
So first of all, it's a pleasure to be here. Thank you to the staff team for this opportunity, and yeah, let's talk about this topic that I like a lot. I was watching some talks here yesterday, you know, people talking about passwords, secrets and things like this, and my idea this morning is to share more. I will divide this presentation in two parts, actually. The first part is more, let's say, the [ __ ] part, it's the theoretical part; I know that you don't like this, but it's necessary, you know. And the second part is more the technical and practical part, the more sexy part, I know.

OK, let me introduce myself again. I'm working now creating this business unit: I'm Director of Threat Research and Advocate at senhasegura. senhasegura is kind of a different name because it's a Brazilian name, and by the way I'm Brazilian, but I live in Portugal, and I hope in the next few months to move to live here in the US. And senhasegura means "password safe", you know, so it makes sense with the track here. This company is responsible for providing some identity solutions and stuff like that, but my idea is not to talk about this company; it's to talk about some research, OK? And I'm very active in different communities, as you can see here: I'm speaking at Red Team Village, Adversary Village, Cloud Village, and I'm a Snyk Ambassador, the open source part of course, not the Enterprise. And I'm one of the advocates of Hacking is NOT a Crime. Has someone here heard about Hacking is NOT a Crime? One person. So the idea behind this project is to spread the message about hacking, because when you talk about hacking it's not really a bad guy or a threat actor; when you sit in front of the TV or a newspaper you see something related to a bad guy, but the hacker is when you're using your creative mind, you discover something and you help some companies, you know. That's the idea behind this concept. And I'm an instructor, and I review those three magazines in Europe, so if you'd like to share some article, probably I review it. And that's me, a good picture for my mother. OK, anyway.

So that's the idea: to create the Identity Threat Lab, to discover how the attackers are using identity to exploit vulnerabilities, to investigate how they're using tokens and secrets, how IAM works and how they are using these secrets to exploit vulnerabilities. If you think about, for example, the attacks that happened in the last few years, you cannot see anything about zero days; usually it's about a third party that someone exploited, or a library in the code, or even a misconfiguration, you know. So that's the idea: to establish this, to understand how to create this research center. So if you have some content about that, I would like to talk with you, to understand more how you do your research and learn from you about that. OK?

Nice, let's talk about our main topic. If you are an expert, if you are a principal, sorry, but I need to put everybody on the same page, so I will talk about something basic and after that we go for some terms. What is a threat? Simple, like this. This is not my definition; according to ISO it is a potential incident that causes something in your organization or system. So we need to understand the threats, OK? It's a software attack, theft of intellectual property or even identity theft, so we are talking about passwords, secrets, tokens and identity, or human identity, so we need to understand those differences. When you talk about identity theft, it's a kind of threat; sabotage and information distortion, like ransomware, are a kind of threat. So this is one term, very simple; probably you already heard about that, or if it's your first time here, this is what threat means, OK?

The other term is high value target. This is interesting, because if you have more experience in the cybersecurity field you know how this term works: when you talk about the domain controller, usually when you think about the high value target in this scenario you understand that the domain controller is the high value target. But what exactly is a high value target? It comes from military terminology: when you need to define any specific person or resource that enemy commanders require to complete a specific mission, OK? So when you think about organizations, we need to think who is the person that can be my high value target. But when you talk about the cloud (remember the title of this conversation is cloud, remember), it's not exactly one single identity; you have many possibilities in the cloud. So if this identity was exposed, what is the impact? Think about that, OK? When you talk about the high value target in our field we can think maybe it is a CEO or a board member or an asset, but on the other hand, if you see here, it's the kind of people that have elevated privilege. So if you think about the cloud, if you divide this room in two parts, here we have one group, and on this other side another group. Here we have many identities, many permissions, many roles, and maybe each person here is inside the group permission, right? And they can be associated to another group; they have a kind of relationship. This is important to understand, OK? So when you talk about the cloud, we have one single identity, this identity has permissions, you have a group, you have a role, and you have many people connected between each identity. So in this case, when you talk about the cloud, everyone can be a high value target. Why? Because the identity and access management permissions in the cloud can give access to specific resources in the cloud. I will explain more.

Another term: attack vector and attack path. The attack vector basically is the method used by the cyber attackers, or attackers, or threat actors (not hackers, OK) to compromise specific systems, OK? It's very common to talk about malware, you know, and phishing, it's a kind of strategy that you're using; think about supply chain. But when you talk about human errors you can see weak credentials (we talk about passwords and tokens and whatever), poor encryption (MD5, SHA-1) and misconfiguration; that's the main point here in our conversation today, OK? And of course all those things allow people to access sensitive data in the cloud. Another term is attack path; basically it is the graph mode (remember the title), the way, the visualization that the attacker is using in the specific environment. So this is a very interesting picture from OWASP; it explains in this case more the security risk, but you can see here for example the threat agent, the attack vector. You can use, for example, a misconfiguration, or even exploit some vulnerability in a specific application. When this thing happens, it's because, for example, the application is vulnerable, or it has some file upload vulnerability, or some path traversal, directory path or anything like this; you can use a command injection, whatever vulnerability, but you gain the access, usually in the web as a user, and you need to escalate privilege in the cloud. So when you exploit some weakness, when you gain the access, you have control of this kind of system; you can impact a specific function, you gain the access, or you can impact the business in this organization, OK?

Now, OK, sorry, this is the [ __ ] part, I know, but now we talk about the more sexy part, OK? So who works with AWS here in this room? OK, I don't need to talk more. Sorry, no, sorry, I'm joking. But that's the point here: if you don't work with AWS, if you work for example with GCP, Azure or even OCI or another cloud provider, the concept behind these ideas is quite the same. Of course, when you talk about Azure for example, they have a subscription, it's quite different; GCP, you need to understand if you're using for example GCP workspace or Google Workspace or something like this. But for example OCI is quite similar to AWS, and other cloud providers; it's a good opportunity to do the research with me, OK? Nice. Just to put everybody on the same page again: AWS IAM basically is the service responsible for managing the identities in the cloud. Talking about AWS specifically, it centralizes the different permissions and how you can provide the access, and which resource, who is responsible for authenticating in this case, or who is authorized to go inside the service. Remember, when you talk about the cloud it's different from virtualization, OK? I like to explain this because in the past we had virtualization. When you talk about the cloud we have services connected like a puzzle, so for this puzzle to work in the right way we need to configure this, basically the IAM. So the IAM will be responsible for giving the access or not, OK? When you enable some EC2 instance, for example, you need to attach some storage behind the EC2 for it to work. It's different when you configure some VM, because with a virtual machine, let's say, when you configure for example a virtual machine you just set CPU, memory and disk, but when you configure some cloud we need to connect those resources, those services, and for those services to work you need to configure this [ __ ] service. I don't know, I cannot use [ __ ], it's not polite, right? OK, sorry. I can use it here? And besides, I can use... thank you sir, I'm relaxed now. Good, good, good, good, good.

OK, so this is how AWS works when you talk about permissions, OK, how you create a specific policy, because if you work with a cloud, mainly AWS, as a security guy you need to configure something; you should, actually we should be looking at the AWS Well-Architected, right? Who knows the Well-Architected Framework? Man, it's so bad, because when I ask who works with AWS I think 93% of this room, you know, hands up, and when I ask about the AWS Well-Architected I just see three people. So we have a problem here, because Well-Architected is a kind of guidance to implement security stuff in the cloud, focused on AWS, so if you don't know it we have a problem here, Houston. That's the big problem, that's the key, because here is how the permission works, OK? We have a kind of statement; it's a kind of part of the information that you can put inside this element, this is the Statement of the permission in AWS. So for this attack to happen, basically you need to look at the Effect, it means Allow or Deny, and the Action is a list of actions that this policy that you create allows or denies, OK? Because again, this is simple. If you see here, this is a simple IAMReadOnlyAccess; this permission is the default, it's a standard from AWS. As you can see, when you configure something in AWS you just go to the permissions and you have the possibility to use those standard policies, like AdministratorAccess, IAMReadOnlyAccess, whatever, S3 bucket permissions, whatever; you have many different standard permissions from AWS. But the key is here: Effect is Allow. Take a look at this Action, it's just List and Get those pieces of information about IAM. And the Resource, if you see here, the asterisk, is it safe? Yeah, yeah, that's a good point, because when you enable this usually AWS gives you some warning, because you should specify the ARN, the AWS resource name, responsible for receiving this permission. So that's the key, but for security, or for the management, it's easier to put... why? The asterisk, it's enough, OK? But take a look at this. I have a question for you: this is just read-only access, so is this permission safe or not? Why not? I cannot write anything.
Water. So what do you think? Good. I don't understand many of the explanations because I cannot hear you, but I agree with everyone; probably those three people explain the same thing. We can read, because you can list, you know, let's say PII information, right? You can list users, you can list groups, you can list policies. So from the attacker perspective, if they gain the access, because basically the only information the attacker needs to have in this case is one secret and one key, and after that they can connect to the AWS console or CLI, in this case the command line interface; they can connect to this account, because these are the two main requirements. The others you can just click and enter, because it's the default, OK, like region and time zone and another I don't remember, but the only information to go inside AWS is the secret and key, remember that, OK? So after that, if you have this permission you can list everything. Maybe it's not too dangerous because you cannot write in the cloud, but for compliance or stuff like that it is complicated, because you can list parts, you can do the enumeration in the cloud. That's the key. But if you see, we can see here only two actions, remember that, OK?

So let's think about some... this is the kind of challenge that we have in our days: the developer team accesses many applications, the DevOps team accesses many systems, the database team, cloud teams; these guys like to use the cloud, I don't know why, but they like to have a permission, I don't know why, but they like it, OK. So in the past we had an admin guy, but nowadays everyone accesses the cloud, even the marketing team. No one here works with marketing, right? It's good. Someone works with marketing? Sorry. But actually they need to use it sometimes because they need to create some advertisement, it's a [ __ ] advertisement, OK, and they ask the developer to create a specific landing page, and they ask the developer to create this. What does the developer do? They create a Lambda service, OK, they run the code, and after the advertisement campaign they delete the code; everything is safe. But now, because for the user to work on this they should have, you know, a service account user, it continues to be there, because they don't delete the user; they just delete the code, because when they create an IAM user they don't need to pay for it. That's the key. Yeah, so because of that, everyone accesses the cloud. I don't want to ask if there is some level here, because it can be... I like everyone, by the way, OK. So we have remote workers; nowadays it's quite hybrid, but some companies continue to have remote workers, and insider [ __ ] threats, OK. They gain the access inside the environment, and that's an interesting point when you talk about insider threats, because sometimes some people imagine that the insider is the guy that works in the dark, you know, but no, it's someone that's near a specific misconfiguration. Pay attention to the marketing guy. Oh yes, the marketing guy, it's the movie guy, exactly. No one in marketing here, right? Just kidding, I know. OK, so that's the key, it's the marketing guy. But nowadays they're using some... they don't disable all policies, they just set some misconfiguration, you know: "oh, there is a kind of error here". That's how the insider threat works, and what is the impact if someone is attacked? Just think about that, OK?

Let's talk about the other sexy part. So for this to happen, to do this attack, actually we need again to have the access key and the secret, or the key and secret, to connect, remember when I mentioned it. So let's suppose that I gain the access, and this is a specific AWS console, so I try to list users, as I asked you before, remember. So just this guy doesn't have, for example, read-only access, because the access is denied. Good point for the security team, you know. I try to list some policies: access denied. And I try to list groups: denied, OK. The security team works well here in this case, for the specific secret and token that I had. So let's suppose now I have a new one, or I would like to show you the impact of one single action. So I create here... I have created a specific policy, and take a look at this: I just put two specific... not two policies, two actions. If you see here, one is inside the permissions management; AWS basically has three groups, one is Write, another is Read and another is Permissions management, and inside each group we have a bunch of actions. So when you enable some standard permissions in the cloud, remember, standard policy in AWS, there are a bunch of actions inside this policy, so because of that it's important to look inside each action. Why, Filipi? Because I will explain now what the impact is, OK? So I put an asterisk here; take a look at the color, you know, this color is, what, I don't know, orange, yellow, I don't know, whatever, but it's a warning, OK? OK, take a look at this: I call it "attack module" and I use it in the customer managed policies, it means I create my own policy, OK? And if you see here, actually I just enable one single action, CreatePolicyVersion. You see the Resource I set for all policies here, the asterisk. This is, remember, the statement that I mentioned; so what is the Effect? Allow, and the Action: CreatePolicyVersion. So let's see the impact. By the way, I wrote an article and I'm publishing it in Pentest Magazine; I think this article is on my LinkedIn as well, so I explain these attacks in detail.

To gain this information I just typed in Google "how can I create the full access in AWS using CLI", and it suggested me this code. If I am, you know, a newbie, I just copy and paste this code. If you see here, the Action is an asterisk, so I can access everything, and let's say I don't have any knowledge about the cloud, so it suggested me some organization stuff here. So if you don't know, an organization is the main account, not the main account, but sometimes the company has an organization, and behind this organization they can have more than 50, 100 accounts if the company is too large; usually they use a different account behind this specific organization. So remember, I just typed in Google and asked how I can have the full access in AWS, and it suggested me this. But on the other hand, if I don't know how I can type in the CLI, you can ask Google how I can create a policy version and it suggests you the AWS code; well, actually, the AWS command. So in the article I put how I discovered this information. Basically, if you see, aws iam, the service, create-policy-version, because I will create a new policy version; I need to set here the ARN, the attack module, and I can set the policy document, as you can see here, and this is the document attacker-exploitation, remember the file that I created here, this is the document, attacker-exploitation, and I set it here, and if you see here I put --set-as-default. What happened in this case? Bam. I had this permission, only one single action, but after that I can escalate privilege, and I have not only the one account, remember, I had one single account, now I have access at organization level. I like the expression, yeah, that's it, you know. The point here is the misconfiguration, in this case; but it's not a misconfiguration, but, you know, the security guy should look at each action inside IAM. But it's too much, Filipi, I know: in AWS you have more than 6,000 permissions, it's a good challenge. But, you know, that's the key: here the attacker can escalate privilege just because you set, in the end, set as default. So after that we can list, you can do many things. Just a simple example of how it works, OK?

How can I see, how can I, you know, not only investigate this but how can I mitigate this, or if I work on the offensive side, for example, how can I exploit this? So this is one of the tools that I would like to share with you; it's an open source tool called Cartography. Basically, if you see here, this is the graph, OK? They use Neo4j; it's very well known when you talk about graphs, the graph mode. You have here, for example, in blue color we have a policy, you have here the principal, or even a statement in this case, and here you can see the AWS groups and here you can see the users. So basically this Cypher query matches the AWS principal, it's a kind of high value target that the tool uses; it will search, or call actually, the policy, it will search inside the policy statement (remember the statement) and it will try to find CreatePolicy: CreatePolicy is another action, CreatePolicyVersion is one action and CreatePolicy is another direct action, but if you set the flag set as default you can again do the same attack. That's the key, because you set it as default. The only point here that does not give success in this case is if you have more than five versions in this custom policy, because AWS only allows five different policy versions, OK? Then that's the key, and after that we return this information in graph mode.

On the other hand, we have another tool called awspx, and I like this picture because you can see how complex it is to work with cloud, because if you see here how many actions you have here. I have here, by the way, I think here I have awspx, so we can set from any place; for example, you can set here the effective admin, it's a kind of high value target they use here. It's very similar, when you think about... who knows BloodHound here in this room? OK, it's very similar, the graph mode, how you can use it and how you can set it, how you can see the same, basically. So if you see here we have some users; these users here work with cybersecurity, let's suppose, I think, no, not suppose, because this guy, this guy here is our C-level in this room, and they have AdministratorAccess; this is the standard policy, you know, from AWS, by the way, I didn't do anything here in this case, it's just AdministratorAccess, standard from AWS. And here I create another permission, Thor Lab, and I create another group level here, the user default that we have here, T, James and Bill, just names, OK. And if you see here, this is the path, and take a look at this one here: I would like to see, for example, people like Thor here, the name Thor, so in B the actions, so we can see here, where's Thor here? It's not Thor, I like this one, Anna. Oh Jesus, where are you, Anna? By the way, Anna is the name of my wife; she will kill me because I used her name. Oh yeah, on top, yeah. Take a look at this one here, so let's see these actions, let's see the impact that she has. My wife, definitely she will kill me. OK, take a look at this lady: we have here CreateLoginProfile, oh, we have ChangePassword here. Why does she need to have this action? "But Filipi, it's the full for it, for AdministratorAccess." That's the key, you know, this is the impact. So we have this one, and this is the explanation using the tool, you know: "grants permission for an IAM user to change their own password". So imagine if this AWS key or secret was exposed: the attacker can change the password and the user is done, is gone, basically, OK?

Nice, so how we can help the community, how my company again can help the community here. I would like to share with you some community product, OK, that you can see in the graph mode; it's the same case, OK, and how you can use it, this is totally free of charge, it's a community version. I will do a demo here, if the lords of demo help me, but I will try, with this internet connection problem; let's see what happens, but I will try, but I have here the demo recorded as well, OK. Basically, let me go to the demo. So you can access here: after you do the registration on this web page, you have here the access, the cloud entitlements, it's a community here, it's just free. You can integrate with three different cloud providers. Again, mainly, when you connect here, you can see some recommendations about the identities, how you can manage them, for example how you can change the AdministratorAccess, how you can change the MFA, some recommendations based on those actions, OK. So we talked about the graphs; I developed in this the attack path mode here, so I just show you the example. So here this user can have this attack path based on the attach policy, this is another action. So if you have this action enabled for each or whatever user that you have in your organization, this user can attach another policy. So if they have some, you know, no high access, no sensitive permission in the cloud, but if they have some attach policy they can attach another policy or role here. Basically, if you see here the description of how we can use it, these are the requirements that you need to have and this is the impact: privilege escalation, credential compromise and operational interference. Basically you can see here, and you can use this again, it's totally free, community, and we are developing this tool, and not only this, but basically the people are using... if you see here, sandbox mode, you see here in the orange color, so you don't need to integrate anything, OK? When you receive the access you have much data populated there, it's fake data of course, but if you'd like to use it in your lab, your environment, whatever you want, you just disable that flag here and you can integrate your environment, like this one here; I have my own lab. Let's see... our, my lady, my wife in this case. Internet problem. And you can see here you can do the integration, but again, the idea here is to, you know, spread the message about identity security and how you can use this product; again, it's totally community. And one of the things that we created, this, for improvement for the future, is to work with AI, GenAI, here in this case. If you see, so we should enable for many users to change these actions about MFA, so we have here this Sec Intelligence: you just click here and it uses AI, suggesting the code, as you can, you know, see, you can use it. So how can I change this action in my environment? Just that you generate it in CloudFormation or Terraform, for example, and after that you just copy this content, create the file and that's it, OK? It's not enabled now, but the future of this project is to have this "apply remediation"; it's a kind of automatic process, OK? So we have here seven fixes, and if you apply remediation it will start to connect to the cloud and work and it will remediate this environment, OK? So you can see, from the attacker perspective, if you work with offensive security you can use it to see how many users you have in your environment with these policies, you can see how we can exploit those guys, and if you work on the defensive side you can see this big, big picture, you can watch it. Again, it's free, and how you can help the community, because we receive a lot of things from the community, basically, OK. I recorded it in case I have some problem, but it's not necessary. And I finish here the presentation, I think 10 minutes before, so I don't know if someone has questions. Not difficult questions. No difficult questions, sir. Go ahead. So there is one question. No difficult questions, sir.
Please, you know, it's difficult, the mic doesn't work. Go ahead.
Let me talk to everybody, everyone's question. Yeah, one second. Yeah, the question is about the attack path: is it related to IAM, how is it connected, about that, right? The attack path basically is how the attacker can see who is, you know, vulnerable to attack the environment. So for example, if you gain the access in the environment, we have two visions here: we have for example the defensive side and the offensive side. So the attack path is totally related to the actions, because to give you this in graph mode I need to have, you know, the identities, I need to have the user, but for each user, when I do the discovery, we need to see how many actions each user has. For example, the attach policy, they need to have three actions mainly, OK: the attach role, attach group and attach user. So we have at this moment... this project has for example four attack modules, but I will create more attack modules. For example, there are specific actions for the S3 bucket, for example PutObject inside the S3 bucket, so I can create an attack specifically for one S3 bucket, another service that the user needs to have, for example, a bunch of actions, but specifically this action, PutObject in the S3 bucket. So when I do the discovery, when we find for example 10 users, I see, OK, I see these 10 users can suffer this attack path, because of this attack module, actually. So the graph mode is just to facilitate the vision, you know, but the characteristic here is how the action is connected to the identities, you know. Did I answer? Yeah. I think we have one more question here, or
there. Thank you. So, I love this talk and I love how you talked about AWS, GCP, Azure; I think those other two cloud platforms don't get a lot of love when we talk about cloud security. To that point, and this is a little bit of moving the goalposts, but I kind of wanted to hear your thoughts on this: there are even more cloud environments that we kind of have to worry about when it comes to permissions. I'll give you an example: Cloudflare. I consider that a cloud environment, and that's something I actively worry about access to. One, I would ask what are the tools that you would point me to to start doing this kind of analysis in those kinds of environments, and two, how would you kind of, hypothetically, even if there isn't a tool, where would you start?

Good question, thank you for asking. Actually, when you talk about that, you mentioned more than cloud providers, you mentioned other platforms, and one of my challenges here in this Identity Threat Labs is to understand how the attackers are using, for example, GitHub Actions, or GitHub, or GitLab. So you can see, think with me, imagine, from the defensive perspective: I can just run the discovery in my environment and I can see the whole path, it comes to, you know, GitHub, and after that they get the access based on CI/CD, the GitHub Actions; based on this integration they are inside Kubernetes, this Kubernetes is inside AWS, because of the permission in AWS you can map the whole thing. That's the idea for the future of this specific project that I'm working on. There is another open source project called Starbase, from JupiterOne, if I remember correctly. This specific project is not focused on security, but it's a data source, a data resource actually, so we can integrate with many providers, not only cloud but for example sometimes a kind of, you know, security solution, like Trend Micro or CrowdStrike; CrowdStrike is not so good, man, OK, anyway. That's the point: when you have the big picture, that's a good, you know, delivery for the companies, that's the idea. I have some research, I did some research focused on Okta, because it's an identity provider, so how they connect with AWS and other services. In my previous company I created another attack module: when the attacker... when you integrate, for example, Active Directory with Azure, not Azure AD but Entra ID, I don't know if Microsoft changed the name again, but anyway, you know, when you integrate this Active Directory with Entra ID you need to install the agent; this agent will be responsible for integrating with Entra ID, and the point is this user needs to have the domain controller permissions from Active Directory, and they create a Microsoft online services account inside the domain controller, and this account will be responsible for connecting with Entra ID. So this service in Entra ID has the high level permissions; I don't remember the name of the high level permission, not the owner, but whatever, it's the high permission. So if you gain the access inside Entra ID here, you can escalate privilege from Entra ID just if you discover the Microsoft online account, because when you install it, usually the administrator doesn't change the standard name of the integration; they use a Microsoft online [ __ ] name, whatever, they don't change it because it's the standard, you know. And if you discover, if you go inside Active Directory and you discover how many Microsoft online accounts you have, you can see how many connector accounts in this specific domain controller you have connected with Entra ID, so you can escalate privilege. Of course, to escalate privilege you need to break this user; it's not too simple to gain the access, but you can see the way, you know, like DCSync or whatever other attack. But that's super nice; we have many things to research when you talk about this topic. Thank you. More questions? I think no, because no more questions. OK, thank you, Filipi. Thank you guys, I appreciate it, have a nice day, everyone.
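The CreatePolicyVersion escalation demonstrated in the talk can be checked for from the defender's side. The following Python is an added example, not code from the talk, the speaker or his product: it scans an IAM policy document for Allow statements that grant iam:CreatePolicyVersion (directly, through a wildcard such as iam:* or *, or through a NotAction that omits it), and scans CloudTrail-style records for a CreatePolicyVersion call that also set the new version as default. The sample policies and records are constructed, and the CloudTrail field names (eventName, requestParameters.policyArn, policyDocument, setAsDefault) are assumed to follow the standard CloudTrail record format.

```python
"""Added example (not from the talk): two defensive checks for the
iam:CreatePolicyVersion + --set-as-default escalation path.
All sample policies and CloudTrail-style records below are constructed."""
import fnmatch
import json

RISKY_ACTION = "iam:CreatePolicyVersion"


def _as_list(value):
    """IAM accepts a string or a list for Statement/Action/NotAction/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action matching is case-insensitive and '*' is a wildcard,
    so the patterns 'iam:*' and '*' both grant iam:CreatePolicyVersion."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_risky_statements(policy_doc, action=RISKY_ACTION):
    """Return [(sid_or_index, [resources])] for every Allow statement that
    grants `action`, by Action match or by a NotAction that leaves it out."""
    hits = []
    for idx, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        granted = any(action_matches(p, action) for p in _as_list(stmt.get("Action")))
        if "NotAction" in stmt and not any(
            action_matches(p, action) for p in _as_list(stmt["NotAction"])
        ):
            granted = True  # NotAction grants everything that is not listed
        if granted:
            hits.append((stmt.get("Sid", idx), _as_list(stmt.get("Resource"))))
    return hits


def grants_full_access(policy_doc):
    """True if an Allow statement has Action '*' (the 'full access' document
    the talk describes being pasted from a web search)."""
    return any(
        stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action"))
        for stmt in _as_list(policy_doc.get("Statement"))
    )


def flag_policy_version_events(events):
    """Flag CloudTrail records where a policy version was created AND set as
    default (the step that changes effective permissions); report the caller,
    the policy ARN and whether the new document is a full-access document."""
    flagged = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") != "CreatePolicyVersion":
            continue
        params = ev.get("requestParameters") or {}
        if not params.get("setAsDefault"):
            continue  # a non-default version grants nothing until promoted
        doc = json.loads(params.get("policyDocument", "{}"))
        flagged.append({
            "actor": (ev.get("userIdentity") or {}).get("arn"),
            "policyArn": params.get("policyArn"),
            "fullAccess": grants_full_access(doc),
        })
    return flagged


# --- constructed sample input (Sid, ARNs and account id are made up) ------
ATTACK_MODULE = {  # the single-action custom policy from the talk
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AttackModule", "Effect": "Allow",
                   "Action": "iam:CreatePolicyVersion", "Resource": "*"}],
}
READ_ONLY = {  # list/get only, as in the read-only policy discussed earlier
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:Get*", "iam:List*"],
                   "Resource": "*"}],
}
FULL_ACCESS_DOC = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})
SAMPLE_EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/anna"},
     "requestParameters": {
         "policyArn": "arn:aws:iam::111111111111:policy/attack-module",
         "policyDocument": FULL_ACCESS_DOC, "setAsDefault": True}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreatePolicyVersion",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/bill"},
     "requestParameters": {
         "policyArn": "arn:aws:iam::111111111111:policy/thor-lab",
         "policyDocument": json.dumps(READ_ONLY), "setAsDefault": False}},
]

if __name__ == "__main__":
    print("risky statements:", find_risky_statements(ATTACK_MODULE))
    print("read-only policy:", find_risky_statements(READ_ONLY))
    for hit in flag_policy_version_events(SAMPLE_EVENTS):
        print("CreatePolicyVersion set as default:", hit)
```

Run against real policy documents pulled with the CLI or real CloudTrail exports, the same two functions give you an inventory of who holds the single action the talk shows and an alert whenever it is actually used to promote a new version.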