SlideShare a Scribd company logo

Cloud Attacks: A Live Simulation of Cloud MIsconfiguration Attacks

Download as PPTX, PDF
D
DiemShin

The presentation by Josh Stella at InfoSec World focuses on the significant security risks posed by cloud misconfiguration, which is a primary factor in most cloud service attacks. It includes a live demonstration of misconfiguration exploits and offers actionable steps for securing cloud environments, such as implementing monitoring and the principle of least privilege. Key recommendations highlight the importance of automated remediation, clean-up of unused resources, and inclusion of cloud misconfiguration in penetration testing.

Software
Related topics:
Cloud Security Insights Data Breaches
1 of 13
Download to read offline
1
2
3
4
Most read
5
6
7
Most read
8
9
10
11
12
13
CLOUD ATTACKS A Live Simulation of Cloud Misconfiguration Exploits Josh Stella, Co-Founder & CTO Fugue
#InfoSecWorld AGENDA 1. Overview of cloud misconfiguration risk 2. Live Demo: Cloud misconfiguration exploits in action 3. Actionable steps to secure your cloud environment 4. Q&A
#InfoSecWorld A MAJOR SECURITY RISK Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes. 93%CONCERNED FOR MAJOR SECURITY BREACH DUE TO MISCONFIGURATION “ ⎯ Neil MacDonald, Gartner “
CLOUD MISCONFIGURATION IS A MAJOR SECURITY RISK 66%IAM 59%SECURITY GROUP RULES 51%OBJECT STORAGE ACCESS POLICIES 42%ENCRYPTION IN TRANSIT DISABLED
Many dangerous cloud misconfigurations are: • not recognized as misconfigurations by security teams • not considered policy violations by compliance frameworks • exceedingly common in enterprise cloud environments CLOUD MISCONFIGURATION IS OFTEN OVERLOOKED
Before Cloud 1. Identify your target organization 2. Search for vulnerabilities to exploit HACKER STRATEGY HAS EVOLVED Cloud 1. Identify misconfiguration vulnerabilities 2. Prioritize your target organizations Bad actors use automation to find and exploit cloud misconfiguration
Before Cloud 1. Network and security teams deliver infrastructure to app teams 2. Network analysis and threat detection tools identify intrusions; human-guided response SECURITY STRATEGY MUST EVOLVE TOO Cloud 1. Developers create their own infrastructure and are empowered to secure it 2. Policy as code validation tools prevent misconfiguration; automated detection and remediation eliminates it Cloud security is a software engineering problem, not a security analysis problem.
A DEMONSTRATION OF A CLOUD MISCONFIGURATION ATTACK
ONE Firewall Misconfiguration Causes often include “drift” and orphaned resources THIS MISCONFIGURATION ATTACK IN REVIEW TWO Accessing EC2 instance Causes include unpatched instances containing a vulnerability (often orphaned) THREE Getting IAM role access to S3 Insecure use of IAM and EC2 permissions FOUR Bucket discovery and duplication The danger of a single IAM role with broad permissions
1: Monitor all access point configurations • Continuously monitor Security Groups for misconfiguration (e.g. access from 0.0.0.0/0) 2: Apply Principle of Least Permission • Ruthlessly limit IAM roles to business requirements for the app • Use different end points for read and write operations • Eliminate S3 bucket listing in production environments 3: Don’t allow EC2 instances to have IAM roles that allow attaching or replacing role policies KEY TAKEAWAYS AND RECOMMENDATIONS
4. Ruthlessly clean up unused cloud resources (especially EC2 instances and S3 buckets) • “Orphaned” resources are common and can contain misconfigurations and unpatched OS or application vulnerabilities 5. Include cloud misconfiguration in penetration testing • Use outside pen testers who understand cloud misconfiguration and how to exploit it 6. Use automated remediation for security-critical cloud resources • Focus first on VPCs, S3 buckets, Security Groups, EC2, and IAM) 7. Use an open source policy as code framework for validating compliance • Open Policy Agent and Rego policy language KEY TAKEAWAYS AND RECOMMENDATIONS
#InfoSecWorld QUESTIONS? Q&A Resources: Fugue Developer is free forever: www.fugue.co/go Validate Terraform with Regula: https://github.com/fugue/regula Fregot (for working with Rego): https://github.com/fugue/fregot Open Policy Agent: https://www.openpolicyagent.org/
THANK YOU! Josh Stella, Co-Founder & CTO Fugue

More Related Content

PPTX
Humla workshop on Android Security Testing - null Singapore
n|u - The Open Security Community
 
PDF
CSS17: Houston - Stories from the Security Operations Center
Alert Logic
 
PDF
2015.04.24 Updated > Android Security Development - Part 1: App Development
Cheng-Yi Yu
 
PDF
Web App Attacks - Stats & Remediation
Qualys
 
PPTX
Top 5 Priorities for Cloud Security
2nd Sight Lab
 
PPTX
CSS 17: NYC - Stories from the SOC
Alert Logic
 
PPTX
How Malware Works - Understanding Software Vulnerabilities
Bunmi Sowande
 
PDF
Acronis Active Protection: A Way To Combat Ransomware Attack
Acronis
 
Humla workshop on Android Security Testing - null Singapore
n|u - The Open Security Community
 
CSS17: Houston - Stories from the Security Operations Center
Alert Logic
 
2015.04.24 Updated > Android Security Development - Part 1: App Development
Cheng-Yi Yu
 
Web App Attacks - Stats & Remediation
Qualys
 
Top 5 Priorities for Cloud Security
2nd Sight Lab
 
CSS 17: NYC - Stories from the SOC
Alert Logic
 
How Malware Works - Understanding Software Vulnerabilities
Bunmi Sowande
 
Acronis Active Protection: A Way To Combat Ransomware Attack
Acronis
 

What's hot (20)

PDF
Security Risks & Vulnerabilities in Skype
Kelum Senanayake
 
PPTX
CSS 17: NYC - Realities of Security in the Cloud
Alert Logic
 
PPT
New microsoft application security problem
John Davis
 
PDF
Re solution - corona virus cyber security infographic
Jacob Tranter
 
DOCX
Cisco WebEx vulnerability: it’s a kind of magic
ITrust - Cybersecurity as a Service
 
PPTX
Secure Coding 2013
The eCore Group
 
PDF
Realities of Security in the Cloud
Alert Logic
 
PPTX
CSS17: Atlanta - Realities of Security in the Cloud
Alert Logic
 
PDF
Internship brochure
FixNix Inc.,
 
PDF
The Intersection of Security & DevOps
Alert Logic
 
PDF
The World Against the Bad, Cisco AMP Solution to the Rescue
Cisco Canada
 
PDF
Reality Check: Security in the Cloud
Alert Logic
 
PPTX
Intel McAfee DeepSAFE Technology
Can Your Security
 
PPTX
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Sohini Mukherjee
 
PDF
Realities of Security in the Cloud
Alert Logic
 
PPTX
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
AgileNetwork
 
PDF
Owasp and friends
Mažvydas Skuodas
 
PDF
Cisco amp for endpoints
Cisco Canada
 
PDF
Managing Application Config and Secrets
Eng Teong Cheah
 
PDF
Protecting Against Web Attacks
Alert Logic
 
Security Risks & Vulnerabilities in Skype
Kelum Senanayake
 
CSS 17: NYC - Realities of Security in the Cloud
Alert Logic
 
New microsoft application security problem
John Davis
 
Re solution - corona virus cyber security infographic
Jacob Tranter
 
Cisco WebEx vulnerability: it’s a kind of magic
ITrust - Cybersecurity as a Service
 
Secure Coding 2013
The eCore Group
 
Realities of Security in the Cloud
Alert Logic
 
CSS17: Atlanta - Realities of Security in the Cloud
Alert Logic
 
Internship brochure
FixNix Inc.,
 
The Intersection of Security & DevOps
Alert Logic
 
The World Against the Bad, Cisco AMP Solution to the Rescue
Cisco Canada
 
Reality Check: Security in the Cloud
Alert Logic
 
Intel McAfee DeepSAFE Technology
Can Your Security
 
Leveraging Osquery for DFIR @ Scale _BSidesSF_2020
Sohini Mukherjee
 
Realities of Security in the Cloud
Alert Logic
 
Agile Network India | DevSecOps - The What and the Why | Ritesh Shregill
AgileNetwork
 
Owasp and friends
Mažvydas Skuodas
 
Cisco amp for endpoints
Cisco Canada
 
Managing Application Config and Secrets
Eng Teong Cheah
 
Protecting Against Web Attacks
Alert Logic
 
Ad

Similar to Cloud Attacks: A Live Simulation of Cloud MIsconfiguration Attacks (20)

PPTX
Zero_Trust_In_Cloud_rbhfbru_newfiu_bewfuguy_cưenfbui.pptx
tngoclinkn
 
DOCX
Why Cloud Penetration Testing Essential
basheerhardwin
 
PPTX
Core strategies to develop defense in depth in AWS
Shane Peden
 
PPTX
7 Ways To Cyberattack And Hack Azure
Abdul Khan
 
PDF
Outpost24 webinar - Mastering the art of multicloud security
Outpost24
 
PDF
CISSP-2022 Update domain 3 certification handouts
jboy80616
 
PDF
The 3 Recommendations for Cloud Security
VAST
 
PDF
Cloud security snippets on the use case of the cloud
alkabarala01
 
PPTX
CSPM UNIT 4 HPS PRESENTATION FOR REFERENCE
sanskritijhabtech202
 
PDF
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
iphonepentest
 
PPT
Cloud computing final show
ahmad abdelhafeez
 
PDF
Cloud security risks
Revital Lapidot
 
PDF
Cloud security risks
Revital Lapidot
 
PPTX
Cloud Security_ Unit 4
Integral university, India
 
PDF
Cloud Security Network – Definition and Best Practices.pdf
qualysectechnology98
 
PDF
The Ultimate Guide For Cloud Penetration Testing.pdf
Craw Cyber Security
 
PDF
Cloud Security Governance
Shankar Subramaniyan
 
PDF
BlueTeamCon-Presentation from TrustedSec
wcuestas
 
PDF
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
JamieWilliams130
 
PDF
Chaos engineering for cloud native security
Kennedy
 
Zero_Trust_In_Cloud_rbhfbru_newfiu_bewfuguy_cưenfbui.pptx
tngoclinkn
 
Why Cloud Penetration Testing Essential
basheerhardwin
 
Core strategies to develop defense in depth in AWS
Shane Peden
 
7 Ways To Cyberattack And Hack Azure
Abdul Khan
 
Outpost24 webinar - Mastering the art of multicloud security
Outpost24
 
CISSP-2022 Update domain 3 certification handouts
jboy80616
 
The 3 Recommendations for Cloud Security
VAST
 
Cloud security snippets on the use case of the cloud
alkabarala01
 
CSPM UNIT 4 HPS PRESENTATION FOR REFERENCE
sanskritijhabtech202
 
Breaking Secure Mobile Applications - Hack In The Box 2014 KL
iphonepentest
 
Cloud computing final show
ahmad abdelhafeez
 
Cloud security risks
Revital Lapidot
 
Cloud security risks
Revital Lapidot
 
Cloud Security_ Unit 4
Integral university, India
 
Cloud Security Network – Definition and Best Practices.pdf
qualysectechnology98
 
The Ultimate Guide For Cloud Penetration Testing.pdf
Craw Cyber Security
 
Cloud Security Governance
Shankar Subramaniyan
 
BlueTeamCon-Presentation from TrustedSec
wcuestas
 
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
JamieWilliams130
 
Chaos engineering for cloud native security
Kennedy
 
Ad

Recently uploaded (20)

PPTX
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PPTX
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PDF
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PPTX
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PDF
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
Reimagine Home Health with the Power of Agentic AI​
AutomationEdge Technologies
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Adobe Illustrator 28.6 Crack My Vision of Vector Design
ghrom2211g
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
medical staffing services at VALiNTRY
Tiyan Grayson
 

Cloud Attacks: A Live Simulation of Cloud MIsconfiguration Attacks

  • 1. CLOUD ATTACKS A Live Simulation of Cloud Misconfiguration Exploits Josh Stella, Co-Founder & CTO Fugue
  • 2. #InfoSecWorld AGENDA 1. Overview of cloud misconfiguration risk 2. Live Demo: Cloud misconfiguration exploits in action 3. Actionable steps to secure your cloud environment 4. Q&A
  • 3. #InfoSecWorld A MAJOR SECURITY RISK Nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement and mistakes. 93%CONCERNED FOR MAJOR SECURITY BREACH DUE TO MISCONFIGURATION “ ⎯ Neil MacDonald, Gartner “
  • 4. CLOUD MISCONFIGURATION IS A MAJOR SECURITY RISK 66%IAM 59%SECURITY GROUP RULES 51%OBJECT STORAGE ACCESS POLICIES 42%ENCRYPTION IN TRANSIT DISABLED
  • 5. Many dangerous cloud misconfigurations are: • not recognized as misconfigurations by security teams • not considered policy violations by compliance frameworks • exceedingly common in enterprise cloud environments CLOUD MISCONFIGURATION IS OFTEN OVERLOOKED
  • 6. Before Cloud 1. Identify your target organization 2. Search for vulnerabilities to exploit HACKER STRATEGY HAS EVOLVED Cloud 1. Identify misconfiguration vulnerabilities 2. Prioritize your target organizations Bad actors use automation to find and exploit cloud misconfiguration
  • 7. Before Cloud 1. Network and security teams deliver infrastructure to app teams 2. Network analysis and threat detection tools identify intrusions; human-guided response SECURITY STRATEGY MUST EVOLVE TOO Cloud 1. Developers create their own infrastructure and are empowered to secure it 2. Policy as code validation tools prevent misconfiguration; automated detection and remediation eliminates it Cloud security is a software engineering problem, not a security analysis problem.
  • 8. A DEMONSTRATION OF A CLOUD MISCONFIGURATION ATTACK
  • 9. ONE Firewall Misconfiguration Causes often include “drift” and orphaned resources THIS MISCONFIGURATION ATTACK IN REVIEW TWO Accessing EC2 instance Causes include unpatched instances containing a vulnerability (often orphaned) THREE Getting IAM role access to S3 Insecure use of IAM and EC2 permissions FOUR Bucket discovery and duplication The danger of a single IAM role with broad permissions
  • 10. 1: Monitor all access point configurations • Continuously monitor Security Groups for misconfiguration (e.g. access from 0.0.0.0/0) 2: Apply Principle of Least Permission • Ruthlessly limit IAM roles to business requirements for the app • Use different end points for read and write operations • Eliminate S3 bucket listing in production environments 3: Don’t allow EC2 instances to have IAM roles that allow attaching or replacing role policies KEY TAKEAWAYS AND RECOMMENDATIONS
  • 11. 4. Ruthlessly clean up unused cloud resources (especially EC2 instances and S3 buckets) • “Orphaned” resources are common and can contain misconfigurations and unpatched OS or application vulnerabilities 5. Include cloud misconfiguration in penetration testing • Use outside pen testers who understand cloud misconfiguration and how to exploit it 6. Use automated remediation for security-critical cloud resources • Focus first on VPCs, S3 buckets, Security Groups, EC2, and IAM) 7. Use an open source policy as code framework for validating compliance • Open Policy Agent and Rego policy language KEY TAKEAWAYS AND RECOMMENDATIONS
  • 12. #InfoSecWorld QUESTIONS? Q&A Resources: Fugue Developer is free forever: www.fugue.co/go Validate Terraform with Regula: https://github.com/fugue/regula Fregot (for working with Rego): https://github.com/fugue/fregot Open Policy Agent: https://www.openpolicyagent.org/
  • 13. THANK YOU! Josh Stella, Co-Founder & CTO Fugue