Can't Touch This: Detecting Lateral Movement In Zero Touch Environments
0 likes10 views
The document discusses detecting lateral movement in zero-touch environments, highlighting the evolution from traditional deployment methods that require human interaction to automated, secure processes. It emphasizes the risks associated with manually stored credentials in traditional setups and presents strategies for monitoring network connections to safeguard against unauthorized access. The presentation encourages organizations to adopt zero-touch practices and tailor detection mechanisms to enhance security.
Can't Touch This: Detecting Lateral Movement In Zero Touch Environments
- 1. Can’t Touch This: Detecting Lateral Movement in Zero-Touch Environments Phillip Marlow DEFCON AppSec Village 2020 Approved for Public Release; Distribution Unlimited. Case Number 20-2014
- 2. Disclaimers & Acknowledgements Approved for Public Release; Distribution Unlimited. Case Number 20-2014 ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author. Research conducted to fulfill degree requirements for the SANS Technology Institute’s Master of Science degree. Thank you to Tanya Baccam, Faculty Research Advisor Thank you to my wife Madeline, whom I also don’t speak for in this presentation.
- 3. > whoami • Security + DevOps = • Wrote my first vulnerable code in elementary school • Began learning to write exploit code in middle school • First time DEF CON speaker • Learning through hacking
- 4. Why should I care about DevOps? • Running any applications? That’s just the way it is now. • It’s also better for security @redteamwrangler https://teespring.com/shop/my-c2-has-five-nines-front
- 5. Attacker’s Options Internet Workstation Bastion App Server Source Repo Test Servers Configuration Server 1 2 3
- 6. Traditional Application Deployment • Developer gives Ops a deployment package and install instructions • Ops logs in to app server, manually installs software • Time to patch? Another manual login and install
- 7. Traditional Lateral Movement • To login and do configuration, Ops has highly privileged credentials • Often the credentials are stored in plaintext on Ops workstations: • SSH Keys, e.g. ~/.ssh/id_rsa • API Tokens/Keys, e.g. ~/.aws/credentials • Attackers use these to move deeper into the environment to steal data, install malware, steal compute resources, etc
- 8. What is Zero-Touch? • Google defined Zero-Touch Networking/Production • Used by mature DevOps organizations https://www.usenix.org/sites/default/files/conference/ protected-files/srecon19emea_slides_wolafka.pdf https://storage.googleapis.com/pub-tools-public- publication-data/pdf/45687.pdf
- 10. Zero-Touch Deployment Internet Workstation Bastion App Server Source Repo Test Servers Configuration Server 3
- 12. Lateral Movement in a Zero-Touch Network Internet Workstation Bastion App Server Source Repo Test Servers Configuration Server
- 13. Detecting Lateral Movement • Define protected servers • Define human access points • Watch for ANY connections from the manual access points to protected servers • Alert, investigate, etc… • Profit!
- 14. Demo Time
- 15. Next Steps • If you’re not zero-touch yet – do it! • Implement this detection on your platform of choice • Tailor it to your specific environment • Correlate these events with other suspicious traffic
- 16. Lessons Learned • Know your network • Don’t be afraid to look for stupid simple things