What data sources do they use?
- How do they operate on that data?
- What visibility does that data provide?
- What is not covered in the service?
- What is needed for onboarding?
- What's the cost structure?
- How does it integrate with other internal services and partners?
- How accessible are these services to customization?
- How do you validate the detection capabilities?

Different Questions for Different Roles
- Attackers: What methods and tactics need to change to remain undetected?
- Defenders: What can be covered? What still isn't covered?
- Business Leaders: What's my exposure? What's the ROI?
- Security Architects/Ops/Builders: How does this change my infrastructure design? What do I no longer have to build?

Azure Security Center

Azure Security Center
Released: Initial - Fall 2015; Generally Available - Spring/Summer 2016; Advanced Threat Detection - Summer 2017
Description: Azure Security Center provides unified security management and advanced threat protection across hybrid cloud workloads. With Security Center, you can apply security policies across your workloads, limit your exposure to threats, and detect and respond to attacks.
Cost: 15/system/month
Links and Documentation: nter/

Key Features
- Unified / Hybrid Security Dashboard: Common Windows-style management experience in the cloud and on-premise in a single place.
- Security Recommendation Engine: Suggests security hygiene items to address proactively. Offers customizable policy (XML) for user-supplied checks.
- Microsoft Provided Agent: OS, Application, Security/Audit logs, missing patches, weak configurations and more supplement network-based detections. Can be automatically enabled for all VMs.

Key Features (Cont'd)
- Third-Party Security Tool Integration Marketplace: Centrally integrate your choice of multiple security endpoint solutions, host-based vulnerability management agents, and network-security devices with a few clicks and some license keys.
- Custom Alert Rules: Custom queries on all log event types to trigger notification alerts.
- File Integrity Monitoring (Preview): Validates the integrity of Windows files, Windows registry, and Linux files
- REST API: Integration with your existing security systems and workflows for inserting and pulling events.

Detection Data Sources
(Diagram: VMs running the Microsoft Agent and Partner Solutions Agent(s); "Network"; API Audit Logs)
Microsoft Agent Operating Systems: Windows Server (of course); Amazon Linux 2012.09 -- 2017; CentOS Linux 5, 6, and 7; Oracle Linux 5, 6, and 7; Red Hat Enterprise Linux Server 5, 6 and 7; Debian GNU/Linux 6, 7, 8, and 9; Ubuntu 12.04, 14.04, 16.04 LTS; SUSE Linux Enterprise Server 11/12

Simplified ities

Detections
- Threat Intelligence: Outbound communication to a malicious IP address/Domains; Threat intelligence monitoring and signal sharing across all their services
- Behavioral Analytics:
  - Suspicious process execution: models process behaviors and monitors process executions to detect outliers
  - Hidden malware and exploitation attempts: memory analysis, crash dump analysis
  - Lateral movement and internal reconnaissance: monitors process and login activities such as remote command execution, network probing, and account enumeration
  - Malicious PowerShell Scripts: inspects PowerShell activity for evidence of suspicious activity
  - Outgoing attacks: take part in brute force, scanning, DDoS, and Spam sending campaigns
- Anomaly Detection: Inbound RDP/SSH brute force
Reference: rity-center/security-center-detection-capabilities

Dashboard (screenshot slides)

Agent Reports Missing Patches (screenshot slides)

All Agent Logs are Searchable (screenshot slide)

Value Added
- Hybrid-first approach: Leverages the vast amount of enterprise management features and capabilities applied to Azure resources.
- Provides a Microsoft-supported Windows/Linux Agent: Supported OSes get enhanced detection capabilities (logs, process monitoring, crash dump analysis)
- Integrated, Self-Service Partner Marketplace: Adding a solution is a few clicks and a license away in many cases.
- Leverages the Azure Log Analytics Service: Mature integrations, advanced querying, and full-featured REST API

Areas for Improvement
- A detailed list of anomalous detection capabilities is not yet available.
- Ability to tune detection parameters.
- Potential delay from agent deployment to it reporting in the Dashboard.
- The ability to supply custom threat/IP feeds to aid in improving detection accuracy.

Amazon GuardDuty et al

Amazon GuardDuty et al
Released: AWS CloudTrail: Spring 2013; AWS VPC Flow Logs: Summer 2015; Amazon GuardDuty: Winter 2017
Description: Amazon GuardDuty offers threat detection that enables you to continuously monitor and protect your AWS accounts and workloads.
Cost: 30-day free trial. North America: 0.25 - 1 per GB of VPC/DNS, 4 per 1M Cloudtrail Events
Links and Documentation: https://aws.amazon.com/guardduty/

Key Features
- Watches Data Streams: AWS CloudTrail Events, Amazon VPC Flow Logs, and DNS Logs.
- Integrates Threat Intelligence Feeds and Machine Learning: Feeds with known malicious IP addresses and domains. Environment specific baselining. You can supply your own IP lists for "good" and "bad" hosts.
- Generates Findings: Creation action creates CloudWatch events useful for triggering Lambda functions for further processing and sending notifications.
- Cross-Account Visibility: Events can be centralized across multiple "member" accounts to a centralized "master" account.

How CloudTrail Works
(Amazon CloudTrail flow diagram)
- Account activity occurs
- CloudTrail records a CloudTrail Event
- You can view/download your activity in the CloudTrail Event History
- You can set up CloudTrail and define an Amazon S3 bucket for storage
- A log of CloudTrail Events is delivered to an S3 bucket and optionally to CloudWatch Logs and CloudWatch Events

How GuardDuty Works
(Amazon GuardDuty flow diagram)

Detections
"Threat Purposes" (Types of Findings)
- Backdoor - Compromised AWS resource contacting its C&C server.
- Behavior - Activity patterns that are different from the established baseline.
- Cryptocurrency - Detecting software that is associated with cryptocurrencies.
- Pentest - Potential attack activity generated by known pen testing tools.
- Persistence - An IAM user is behaving differently from the established baseline.
- Recon - Reconnaissance attack underway probing ports, listing users, database tables, etc.
- Resource Consumption - An IAM user is behaving differently from the established baseline to create new resources, such as EC2 instances.
- Stealth - Detects attacks leveraging an anonymizing proxy server, disguising the true nature of the activity.
- Trojan - Malicious activity associated with certain Trojan applications.
- Unauthorized Access - A suspicious activity pattern by an unauthorized
Reference: atest/ug/guardduty finding-types.html
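The "Generates Findings" feature above delivers each finding as a CloudWatch Event, and the "Threat Purpose" is the first segment of the finding's type string. The following is an added example, not code from the talk or from AWS, of the kind of Lambda function that would consume such an event: it splits the type into purpose, resource type and family, maps the numeric severity onto the documented GuardDuty bands (Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9), and decides a route. The sample event, its ids and account number are constructed, and the "pager"/"ticket" routing policy and the CREDENTIAL_PURPOSES set are this example's own choices.

```python
"""
Added example (not code from the talk or from AWS): triage of a GuardDuty
finding delivered as a CloudWatch Event, as a Lambda function subscribed to
the "GuardDuty Finding" event would do it. The event is constructed to follow
the finding shape (detail.type, detail.severity, detail.accountId,
detail.service.action); the severity bands are the documented GuardDuty ones,
while the routing policy ("pager" vs "ticket") is this example's own choice.
"""
import json


def severity_label(score):
    """GuardDuty severity bands: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9."""
    score = float(score)
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def parse_finding_type(finding_type):
    """Split 'ThreatPurpose:ResourceTypeAffected/ThreatFamilyName...' into parts."""
    purpose, _, rest = finding_type.partition(":")
    resource, _, family = rest.partition("/")
    return {"purpose": purpose, "resource": resource, "family": family}


# Threat purposes that point at credential misuse rather than a noisy host;
# this example escalates them even when the numeric severity is moderate.
CREDENTIAL_PURPOSES = {"UnauthorizedAccess", "Persistence", "Stealth"}


def triage(event):
    """Turn one finding event into a routing decision (returned, not just printed)."""
    detail = event["detail"]
    parts = parse_finding_type(detail["type"])
    label = severity_label(detail["severity"])
    escalate = label == "HIGH" or parts["purpose"] in CREDENTIAL_PURPOSES
    action = detail.get("service", {}).get("action", {})
    return {
        "id": detail["id"],
        "account": detail["accountId"],
        "purpose": parts["purpose"],
        "resource_type": parts["resource"],
        "family": parts["family"],
        "severity": label,
        "action_type": action.get("actionType"),
        "route": "pager" if escalate else "ticket",
    }


def lambda_handler(event, context=None):
    """Entry point shape used by Lambda; prints the decision and returns it."""
    decision = triage(event)
    print(json.dumps(decision))
    return decision


# Constructed sample event (placeholder finding id and account number)
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.guardduty",
    "detail-type": "GuardDuty Finding",
    "detail": {
        "id": "EXAMPLE-FINDING-ID",
        "accountId": "111111111111",
        "type": "UnauthorizedAccess:IAMUser/InstanceCredentialExfiltration",
        "severity": 8,
        "resource": {"resourceType": "AccessKey"},
        "service": {"action": {"actionType": "AWS_API_CALL"}},
    },
}

if __name__ == "__main__":
    lambda_handler(SAMPLE_EVENT)
```

The escalation set is deliberately keyed on the purpose rather than on the numeric severity alone: a Stealth finding about logging being disabled may carry a low score but is exactly the "cover tracks" step a defender wants paged on.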

Dashboard (screenshot slides)

Dashboard - Finding (screenshot slides)

Demo!
Rhino Security Labs - Cloud Goat (Slightly Modified): Safe, practice environment for learning how to collect keys, move laterally, escalate privileges, and more. .com/RhinoSecurityLabs/cloudgoat

Demo! Attack Path Steps
1. Server-Side Request Forgery to steal EC2 IAM instance credentials
2. Enumerate API access unsuccessfully
3. Escalate to Administrator using attach-role-policy
4. Enumerate API access successfully
5. Find and exfiltrate PII from an S3 bucket
6. Add a permanent Administrative user
7. Cover our tracks
8. Review the IAM, Cloudtrail, and GuardDuty logs/alerts
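Step 8 reviews what the attack path left behind in CloudTrail. The block below is an added example, not code from the talk, CloudGoat, or AWS, that runs a small rule set over CloudTrail-style records and surfaces the indicators this deck lists under "Cloud Provider API Activity" (internal IAM credentials used from external sources, credential/permission enumeration, sensitive permission changes, changes to user accounts and logging configuration) as they appear across the demo steps. The records, the role and user ARNs, the IP addresses and the KNOWN_EGRESS_IPS set are all constructed; the field names (eventName, eventSource, userIdentity, sourceIPAddress, requestParameters, errorCode) follow the CloudTrail record format, and the rule names and the ENUM_THRESHOLD value are this example's own choices.

```python
"""
Added example (not code from the talk, CloudGoat, or AWS): detection rules
run over CloudTrail-style records, covering the "Cloud Provider API Activity"
indicators and the demo attack steps (stolen instance credentials used from
outside, permission enumeration, escalation with attach-role-policy, a
persistent user/key, and tampering with logging). The records and
KNOWN_EGRESS_IPS are constructed; field names follow the CloudTrail record
format.
"""
from collections import Counter

# Constructed: egress addresses the account's own workloads use. Instance-role
# credentials seen from any other address were very likely copied off the box.
KNOWN_EGRESS_IPS = {"203.0.113.10", "203.0.113.11"}

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
PERSISTENCE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}
LOGGING_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                  "PutEventSelectors", "DeleteDetector"}
ENUM_THRESHOLD = 3  # AccessDenied responses per principal before flagging enumeration


def principal(rec):
    return rec.get("userIdentity", {}).get("arn", "unknown")


def is_instance_role(rec):
    """EC2 instance-profile credentials appear as an AssumedRole whose
    session issuer is a Role; they should only ever be used from the instance."""
    ui = rec.get("userIdentity", {})
    issuer = ui.get("sessionContext", {}).get("sessionIssuer", {})
    return ui.get("type") == "AssumedRole" and issuer.get("type") == "Role"


def evaluate(records):
    """Return findings as (rule, principal, eventName) tuples, in record order."""
    findings = []
    denied = Counter()
    flagged_external = set()
    for rec in records:
        name, who = rec.get("eventName", ""), principal(rec)
        ip = rec.get("sourceIPAddress")
        # Rule 1: instance credentials used from outside the account's own egress
        if is_instance_role(rec) and ip not in KNOWN_EGRESS_IPS and who not in flagged_external:
            flagged_external.add(who)  # one finding per principal, not per call
            findings.append(("instance-credentials-used-externally", who, name))
        # Rule 2: repeated AccessDenied on IAM/STS calls = permission enumeration
        if (rec.get("errorCode") == "AccessDenied"
                and rec.get("eventSource") in ("iam.amazonaws.com", "sts.amazonaws.com")):
            denied[who] += 1
            if denied[who] == ENUM_THRESHOLD:  # fire once, on the Nth denial
                findings.append(("permission-enumeration", who, name))
        # Rule 3: AdministratorAccess attached to a role or user
        if (name in ("AttachRolePolicy", "AttachUserPolicy")
                and rec.get("requestParameters", {}).get("policyArn") == ADMIN_POLICY):
            findings.append(("admin-policy-attached", who, name))
        # Rule 4: new user or long-lived credential (persistence)
        if name in PERSISTENCE_EVENTS:
            findings.append(("new-user-or-credential", who, name))
        # Rule 5: logging or detection configuration changed (covering tracks)
        if name in LOGGING_EVENTS:
            findings.append(("logging-tampered", who, name))
    return findings


# --- constructed sample records (placeholder account id, role and IPs) ---
ROLE = {"type": "AssumedRole",
        "arn": "arn:aws:sts::111111111111:assumed-role/web-instance-role/i-0example",
        "sessionContext": {"sessionIssuer": {"type": "Role"}}}
USER = {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"}


def _rec(name, source, identity, ip, **extra):
    rec = {"eventName": name, "eventSource": source + ".amazonaws.com",
           "userIdentity": identity, "sourceIPAddress": ip}
    rec.update(extra)
    return rec


SAMPLE_RECORDS = [
    _rec("DescribeInstances", "ec2", USER, "203.0.113.10"),                    # benign admin
    _rec("ListUsers", "iam", ROLE, "198.51.100.7", errorCode="AccessDenied"),  # steps 1-2
    _rec("ListRoles", "iam", ROLE, "198.51.100.7", errorCode="AccessDenied"),
    _rec("GetUser", "iam", ROLE, "198.51.100.7", errorCode="AccessDenied"),
    _rec("AttachRolePolicy", "iam", ROLE, "198.51.100.7",                      # step 3
         requestParameters={"roleName": "web-instance-role", "policyArn": ADMIN_POLICY}),
    _rec("ListUsers", "iam", ROLE, "198.51.100.7"),                             # step 4
    _rec("ListBuckets", "s3", ROLE, "198.51.100.7"),                            # step 5
    _rec("CreateUser", "iam", ROLE, "198.51.100.7",                             # step 6
         requestParameters={"userName": "placeholder-user"}),
    _rec("CreateAccessKey", "iam", ROLE, "198.51.100.7"),
    _rec("StopLogging", "cloudtrail", ROLE, "198.51.100.7"),                    # step 7
]

if __name__ == "__main__":
    for rule, who, event in evaluate(SAMPLE_RECORDS):
        print(f"{rule:40} {event:18} {who}")
```

Note that step 5 (reading the bucket) produces no finding here: S3 object reads are data events, which CloudTrail does not record unless data-event logging is enabled for the bucket, so the S3 exfiltration is only visible through the surrounding management events.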

Value Added
- Zero-Impact Setup: Nearly a "one-click" installation process.
- Clear Listing of GuardDuty Detections: You know what AWS is monitoring for you.
- Broad Partner Ecosystem: Many options to choose from in many different areas of security, not just detection.
- Detects Multiple Forms of API Misuse: Several key detections for behaviors associated with compromised credentials.

Areas for Improvement
- Ability to tune parameters for all settings and detections
- Ability to add custom detections into the native analytics engine/flow
- API ability to create custom findings, not just view them.
- Unified security dashboard and workflow for all AWS Security services: AWS Config, AWS Inspector, AWS CloudTrail, AWS GuardDuty

Google Cloud Security Command Center

Google Cloud Security Command Center
Released: Google StackDriver: Spring 2016; Google Cloud VPC Flow logs: Spring 2018; Google Cloud Security Command Center (Alpha): Spring 2018
Description: The Cloud Security Command Center (Cloud SCC) is the canonical security and data risk database for Google Cloud Platform (GCP). Cloud SCC enables you to understand your security and data attack surface by providing asset inventory, discovery, search, and management.
Links and Documentation: https://cloud.google.com/security-command-center/

Key Features
- Asset Discovery/Inventory: Across App Engine, Compute Engine, Cloud Storage, and Cloud Datastore
- Anomaly Detection: Identifies threats like botnets, cryptocurrency mining, anomalous reboots, and suspicious network traffic.
- Cost: Unknown. Free during Alpha period.
- Centralized Finding Dashboard: Web application vulnerability scans - Cloud Security Scanner; Sensitive data on storage bucket scans - DLP API; Access control and policy scans - Forseti; All third party security solution findings/results

Key Features (Cont'd)
- Real-Time Notifications: Receive Cloud SCC alerts via Gmail, SMS, and Jira with Cloud Pub/Sub notification integration.
- REST API: Integration with your existing security systems and workflows.

Detection Data Flow
(Diagram: Virtual Machines, "Network", IAM / API Audit Logs, and Partner Integrations feed the Google CSCC API / Dashboard, which feeds Alerting / Notification)

Detections
As Listed but not Detailed: Botnets; Cryptocurrency mining; Anomalous reboots; Suspicious/anomalous network traffic

Dashboard (screenshot slides)

Value Added
- Zero-Impact Setup: Setup does not affect any running workflows.
- Partner Focus: The API and Interface feature partner solutions and integrate their output streams into a single management interface.
- Framework-Oriented: Similar to the Stackdriver logging service in that it's a framework for handling all security events across all applicable services.

Limitations and Suggestions
Limitations:
- Still in Alpha, so anomalous detection capabilities are still in the early stages.
- Not yet a comprehensive or detailed list of detection capabilities.
Suggestions:
- Ability to tune all settings and detections
- Ability to add custom detections into the native flow
- Integrated security detections for all managed GCP services
- Integrate native notification and alerting functionality

Key Takeaways and Looking Ahead

Common Areas for Improvement
- Detections: Visibility dependent on implementation; Detection capability listings; Customization / Tuning; ML/AI in use, but how exactly?
- Integrations: Wide range of ease of integration; A small selection of vendors that integrate natively into the new services.
- Education: Clearer guidelines needed.

Are the provider-native threat detection services all I need?

Should I Adopt These Services Now?

The Framework is Important

Wherever possible, avoid undifferentiated heavy lifting

Watch this space closely

Security solution vendors -- Take note

Additional Learning and Exploration
- Cloud Goat - Rhino Security Labs: https://github.com/RhinoSecurityLabs/cloudgoat - "Vulnerable by Design" AWS infrastructure setup and testing environment
- FlAWS.Cloud - Scott Piper: http://flaws.cloud
- Detecting Credential Compromise in AWS - Will Bengston: cting-credential-compromise-in-aws
- Cloud Security Trends Reports: 018 report-2018

Thank you! Questions?
@bradgeesaman
