Wednesday, June 7, 2017

Video Review: Cloud Post Exploitation Techniques

I just watched an interesting video from the recent Infiltratecon titled Cloud Post Exploitation Techniques.  You can watch the video by clicking here.  The talk was given by a couple of members of the Azure Red Team, who focus on trying to break into the public cloud service and feeding what they learn back to the blue team defenders.

What I really liked about this talk was how it reinforced my thinking on cloud security.  One of my favorite points in cloud security discussions with customers is that storage in Azure is a public-facing service.  Put as many firewalls in place as you want; I don't actually need to bypass those devices to get access to your data, because the storage endpoint is reachable from the internet and what protects it is the account key or token, not your network perimeter.  It really is a change from the traditional way of thinking about security.

Here are some points from the presentation:
  • Think services, not servers
As mentioned above, this is a fundamental tenet of cloud security.  Everything is a service, so prevention techniques built around a network perimeter are no longer enough on their own; you need detection and response as well.  The need to audit is greater in the cloud, because a misconfiguration immediately exposes a service to the internet.
  • Subscription Admins are the new Domain admins
This, over and over again!  I remember when, in Azure, they introduced the VMAccess extension, which allowed you to reset RDP credentials from the portal.  While I agree you have to balance functionality with security, this one feature grants your subscription admins full access to all of your VMs: anyone who can deploy the extension can reset the local administrator password and log in, regardless of the guest credentials.  That is dangerous, and it also factors into how RBAC needs to be deployed in Azure to ensure you are keeping to your segregation-of-duties requirements.
  • Using the cloud to pivot
This is every security engineer's worst nightmare.  You need effective strategies for understanding what access the cloud environment has into your corporate environment (site-to-site VPN, ExpressRoute, and any accounts or services that span both), what tools you can use to defend that north/south traffic, and what security considerations should be in place.

So now what?

As the talk was given at an offensive security conference, there wasn't much time spent on effective mitigation strategies.  It is also important to note that all the attacks shown relied on access to a subscription admin account.  So, what can we do to help mitigate attacks on subscription admins?

The first thing to do is to ensure that all of your subscription admins have multi-factor authentication turned on.  Actually, I would extend this to anyone who has access to the management APIs for any service in Azure, since a stolen password with no second factor is all an attacker needs to reach the portal and the APIs.  Here is a link for more information: https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-versions-plans

The second thing to look at is Role-Based Access Control (RBAC) in the Azure portal.  With this service you can limit privileges to the management APIs, for example by granting Reader or Contributor on a resource group instead of Owner on the whole subscription.  This is a great technique for reducing the attack surface, and you should probably be employing separate, dedicated admin accounts in Azure, much like you would have done on-premises.

Along the lines of reducing the attack surface of your Azure components, Azure Resource Policy can restrict which resource types (and regions) can be deployed in a subscription.  Restricting the types allows the blue teamers to use their allow lists effectively: if only a known set of services can exist, anything else that shows up is a finding.
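As an added example (not code from the original post, and not Microsoft's), the following Python builds an Azure Resource Policy definition of the "allowed resource types and locations" kind and checks constructed sample deployments against it with a small evaluator for the subset of the policy rule language the definition uses. The rule JSON shape (if / then / field / in / not / anyOf / allOf / equals) is the real one; the evaluator, the allowed lists and the sample resources are assumptions made for the example.

```python
"""Added example for the post: an 'allowed resource types / locations'
Azure Resource Policy definition, plus a tiny evaluator for the subset of
the policy rule language it uses. The rule shape (if / then / field / in /
not / anyOf / allOf / equals) is the real one; the evaluator, the allowed
lists and the sample resources below are constructed for this example."""
import json

# What you would hand to New-AzureRmPolicyDefinition -Policy (2017 cmdlet
# name) or `az policy definition create --rules`: deny any deployment whose
# resource type or region is not on the approved list.
ALLOWED_TYPES = [
    "Microsoft.Compute/virtualMachines",
    "Microsoft.Compute/disks",
    "Microsoft.Network/virtualNetworks",
    "Microsoft.Network/networkInterfaces",
    "Microsoft.Network/networkSecurityGroups",
    "Microsoft.Storage/storageAccounts",
]
ALLOWED_LOCATIONS = ["westeurope", "northeurope"]

POLICY_RULE = {
    "if": {
        "anyOf": [
            {"not": {"field": "type", "in": ALLOWED_TYPES}},
            {"not": {"field": "location", "in": ALLOWED_LOCATIONS}},
        ]
    },
    "then": {"effect": "deny"},
}


def _matches(condition, resource):
    """Evaluate one condition node against a resource (a dict of fields).
    Field comparisons are case-insensitive, as Azure's are."""
    if "not" in condition:
        return not _matches(condition["not"], resource)
    if "allOf" in condition:
        return all(_matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(_matches(c, resource) for c in condition["anyOf"])
    value = str(resource.get(condition["field"], "")).lower()
    if "equals" in condition:
        return value == condition["equals"].lower()
    if "in" in condition:
        return value in [v.lower() for v in condition["in"]]
    raise ValueError("unsupported condition: " + json.dumps(condition))


def evaluate(rule, resource):
    """Return the effect the rule applies to a resource: 'deny' or 'allow'."""
    if _matches(rule["if"], resource):
        return rule["then"]["effect"].lower()
    return "allow"


def audit(rule, resources):
    """Return the resources the rule would block, for blue-team review."""
    return [r for r in resources if evaluate(rule, r) == "deny"]


# Constructed sample deployments, not data from any real subscription.
SAMPLE_RESOURCES = [
    {"name": "web01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope"},
    {"name": "logs", "type": "Microsoft.Storage/storageAccounts", "location": "northeurope"},
    {"name": "api", "type": "Microsoft.Web/sites", "location": "westeurope"},            # type not approved
    {"name": "vm-us", "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},  # region not approved
    {"name": "VMAccessAgent", "type": "Microsoft.Compute/virtualMachines/extensions",
     "location": "westeurope"},                                                           # extensions not on the list
]

if __name__ == "__main__":
    print(json.dumps(POLICY_RULE, indent=2))
    for r in audit(POLICY_RULE, SAMPLE_RESOURCES):
        print("would deny: %-14s %s in %s" % (r["name"], r["type"], r["location"]))
```

Note that the approved-types list deliberately leaves out Microsoft.Compute/virtualMachines/extensions, so a VMAccess deployment is denied along with every other extension. In Azure the same rule would also block legitimate extensions such as monitoring agents, so in practice you either add the extension type and rely on alerting to catch VMAccess, or scope the policy to the resource groups where you really want no extensions at all.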

Our solution wouldn't be complete without some monitoring and threat detection.  Two particular components come to mind.  The first is Azure Active Directory Identity Protection, whose goal is to provide security intelligence on your logins and user accounts, such as sign-ins from unfamiliar locations or accounts with leaked credentials.  The second is Azure Monitor and, more specifically, the Azure Activity Log.  Using it, you can create alerts to be informed of key events occurring in your Azure subscription, such as role assignment changes or extension deployments on VMs.
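As an added example (not code from the original post), here is the kind of detection logic you would run over Activity Log events, written in Python against a constructed sample of Administrative-category records. It flags the RBAC write operations that create or change subscription administrators, and VMAccess extension deployments on VMs (the credential reset discussed earlier in the post). The field names (caller, operationName, status, resourceId, eventTimestamp) and the operation names are the real Activity Log ones in their flattened form; the events, the approved-admin list and the extension-name heuristic are assumptions for the example.

```python
"""Added example for the post: alerting logic over Azure Activity Log
(Administrative category) events. The operation names are the real RBAC and
VM extension write operations; the events, the approved-admin list and the
VMAccess name heuristic are constructed for this example."""

# Operations that change who administers the subscription. Any of these
# deserves a ticket, even when an approved admin performed it.
PRIVILEGE_OPERATIONS = {
    "Microsoft.Authorization/roleAssignments/write": "RBAC role assignment created",
    "Microsoft.Authorization/roleDefinitions/write": "custom RBAC role created or changed",
    "Microsoft.Authorization/classicAdministrators/write": "classic co-administrator added",
}

# VMAccess shows up as an ordinary extension write; the Activity Log does not
# carry the extension publisher/type, so we match on the resource names the
# portal uses by default (heuristic). A deliberate attacker can pick another
# name, so also consider alerting on every extension write against sensitive VMs.
VM_EXTENSION_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"
VMACCESS_NAMES = {"vmaccessagent", "vmaccessforlinux", "enablevmaccess"}

# Hypothetical list of accounts expected to change RBAC (assumption).
APPROVED_ADMINS = {"admin-alice@contoso.example"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VM_WEB01 = SUB + "/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01"
VM_DB01 = SUB + "/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/db01"

# Constructed sample events (flattened form of what the Activity Log API or
# Get-AzureRmLog returns; real events carry many more fields).
SAMPLE_EVENTS = [
    {"eventTimestamp": "2017-06-07T14:02:11Z", "caller": "alice@contoso.example",
     "operationName": "Microsoft.Compute/virtualMachines/write",
     "status": "Succeeded", "resourceId": VM_WEB01},
    {"eventTimestamp": "2017-06-07T14:05:40Z", "caller": "admin-alice@contoso.example",
     "operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Succeeded",
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleAssignments/11111111-1111-1111-1111-111111111111"},
    {"eventTimestamp": "2017-06-07T23:41:03Z", "caller": "bob@contoso.example",
     "operationName": "Microsoft.Authorization/roleAssignments/write", "status": "Succeeded",
     "resourceId": SUB + "/providers/Microsoft.Authorization/roleAssignments/22222222-2222-2222-2222-222222222222"},
    {"eventTimestamp": "2017-06-07T23:42:51Z", "caller": "bob@contoso.example",
     "operationName": VM_EXTENSION_WRITE, "status": "Succeeded",
     "resourceId": VM_WEB01 + "/extensions/VMAccessAgent"},
    {"eventTimestamp": "2017-06-07T23:43:02Z", "caller": "bob@contoso.example",
     "operationName": VM_EXTENSION_WRITE, "status": "Failed",
     "resourceId": VM_DB01 + "/extensions/VMAccessAgent"},
]


def classify(event):
    """Return (severity, reason) when an event merits an alert, else None."""
    op = event["operationName"]
    caller = event["caller"]
    if op in PRIVILEGE_OPERATIONS:
        reason = PRIVILEGE_OPERATIONS[op]
        severity = "medium" if caller in APPROVED_ADMINS else "high"
    elif op == VM_EXTENSION_WRITE and \
            event["resourceId"].rsplit("/", 1)[-1].lower() in VMACCESS_NAMES:
        reason = "VMAccess extension written (guest credential reset)"
        severity = "high"
    else:
        return None
    if event["status"] != "Succeeded":
        # Failed attempts are still worth seeing: they show intent.
        reason += " [status: %s]" % event["status"]
    return severity, reason


def find_alerts(events):
    """Run classify() over the events in time order and return the alerts."""
    alerts = []
    for e in sorted(events, key=lambda e: e["eventTimestamp"]):
        hit = classify(e)
        if hit is not None:
            severity, reason = hit
            alerts.append({"time": e["eventTimestamp"], "caller": e["caller"],
                           "severity": severity, "reason": reason,
                           "resourceId": e["resourceId"]})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print("%s %-6s %-28s %s" % (a["time"], a["severity"].upper(), a["caller"], a["reason"]))
```

The same conditions map directly onto Activity Log alert rules in Azure Monitor (match on the operation name and, for the RBAC operations, on any status), so the script doubles as a checklist of what to configure; the ordinary VM write by alice produces nothing, while bob's role assignment followed by a VMAccess reset on the same night is exactly the subscription-admin-to-VM pivot the talk describes.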

In conclusion, there are techniques in Azure that can help defend against the threats shown in this video.  The crown jewels in Azure are the subscription admin accounts, and there are things we can do to help mitigate threats against them.