
Thanks for the introduction, it's really great to be here, and thank you to Cena and also Natalie for organizing this really great conference. I'm looking forward to the rest of the talks. So my name is Hannah, I'm an external CISO focusing on cloud security and also third-party supply chains for the telecommunications industry, marketing, and also in aviation, airlines. But the story starts before, in 2016. In 2016 I was working as a secure file transfer admin in technical support, and what I noticed during that time is the focus and the move away from on-premise to cloud. Now keep in mind this was 2016; the year before, 2015, only 15% of company data was in the cloud. Now let's move on to 2018. I was a technical evangelist for a logging and security events company, and again it's also very interesting because there had been some new products and features on the market which were all about cloud logging, and so there has been a move away from on-premise to more hybrid cloud models, SaaS and also pure public cloud, and this is where we're at right now.

Trends in managing cloud-based risks. Let's take a look at it from the threat landscape perspective. The threat landscape is the entirety of potential and identified threats affecting a particular sector, group of users, time and so on. Let's take a look at it from the sector perspective, from different industries in my day-to-day: software, airlines and aviation, and telecommunications.

In software we have the use of shadow SaaS. What do I mean by shadow SaaS? Well, it's not just your intern using Zapier; it's also legit applications in your company. It could be Fred from IT talking to Karen from HR: she wants to use this SaaS application, but it hasn't gone through the relevant security requirements. Now I've seen that these contracts get signed and nobody knows what the trust boundary is or the data flow model. And then what is interesting here is SaaS-based attacks and techniques; we'll go into that later. And again, for software it's also the fact that you have different sources of data that need to be analyzed.

With airlines it's a little bit different. Airlines are not really so innovative. Who here flew to Berlin? Nope, we're all in Berlin... oh, someone here. Well, you know, if you've had to book an airline ticket, it's really terrible, the GUI. They can't really innovate; they have to go through a third-party supplier, a service provider, to innovate, and you know what that brings in: third-party supply chain risks. Another thing with airlines is that, in addition to a large attack surface, there's also the fact that they are more focused on the business data side of things, for example loyalty program data, and we'll get to that and how that relates to Caesars. For example, the American Airlines loyalty program is worth $131.2 billion, and some people say it's even worth more than the airline itself.

Then let's move on to telecommunications. In telecommunications we have this expanding threat surface due to really large digital transformation initiatives: you know, move to cloud, AI, automation, all the buzzwords, the press releases. And that is in addition to the coexisting threats and vulnerabilities in technologies that have existed for 10, 15 years. What also makes it interesting here is that you also have regulated data, so it's not just confidential data, it's also things like subscriber data, content data and so on. That's the situation right now.

So here we have the SaaS techniques targeting the risks of cloud services, the fact that the increase in attack surface is targeting the data, and the other item that I haven't mentioned yet is the unclear shared responsibilities, so that's also a people issue here.

Now let's take a look at what's happening in the news, any SaaS-based attack recently in the news: like I mentioned, Caesars, MGM, Okta even. So maybe you've heard of Okta in the news. Well, what we have here is not just the fact that there are growing SaaS attacks but also that these techniques are being contextualized in the framework. I went to 44CON in London two months ago, so if you went there as well you may have heard of this project, Push Security, which is based on the MITRE ATT&CK framework. What they have done is they've gone through the 10 tactics, and from the techniques they've identified which of these are SaaS-based. It's a really interesting project; if you look up their GitHub repository you can make a pull request, you can add in your own opinions, you can read what the case studies are and so on.

Another one is from the MITRE framework. So if you have used the MITRE ATT&CK framework, here they have the SaaS matrix. They have 11 different tactics, so from left to right we have initial access, execution, persistence, privilege escalation, defense evasion, credential access (there are seven techniques in credential access), discovery, lateral movement, collection, exfiltration and impact. What's interesting here is, yes, there are seven techniques related to credential access; there's one technique called valid accounts and it's appearing in a few different tactics here. In the end you've got exfiltration, so exfiltration through web services and through alternative protocols. Then what's interesting also is you have collection: automated collection, collection through information repositories (so there's a talk here later on which talks about going through the Git repositories) and also collection through cloud data storage objects. So that's the SaaS matrix.

And how does it look in the wild? For Okta, the attackers used the technique Steal Application Access Token, and from there they can pivot on to customers, customer data, customer instances. Then following on that is Cloudflare, so the Cloudflare CSIRT and the attempt there, and here we have the technique Use Alternate Authentication Material, and that was also the case with 1Password, where there was the attempt on the Okta instance for 1Password. And on the user side we have 23andMe, if anyone here has read the news from 23andMe. So you have the credential stuffing attack, that was from Push Security's first diagram, where password breach information was used, which then led to more personal information; so in this case it's the DNA Relatives application, where the technique App User Directory Lookup was used.

Earlier on I mentioned Caesars. So who here went to DEF CON, Black Hat as well in August, sat in Caesars, MGM? Okay, you know, so I mean what happened in Vegas didn't really stay in Vegas, because we all know what happened with MGM and Caesars. So who refused to pay ransom? MGM, yes, that's correct. So they absorbed $100 million in operational costs. And who paid ransom? The other one, Caesars. How much did they pay, how much in millions? 10? 5? About 15 million? They paid $50 million in ransom. And the new thing here is this SEC filing. So Caesars, they had to do an SEC filing, and in it, which you can read online, the attackers had a copy of the loyalty program database. We'll get onto sensitive data, but they had a copy of the program database. It was established in 1998, so there's about 25 years of customer data on it: SSNs, confidential data and so on. And it was worth like 1 million... 1 billion in 2015; I don't know how much it costs now.

But the next item here in terms of managing cloud-based risks is security of sensitive data. So what's the situation right now with sensitive data when more data is moving to the cloud? 75% of businesses have 40% of sensitive data stored in the cloud, and this is up by 26% in 2022, so we'll have more and more of this. In fact Microsoft (I think there's someone here from Microsoft) recently, two days ago, are moving about $25 billion of customer card transactions to the public Azure instance. So this is what's going on very recently as well. However, unfortunately, on average 45% of sensitive data is encrypted, and that's from this year's report. So why are we talking about encryption of sensitive data? One of the items here is that usually when we are talking about protecting confidentiality and integrity, it's usually through looking at what is encrypted at rest and what is encrypted in transit. But what about encryption of data in use? I recently downloaded a SOC 2 Type 2 report, it was OpenAI ChatGPT, the Enterprise edition, so I had to look and see, okay, what statements are they making about encryption here. So they have encryption of data in transit and at rest, but I didn't find information about what the encryption of data is like in use. So this is where we're at: unclear shared responsibility. So it's finding out, for example, what the situation is like for encryption of data in use, in transit.

Another item here in terms of managing cloud-based risks is that responsibilities are unclear. What do I mean by that? We know that some responsibilities, like when you're using Zapier or AWS, some of it is covered by the cloud provider, which is at the top. Some of the security requirements are covered by the software-as-a-service provider, the application-as-a-service provider, and then others are covered by the cloud customer. So it's things like, for example, the contract owner; it's, you know, Fred from IT, and he's deciding to use this application without going through the security requirements. And then there's also the cloud operator. So the cloud operator is, you know, the cloud integrator; in some cases it's the same entity or the same department, but in major projects the cloud operator is, you know, a third-party MSSP, for example. So in this case, when the cloud customer is making a purchase, say of a new something-as-a-service, it's not known or it's not clear that the cloud operator or the cloud integrator have secured the requirements that they need to meet. And then there's the cloud user, which is us: it's you, it's me. And usually this entity, this character, appears in breach news, for example: it's completely your fault that you've reused this password all over again. That's where they appear, that's when they put the responsibility onto the cloud user without going up the upper levels to the cloud provider who is responsible for that, the software-as-a-service provider, the cloud customer and also the cloud operator.

Now let's get on to the personas. So how can we as an industry work to manage these cloud-based risks? So we've got blue, red and then compliance. Okay, what does this look like from the blue team? Well, in the blue team they would perhaps want to implement or enforce confidential computing. I'll do a quick primer of what confidential computing is; one of the talks later on today, which is at I think 5:00 pm, has a little bit more about confidential computing, which is the Tesla talk, so it's a lot more in-depth and technical. So it's about unauthorized entities cannot view data while it is in use, and for integrity, so it has to meet three minimum properties. So the second one is data integrity: unauthorized entities cannot remove, alter or add data while it is in use in the TEE. And then for code integrity, it's where unauthorized entities cannot add, remove or alter code executing in the TEE. And what I mean by unauthorized entities is not just attackers, it's also the cloud service provider, the SaaS provider as well.

And also a little bit more detail about what we mean by the trust boundaries. So we have here (just the source there if you want to see) at the top layer a scenario without confidential computing, so you see all of the elements here that have potential to access confidential data. Then we move down to just VM isolation, and then moving down to application or process isolation, then library and function isolation. So we have different scenarios of confidential computing. And for blue team what they can do is, for example, at the top, to adjust the threat model and also make sure to maintain the cloud security posture, and also to enforce security requirements, so that's things like knowing who is responsible for what in the cloud stack, so from cloud provider to cloud customer, cloud user and so on. And then that's also enforcing data protection requirements, which then brings us to data sovereignty. So enforcing data sovereignty, it's things like ensuring that the encryption keys are independent from the CSP or from the application itself, and also to build on or to assess on TEEs, on confidential computing.

Now from the red team side. So has anyone here done or commissioned or analyzed a pentest or penetration test for software as a service? You did, okay. I'm not a pentester, I'm mainly on the commissioning and analysis side, but what I've noticed from pentests, in the reports that I've seen with software as a service, is that it would be useful to know what is in scope. So usually you have the white box methodology that's mentioned in the report, but it's useful to know what CSPs are in use, what configurations are in use. The other item is to retain data structure. So we know that test data has to be used, but the question that I have is whether or not this data structure is retained. And another one that I really like from the reports is to see what the attack complexity is. So in this case, for example, you have the usual report where you have the findings, the CVSS scores, how it was found, maybe even the mitigation and so on, but the attack complexity is something like an add-on from some of the reports I've analyzed and also seen. Another one that would be interesting to see is how it looks with the MITRE ATT&CK matrix, especially with the SaaS-based attacks. So it would be interesting to see (oops, sorry, accidentally) how it works when you add in the MITRE ATT&CK framework here. So in this way, for me as the one that is reading and analyzing this, it's useful to be able to move the report finding forwards to the IT owner, to the business owner, to the contract owner, so that they can make sense of it. So it is not just a CVSS score, so I can make a story out of it as well.

And also just a little primer about attacking confidential computing; there's a lot more later on today with the Tesla talk here. Just a quick one: so software attacks, cryptographic attacks, supply chain attacks (so that's about abusing the supply chain of the trusted execution environment), basic physical attacks. In this case, for example, I was reading a report by NCC, and NCC worked with AWS to do a third-party attestation of the AWS Nitro API keys, and from that finding they've only just made a note that, yes, it's under basic... the risk here is just basic physical attacks, which is very interesting. And then protocol attacks are protocols involved with the attestation of the TEE.

Okay, compliance and audit. So what's the situation like now with compliance and audit, and how can compliance and audit teams work well? If you've participated in a third-party security audit, or if you've had to implement it, you may know that you have to involve the red team and blue team for it. And in this case, one of the ways here is that with SaaS there are unique challenges related to SaaS attacks, and the way to do it is to change the risk management approaches. So things like knowing what the responsibilities are across the stack, so from the cloud provider, the cloud service provider, the cloud customer, the cloud integrator as well, so you're able to explicitly define who is responsible for what. And then the next one is to seek out or to upgrade attestations. So previously I've mentioned that there's the NCC and AWS attestation report; there are also other ones like the CSA Cloud Security Alliance assessments, ISO certificates as well, SOC 2 Type 2. The current state with compliance is that you have the BSI, the Bundesamt für Sicherheit in der Informationstechnik, so you have the C5 controls here, and by finding out which of the data centers has the C5 attestation, you know that it not only meets the basic requirements but also requirements above it. So not all data centers, say AWS, have the C5 attestation; like Frankfurt, Paris, Stockholm only have it, and edge locations around Germany. And then in the ISO standards you have some specific standards around cloud services like 27017, 27018, and then 27036 which is more to do with supply chains. There are some upgrades with the ISO standard so that you can enforce and manage cloud-based risks; for example, in the 2022 upgrade there are two new controls for managing ICT, so it's not necessarily actually with cloud, but it's just that the ICT supply chain now has this involved. And then there's also information security for use of cloud services, so you may already be assessing cloud services, but in this case they're actually wanting to explicitly get more information from the organization that has to be certified to this ISO standard. And then there's also this growing importance to secure sensitive data, so there are three new controls around it: data leakage prevention, data masking and also security of personally identifiable information, PII.

Yeah, that's where we are right now. Currently there are major initiatives to move to cloud, to move to hybrid, move away from on-premise; about 44% of IT decision makers are focusing on cloud data storage and information security. The thing here is that when the decisions are being made, only something like 20% or 30% would have a security weighting; so they would maybe prioritize the ability to move to market, maybe they could prioritize usability, but in these cases not really prioritizing security. So in this way we can try to move it forward so that these decision makers are able to make the more secure decision. And I've read that in 2025 we're looking at about 185 to 200 zettabytes of data, so we have more and more sensitive data to protect and to manage these risks. Thank you.
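The talk describes the 23andMe incident as a credential stuffing attack, where breached username/password pairs were replayed against a SaaS login endpoint, and argues that the cloud user is blamed for password reuse while the blue team is left to find the run in its logs. As an added example (not part of Hannah's talk and not code from Push Security, 23andMe or any vendor), here is a small Python detector for that pattern from the defender's side: it flags a source address that tries many distinct accounts inside a short window with a high failure rate, and it lists the accounts that nonetheless succeeded inside that window, since those are the takeovers that need a forced reset. The log format, IP addresses, account names and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data): timestamp, source IP, account, outcome.
# 203.0.113.7 replays many leaked username/password pairs in quick succession; one pair
# (frank) still works, which is the account takeover the run was after.
# 198.51.100.20 is one user mistyping their password twice, and 192.0.2.44 is a shared
# office egress address where several people log in normally.
SAMPLE_LOG = """\
2023-11-01T10:00:01Z 203.0.113.7 alice FAIL
2023-11-01T10:00:02Z 203.0.113.7 bob FAIL
2023-11-01T10:00:03Z 203.0.113.7 carol FAIL
2023-11-01T10:00:04Z 203.0.113.7 dave FAIL
2023-11-01T10:00:05Z 203.0.113.7 erin FAIL
2023-11-01T10:00:06Z 203.0.113.7 frank SUCCESS
2023-11-01T10:00:07Z 203.0.113.7 grace FAIL
2023-11-01T10:00:08Z 203.0.113.7 heidi FAIL
2023-11-01T10:01:00Z 198.51.100.20 alice FAIL
2023-11-01T10:01:20Z 198.51.100.20 alice FAIL
2023-11-01T10:01:45Z 198.51.100.20 alice SUCCESS
2023-11-01T10:02:00Z 192.0.2.44 bob SUCCESS
2023-11-01T10:02:30Z 192.0.2.44 carol SUCCESS
2023-11-01T10:03:00Z 192.0.2.44 dave SUCCESS
2023-11-01T10:03:30Z 192.0.2.44 erin SUCCESS
2023-11-01T10:04:00Z 192.0.2.44 frank SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source_ip, account, outcome)."""
    ts, ip, account, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_accounts=5, min_fail_ratio=0.8):
    """Return {source_ip: alert} for sources whose login attempts look like a stuffing run.

    A source is flagged when, inside some sliding window of length `window`, it tried at
    least `min_distinct_accounts` different accounts and at least `min_fail_ratio` of those
    attempts failed. Both conditions are needed: one user failing repeatedly has few
    accounts, and a shared office address has many accounts but a low failure rate.
    For each flagged source the alert keeps the window with the most distinct accounts
    and lists the accounts that succeeded inside it (the likely takeovers).
    """
    events_by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, account, outcome = parse_line(line)
            events_by_ip[ip].append((ts, account, outcome))

    alerts = {}
    for ip, events in events_by_ip.items():
        events.sort()  # chronological; tuples sort on the timestamp first
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until events[start:end+1] fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            accounts = {acct for _, acct, _ in win}
            failures = sum(1 for _, _, outcome in win if outcome == "FAIL")
            fail_ratio = failures / len(win)
            if len(accounts) < min_distinct_accounts or fail_ratio < min_fail_ratio:
                continue
            candidate = {
                "distinct_accounts": len(accounts),
                "attempts": len(win),
                "failures": failures,
                "fail_ratio": fail_ratio,
                "window_start": win[0][0].isoformat(),
                "window_end": win[-1][0].isoformat(),
                "compromised_accounts": sorted(
                    {acct for _, acct, outcome in win if outcome == "SUCCESS"}),
            }
            if ip not in alerts or candidate["distinct_accounts"] > alerts[ip]["distinct_accounts"]:
                alerts[ip] = candidate
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, alert)
```

On the constructed log only 203.0.113.7 is flagged (8 accounts, 7 failures, one success for frank), while the single mistyping user and the office address are left alone. The thresholds are deliberately parameters: a SaaS tenant with a large user base behind one corporate proxy needs a higher distinct-account threshold than a small one, and the failure ratio is what separates a stuffing run from a legitimate shared egress.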