One Article Review

Source: AlienVault Blog
Identifier: 2839747
Publication date: 2021-05-24 10:00:00 (seen: 2021-05-26 10:05:37)
Title: AWS IAM security explained
Text:

Executive summary

AWS policies are a key foundation of good cloud security, but they are often overlooked. In this blog, we take a quick look at some AWS policies, particularly for Identity and Access Management (IAM), that could become problematic if not properly managed. We'll discuss how they can be used against us to enable attacks such as ransomware, data exfiltration, credential abuse, and more. Finally, we'll suggest some open source tools for cloud policy assessment and pentesting.

Analysis

The first step in achieving good security is having effective policies that regulate what can and cannot be done in an environment, covering both physical devices and cloud infrastructure. These regulatory policies are frequently hard to define and keep up to date, especially in a fast-paced environment using infrastructure-as-a-service (IaaS). This blog looks at some policy changes which can reduce the success of some common attack types, involving exfiltration, ransomware, credential abuse, and more. For that reason, AT&T Alien Labs is sharing an easy 'what to look for' list to help detect red flags in AWS policy changes. It is our hope that this list will be helpful for security analysts and forensic investigators.

Permissions are, spoiler alert, defined by AWS policies, which define permissions for identities and resources. Every time an IAM identity makes a request of any kind to a resource, a policy determines whether that identity is allowed or denied access to the specific resource under the policies of the involved parties. A full understanding of AWS policies (types, creation, enforcement, etc.) is outside the scope of this blog, but it can be found in the AWS documentation. People implementing AWS policies should have knowledge of the organization, adapting policies to the needs of the business. Afterwards, detection rules should be generated for red flags in CloudTrail or other security tools.

By doing this, we avoid policy changes made in a generic manner, for example using '*' to cover the whole Principal without attaching any Conditions (MFA, source IP, usernames, etc.). The problem resides in the changes made to policies on a daily basis, which are often overlooked by analysts. The impact these changes could have is as big as that of any other event or alert investigated. In order to classify all AWS actions involving a policy change that could be used by attackers, we'll sort them based on the potential final attack type. Most of the following techniques would fall under Modify Cloud Compute Infrastructure (T1578), but we have attempted to classify them outside of their specific cloud technique, as if the activity were happening in a traditional environment.

Denial of Service (DoS)

Endpoint Denial of Service (T1499): Adversaries may perform endpoint DoS attacks to degrade or block the availability of services to users. This blockage could be used as an additional impact on top of Data Encrypted for Impact (T1486) to avoid or slow down recovery efforts in a ransomware attack. In this scenario, attackers could be trying to block access to several AWS resources, such as S3, EC2 (through EFS or EBS), or backups, among others.
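The 'what to look for' check described above, written as an added example that is not part of the AlienVault post: it parses an IAM or resource policy document and flags Allow statements whose Principal is '*' with no Condition attached, and, going one step beyond the text, statements whose Action is a bare or service-level wildcard. The sample policy is constructed for the example.

```python
import json

# Constructed sample policy (not from the blog): one statement opens the resource to
# any principal with no Condition, one is scoped with an MFA condition, one uses a
# wildcard Action. The account id is a placeholder.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "MfaScoped", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "AdminStar", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "*", "Resource": "*"},
    ],
})

def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _principal_is_wildcard(principal):
    """True for "*" or for {"AWS": "*"} (any principal in any account)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def find_red_flags(policy_document):
    """Return (Sid, reason) pairs for Allow statements matching the red flags."""
    policy = json.loads(policy_document)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        # Red flag from the post: whole Principal covered by '*' and no Condition.
        if _principal_is_wildcard(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append((sid, "wildcard Principal with no Condition"))
        # Extension: '*' or 'service:*' grants every action of that scope.
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action"))):
            findings.append((sid, "wildcard Action"))
    return findings

if __name__ == "__main__":
    for sid, reason in find_red_flags(SAMPLE_POLICY):
        print(f"{sid}: {reason}")
```

The same function can be run over the policy document carried in a CloudTrail PutBucketPolicy or PutFileSystemPolicy event to turn the list into a detection rule.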
Sent: Yes
Tags: Ransomware, Tool, Threat, Guideline
The article does not appear to have been picked up after its publication.

The article does not appear to have been taken from an earlier one.