Red Team vs. Blue Team on AWS ~ re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
RedTeam vs. BlueTeam onAWS
Teri Radichel
CEO
2nd Sight Lab
D V C 3 0 4
Kolby Allen
Platform Engineer
Zipwhip

Attackervs.Defender

CloudAdmin ...

Would be aboring talk...

Instead...
Let’s
search
for buried
treasure!

AccountSetup
Vanilla Account
Single Admin User
Base VPC & Default Configuration
AWS Tutorial: Elastic Beanstalk with WordPress
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/php-hawordpress-tutorial.html
AWS Tutorial: Lambda Accessing RDS in VPC
https://docs.aws.amazon.com/lambda/latest/dg/vpc.html

PilferCredentials

Look for RDSDatabases
aws rds describe-db-instances --filter --query
DBInstances[].[DBInstanceIdentifier,MasterUsername,
DBSubnetGroup.VpcId,Endpoint.Address] --output=table
--color off
supersecretdb?! That sounds like a good
target…

ExamineSelectedDatabaseSubnets
aws rds describe-db-instances --filter "Name=db-
instance-id,Values=supersecretdb" --query
DBInstances[].DBSubnetGroup.Subnets[].SubnetIdentifier
--output table --color off
Hmm… let’s check out: subnet-1ae9df57

WhatTrafficdo NACLsAllow?
aws ec2 describe-network-acls --filter
"Name=association.subnet-id,Values=subnet-1ae9df57" --
query NetworkAcls[].Entries --output table --color off
All traffic allowed ~ Sweet.

WhatTrafficdo DBSecurityGroupsAllow?
aws ec2 describe-security-groups
--filter "Name=groupid,
Values=sg-217f3e4a"
--output table
--color off
Port 3306
172.31.0.0/16

FindVPCWithAccess toDatabase
aws ec2 describe-vpcs --filter
"Name=cidrBlock,Values=172.31.0.0/16" --query
Vpcs[].VpcId --output table --color off
vpc-96c34cfe is assigned to CIDR
172.31.0.0/16

VPCSecurityGroup – 3306 Egress
aws ec2 describe-security-groups --
filter Name=ip-permission.to-
port,Values=3306 Name=egress.ip-
permission.cidr,Values=vpc-96c34cfe
--output table --color off --query
'SecurityGroups[].GroupId'
Cool. Let’s see what’s using this.

CheckLambda Functions
aws lambda list-functions --query
Functions[?VpcConfig.SecurityGroupIds
==[`sg-93aadef8`]].FunctionName
--output table --color off

QueryLambdaCode
aws lambda get-function --function-name
CreateTableAddRecordsAndRead
--query Code.Location
Gives us URL to code location in
S3…

Go toURL...CheckOutTheCode
Hmm, what’s in this file?

About thatrds_config file...
Oops. Database credentials.

Look for InstancesThatCanExfil
aws ec2 describe-instances --output text --query
Reservations[].Instances[].NetworkInterfaces[].
Association.[PublicIp,PublicDnsName]
Check the domains in a browser to find web
sites.

SecurityGroups – NoOutbound Restrictions
aws ec2 describe-security-groups --filter "Name=egress.ip-
permission.cidr,Values='0.0.0.0/0',Name=vpc-id,Values=vpc-96c34cfe"
--output table --color off --query SecurityGroups[].GroupId
Cool. Wide Open Outbound.

Look for InstancesThatCanExfil
Scan Site.
Exploit
Vulnerability.
Upload code to
connect to DB.
Publish to public
web site.
Scrape data.

Samplevulnerabilities...

InSummary...
Super Secret
Lambda RDS
WordPress
RDS
Lambda
function
WordPress
EC2 Instance
security
group
security
group
security
group
security
group
VPC subnet
5. Pivot
1. Steal Keys
2. Recon
3. Steal Creds
4. Exploit
6. Exfil
Read Only.
Single Factor
Credentials
Open network
Secrets in Code
And more…
*

ProtectingCredentials
• User training - Phishing and handling of credentials
• Password policies and rotation
• MFA!!
• Require frequent re-authentication – especially to sensitive apps
• Prevent deployment of code with embedded credentials:
https://github.com/awslabs/git-secrets

ProtectingCredentials – git-secrets

IAM BestPractices
Roles
Least Privilege
Segregation of Duties
Minimum
Permissions to
manage self
Create
Amazon EC2
Set MFA
token

Sid: AllowUserstoListAccounts
Effect: Allow
Action:
- "iam:ListAccountAliases"
- "iam:ListUsers"
- "iam:GetAccountPasswordPolicy"
- "iam:GetAccountSummary"
Resource: "*"
Allows users to view
enough information to
get into IAM
Can get the password
policy IMPORTANT so
it can apply
List Users – needed in
order to find themselves
IAM – InitialRoles

Sid: AllowUserstoManageOwnAccount
Effect: Allow
Action:
- "iam:ChangePassword"
- "iam:CreateAccessKey"
- "iam:CreateLoginProfile"
- "iam:DeleteAccessKey"
- "iam:DeleteLoginProfile"
- "iam:GetLoginProfile"
- "iam:ListAccessKeys"
- "iam:UpdateAccessKey"
- "iam:UpdateLoginProfile"
- "iam:ListSigningCertificates"
- "iam:DeleteSigningCertificate"
- "iam:UpdateSigningCertificate"
- "iam:UploadSigningCertificate"
- "iam:ListSSHPublicKeys"
- "iam:GetSSHPublicKey"
- "iam:DeleteSSHPublicKey"
- "iam:UpdateSSHPublicKey"
- "iam:UploadSSHPublicKey"
Resource: "arn:aws:iam::*:user/${aws:username}"
Actions allow users to
manage their account
– BUT NOT CHANGE
PERMISSIONS
Resource only allows
them to perform on
their username – can’t
modify anyone else

Sid: AllowUserstoListOnlyThierMFA
Effect: Allow
Action:
- "iam:ListVirtualMFADevices"
- "iam:ListMFADevices"
Resource:
- "arn:aws:iam::*:mfa/*"
- "arn:aws:iam::*:user/${aws:username}"
Sid: AllowUsertoManageThierMFA
Effect: Allow
Action:
- "iam:CreateVirtualMFADevice"
- "iam:EnableMFADevice"
- "iam:ResyncMFADevice"
Resource:
- "arn:aws:iam::*:mfa/${aws:username}"
- "arn:aws:iam::*:user/${aws:username}"
User can only ADD
MFA
Administrators must
reset MFA enrollment

Initial role has no
permissions except
to assume other
roles
MFA Required to
assume role with
temp creds
IAM –AssumedRoles

Failure due to default policy not
having permissions
MFA!
Commands work!
Temporary credential
request and setting at
environmental variable
IAM –AssumedRoles

Monitor all
API Actions
Feed data
to events
Respond
CloudTrail

Encryption in flight
with only specific IAM
role with rights
Instance retrieves
encrypted value
Instance IAM Role
allows rights to use
key to decrypt
EC2 Parameter Store for secrets
SecretManagement

New: No
password in
rds_config.py
Instance retrieves encrypted value
OLD: Password
embedded in
rds_config.py
SecretManagement

Calls AWS SSM
EC2ParameterStore

Monitoring
• AWS GuardDuty
• VPC Flow Logs
• CloudTrail
• AWS Config
• Log shipping
• Secure log backups
• Automate Remediation

Monitoring

Patch all software & servers regularly – AWS System Manager
CVE Scanning – AWS Inspector
CVE

WAFSecurity

NetworkArchitecture
Presentation Layer
Application Layer
Data Layer
Limited NACL & Security Groups
between subnets
Limit all outbound traffic

NACLs are wide open
Wide open outbound rules on
security groups
Security Groups all full VPC CIDR
Allows Lateral movement
NetworkArchitecture:Original

NACLs limit access between
subnets
Security Groups are only
allowed access from other
security groups
Blocking internet where not
needed
NetworkArchitecture:Better

Red Team:
Attackers can use the same tools used by DevOps teams.
Cloud APIs provide a means for mapping out an entire account.
Read only access can be powerful.
Wide open networks are an attacker’s best friend.
Blue Team:
Restrict access
Automated deployment
Architect networks to minimize open ports and pivoting
Protect secrets - don't embed in code!
Monitor everything
Conclusion

Thank you!
Teri Radichel
@teriradichel
Kolby Allen
@kolbyallen

Red Team vs. Blue Team on AWS ~ re:Invent 2018

More Related Content

More from 2nd Sight Lab (20)

Recently uploaded (20)

Red Team vs. Blue Team on AWS ~ re:Invent 2018

Editor's Notes