Individual was caught and arrested because they bragged on chat boards
Result: an $80M fine was levied by the Office of the Comptroller of the Currency (Treasury)
python aws_inventory.py
Ref: Rich Mogull / DisruptOps and Shawn Harris / Starbucks; Check Point; CSO Online.
Dig In: Static Credential Exposure
Average time from leak to usage is very short.
Break this Cyber Attack Kill Chain
Search/Scan GitHub, BitBucket, images, your internal network, shell history, apps,
and any other place where your code is published/stored
Static analysis tools should search in the CI/CD pipeline
Minimize the use of static credentials – use secret managers
Tooling: eDiscovery, PoSH, AWS Macie, GitLab secret detection, ...
AWS: Tightly manage AWS IAM roles and federation
Azure
Implement Managed Service Identities
Keep Primary Key tokens in key vault, use managed service identity for access
Applications can use managed identities to obtain Azure AD tokens without having
to manage any credential
Time-Based Security: Critical for CSPs
Reproducible method to understand how much security a
product or technology provides
How long are systems exposed?
How long before we detect a compromise?
How long before we respond?
P – how long our protection works
D – how long it takes us to detect
R – how long it takes us to react
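The relationship the P, D and R bullets build toward, stated here as an added note (it is the standard Time-Based Security inequality from Winn Schwartau's model, not a formula that appears on the original slides):

    P > D + R

If instead P <= D + R, the attacker has a window of E = (D + R) - P during which protection has already failed but the response is not yet complete; that window is the "matter of time" the next slide describes, and shrinking D and R is what closes it.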
While prevention works, detecting and responding early help to mitigate impact.
If the attacker steals the safe and brings it home, he eventually wins. It's a matter of time.
So why is this so important? Turns out ...
It takes hackers 1 minute to find and abuse credentials
exposed on GitHub.
Paul Bischoff set up a honeypot by publishing AWS credentials in public GitHub
repositories to find out how attackers find and abuse them.
DescribeInstances and GetAccountAuthorizationDetails API calls
547 unique source IPs
Ref: article by @pabischoff, October 1, 2020, on www.comparitech.com
Detection Engineering Defined (Sort of...)
Humio:
Detection engineering is the process of identifying threats before they can
do significant damage.
SpecterOps:
In detection engineering, we define high-value entities as classified
intellectual property or critical portions of production infrastructure. With
this definition in mind, detection engineers can focus on the high-risk or
high-value objects within an environment to narrow the focus of detection
to a specific scope of unique objects within the environment.
Florian Roth:
Detection engineering transforms an idea of how to detect a specific
condition or activity into a concrete description of how to detect it.
Don’s Working Definition
Data is contained in the "AuditData" field when you download the CSV
You might like this instead...
Use PowerShell to get the logs into a CSV
Search-UnifiedAuditLog -StartDate 5/1/2018 -EndDate 5/8/2018 -SessionId "UnifiedAuditLogSearch 05/08/17" -SessionCommand ReturnLargeSet
Or Better Yet
# Outputs JSON AuditData strings (unparsed) for the past week, using an interval window of 120 minutes:
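An added example of the windowed pull described by that comment (this is not the script from the original slides): it walks the past week in 120-minute windows and writes the raw AuditData JSON strings one per line. It assumes an Exchange Online PowerShell session is already connected (Connect-ExchangeOnline) so Search-UnifiedAuditLog is available; the output path is a placeholder.

```powershell
# Added example, not the script from the slides. Assumes Connect-ExchangeOnline
# has already been run in this session. $OutFile is a placeholder path.
function Export-UalAuditData {
    param(
        [datetime]$Start = (Get-Date).AddDays(-7),
        [datetime]$End = (Get-Date),
        [int]$IntervalMinutes = 120,
        [string]$OutFile = '.\auditdata.jsonl'   # placeholder path
    )
    $windowStart = $Start
    while ($windowStart -lt $End) {
        $windowEnd = $windowStart.AddMinutes($IntervalMinutes)
        if ($windowEnd -gt $End) { $windowEnd = $End }
        # A unique SessionId per window; ReturnLargeSet pages through the window
        # 5000 records at a time until a call returns nothing.
        $sessionId = 'UAL-' + [guid]::NewGuid().ToString()
        $total = 0
        do {
            $batch = @(Search-UnifiedAuditLog -StartDate $windowStart -EndDate $windowEnd `
                -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
            if ($batch.Count -gt 0) {
                # AuditData is already a JSON string; write it unparsed, one per line
                $batch | ForEach-Object { $_.AuditData } | Add-Content -Path $OutFile
                $total += $batch.Count
            }
        } while ($batch.Count -gt 0)
        Write-Host ("{0:u} - {1:u}: {2} records" -f $windowStart, $windowEnd, $total)
        $windowStart = $windowEnd
    }
}
Export-UalAuditData
```

Small windows keep each session well under the ReturnLargeSet ceiling, so a busy tenant does not silently drop records.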
Activity Spikes
Sudden uptick in OWA Bind (MailAccessType) can indicate a compromised
user’s mail is being read en masse by an attacker
Business Email Compromise: Find the deviation from “normal”
Users normally use the same UserAgent (phone, Outlook)
Home/Office users access messaging platforms from the same ASN, network
range, city, country from one or two devices (Outlook, smartphone).
Geographically improbable travel, multiple devices are key for BEC
A BEC actor will install a forwarding rule (Set-Mailbox, ForwardingSMTPAddress) and will
"re-read" the mail as they consume it (spike in Operation=MailItemAccessed, which is
available with an E5 license)
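One way to check exported AuditData records for the BEC indicators this slide lists, as an added example that is not from the original deck: a forwarding address set via Set-Mailbox, a MailItemAccessed spike against the user's baseline, and access from an IP or client the user does not normally use. Field names follow the Unified Audit Log schema; the records, the per-user baseline and the 3x spike threshold are constructed assumptions.

```powershell
# Added example, not from the slides. Records, baseline and threshold are constructed.
$records = (@'
{"Operation":"MailItemAccessed","UserId":"alice@example.com","ClientIP":"198.51.100.7","ClientInfoString":"Client=Outlook"}
{"Operation":"Set-Mailbox","UserId":"alice@example.com","ClientIP":"203.0.113.9","Parameters":[{"Name":"Identity","Value":"alice"},{"Name":"ForwardingSmtpAddress","Value":"smtp:archive@example.net"}]}
{"Operation":"MailItemAccessed","UserId":"alice@example.com","ClientIP":"203.0.113.9","ClientInfoString":"Client=OWA"}
{"Operation":"MailItemAccessed","UserId":"alice@example.com","ClientIP":"203.0.113.9","ClientInfoString":"Client=OWA"}
{"Operation":"MailItemAccessed","UserId":"alice@example.com","ClientIP":"203.0.113.9","ClientInfoString":"Client=OWA"}
{"Operation":"MailItemAccessed","UserId":"bob@example.com","ClientIP":"198.51.100.8","ClientInfoString":"Client=Outlook"}
'@) -split "`n"

# Per-user "normal": usual IPs and clients, and typical reads per 120-minute window
$baseline = @{
    'alice@example.com' = @{ IPs = @('198.51.100.7'); Agents = @('Client=Outlook'); Reads = 1 }
    'bob@example.com'   = @{ IPs = @('198.51.100.8'); Agents = @('Client=Outlook'); Reads = 1 }
}

function Find-BecIndicators([string[]]$Lines, [hashtable]$Baseline) {
    $events = $Lines | Where-Object { $_.Trim() } | ForEach-Object { $_ | ConvertFrom-Json }
    $findings = @()
    foreach ($g in ($events | Group-Object UserId)) {
        $user = $g.Name; $known = $Baseline[$user]
        # 1. Forwarding rule: Set-Mailbox carrying a ForwardingSmtpAddress parameter
        foreach ($e in ($g.Group | Where-Object Operation -eq 'Set-Mailbox')) {
            $p = $e.Parameters | Where-Object Name -eq 'ForwardingSmtpAddress'
            if ($p) { $findings += "${user}: forwarding set to $($p.Value) from $($e.ClientIP)" }
        }
        # 2. MailItemAccessed spike: more than 3x the user's usual reads in the window
        $reads = @($g.Group | Where-Object Operation -eq 'MailItemAccessed').Count
        if ($known -and $reads -gt 3 * $known.Reads) {
            $findings += "${user}: $reads MailItemAccessed events (baseline $($known.Reads))"
        }
        # 3. Deviation from "normal": an IP or client agent the user has not used before
        foreach ($e in $g.Group) {
            if ($known -and $known.IPs -notcontains $e.ClientIP) { $findings += "${user}: new IP $($e.ClientIP)" }
            if ($known -and $e.ClientInfoString -and $known.Agents -notcontains $e.ClientInfoString) {
                $findings += "${user}: new client $($e.ClientInfoString)"
            }
        }
    }
    $findings | Sort-Object -Unique
}
Find-BecIndicators -Lines $records -Baseline $baseline
```

On the constructed data only alice is flagged, and on all three indicators at once; any one of them alone is a weaker signal and the combination is what makes the BEC case.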
More Example Detections (2/2)
Excessive permissions that lead to compromise ALCE events
Attacker gains some sort of access, creates a new user, adds users to roles/groups,
and pulls down / discovers the email list (as Outlook does).
Then grants access (*.All, *.ReadWrite) and creates forwarding rules or other message rules.
Establish Persistence for a privileged Cloud application
Application changes as well, via "UpdateApplication" with a NewValue that begins with
"Certificate", allowing an attacker to leverage OAuth
Running a memory snapshot via Microsoft’s AVML via SSM
Investigating Cloud App Integration : Graph API
Registration Process: These should occur infrequently
Setup: Register app, configure permissions, Get Global Admin Approval (to
enable).
Action: App requests access token, calls Graph APIs.
Operation_Name: Records quite a bit of information
Be aware of risky permissions granted to the service principal
Global Admin: “Consent to Application”
These events should be rare
Should trigger an alert so that the Sec Team has awareness, the App Portfolio is updated, and new access grants can be integrated into the Sec Program
Graph Records for Incident Detection
Azure App Registration Process
SolarWinds: a compromised certificate was added to a privileged app, which
facilitated OAuth token generation and usage to monitor email through the Graph API
App Reg generates many events:
Adding a service principal, application, generating a client secret, and Global Admin consent
operationName = "Add service principal"
Permissions Assignment
AppRoleAssignment.ReadWrite.All and RoleManagement.ReadWrite.Directory are considered extremely dangerous
Assigning permissions that end with "*" or ".All" may be risky
Watch changes to roles that have "administrator" in the name (like Global Administrator)
Tools: CISA’s Sparrow & Hawk tools help to assess this area
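An added example (not from the slides and not CISA's Sparrow or Hawk) that flags the app registration events this section describes in AuditData records: a service principal added, admin consent granted, an application updated with a NewValue beginning with "Certificate", risky permission grants ("*", ".All", or the two named as extremely dangerous), and membership changes to roles with "administrator" in the name. Operation names follow the Azure AD audit log; the records are constructed and simplified (Target as a plain string).

```powershell
# Added example, not from the slides or from Sparrow/Hawk. Records are constructed.
$records = (@'
{"Operation":"Add service principal.","UserId":"admin@example.com","Target":"mail-sync-app"}
{"Operation":"Consent to application.","UserId":"admin@example.com","Target":"mail-sync-app"}
{"Operation":"Update application.","UserId":"admin@example.com","Target":"mail-sync-app","ModifiedProperties":[{"Name":"KeyDescription","NewValue":"Certificate CN=mail-sync"}]}
{"Operation":"Add app role assignment to service principal.","UserId":"admin@example.com","Target":"mail-sync-app","ModifiedProperties":[{"Name":"AppRole.Value","NewValue":"Mail.ReadWrite"},{"Name":"AppRole.Value","NewValue":"AppRoleAssignment.ReadWrite.All"}]}
{"Operation":"Add member to role.","UserId":"admin@example.com","Target":"svc-account@example.com","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Global Administrator"}]}
{"Operation":"Update user.","UserId":"admin@example.com","Target":"bob@example.com"}
'@) -split "`n"

# The two permissions the slides call extremely dangerous
$extremelyDangerous = @('AppRoleAssignment.ReadWrite.All', 'RoleManagement.ReadWrite.Directory')

function Test-RiskyPermission([string]$Permission) {
    # Named on the slides, or a wildcard / tenant-wide ".All" grant
    ($Permission -in $extremelyDangerous) -or $Permission.EndsWith('*') -or $Permission.EndsWith('.All')
}

function Find-AppRegistrationRisk([string[]]$Lines) {
    $findings = @()
    foreach ($line in ($Lines | Where-Object { $_.Trim() })) {
        $e = $line | ConvertFrom-Json
        $who = "$($e.UserId) -> $($e.Target)"
        switch -Wildcard ($e.Operation) {
            'Add service principal*'  { $findings += "service principal added: $who" }
            'Consent to application*' { $findings += "admin consent granted: $who" }
            'Update application*' {
                foreach ($mp in $e.ModifiedProperties) {
                    if ($mp.NewValue -like 'Certificate*') { $findings += "certificate added to app: $who" }
                }
            }
            'Add app role assignment*' {
                foreach ($mp in $e.ModifiedProperties) {
                    if (Test-RiskyPermission $mp.NewValue) { $findings += "risky permission $($mp.NewValue): $who" }
                }
            }
            'Add member to role*' {
                foreach ($mp in $e.ModifiedProperties) {
                    # -match is case-insensitive, so "Global Administrator" is caught
                    if ($mp.NewValue -match 'administrator') { $findings += "admin role change $($mp.NewValue): $who" }
                }
            }
        }
    }
    $findings
}
Find-AppRegistrationRisk -Lines $records
```

The "Update user." record produces nothing, while the five registration-chain records each produce a finding; seeing all of them for one app within a short window is the pattern worth alerting on.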
Amazon Web Services
Log Sources and What they Cover
CloudTrail: tenant console/API audit log (90 days)
CloudTrail Insights: API usage outside of baseline
CloudWatch: forwarded logs from apps, endpoints
CloudWatch Logs Insights: metric/pattern queries
GuardDuty: high-value anomaly detection
VPC Flow Logs: VPC flow (multiple points / levels)
S3 Server Access Logs: access logs from web-based object storage
Route 53: DNS Resolver query logs
Load balancer: from the Internet / front end (you want XFF)
IR Preparation in AWS
AWS Org – What is outside of the Org structure?
Nearly all accounts must be in the Org structure; policies can be applied to sub-orgs
Must be aware of root org accounts and how they are used in sub-orgs!
AWS has a ready-to-use IR framework that can provide a dedicated "IR Org" account
outside of the Org structure
Granting “Read Only” is significantly easier within an Org structure
Accounts can (and should) be configured to log centrally: CloudTrail, API, etc.
Investigation process: what keys/accounts were used -> what did their policies allow them
to do -> what did they do (by user, by key ID)
Use the Policy Simulator to see what the subject’s effective rights are
Roles are a common target of abuse
Drop a SANS SIFT system for quick deployment
Must Get Scripting!