writing

Highlights from fwd:cloudsec Europe 2024

September 17, 2024

Highlights From Fwd:cloudsec Europe 2024
LAST UPDATED

This week in Brussels was fwd:cloudsec Europe, the first European edition of the vendor-neutral cloud security conference for practitioners. Datadog sponsored the event and presented two research talks by Katie Knowles and Nick Frichette.

You'll find below the list of talks with a pointer to the slides. The videos are available on YouTube.

fwd:cloudsec Europe talks

How to 10X Your Cloud Security

Rami McCarthy, a well-known practitioner from the community, presented several ways to build an efficient and pragmatic cloud security program. At a high level, he recommends to:

  • Start by doing things manually, then only automate them when they have shown value and you need to scale them. Otherwise, you risk spending time automating something that you won’t end up using.
  • Focus on high-signal, low-noise tools. Having a good signal is usually more important than perfect coverage, especially in the context of a security team with limited resources.
  • Use guardrails and paved roads. Make it easy for developers and platform/infrastructure teams to do the right thing in a secure-by-default mindset, and provide guardrails to ensure that a human mistake doesn't turn into a data breach.

Rami also discussed security scorecards, partnering with FinOps, and leveraging security canaries for early attacker detection.

Cloud-Conscious Tactics, Techniques, and Procedures (TTPs)

Sebastian built this talk on a dataset of hundreds of incidents coming from CrowdStrike's incident response on the ground, trying to understand common attacker tactics in the cloud. Sebastian calls out that there are both "cloud-agnostic" and "cloud-conscious" threat actors, the latter having a deep understanding of how to actively compromise and persist in cloud environments.

Here are some key takeaways from this talk:

  • Initial compromise often happens by compromising human or machine credentials.
  • Long-lived credentials (e.g., GitHub personal access tokens, AWS access keys) are often misplaced and allow attackers for a straightforward and powerful initial access vector.
  • Attackers often persist in a cloud environment by creating new identities or backdooring existing ones—for instance, by resetting their password, adding new credentials, or enrolling new MFA devices.
  • Cloud-native features to pivot from the cloud control plane to virtual machines that are popular with cloud engineers are also attractive for attackers, particularly AWS SSM Sessions Manager, EC2 Instance Connect, and Azure Run Commands.
  • Some attackers exhibit advanced behavior to persist in compromised environments. For instance, CrowdStrike witnessed attackers adding new malicious identity providers to Entra ID and Okta tenants for long-lived persistence through IdP federation.

You can reproduce some of these real-world attacks in your environment with Stratus Red Team. Techniques available in Stratus Red Team and mentioned in this presentation include:

Hidden in Plain Sight: (Ab)using Entra ID Administrative Units

In this talk, Katie Knowles describes Entra ID Administrative Units, a new feature that allows Microsoft Entra ID to scope roles to specific users, but also allows an attacker to achieve sticky privilege persistence.

A privileged role not scoped to the AU is unable to remove the user or reset its password (click to enlarge).
A privileged role not scoped to the AU is unable to remove the user or reset its password (click to enlarge).

Read the full research here.

Service Agents and the Search for Transitive Access in GCP

"Confused deputy" is a situation where a trusted entity is tricked into performing some actions on behalf of another, less privileged entity. This is a common source of vulnerabilities in cloud providers, as some of our previous research has shown.

GCP Service Agents (click to enlarge).
GCP Service Agents (click to enlarge).

Kat describes an unfixed Google Cloud issue where an attacker with permissions on the Document AI service can misuse it to access and exfiltrate data in Google Cloud Storage buckets, even though they don't have the appropriate permissions.

A Look at the AWS Vulnerability Disclosure and Remediation Process

Like many tech companies, AWS runs a coordinated vulnerability disclosure (CVD) program allowing anyone to report vulnerabilities in AWS services. Ryan Nolette is part of the team that receives, analyzes, triages, and prioritizes these thousands of reports. He dives into the inner workings of this process at AWS, discusses the challenges he and his team face, and outlines how researchers can craft high-quality disclosures. See also AWS's vulnerability disclosure process (VDP).

Crafting a good vulnerability report to AWS (click to enlarge).
Crafting a good vulnerability report to AWS (click to enlarge).

Ryan also announced that the AWS VDP is now available on HackerOne.

Staying Sneaky in Microsoft Azure

Christian Philipov presented some offensive-focused research in Microsoft Azure, diving into how an attacker who has compromised an initial user can use different Microsoft APIs to further enumerate the environment and stay under the radar. The key is to leverage undocumented APIs used by the Azure portal rather than going through Microsoft Graph. With this method, it's possible to enumerate various permissions and group memberships without generating any Entra ID audit logs.

Using undocumented Azure APIs for silent enumeration (click to enlarge).
Using undocumented Azure APIs for silent enumeration (click to enlarge).

See also Black Hills Information Security's GraphRunner research. Our very own Nick Frichette has also extensively researched undocumented APIs in AWS.

Kubernetes Audit Log Gotchas

Shay Berkovich talked about Kubernetes control plane audit logs, especially in the context of managed Kubernetes clusters. In these clusters, the cloud provider manages the API server and the logging-related CLI flags, and they surface audit logs in different ways and formats. In addition, cloud-specific components such as daemonsets and authorization/authentication webhooks generate their own logs. These create challenges in multi-cloud situations, or when trying to write Kubernetes-focused detection rules that work independently of the cloud platform in use.

Kubernetes logging gotchas (click to enlarge).
Kubernetes logging gotchas (click to enlarge).

Who Watches the Watchmen? Stealing Credentials from Policy-as-Code Engines and beyond

Policy-as-code engines such as Open Policy Agent (OPA) are commonly used to ensure that code or configuration files follow best security practices. Shelly Raban points out that these tools are also capable, by design, of executing arbitrary code. This allows for supply chain attacks: If an attacker is able to inject malicious rules in a policy-as-code environment, they're also able to execute code and exfiltrate secrets.

Executing arbitrary code through OPA (click to enlarge).
Executing arbitrary code through OPA (click to enlarge).

Hidden Among the Clouds: A Look at Undocumented AWS APIs

Nick Frichette has found a number of vulnerabilities in AWS in the past. He describes his methodology to find undocumented AWS APIs at scale, and how that can be a valuable entrypoint for researching cloud provider vulnerabilities.

Identifying undocumented AWS APIs (click to enlarge).
Identifying undocumented AWS APIs (click to enlarge).

Nick has also open sourced a new project, undocumented-aws-api-hunter.

GCP and AWS Identity Federation: Lessons Learned From the Field as Well as Cross-Cloud Forensics and Incident Response

Multi-cloud is a common use case that creates some challenges for authentication and authorization. Marcus Hallberg and Attila Dulovics describe Spotify's journey through cross-cloud identity federation between AWS and Google Cloud. This was done in an environment with over 5,000 Google Cloud projects and 80 AWS accounts. In particular, removing long-lived credentials that don't expire was one of their goals. To achieve this, they leveraged Google Cloud's Workload Identity Federation and AWS's AssumeRoleWithWebIdentity.

Identity federation between Google Cloud and AWS (click to enlarge).
Identity federation between Google Cloud and AWS (click to enlarge).

Markus and Attila also go into detail about implications of cross-cloud identities for digital forensics and incident response.

Build Your Own CloudTrail

Chris Norman is the creator of the open source project Granted. He explores the use of the Cedar Policy Language to authorize and audit requests made to a custom web application running in the cloud. He also gives an approach for correlating application-level audit logs with CloudTrail events.

Building audit logs for a custom application (click to enlarge).
Building audit logs for a custom application (click to enlarge).

Chris released companion code alongside his talk, available on GitHub.

Conclusion

This edition of fwd:cloudsec was the first in Europe, which was a great opportunity to meet and interact with the community on that side of the Atlantic. If you liked the content, don't forget to watch the talks from the North America edition which took place back in June.

We're eager to hear from you! If you have any questions, thoughts or suggestions, shoot us a message at securitylabs@datadoghq.com or open an issue. You can also subscribe to our newsletter or RSS feed!

Updates made to this entry

September 26, 2024Added a link to the video recordings of the talks.

Did you find this article helpful?

Subscribe to the Datadog Security Digest

Get Security Labs posts, insights from the cloud security community, and the latest Datadog security features delivered to your inbox monthly. No spam.

Related Content