
ATTACKing the Cloud: Hopping Between the Matrices

From MITRE ATT&CKcon Power Hour November 2020

By Anthony Randazzo, Global Response Lead, Expel

The team at Expel has been migrating to the cloud for the last 10 years, but as usual, security has lagged behind, which means we don't have a comprehensive detection and response framework for cloud like we do with the Enterprise ATT&CK matrix. Cloud has evolved into a complex beast as technologies and concepts – like Infrastructure as Code, containers, Kubernetes and so forth – have emerged. These new attack surfaces introduce additional challenges to detection and response in our cloud environments. We don't know what we don't know about attack life cycles in the cloud. In this presentation from the MITRE ATT&CKcon Power Hour session on November 12, 2020, Anthony shares some lessons learned so far when it comes to finding bad guys in the cloud.


  1. © 2020 Expel, Inc. ATT&CKing the Cloud: Hopping Between the Matrices. November 12, 2020 | Anthony Randazzo
  2. GetCallerIdentity
     ~1.5 years leading response @ Expel; 12+ years of SecOps (iSIGHT/FireEye, Fortune 25 Detection & Response)
     Disclaimer: not a cloud expert, but a frequent AWS D&R blog contributor
     Kids, LEGO, whiskey
  3. Agenda
     ATT&CK for Cloud as we see it
     Defending the control plane
     Real-world incident
     Other applications of ATT&CK for Cloud
     Takeaways
  4. So what exactly is ATT&CK for Cloud? Infrastructure-as-a-Service and Software-as-a-Service
  5. How is this different from Enterprise ATT&CK? Enterprise matrices vs. Cloud matrices: very different attack surfaces!
  6. Control/Management Plane. And many more...
  7. A shared responsibility... Source: AWS
  8. We have to protect this control plane, right? This informs our detection strategy for the cloud attack surface. What do we detect? Where do we even start? How many AWS APIs are available in this control plane? Almost 10,000, you say?
  9. How'd we build detections? Using OSTs, of course! Source: Rhino Security Labs
  10. What did an attack look like? An unconventional coin miner...
  11. What did the ATT&CK look like? AWS [IaaS] Cloud
  12. What did the ATT&CK look like? Enterprise Linux
  13. More examples of hopping between matrices!
      AWS CLI access from multiple compromised keys > SSH access into EC2
      boto3 SDK access of AWS SSM > sudo Linux access (red team)
      SSRF exploitation > EC2 instance credential access to the control plane
      RDS database ransom > used CloudTrail to identify when the weak password change occurred
  14. AWS mind map for investigations and incidents, organized by MITRE ATT&CK tactics. Sign up for an advance copy of our cheat sheet and AWS mind map:
  15. Takeaways: With lots of attack surface in the cloud, understanding both cloud and enterprise ATT&CK will help. attacks in the cloud than in an enterprise [Windows] environment. Cloud control planes are a target for automated attacks. This is the trend
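Slide 13 lists hops where the first half of the attack happens in the AWS control plane and the second half on a host, or the other way round. What the slide does not show is what the control-plane half looks like in CloudTrail, which is where the detections on slide 8 have to start. The following is an added example, written for this page and not code from the talk or from Expel: three small CloudTrail detections over constructed records, one per hop on the slide. The record shapes follow the CloudTrail schema (userIdentity, sessionContext.ec2RoleDelivery for instance-profile credentials, requestParameters for RDS calls); the account number, ARNs, key IDs, instance ID, IP addresses, the expected-IP inventory and the rule names and threshold are all invented for the example.

```python
from collections import defaultdict
import json
from typing import Dict, Iterable, List, Set

def make_instance_identity(role: str, instance_id: str, key: str) -> dict:
    """userIdentity as CloudTrail records credentials fetched from the EC2 metadata
    service: type AssumedRole, role session name == instance ID, ec2RoleDelivery set."""
    return {"type": "AssumedRole",
            "principalId": f"AROAEXAMPLEID:{instance_id}",  # constructed
            "arn": f"arn:aws:sts::123456789012:assumed-role/{role}/{instance_id}",
            "accessKeyId": key,
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": role},
                               "ec2RoleDelivery": "2.0"}}

def make_user_identity(name: str, key: str) -> dict:
    return {"type": "IAMUser", "userName": name, "accessKeyId": key}

def make_record(source: str, name: str, ip: str, identity: dict, params=None) -> dict:
    """Minimal CloudTrail record; timestamp and region are constructed."""
    return {"eventTime": "2020-11-01T10:00:00Z", "eventSource": source, "eventName": name,
            "awsRegion": "us-east-1", "sourceIPAddress": ip, "userIdentity": identity,
            "requestParameters": params}

# Constructed inventory: the public IP each instance is expected to call AWS from.
INSTANCE_PUBLIC_IPS = {"i-0abc123def456789a": "198.51.100.10"}

SAMPLE_RECORDS = [  # constructed; identifiers, IPs and account number are invented
    # SSRF hop: instance-role credentials replayed from an attacker-controlled IP
    make_record("iam.amazonaws.com", "ListUsers", "203.0.113.45",
                make_instance_identity("WebAppRole", "i-0abc123def456789a", "ASIAEXAMPLE000000001")),
    # Same role used from the instance itself: benign
    make_record("s3.amazonaws.com", "GetObject", "198.51.100.10",
                make_instance_identity("WebAppRole", "i-0abc123def456789a", "ASIAEXAMPLE000000001")),
    # RDS ransom hop: master password reset (CloudTrail masks the value as ****)
    make_record("rds.amazonaws.com", "ModifyDBInstance", "203.0.113.45",
                make_user_identity("deploy", "AKIAEXAMPLE000000002"),
                {"dBInstanceIdentifier": "prod-db", "masterUserPassword": "****",
                 "applyImmediately": True}),
    # Compromised-keys hop: a second stolen key tested from the same attacker IP
    make_record("sts.amazonaws.com", "GetCallerIdentity", "203.0.113.45",
                make_user_identity("ops", "AKIAEXAMPLE000000003")),
    # Normal use of the deploy key from the office range: benign
    make_record("ec2.amazonaws.com", "DescribeInstances", "192.0.2.7",
                make_user_identity("deploy", "AKIAEXAMPLE000000002")),
]

def load_records(trail_file_text: str) -> List[dict]:
    """CloudTrail delivers JSON files shaped {"Records": [...]} (gzip already removed)."""
    return json.loads(trail_file_text)["Records"]

def instance_creds_used_off_host(ev: dict, instance_ips: Dict[str, str]) -> bool:
    """Instance-profile credentials used from an IP other than the instance's own."""
    ident = ev.get("userIdentity") or {}
    if ident.get("type") != "AssumedRole" or "ec2RoleDelivery" not in (ident.get("sessionContext") or {}):
        return False
    session_name = ident.get("arn", "").rsplit("/", 1)[-1]
    if not session_name.startswith("i-"):
        return False
    expected = instance_ips.get(session_name)
    # Unknown instance: nothing vouches for the IP, so flag rather than silently pass.
    return expected is None or ev.get("sourceIPAddress") != expected

def rds_master_password_changed(ev: dict) -> bool:
    """ModifyDBInstance carrying masterUserPassword; key on presence, the value is masked."""
    return (ev.get("eventSource") == "rds.amazonaws.com"
            and ev.get("eventName") == "ModifyDBInstance"
            and "masterUserPassword" in (ev.get("requestParameters") or {}))

def keys_per_source_ip(events: Iterable[dict]) -> Dict[str, Set[str]]:
    """Distinct access key IDs (AKIA long-term, ASIA temporary) seen per source IP."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        key = (ev.get("userIdentity") or {}).get("accessKeyId")
        if key:
            seen[ev.get("sourceIPAddress", "unknown")].add(key)
    return dict(seen)

def run_detections(events: List[dict], instance_ips: Dict[str, str],
                   key_threshold: int = 2) -> List[str]:
    """One finding string per alert: the CloudTrail side of each hop on slide 13."""
    findings = []
    for ev in events:
        if instance_creds_used_off_host(ev, instance_ips):
            findings.append(f"instance-role-creds-off-host {ev['eventName']} from {ev['sourceIPAddress']}")
        if rds_master_password_changed(ev):
            db = ev["requestParameters"].get("dBInstanceIdentifier", "?")
            findings.append(f"rds-master-password-change {db} from {ev['sourceIPAddress']}")
    for ip, keys in keys_per_source_ip(events).items():
        if len(keys) >= key_threshold:
            findings.append(f"multiple-access-keys-from-ip {ip} used {len(keys)} keys")
    return findings

if __name__ == "__main__":
    print("\n".join(run_detections(SAMPLE_RECORDS, INSTANCE_PUBLIC_IPS)))
```

Run as-is it reports the three hops and stays quiet on the two benign records. The off-host rule is the one that needs care in a real account: the expected-IP inventory has to come from EC2 describe data rather than a hand-written map, calls made through a NAT gateway show the NAT's address, and calls made through a VPC endpoint show the instance's private IP, so all of those belong in the inventory or the rule will page on legitimate traffic.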