SlideShare a Scribd company logo

Can't Touch This: Detecting Lateral Movement In Zero Touch Environments

Phillip Marlow, profile picture
Phillip Marlow

The document discusses detecting lateral movement in zero-touch environments, highlighting its importance for security in modern applications. It explains how traditional deployment allows attackers to use privileged credentials while zero-touch deployment minimizes human interaction, thereby enhancing security. Key recommendations include defining protected servers, monitoring access points, and adapting detection strategies to specific environments.

Technology
1 of 18
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Can’t Touch This: Detecting Lateral Movement in Zero-Touch Environments Phillip Marlow DEF CON Cloud Village 2020 Approved for Public Release; Distribution Unlimited. Case Number 20-2069
Disclaimers & Acknowledgements Approved for Public Release; Distribution Unlimited. Case Number 20-2069 ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author. Research conducted to fulfill degree requirements for the SANS Technology Institute’s Master of Science degree. Thank you to Tanya Baccam, Faculty Research Advisor Thank you to my wife Madeline, whom I also don’t speak for in this presentation.
> whoami • Security + DevOps = • Wrote my first vulnerable code in elementary school • Began learning to write exploit code in middle school • First time DEF CON speaker • Learning through hacking
Why Should I Care About DevOps? • Running any applications? That’s just the way it is now. • Cloud native • It’s also better for security @redteamwrangler https://teespring.com/shop/my-c2-has-five-nines-front
Attacker’s Options Internet Workstation Bastion App Server Source Repo Test Servers Configuration Server 1 2 3
Traditional Application Deployment • Developer gives Ops a deployment package and install instructions • Ops logs in to app server, manually installs software • Time to patch? Another manual login and install
Traditional Lateral Movement • To log in and do configuration, Ops has highly privileged credentials • Often the credentials are stored in plaintext on Ops workstations: • SSH Keys, e.g. ~/.ssh/id_rsa • API Tokens/Keys, e.g. ~/.aws/credentials • Attackers use these to move deeper into the environment to steal data, install malware, steal compute resources, etc
What Is Zero-Touch? • Google defined Zero-Touch Networking/Production • Used by mature DevOps organizations https://www.usenix.org/sites/default/files/conference/ protected-files/srecon19emea_slides_wolafka.pdf https://storage.googleapis.com/pub-tools-public- publication-data/pdf/45687.pdf
Zero-Touch Deployment https://www.usenix.org/sites/default/files/conference/protected-files/srecon19emea_slides_wolafka.pdf No Humans
Zero-Touch Deployment Internet Workstation Bastion App Server Source Repo Test Servers Configuration Server 3
Traditional Lateral Movement Internet Workstation Bastion App Server
Lateral Movement in a Zero-Touch Network Internet Workstation Bastion App Server Source Repo Test Servers Configuration Server
Detecting Lateral Movement • Define protected servers • Define human access points • Watch for ANY connections from the manual access points to protected servers • Alert, investigate, etc… • Profit!
Demo Time
But What About Cloud?! • Traffic Mirroring/Virtual Network Tap/Packet Mirroring • Flow Logs • Tagging/Asset Inventory is important • But… there are visibility challenges
Next Steps • If you’re not zero-touch yet – do it! • Implement this detection on your platform of choice • Tailor it to your specific environment • Correlate these events with other suspicious traffic
Lessons Learned • Know your network • Don’t be afraid to look for stupid simple things
Thank You! Phillip Marlow @wolramp

More Related Content

PPTX
Can't Touch This: Detecting Lateral Movement In Zero Touch Environments
Phillip Marlow
 
PPTX
Can't Touch This: Detecting Lateral Movement In Zero Touch Environments
Phillip Marlow
 
PDF
Dave Lewis | Zero Trust & The Flaming Sword of Justice | Codemotion Madrid 2018
Codemotion
 
PDF
ZTNA(7.2 CONFIG AND LAB TEST FORTINET 2022
gagip37481
 
PDF
BATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern
 
PDF
Zero Trust Best Practices for Kubernetes
NGINX, Inc.
 
PDF
Fortinet ZTNA - Um contexto de sua Implementação
mjssbahia
 
PPTX
zerotrustmodelpresentation-200107094517.pptx
niyazhasanov35
 
Can't Touch This: Detecting Lateral Movement In Zero Touch Environments
Phillip Marlow
 
Can't Touch This: Detecting Lateral Movement In Zero Touch Environments
Phillip Marlow
 
Dave Lewis | Zero Trust & The Flaming Sword of Justice | Codemotion Madrid 2018
Codemotion
 
ZTNA(7.2 CONFIG AND LAB TEST FORTINET 2022
gagip37481
 
BATbern48_How Zero Trust can help your organisation keep safe.pdf
BATbern
 
Zero Trust Best Practices for Kubernetes
NGINX, Inc.
 
Fortinet ZTNA - Um contexto de sua Implementação
mjssbahia
 
zerotrustmodelpresentation-200107094517.pptx
niyazhasanov35
 

Similar to Can't Touch This: Detecting Lateral Movement In Zero Touch Environments (20)

PDF
Zero Trust Model Presentation
Gowdhaman Jothilingam
 
PDF
How Zero-Touch Deployment Reduces Onboarding Time.pdf
ample1165
 
PDF
zero trust - how to build zero trust.pdf
AliAlwesabi
 
PPTX
Finding Security a Home in a DevOps World
Shannon Lietz
 
PDF
Deepfence.pdf
Vishwas N
 
PPTX
Adopting A Zero-Trust Model. Google Did It, Can You?
Zscaler
 
PDF
Zero Trust Networks Evan Gilman Doug Barth
xovaniparpov15
 
PDF
Zero Trust Networks Evan Gilman Doug Barth
buracakerina41
 
PPTX
Zero Trust
Boaz Shunami
 
PDF
How Zero Trust Makes the Mission Simple & Secure
scoopnewsgroup
 
PDF
Mfg workshop security
Robert Albach
 
PPTX
Cloud Native Summit 2019 Summary
Everett Toews
 
PDF
Design Implications, Challenges and Principles of Zero-Touch Management Envir...
Michelle Holley
 
PPTX
Zero trust model for cloud computing.pptx
kkhhusshi
 
PDF
Zero trust server management - lightning
Kevin Gilpin
 
PPTX
Zero Trust Networks
Practical Code, LLC
 
PPSX
Zero-Trust SASE DevSecOps
Araf Karsh Hamid
 
PPTX
microsoft-cybersecurity-reference-architectures (1).pptx
GenericName6
 
PPTX
Overview of Google’s BeyondCorp Approach to Security
Priyanka Aash
 
PDF
Zero trust in a hybrid architecture
Hybrid IT Europe
 
Zero Trust Model Presentation
Gowdhaman Jothilingam
 
How Zero-Touch Deployment Reduces Onboarding Time.pdf
ample1165
 
zero trust - how to build zero trust.pdf
AliAlwesabi
 
Finding Security a Home in a DevOps World
Shannon Lietz
 
Deepfence.pdf
Vishwas N
 
Adopting A Zero-Trust Model. Google Did It, Can You?
Zscaler
 
Zero Trust Networks Evan Gilman Doug Barth
xovaniparpov15
 
Zero Trust Networks Evan Gilman Doug Barth
buracakerina41
 
Zero Trust
Boaz Shunami
 
How Zero Trust Makes the Mission Simple & Secure
scoopnewsgroup
 
Mfg workshop security
Robert Albach
 
Cloud Native Summit 2019 Summary
Everett Toews
 
Design Implications, Challenges and Principles of Zero-Touch Management Envir...
Michelle Holley
 
Zero trust model for cloud computing.pptx
kkhhusshi
 
Zero trust server management - lightning
Kevin Gilpin
 
Zero Trust Networks
Practical Code, LLC
 
Zero-Trust SASE DevSecOps
Araf Karsh Hamid
 
microsoft-cybersecurity-reference-architectures (1).pptx
GenericName6
 
Overview of Google’s BeyondCorp Approach to Security
Priyanka Aash
 
Zero trust in a hybrid architecture
Hybrid IT Europe
 
Ad

Recently uploaded (20)

PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Cloud computing and distributed systems.
kkkkkhan
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Approach and Philosophy of On baking technology
30anthuong17
 
Ad

Can't Touch This: Detecting Lateral Movement In Zero Touch Environments

  • 1. Can’t Touch This: Detecting Lateral Movement in Zero-Touch Environments Phillip Marlow DEF CON Cloud Village 2020 Approved for Public Release; Distribution Unlimited. Case Number 20-2069
  • 2. Disclaimers & Acknowledgements Approved for Public Release; Distribution Unlimited. Case Number 20-2069 ©2020 The MITRE Corporation. ALL RIGHTS RESERVED. The author's affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE's concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author. Research conducted to fulfill degree requirements for the SANS Technology Institute’s Master of Science degree. Thank you to Tanya Baccam, Faculty Research Advisor Thank you to my wife Madeline, whom I also don’t speak for in this presentation.
  • 3. > whoami • Security + DevOps = • Wrote my first vulnerable code in elementary school • Began learning to write exploit code in middle school • First time DEF CON speaker • Learning through hacking
  • 4. Why Should I Care About DevOps? • Running any applications? That’s just the way it is now. • Cloud native • It’s also better for security @redteamwrangler https://teespring.com/shop/my-c2-has-five-nines-front
  • 5. Attacker’s Options Internet Workstation Bastion App Server Source Repo Test Servers Configuration Server 1 2 3
  • 6. Traditional Application Deployment • Developer gives Ops a deployment package and install instructions • Ops logs in to app server, manually installs software • Time to patch? Another manual login and install
  • 7. Traditional Lateral Movement • To log in and do configuration, Ops has highly privileged credentials • Often the credentials are stored in plaintext on Ops workstations: • SSH Keys, e.g. ~/.ssh/id_rsa • API Tokens/Keys, e.g. ~/.aws/credentials • Attackers use these to move deeper into the environment to steal data, install malware, steal compute resources, etc
  • 8. What Is Zero-Touch? • Google defined Zero-Touch Networking/Production • Used by mature DevOps organizations https://www.usenix.org/sites/default/files/conference/ protected-files/srecon19emea_slides_wolafka.pdf https://storage.googleapis.com/pub-tools-public- publication-data/pdf/45687.pdf
  • 12. Lateral Movement in a Zero-Touch Network Internet Workstation Bastion App Server Source Repo Test Servers Configuration Server
  • 13. Detecting Lateral Movement • Define protected servers • Define human access points • Watch for ANY connections from the manual access points to protected servers • Alert, investigate, etc… • Profit!
  • 15. But What About Cloud?! • Traffic Mirroring/Virtual Network Tap/Packet Mirroring • Flow Logs • Tagging/Asset Inventory is important • But… there are visibility challenges
  • 16. Next Steps • If you’re not zero-touch yet – do it! • Implement this detection on your platform of choice • Tailor it to your specific environment • Correlate these events with other suspicious traffic
  • 17. Lessons Learned • Know your network • Don’t be afraid to look for stupid simple things