
Cloudy With a Chance of Purple Rain: Leveraging Stratus Red Team to Secure Your Clouds

BSides PDX · 2022 · 24:38 · 200 views · Published 2022-10
Category: Technical
Team: Purple
About this talk
This presentation will guide the audience in performing purple team exercises using Stratus Red Team and VECTR. We will demonstrate the ease of use and operational value of Stratus Red Team, an open-source, AWS-focused attack technique tool. We will also demonstrate how VECTR, a free tracking tool, can be used in concert to document and measure the detection and prevention capabilities of red and blue (purple) teams across different attack scenarios, and to easily generate reports on those capabilities.

Code42's Security Operations team leverages purple team methodology to perform collaborative tactic, technique, and procedure (TTP) exercises. Generally, the goals of conducting a purple team exercise are to: test attack techniques against a target organization, improve defenders' identification skills, improve the team's communication process, and foster a collaborative culture between offensive and defensive security teams. This presentation will demonstrate how these free and open-source tools and methodologies can advance the security posture of the organization through the creation of high-fidelity behavior detections, testing defenses and security controls, and demonstrating increased detection capabilities through continuous purple team exercises.

Speaker: Luciano Avendano (https://www.linkedin.com/in/lucianavendan)

BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local, inclusive opportunities for learning, networking, collaboration, and teaching. Twitter: @BSidesPDX
Transcript [en]

Host: Luciano Avendano, with Code42, based out of Minneapolis. His talk is "Cloudy with a Chance of Purple Rain", just a magnificent color scheme, but essentially a presentation on using Stratus Red Team and VECTR to automate and do purple team assessments. Would you say that's fair, in your own... well, he's the authority, I'm gonna shut up. Awesome, thanks.

Luciano Avendano: Thank you, thank you. BSides Portland, thank you very much for the opportunity to come over here and talk a little bit about pen testing in the cloud. For the purpose of the talk I'm focused on AWS mostly, but the tool that I'll be talking about does apply to some of the other cloud vendors like Azure and GCP, and there's some stuff in there for Kubernetes as well too, but for the purpose of the talk, just Amazon AWS.

What I got on the agenda: I'll give a shout out to my purple team at Code42. Over the last few months they've been sort of the inspiration for putting the presentation together. We've had several exercises where we just learned so much about our cloud environment, and we figured, at the end, when we started putting together a lot of these findings, a lot of the stuff that we were working through, the challenges, we're like, you know what, this would be really awesome if we put it together into a presentation and put it out there to the community, and hopefully others can learn from it as well. So ultimately my goal is to give this as another resource for pen testers, red teamers, blue teamers that are using the cloud, either as their CI/CD pipeline, to host their products, whatever your company is using the cloud for; this can hopefully help you. I'll give a little bit of background and context on what we will discuss, a little bit of the preparation and execution that goes into the exercise. After I started going
through this, I realized that this could have been a workshop as well rather than a talk, because a lot of it is obviously hands-on keyboard, working through some of the actual exercises and executing the binary at your terminal. Then I'll talk a little bit about detection and what we use to document it. Detection and documentation could kind of be, and can be, used in the same sense. Lessons learned, and then I'll just conclude with that, but ultimately I hope that you learn a little bit about cloud pen testing.

All right, so shout out to Laura and Zach. They have been instrumental in working, so they're my blue teamers. I'm the only red teamer right now currently with the company. They've been super instrumental in helping me put these exercises together and getting a lot of value from them as we go through them. So we've been working on this for the last several months now, and a lot of value has come out of it, so shout out to them.

All right, a little bit of background on modeling attacker behavior, especially in the cloud. I'll talk a little bit about threat intel, detecting your IOAs and IOCs, indicators of compromise, indicators of attack, a little bit about purple teaming, in case there are some of you that don't understand the concept of purple teaming, and then I'll mention a little bit of the complexities in the cloud and how Stratus can help solve some of those complexities.

So, modeling attacker behavior. I'm sure you've all seen the cyber kill chain, whether it be Lockheed Martin's or the unified kill chain. This is an example of the Mandiant targeted attack lifecycle. I wanted something simple, so I kind of use this. The idea here is that you want to model attacker behavior, especially in the cloud. There are not too many resources that can help you figure out how a lot of attackers are gaining access to or compromising cloud environments. Stratus doesn't really
cover the entire lifecycle. What you'll notice is that Stratus is more of a post-compromise tool that can help you after there's been a breach, but the idea with Stratus is that it'll recreate a lot of that attacker behavior so that your blue team can respond to it more efficiently. So I use this more as just a model. Not only that, but it can also help you develop more of a full kill chain exercise, where your red team can obviously do a lot of the initial recon, a lot of the initial compromise, and then use Stratus as a post-compromise tool.

I'm sure you've all seen the MITRE ATT&CK matrix as well. There's a really good section in there, the cloud matrix. I wanted to mention that as well; this was a really good resource for developing some of our exercises, because you can go through them as part of each one of those phases of the kill chain and see which one of those can apply to Stratus. From there we can organize it and use it more as a blueprint. So I'm just putting it up there for reference.

Threat intel, detecting IOAs. You'll notice that Stratus can also help you, and I'll talk a little bit more about Stratus, I know I'm just mentioning it right now. It'll help you start building a catalog of IOAs and IOCs. If you don't have that right now, it's such a great way to baseline that, because if you get asked the question, okay, what kind of IOAs or IOCs are we looking for in the cloud, and you don't really have a quick answer to that, this will help you build that catalog, so that when you ultimately build detections or alerts out of it, this can become a good reference. Now, I put some SIEM (S-I-E-M) solutions out here, because these are a good way to start collecting a lot of that data. I know some of these are pricey, especially when you work in a small to medium-sized business, but
they ultimately help you collect a lot of that activity, store it in an appliance like Splunk or Sumo Logic, and start building off those queries to build your detection or alerting from it. So again, for the purpose of the talk I'm using AWS. There's a small little CloudTrail snippet of a log entry. You could then either keep it in CloudTrail, which I don't recommend, because it's much harder to parse through a lot of that CloudTrail activity; instead you want to send it off to some log collection system. I could have put ELK up here too as well; that would have sufficed as a good solution.

All right, the concept of purple teaming. It's a buzzword that's kind of been around for a little while now. We've adopted the methodology at our company. It's been working really well; the program just continues to mature. The more and more that we run these exercises, the better it helps us in testing these attack techniques. It's definitely helping improve our defenders, improve our communication; it obviously fosters collaboration, and lessons learned. This model will probably not work for everyone, but it's a good model if you have a good team, a good attitude, a good sense of collaboration, and just the whole communication aspect of it. But the more and more you do this, the better you get at it. So I'm up here telling you that this works; this works if you have a good solid team that will help you improve it. What I didn't mention, though, is the whole concept of purple team: you have your red team, which is your attackers or your offensive security, and you have your blue team, which is your defenders. So when you combine both of them and you work together, obviously you get purple, and that's the naming behind it.

All right, complexities in
the cloud. Difficulty in setting up a testing environment: it can be, and the reason why I bring that up is because you have several cloud providers, and each one of those cloud providers has hundreds of services. Yeah, some of them are similar; there's some overlap between AWS and Azure, for example, in concept, but the naming may not be the same, or the way the authentication and authorization mechanisms work is completely, totally different. They're vendors; their idea is to build a much better model than their counterpart. So that's what makes it complex when you build a testing environment: what cloud provider do I use, what cloud provider is your organization using, or which cloud provider do they intend on utilizing for their services. Emerging threat landscape, that's another big one, because there are so many cloud providers and cloud services; the threat landscape becomes much bigger, the attack surface becomes much bigger, so having a good understanding of that can help out. Different cloud providers and different requirements, I just mentioned that. That's true especially in authentication and authorization; each cloud provider can have a different mechanism for that. Security controls can be challenging. Yes, they can. I just mentioned that each one of those cloud providers can have hundreds of services; how do you protect every one of those? You go to AWS, they have something like CloudWatch that'll help you monitor a lot of your services. Azure has something completely different; GCP, Google Cloud Platform, has a completely different one. So it becomes a huge challenge. I mentioned that new tools and technologies can also present a challenge. So when you incorporate or adopt a new tool, especially if it's a new tool
that nobody has played around with or had time to actually try out, it can be challenging, because you have to learn how to deploy it, you have to learn how to teach others how to deploy it and use it. It may require several dependencies, either software or hardware; it may require support and maintenance. All these things go into implementing a new tool, and for some it could become a roadblock, especially in lean security teams, where your security team is only maybe three or four people and they're all doing all those security things.

So I present to you Stratus Red Team. All right, I'm gonna give a huge shout out to Christophe Tafani-Dereeper. He's an employee at Datadog; he's the one that currently is maintaining it, and it's open source, so there are several people that are contributing to it. What it is is just a collection of cloud-native attacks. Currently AWS has the most attacks as part of the tool; they just started adding more for GCP, and there are some attacks for Kubernetes and Azure as well. Very similar concept to Atomic Red Team by Red Canary, if you're all familiar with it. It's just a collection of attacks that you can deploy in your own corporate network or corporate system and infrastructure, that can help you run these attacks, exploit a system or exploit some file system and gather passwords, and help the blue team detect those. Very similar concept; that's exactly what Stratus is doing. So when you run Stratus, it will launch an attack, it'll generate all of the activity, and allow the defenders to then look at that activity so they can build your IOAs and IOCs out of that, or your detection rules and alerts. It easily maps to MITRE ATT&CK, and it's executed via CLI, so there are no complex systems that you have to set up for it. It's a Go binary, as I'll mention in the next
slide here. It's a Go binary that you can easily pull down from the GitHub repo and deploy on any Linux, Windows or macOS endpoint. The easiest way that I found, personally, to deploy it is just to download the binary, because then I can just move it around, or not even that, it just makes it easier: it's already compiled for your operating system and you don't have any other dependencies to install with it. You could also use brew install on macOS if you want to go that route, or you can also just pull down the Docker image as well. It does have one third-party dependency, but it is part of Stratus, and that's the beauty of it: it's HashiCorp's Terraform. If you haven't heard of Terraform, it's an awesome, basically, instrumentation tool. It has an AWS CLI API that's able to connect to your AWS and set up a lot of the infrastructure, the prerequisite infrastructure, as part of the attack, and we'll dive into it a little bit later. But there's no extra installation for it: the first time you run Stratus, it actually pulls down the Terraform binary from the correct source. It doesn't actually go out anywhere else to pull it down, so if you're running Terraform already in your environment, it doesn't mess with that version of Terraform. This is sort of a self-contained, locally controlled version on your file system; it has nothing to do with any other version of it.

Some of the key concepts. So, four main key concepts for Stratus. There's a warm-up, where you run the warm-up command, and that's where it sets up your prereq infrastructure without detonating, so it doesn't actually launch the attack yet. It has to make sure that that prerequisite infrastructure exists, and what I mean by that, for example: if we are going to try and exfiltrate an S3 bucket, well, it won't mess with any existing S3 buckets currently in your AWS environment; it's
going to create one as part of the warm-up. That's the one that we're going to mess with as part of the test. That's why I point out that it's good to have a good testing environment, whether it be a free account that you get with AWS, that way you're not messing with anything production. All we're getting from running Stratus is the log activity; that's what we're interested in: when we run one of these techniques, what does it actually look like in the log? And we're gonna see that right now. Detonate actually executes the attack. Revert can put you back to a state where you can re-detonate an attack, so if you wanted to rerun the same attack multiple times, the revert command can put you into that state where you can rerun it again. And then cleanup. This is one of my favorite features of this tool: a cleanup will basically leave everything back the way it started. So if it created an S3 bucket, it'll delete that S3 bucket, so that you don't have any dangling resources left behind. That's awesome; not a lot of tools do that. If you all are familiar with pen testing tools for the cloud, there's a framework called Pacu which is very similar, except that Pacu doesn't actually create any prereq infrastructure for it. With Pacu you're just pen testing your production environment, essentially, if that's the route you go. With Stratus, it creates the prereq environment for you so that it doesn't mess with any of your production resources. So it's as easy as having an AWS account ready to go; you can list all the attack techniques that are available, and you just detonate it. That's as easy as it gets; there's no extra fluff that you have to add to it.

Under the hood, so here's what it does. I mentioned warm-up, to create that prereq. So on the left frame we have our Terraform main
.tf file. Stratus creates this for you. It says, okay, for this one I'm launching... I can't even see my own slides, ah, this one: this attack technique is going to grab EC2 password data for Windows EC2 instances. You don't have to have EC2 instances already set up in your environment; Terraform is going to create it for you. So this first file, as you run warm-up, it's going to create that infrastructure for you, it's going to add the necessary roles to it, and then it's just going to sit there and wait for you to detonate it. Once you're ready to do the attack, your blue team is ready, like all right, we're ready to parse those logs, start sifting through those logs, you hit detonate and it does the attack. This one specifically, I'm running a GetPasswordData function, so that's what you would be seeing on the other end. So I use CloudTrail as sort of the log activity that's happening. What Stratus did, what the developer did, which is a great design: instead of just having tons of this activity and sifting through it and trying to figure out, well, which are the events that I'm interested in that Stratus created, he prepended a user agent with Stratus in it, with just a UUID that's kind of arbitrary. But as your blue team is going through the logs and looking for this activity, they just search for Stratus and it'll find all the activity that Stratus created. Detonation, that's when you actually execute it. So once you execute the attack... I can only have two more minutes? All right.

VECTR, those are the other two. So this is a tool that we use for actually collecting and documenting that data. VECTR is currently developed by Security Risk Advisors. It's a free documentation tool; it's really good for purple teaming as well. I have the "no more spreadsheets" little cancellation over here, because when we
started these exercises we were using spreadsheets. Very easily, very quickly, that got very unmanageable, so we started using VECTR. It's a web-based GUI; it basically collects all that information. Quick concept: so you have an assessment, you can start the assessment, you have a campaign, which is a group of tests under the assessment, and then all your test cases, and these are your attack techniques. So it basically organizes all this information for you. I'm going to forward this. Here's where we start our actual purple team in VECTR. We can create a new assessment, a new campaign. That's the cool little GUI window where you actually enter your attack technique and start documenting that. The left side is your red team, the right side is your blue team. Here I'm using... yeah, so a few years ago, 2020, 2021, Ubiquiti had an insider incident, where an insider employee was basically impersonating an attacker. They were managing an AWS account, and one of the things that they did to cover their tracks is they set a lifecycle rule in their AWS policy to delete any logs after one day. So there's an attack technique for that, and if you wanted to see what that looked like, you could use Stratus to run that attack. For this example, that's exactly what I'm using. And there it is, I highlighted it right there. So I ran that attack using Stratus, I go over to CloudTrail, I'm using just CloudTrail for this example, and that's what that activity would look like. I have the API, the lifecycle configuration, there are some of the parameters that are part of it, and the expiration date is set to one. So that's the activity that I'm interested in. So when I share that with the blue team, or the blue team actually finds that, that's what they would be looking for. From there they can obviously create an alert or document it. So
here I walk thro
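As an added example (not code from the talk, from Code42, or from the Stratus Red Team project), here is a small Python detection pass over constructed CloudTrail-style records that implements the two checks the speaker describes for the blue team: matching the Stratus user-agent marker, and flagging a PutBucketLifecycle call whose rule expires objects after one day, as in the Ubiquiti-style log-deletion technique. The record layout and the handling of a single rule as an object versus several rules as a list are assumptions about CloudTrail's JSON, and the sample events, bucket names, instance ID and UUID are made up.

```python
import re

# Constructed CloudTrail-style records for this example (not real log data).
# Field names follow CloudTrail's record format; bucket names, the instance ID
# and the user-agent UUID are made up.
SAMPLE_EVENTS = [
    {   # the lifecycle rule from the talk: expire objects after one day
        "eventName": "PutBucketLifecycle",
        "userAgent": "stratus-red-team_00000000-0000-4000-8000-000000000001",
        "requestParameters": {
            "bucketName": "constructed-trail-bucket",
            "LifecycleConfiguration": {
                "Rule": {"ID": "expire-fast", "Status": "Enabled",
                         "Expiration": {"Days": 1}}}}},
    {   # ordinary housekeeping: a year of retention, no Stratus tag
        "eventName": "PutBucketLifecycle",
        "userAgent": "aws-cli/2.0.0",
        "requestParameters": {
            "bucketName": "constructed-archive-bucket",
            "LifecycleConfiguration": {
                "Rule": [{"ID": "archive", "Status": "Enabled",
                          "Expiration": {"Days": 365}}]}}},
    {   # the EC2 password-data technique shown earlier in the talk
        "eventName": "GetPasswordData",
        "userAgent": "stratus-red-team_00000000-0000-4000-8000-000000000001",
        "requestParameters": {"instanceId": "i-constructed0001"}},
]

STRATUS_UA = re.compile(r"stratus", re.IGNORECASE)

def is_stratus_tagged(event):
    """True when the user agent carries the Stratus Red Team marker."""
    return bool(STRATUS_UA.search(event.get("userAgent", "")))

def short_expiration_days(event, max_days=1):
    """Expiration periods (days) of lifecycle rules at or below max_days."""
    if event.get("eventName") != "PutBucketLifecycle":
        return []
    rules = (event.get("requestParameters", {})
             .get("LifecycleConfiguration", {}).get("Rule", []))
    if isinstance(rules, dict):      # one rule is an object, several are a list
        rules = [rules]
    hits = []
    for rule in rules:
        days = rule.get("Expiration", {}).get("Days")
        if isinstance(days, int) and days <= max_days:
            hits.append(days)
    return hits

def detect(events):
    """One finding per event: short-lived lifecycle rule, else Stratus tag."""
    findings = []
    for ev in events:
        bucket = ev.get("requestParameters", {}).get("bucketName")
        days = short_expiration_days(ev)
        if days:
            findings.append({"rule": "s3-lifecycle-short-expiration",
                             "eventName": ev["eventName"], "bucket": bucket,
                             "days": days, "stratus": is_stratus_tagged(ev)})
        elif is_stratus_tagged(ev):
            findings.append({"rule": "stratus-tagged-activity",
                             "eventName": ev["eventName"], "bucket": bucket,
                             "days": [], "stratus": True})
    return findings
```

The year-long housekeeping rule produces no finding, which is the point of thresholding on the expiration period rather than alerting on every lifecycle change.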