SlideShare a Scribd company logo

Reducing Your Attack Surface

Alert Logic , profile picture
Alert Logic

The document discusses reducing attack surfaces in cloud environments. It notes that understanding your attack surface is critical for deploying proper security controls as attack surfaces differ between cloud and on-premises environments. It also states that web application attacks are now the leading cause of data breaches but less than 5% of security budgets are spent on application security. Common cloud misconfigurations are also discussed as a major risk factor.

Technology
Related topics:
Cloud Security Insights
1 of 23
Downloaded 13 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
REDUCING YOUR ATTACK SURFACE Ryan Holland, Senior Director of Cloud Architecture – Alert Logic
Summary • Understanding your attack surface is critical to deploying the right security controls • Attack surface in cloud environments is significantly different than on-premises • Dominant cloud exposures are often misunderstood
2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked #1 Sands Casino Breach
2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked • Compromised admin credentials • Moved laterally through Windows AD • Used malware to destroy all hosts on the network Sands Casino Breach
1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks
1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks Underreported. Misunderstood.
What Drives This Awareness Disconnect? • Breach disclosure in a number of states is mandatory, but technical details are not in disclosure scope • News media naturally gravitates towards human interest security stories • Mobile phones • Endpoint malware • Email theft Ransomware Malware All other terms: SQL injection, web application attack, Wordpress vulnerability, PHP vulnerability, Apache Struts vulnerability
Our Perspective on Cloud Attack Surface • 4,000+ customers • 80% of deployments in data centers • 50% of deployments in public and hybrid cloud • Dominant workload: business critical web applications
Real world view from our SOC
#2 Yahoo Impact Number of exposed accounts increased from 1B to 3B. How it happened Phishing Email Where are they now? Sold to Verizon. Valuation revised by $350M
Meet “M4g” AKA Alexsey Belan • One of the most prolific hackers between 2013 - 2015 • Estimated to have compromised 1.2 billion user accounts • Prime suspect in numerous breaches
Alexsey Belan’s Techniques 1. Identified peripheral sites and key people via Google and LinkedIn 2. Initial compromise via CVE-2011–4106 WordPress vulnerability. Modified authentication mechanisms to capture credentials 3. Used NMAP & internal Wiki to learn the environment and move laterally 4. Reused cookies from development staging systems, client certificates from emails and trouble tickets 5. Used developer credentials to introduce backdoors into code Source: https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551
Why WordPress? Used in 28% of all web sites on the internet • WP CVE-2011–4106 vulnerability in resulted in 1.2 million compromised sites • 53 similar vulnerabilities in last 10 years (CVSS 6+)
#3 RNC breach Impact 200M voter records exposed How it happened Misconfiguration in Amazon Web Services S3 service Where are they now? Survived the breach. Operational impact unclear.
AWS S3 Data Leaks Due To Misconfigurations
#4 Code Spaces Impact Nearly all customer data, including backups, deleted. How it happened Credential compromise. Where are they now? Closed down immediately after event.
60 Most Common AWS Configuration Remediations Unencrypted AMI Discovered Unencrypted EBS Volume S3 Logging not Enabled Unrestricted Outbound Access on All Ports User not configured to use MFA User Access Key not configured with Rotation IAM Policies are attached directly to User Dangerous User Privileged Access to S3 Dangerous IAM Role for S3 Dangerous User Privileged Access to RDS Disable Automatic Access Key Creation Dangerous User Privileged Access to DDB Dangerous User Privileged Access to IAM IAM Access Keys Unused for 90 Days ELB Listener Security (2 of 4) ELB Listener Security (1 of 4) Dangerous IAM Role for RDS RDS Encryption is not Enabled Dangerous IAM Role for DDB Unrestricted Inbound Access - Specific Ports 2 Dangerous IAM Role for IAM Unrestricted Inbound Access to SSH Port 22/tcp Unrestricted Inbound Access to HTTP Port 80/tcp Amazon S3 Bucket Permissions (2 of 2) Inactive user account Ensure AWS CloudTrail is Enabled in All Regions ELB Listener Security (4 of 4) Unrestricted Inbound Access Publicly Accessible RDS Database Instance Passwords not set to enforce complexity ACL permissions enabled for Authenticated Users in an S3 Bucket CloudTrail Logging Disabled Passwords not configured to expire Ensure Hardware Multi-Factor Authentication is Enabled for the Root Account Unrestricted Inbound Access to Windows RDP Port 3389/tcp Enable Amazon GuardDuty on AWS Account Unrestricted Inbound Access to PostgreSQL Port 5432/tcp Global View ACL permissions enabled in an S3 Bucket Unrestricted Inbound Access to mySQL Port 3306/tcp Unrestricted Inbound Access to NetBIOS over TCP/IP 137/udp/tcp, 138/udp or 139/udp/tcp Unrestricted Inbound Access to SMTP Port 25/tcp Root account not using MFA Unrestricted Inbound Access to FTP Port 21/tcp Unrestricted Inbound Access to DNS Port 53/tcp Unrestricted Inbound Access to SQLServer Port 1433,1434/tcp Unrestricted Inbound Access to FTP Port 20/tcp Unrestricted Inbound Access to VNC Port 5500,5900/tcp Unrestricted Inbound Access to MSQL Port 4333/tcp Unrestricted Inbound Access to SMTP over TLS/SSL Port 465/tcp Unrestricted Inbound Access to ElasticSearch Port 9300/tcp Unrestricted Inbound Access to CIFS/SMB over TCP 445/tcp Root Account Used Recently Unrestricted Inbound Access to Windows RPC Port 135/tcp Publicly Accessible AMI Discovered Unrestricted Inbound Access to Telnet Port 23/tcp Unencrypted Redshift Cluster Unrestricted Inbound Access to DNS Port 53/udp Publicly Accessible Redshift Cluster Nodes Dangerous use of Root Access Keys Unrestricted Inbound Access to CIFS/SMB over TCP 445/udp Across 31,235 EC2 instances / workloads 155,911 vulnerabilities and exposures sampled On 381 VPC’s in Dec 2017
Cloud Insight Essentials check Misconfigurations
Cloud Attack Surface Attacks Web App Attacks OWASP top 10 Platform / library attacks App / System misconfig attacks Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Hardware The Application Stack Databases Attackersaremovingupthestack 1. Wide range of attacks at every layer of the stack 2. Rapidly changing codebase can introduces unknown vulnerabilities 3. Long tail of exposures inherited from 3rd party development tools 4. Extreme shortage of cloud and application security expertise
Attack Surface Factors Factor Impact Technology Triggers Custom built complex web code Broad attack surface and numerous opportunities for hidden vulnerabilities. Open or commercial development frameworks Vulnerabilities inherited from open source community or software vendors. 3-tier architecture with relational databases Increased risk of SQL injection - #1 web attack method in volume and impact Open and Interconnected Easily accessible from outside world by valid users and attackers alike Legacy code Technical debt means increases risk
Importance of Eliminating Dwell Time
The Realities of Dwell Time 1. Ponemon Institute 2017 Cost of Data Breach Study
Thank you.

More Related Content

PDF
Reality Check: Security in the Cloud
Alert Logic
 
PDF
Security Implications of the Cloud
Alert Logic
 
PDF
The Intersection of Security & DevOps
Alert Logic
 
PDF
Security Implications of the Cloud - CSS Dallas Azure
Alert Logic
 
PDF
Realities of Security in the Cloud
Alert Logic
 
PDF
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Alert Logic
 
PDF
Realities of Security in the Cloud
Alert Logic
 
PDF
Realities of Security in the Cloud
Alert Logic
 
Reality Check: Security in the Cloud
Alert Logic
 
Security Implications of the Cloud
Alert Logic
 
The Intersection of Security & DevOps
Alert Logic
 
Security Implications of the Cloud - CSS Dallas Azure
Alert Logic
 
Realities of Security in the Cloud
Alert Logic
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Alert Logic
 
Realities of Security in the Cloud
Alert Logic
 
Realities of Security in the Cloud
Alert Logic
 

What's hot (20)

PDF
Security Implications of the Cloud
Alert Logic
 
PDF
Realities of Security in the Cloud
Alert Logic
 
PDF
Security Implications of the Cloud - CSS ATX 2017
Alert Logic
 
PDF
The AWS Shared Responsibility Model in Practice
Alert Logic
 
PDF
Protecting Against Web Attacks
Alert Logic
 
PDF
Stories from the Security Operations Center
Alert Logic
 
PDF
Realities of Security in the Cloud - CSS ATX 2017
Alert Logic
 
PPTX
#ALSummit: Live Cyber Hack Demonstration
Alert Logic
 
PDF
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Alert Logic
 
PPTX
#ALSummit: Cyber Resiliency: Surviving the Breach
Alert Logic
 
PDF
Managed Threat Detection and Response
Alert Logic
 
PPTX
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
MarkAnnati
 
PDF
Managed Threat Detection & Response for AWS Applications
Alert Logic
 
PPTX
#ALSummit: Architecting Security into your AWS Environment
Alert Logic
 
PPTX
Cyber Resiliency
Alert Logic
 
PDF
Stories from the Security Operations Center (S.O.C.)
Alert Logic
 
PDF
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Alert Logic
 
PPTX
CSS 17: NYC - Stories from the SOC
Alert Logic
 
PPTX
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
Alert Logic
 
PDF
Extending Amazon GuardDuty with Cloud Insight Essentials
Alert Logic
 
Security Implications of the Cloud
Alert Logic
 
Realities of Security in the Cloud
Alert Logic
 
Security Implications of the Cloud - CSS ATX 2017
Alert Logic
 
The AWS Shared Responsibility Model in Practice
Alert Logic
 
Protecting Against Web Attacks
Alert Logic
 
Stories from the Security Operations Center
Alert Logic
 
Realities of Security in the Cloud - CSS ATX 2017
Alert Logic
 
#ALSummit: Live Cyber Hack Demonstration
Alert Logic
 
Reducing Your Attack Surface and Yuor Role in Cloud Workload Protection
Alert Logic
 
#ALSummit: Cyber Resiliency: Surviving the Breach
Alert Logic
 
Managed Threat Detection and Response
Alert Logic
 
Cloud Security or: How I Learned to Stop Worrying & Love the Cloud
MarkAnnati
 
Managed Threat Detection & Response for AWS Applications
Alert Logic
 
#ALSummit: Architecting Security into your AWS Environment
Alert Logic
 
Cyber Resiliency
Alert Logic
 
Stories from the Security Operations Center (S.O.C.)
Alert Logic
 
Reducing Your Attack Surface & Your Role in Cloud Workload Protection
Alert Logic
 
CSS 17: NYC - Stories from the SOC
Alert Logic
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
Alert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Alert Logic
 
Ad

Similar to Reducing Your Attack Surface (20)

PDF
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
JamieWilliams130
 
PDF
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beau Bullock
 
PDF
Enhancing the impregnability of linux servers
IJNSA Journal
 
PDF
ENHANCING THE IMPREGNABILITY OF LINUX SERVERS
IJNSA Journal
 
PPTX
Escalation defenses ad guardrails every company should deploy
David Rowe
 
PPS
Sreerag cs network security
Sreerag Gopinath
 
PPTX
Managing Technical Debt .pptx
mageerauldnzsti
 
PPTX
Network Security - Real and Present Dangers
Peter Wood
 
PDF
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
Paula Januszkiewicz
 
PPT
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
PPTX
Corporate Security Issues and countering them using Unified Threat Management...
Rishabh Dangwal
 
PPT
Web Application Security
Abdul Wahid
 
PPTX
pr-host-intrusion-prevention-customer-presentation (5).pptx
maash3
 
PDF
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
BeyondTrust
 
PPT
Windows network
Jithesh Nair
 
PDF
SOC-as-a-Service - comSpark 2019
Advanced Technology Consulting (ATC)
 
PDF
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
PDF
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
NormShield, Inc.
 
PPTX
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
Andris Soroka
 
PDF
Controlling Access to IBM i Systems and Data
Precisely
 
Keynote: Which way is the SolarWind Blowing? Techniques are changing…are you ...
JamieWilliams130
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beau Bullock
 
Enhancing the impregnability of linux servers
IJNSA Journal
 
ENHANCING THE IMPREGNABILITY OF LINUX SERVERS
IJNSA Journal
 
Escalation defenses ad guardrails every company should deploy
David Rowe
 
Sreerag cs network security
Sreerag Gopinath
 
Managing Technical Debt .pptx
mageerauldnzsti
 
Network Security - Real and Present Dangers
Peter Wood
 
The hacker playbook: How to think and act like a cybercriminal to reduce risk...
Paula Januszkiewicz
 
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
Corporate Security Issues and countering them using Unified Threat Management...
Rishabh Dangwal
 
Web Application Security
Abdul Wahid
 
pr-host-intrusion-prevention-customer-presentation (5).pptx
maash3
 
Active Directory Auditing Tools: Building Blocks or just a Handful of Dust?
BeyondTrust
 
Windows network
Jithesh Nair
 
SOC-as-a-Service - comSpark 2019
Advanced Technology Consulting (ATC)
 
Expand Your Control of Access to IBM i Systems and Data
Precisely
 
2017 Cyber Risk Grades by Industry: Normshield Executive Presentation
NormShield, Inc.
 
DSS ITSEC 2013 Conference 07.11.2013 - Radware - Cyber Attacks Survival Guide
Andris Soroka
 
Controlling Access to IBM i Systems and Data
Precisely
 
Ad

More from Alert Logic (17)

PDF
Extending Amazon GuardDuty with Cloud Insight Essentials
Alert Logic
 
PDF
The AWS Shared Responsibility Model in Practice
Alert Logic
 
PDF
Security Spotlight: Presidio
Alert Logic
 
PDF
The Intersection of Security & DevOps
Alert Logic
 
PDF
Security Spotlight: Rent-A-Center
Alert Logic
 
PDF
The Intersection of Security & DevOps
Alert Logic
 
PDF
Security Spotlight: Presidio
Alert Logic
 
PDF
Security Implications of the Cloud
Alert Logic
 
PDF
CSS 2018 Trivia
Alert Logic
 
PDF
The AWS Shared Responsibility Model in Practice
Alert Logic
 
PDF
Realities of Security in the Cloud
Alert Logic
 
PDF
The Intersection of Security and DevOps
Alert Logic
 
PDF
Security Spotlight: The Coca Cola Company
Alert Logic
 
PDF
The AWS Shared Responsibility Model in Practice
Alert Logic
 
PDF
Security Implications of the Cloud
Alert Logic
 
PDF
Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure
Alert Logic
 
PDF
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure
Alert Logic
 
Extending Amazon GuardDuty with Cloud Insight Essentials
Alert Logic
 
The AWS Shared Responsibility Model in Practice
Alert Logic
 
Security Spotlight: Presidio
Alert Logic
 
The Intersection of Security & DevOps
Alert Logic
 
Security Spotlight: Rent-A-Center
Alert Logic
 
The Intersection of Security & DevOps
Alert Logic
 
Security Spotlight: Presidio
Alert Logic
 
Security Implications of the Cloud
Alert Logic
 
CSS 2018 Trivia
Alert Logic
 
The AWS Shared Responsibility Model in Practice
Alert Logic
 
Realities of Security in the Cloud
Alert Logic
 
The Intersection of Security and DevOps
Alert Logic
 
Security Spotlight: The Coca Cola Company
Alert Logic
 
The AWS Shared Responsibility Model in Practice
Alert Logic
 
Security Implications of the Cloud
Alert Logic
 
Microsoft Azure Security Overview - Microsoft - CSS Dallas Azure
Alert Logic
 
10 Step Guide to Cloud Security - 10th Magnitude - CSS Dallas Azure
Alert Logic
 

Recently uploaded (20)

PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPTX
breach-and-attack-simulation-cybersecurity-india-chennai-defenderrabbit-2025....
defencerabbit Team
 
PDF
Advanced Soft Computing BINUS July 2025.pdf
University of Hertfordshire
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Advanced IT Governance
University of Hertfordshire
 
PDF
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Teaching material agriculture food technology
LiaRayya
 
NewMind AI Monthly Chronicles - July 2025
NewMind AI
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
breach-and-attack-simulation-cybersecurity-india-chennai-defenderrabbit-2025....
defencerabbit Team
 
Advanced Soft Computing BINUS July 2025.pdf
University of Hertfordshire
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Cloud computing and distributed systems.
kkkkkhan
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Advanced IT Governance
University of Hertfordshire
 
CIFDAQ's Market Insight: SEC Turns Pro Crypto
CIFDAQ
 

Reducing Your Attack Surface

  • 1. REDUCING YOUR ATTACK SURFACE Ryan Holland, Senior Director of Cloud Architecture – Alert Logic
  • 2. Summary • Understanding your attack surface is critical to deploying the right security controls • Attack surface in cloud environments is significantly different than on-premises • Dominant cloud exposures are often misunderstood
  • 3. 2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked #1 Sands Casino Breach
  • 4. 2nd attack HVAC vendor application Result Successful. Never detected. Vector SQL Injection Las Vegas Bethlehem 1st attack Account Brute Force Result Detected by the SIEM. Blocked • Compromised admin credentials • Moved laterally through Windows AD • Used malware to destroy all hosts on the network Sands Casino Breach
  • 5. 1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks
  • 6. 1 49 56 86 125 155 172 197 525 908 Denial of Service Crimeware Physical Theft / Loss Payment Card Skimmers Everything Else Cyber-espionage Privilege Misuse Miscellaneous Errors POS Intrusions Web App Attacks Security risk is shifting to unprotected web applications Web app attacks are now the #1 source of data breaches But less than 5% of data center security budgets are spent on app security Source: Verizon UP 500% SINCE 2014 $23 to $1 Percentage of Breaches 10% 20% 30% 40% Source: Gartner Web App Attacks Underreported. Misunderstood.
  • 7. What Drives This Awareness Disconnect? • Breach disclosure in a number of states is mandatory, but technical details are not in disclosure scope • News media naturally gravitates towards human interest security stories • Mobile phones • Endpoint malware • Email theft Ransomware Malware All other terms: SQL injection, web application attack, Wordpress vulnerability, PHP vulnerability, Apache Struts vulnerability
  • 8. Our Perspective on Cloud Attack Surface • 4,000+ customers • 80% of deployments in data centers • 50% of deployments in public and hybrid cloud • Dominant workload: business critical web applications
  • 9. Real world view from our SOC
  • 10. #2 Yahoo Impact Number of exposed accounts increased from 1B to 3B. How it happened Phishing Email Where are they now? Sold to Verizon. Valuation revised by $350M
  • 11. Meet “M4g” AKA Alexsey Belan • One of the most prolific hackers between 2013 - 2015 • Estimated to have compromised 1.2 billion user accounts • Prime suspect in numerous breaches
  • 12. Alexsey Belan’s Techniques 1. Identified peripheral sites and key people via Google and LinkedIn 2. Initial compromise via CVE-2011–4106 WordPress vulnerability. Modified authentication mechanisms to capture credentials 3. Used NMAP & internal Wiki to learn the environment and move laterally 4. Reused cookies from development staging systems, client certificates from emails and trouble tickets 5. Used developer credentials to introduce backdoors into code Source: https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551
  • 13. Why WordPress? Used in 28% of all web sites on the internet • WP CVE-2011–4106 vulnerability in resulted in 1.2 million compromised sites • 53 similar vulnerabilities in last 10 years (CVSS 6+)
  • 14. #3 RNC breach Impact 200M voter records exposed How it happened Misconfiguration in Amazon Web Services S3 service Where are they now? Survived the breach. Operational impact unclear.
  • 15. AWS S3 Data Leaks Due To Misconfigurations
  • 16. #4 Code Spaces Impact Nearly all customer data, including backups, deleted. How it happened Credential compromise. Where are they now? Closed down immediately after event.
  • 17. 60 Most Common AWS Configuration Remediations Unencrypted AMI Discovered Unencrypted EBS Volume S3 Logging not Enabled Unrestricted Outbound Access on All Ports User not configured to use MFA User Access Key not configured with Rotation IAM Policies are attached directly to User Dangerous User Privileged Access to S3 Dangerous IAM Role for S3 Dangerous User Privileged Access to RDS Disable Automatic Access Key Creation Dangerous User Privileged Access to DDB Dangerous User Privileged Access to IAM IAM Access Keys Unused for 90 Days ELB Listener Security (2 of 4) ELB Listener Security (1 of 4) Dangerous IAM Role for RDS RDS Encryption is not Enabled Dangerous IAM Role for DDB Unrestricted Inbound Access - Specific Ports 2 Dangerous IAM Role for IAM Unrestricted Inbound Access to SSH Port 22/tcp Unrestricted Inbound Access to HTTP Port 80/tcp Amazon S3 Bucket Permissions (2 of 2) Inactive user account Ensure AWS CloudTrail is Enabled in All Regions ELB Listener Security (4 of 4) Unrestricted Inbound Access Publicly Accessible RDS Database Instance Passwords not set to enforce complexity ACL permissions enabled for Authenticated Users in an S3 Bucket CloudTrail Logging Disabled Passwords not configured to expire Ensure Hardware Multi-Factor Authentication is Enabled for the Root Account Unrestricted Inbound Access to Windows RDP Port 3389/tcp Enable Amazon GuardDuty on AWS Account Unrestricted Inbound Access to PostgreSQL Port 5432/tcp Global View ACL permissions enabled in an S3 Bucket Unrestricted Inbound Access to mySQL Port 3306/tcp Unrestricted Inbound Access to NetBIOS over TCP/IP 137/udp/tcp, 138/udp or 139/udp/tcp Unrestricted Inbound Access to SMTP Port 25/tcp Root account not using MFA Unrestricted Inbound Access to FTP Port 21/tcp Unrestricted Inbound Access to DNS Port 53/tcp Unrestricted Inbound Access to SQLServer Port 1433,1434/tcp Unrestricted Inbound Access to FTP Port 20/tcp Unrestricted Inbound Access to VNC Port 5500,5900/tcp Unrestricted Inbound Access to MSQL Port 4333/tcp Unrestricted Inbound Access to SMTP over TLS/SSL Port 465/tcp Unrestricted Inbound Access to ElasticSearch Port 9300/tcp Unrestricted Inbound Access to CIFS/SMB over TCP 445/tcp Root Account Used Recently Unrestricted Inbound Access to Windows RPC Port 135/tcp Publicly Accessible AMI Discovered Unrestricted Inbound Access to Telnet Port 23/tcp Unencrypted Redshift Cluster Unrestricted Inbound Access to DNS Port 53/udp Publicly Accessible Redshift Cluster Nodes Dangerous use of Root Access Keys Unrestricted Inbound Access to CIFS/SMB over TCP 445/udp Across 31,235 EC2 instances / workloads 155,911 vulnerabilities and exposures sampled On 381 VPC’s in Dec 2017
  • 18. Cloud Insight Essentials check Misconfigurations
  • 19. Cloud Attack Surface Attacks Web App Attacks OWASP top 10 Platform / library attacks App / System misconfig attacks Web Apps Server-side Apps App Frameworks Dev Platforms Server OS Hypervisor Hardware The Application Stack Databases Attackersaremovingupthestack 1. Wide range of attacks at every layer of the stack 2. Rapidly changing codebase can introduces unknown vulnerabilities 3. Long tail of exposures inherited from 3rd party development tools 4. Extreme shortage of cloud and application security expertise
  • 20. Attack Surface Factors Factor Impact Technology Triggers Custom built complex web code Broad attack surface and numerous opportunities for hidden vulnerabilities. Open or commercial development frameworks Vulnerabilities inherited from open source community or software vendors. 3-tier architecture with relational databases Increased risk of SQL injection - #1 web attack method in volume and impact Open and Interconnected Easily accessible from outside world by valid users and attackers alike Legacy code Technical debt means increases risk
  • 22. The Realities of Dwell Time 1. Ponemon Institute 2017 Cost of Data Breach Study