How to Manage Complex Clouds Based on Cyber Resistance

Okay, so it's a pleasure to be here. Once again, it's my, I think I'm talking in coping air.

Cool, since 2019. It's four years talking in different events. And my idea today is to talk more about this, to bring some challenge that we have inside the cloud, right? So we talk about how to manage complex cloud based on cyber resistant. It's a quite no name and I'm Philipps by the way. I'm security research from ura. Let me go to the this one.

Okay, so who am I basically am researcher and sales, cybersecurity advocates, security, it's global company responsible for provide Penn solutions and other kind of solutions looking from privileged access management, right? I a advisor, the black and whites technology and I'm advocate, I'm working a lot with different community, right? So hack is not a crime, it's super nice, not name, but the future behind of this because hacking is really not a crime, is a misconception actually. It's a kind of lifestyle, how you can discover it, you know, vulnerabilities and you can help companies.

But the correct name is Fred Actors or attacker or something like this. And means Nick is Nick's ambassador and I'm one of the leads of the DEFCON groups in Sao Paulo, by the way, I'm Brazilian, but I live in Portugal now and I'm structure writer and reviewer. Those three magazines in Europe based on Poland, but they spread around the Europe and sell products and mainly courses and articles, okay? And first of all, just would like to put all people on the same page. Simple definition. What is a thread? Okay? So it's not my definition, it's a core desire, okay?

Is based on the potential, cause remember we are talking about the cloud. So we need to investigate something potential. This is a kind of threat, but what is exactly threat flip is a software attack. Maybe the theft of intellectual property, maybe it's identity theft, maybe it's a sub. And information structure are example of the information security threats. The last one is more mixed sense when you talk about the REM somewhere, right? So this is a threat.

So again, threat is a potential thing that you need to investigate. Okay, nice. So the topic of the talk, the title of the talk that our conversation this morning is cyber resistance, cyber resilience, probably I already heard about that, right?

So I, I, I bring you just the simple picture about some difference because again, it's a concept, right? One is more technical thing, how you can increase your, you know, your wall, let's say this way, how you can using some tools to help you implementing future or something like this. And on the other hand you have a resilience. It's more think about the policy, the organizational things. So how you're the manager and the governance can help you to protect. So what is the best is the best is using both, right?

Because again, we have a technical part, we have an organizational part is is it is nice to put all those peoples, all those things in the same page when you talk about the bigs organizations and this more as well, okay? Now what kind of challenge we have? So let me invite you to think about some brainstorm. So we have a possible insider. Probably you see something on the news about inside that thread. So nowadays you no need to go to the GP web for example, to hiring some people to open the door in your organization.

So if you read the news, usually you see sometimes about new zero days, but usually it's more focused on misconfiguration or some people that open the door like you know, an employee or a third party open this, right? So this is a kind of insider thread. You have a privileged access management in the past we have an admin IT team responsible for admin access in the environment. But nowadays we need to give the admin access for a different people inside of the organization, right? We need to give sometimes the access to the C level board, right?

Because they need to do something, they need to travel for event or to talking to participate in meeting and they need to give this kind of access. Another is mainly based on the, on the pandemic work from home, right? So now the companies are working more hybrid so they need to give the access. Another thing is cloud access.

Again, we are talking about the cloud, not on cloud like AWS for example Azure, but moot cloud, that's another challenge. So what would be the risk impact when we open different store or you know, permissions user and something like this. Other things to think is we need to give the access when you talk about more about the company, about the developer team. So they need to access many apps, right?

And because they need to create different apps, features and something like this, we need to give the access to the DevOps team because they need to optimize the process again, they need to access a different systems to creating like a ci cd pipeline. So they need to integrate all those things. So you cannot broken this pipeline. So because of that, many times you give the privileged access from this guy. Other thing is a database team responsible for provide this for the application cloud teams leader of the business unit. So we have more than one access to give in the organization, right?

So let me show you a simple thing here. I dunno if the, can you change my, the page and my share because I change here. Can you change the, I share another page I'm sharing here. Can you see, no, this is another, no, I'm sharing here this, let me go.

Okay, I got it. One second guys. Where we solve this?

Okay, no problem. We solve this, but now we have another problem. But anyway, I will change one second please. We will solve fast, very fast here.

Okay, nice. Okay, I solved this. Nice.

Okay, I just would like to show you something that we can do. When you talk about the simple document, it's a part technical things. So we have here some files in my machine. So I just would like to sh to you know, share with you some possible manipulation things in the file and how is when you, when the attacker using some file to infect an environment when they need to have the specifically entry point inside of the environment, right? So they need infect that environment. This is the per the first part when you attack performance of attack.

And after that they need to check if they find some, for example, credentials or they need to find if they have other network connections or how many networks they are inside of this environment. So it's a kind of discovery, right?

Or the, the recognize size step. Okay? So I have some files here. The first file that probably is very curious is the mower, another is a sample rejects or something like this, right? So we have a simple comment called file because this a simple tools inside of the Linux platform that you can, you know, check the type of file. Okay? You can see it's good now, okay, so when you try to perform on this, take a look.

This, this is a simple PDF file, okay? So maybe if you receive some CV for example, or if you receive some, you know, invoice for example, if you work in a financial team, so probably the financial team or the HR team will open this file, right? Because it's the work the day, this is the job, right? To open pdf. We open like a open invoice. Okay? But I have an interesting thing inside of this specifically pdf, right? So have you read this specifically file? If you see this, a simple print stuffs here.

So if you know something about, you know, Python script is a simple print information about the Python, okay? So, but I have here one PDF file if you see doc pdf, okay? Based on next station. Nice. And if I try for example to use a Python script here to read this specifically file pdf. When you try to use it here, they did, they doesn't work because mainly is not a a, a Python script here. But I can manipulate something here, I can change a simple thing here in this specifically file because I have this, let's call a string or some letters.

But he's in this case is a, is a a definition, call it magic number. This is the way that the fire using to identify what fire it is, okay? So they're not using the extension to identify the fire, they use the magic number to identify this type of file. Okay? That's the key here. Because if I, for example, cut here for example, and I save the same file here as you can see, let me save here, I save here X, okay?

And yes, and I say here if I try to put in the same common file to, to see the typo data looks, take a look what you, what I saying here is the text file is different if you go see below, now below, above here, you see that is a pdf, right? But now it's a text. If I try to using the same common patent MA pdf, now it's a patent code, right? Let me confirm this. But thet again is another. So if I try to using PDF ID is another tool that you can use it to identify, to identify some specifically PDF files. So when you try this, take a look what the information that we see here is not pdf. Okay?

Why? Because it's a, it is a Python script. That's correct because I sat here once again Python and it works. So now it's a Python. Even the extension is the dock pdf. So if I return here once again and I change and put for example PDF percent pdf, this is a magic number one of this information. Of course they use more than one PDF doc, one point whatever. And I save here once again, let me save, let me save once again, okay?

Yes, let me check if save, save, okay. And if I try to see the pdf, I, because I change now the same result.

No, now it is a pdf you see. So now we have a pdf. This is the header of the pdf, okay? And if you, if you see the check, this is basically the version that we can read the pdf.

So I, I do, I did simple manipulations here about PDF as you can see here. So imagine how easy it is for some, you know, malicious threat actors or threat threat actors or attacker manipulate, things like this.

So, so now we need to think how the impact we can see in the cloud because we have many connections, many permissions, many rules. Okay? So let's return here our presentations just to finish this and how we can ex explore cloud environments without looking from zero days for example. So I would like to show you something like this. Remember when the attacker has the entry point, they will check if they find some credentials inside of the environment, right? So maybe they can find some AWS key sometimes because some misconfigurations or mis, you know, the user work, not a good way.

Or even the attacker find, for example, some AW AWS credentials on the internet for example on GitHub or something like this. So they try to using the AWS C i in this case as I show you. So list users, list policy here or list groups as you can see here. So if you see in this picture, we don't have any access, access deny because you don't have a permission. But let me show you something interesting if you have inside of the aws we have one specifically service, call it aam, right? So identity access management, usually they're using inside of the cloud to manage this, to configure something.

And if you have this only permission, that's a kind of action as you can see here. Create policy version. So you can disable all permissions that you have inside the aws. But if you have just checkbox here, enable, let's see what happened. So I created a simple policy here as you can see, and I call policy Porwal attack module because are you using this attack based on the permissions? Okay? So after that I just go to the website of the, from AWS and I put in on the internet. So how I can create full permission aws, you know, from on the internet.

So this is the kind of information we can collect from aws. It's easier, they will recommend you how you can use and how you can increase your permissions on AWS because they recommend you to using cli. Not recommend, but you can use it by user interface or you can use it by CLI in this case. So I just creating this full access, as you can see here, we can describe other things. You can list route in accounts, you can list policies and many things.

So I call this attacker exploitation doc JK because I remember if I have an access in the environment, I can set some comments using aws, C L I and I can manipulate something. So that's the common, basically AWS AAM is the service create policy version.

Again, where you find this common Philip on the AWS website because this is the way that AWS recommend to using CLI to not only the user interface, but you can use in this by cli. After that you need to set the policy arm, the AWS research name. This is the, the number of course I set the pulse that I created.

Okay, but remember this is the pulse that I created. But for if you gain the access, you try to list the policy. Remember this another comment here as you can see list policy, if the user has the access, even the access is limited, you can read the bunch of policy that you have. If you find one, one of this policy that you have the creation new policy version, as you can see here, you just need to copy and paste this J zone from aws. Set this comment from AWS because we will find in this ex exactly this name, okay, this path.

And after that you need to set the policy document that you created as I created here attacker exploitation doc J zone. And you can use in this flag set as or this parameter dash set as the full. And after that run works good. And after that I using the same, the same comment as you can see here. So now we have access to the all users. I can set other different comments like list, you know, policy, listy route. Because remember this is a bunch of full permissions in ns. So you see it's not a zero day, it's basically how you can using true permissions to explore environments, right?

So you just need to find a specifically user that has this specifically policy. Okay? So nice. So this is just to finish this presentation. This is a simple picture from new 4G database. Okay? This is one of, I'm using here, the open source version. By the way, just to show you the small impact here when you talk about the cloud, okay? So you see here the profile of the CO here, the support guy. One is another user called Thor, and this is a manager. So if you see here, we have a different colors basically from this specifically new four J. You can see here the account access key from AWS e.

Here you can see AWS account. So if you work in some organizations, sometimes, sometimes you just have not only one AWS account, but you have more than one, right? So we can check here for example, and policy states, AWS groups, AWS policy, AWS principle. It's a kind of information that I put in like a principal user access or something like this if you see here. So it's a simple query inside of the database in this case from NEO four J. And you see how many relationships we have in between users, between groups, between rules, between different service, right? So that's the key.

So how we can, you know, find, because we have many threats here, many point of attack here. So based on the pilot, as I show you during this conversation this morning, so we, we have a complexity on the cloud. This is just a four guys in us in uc, four people. They have many different relationships.

This, in this case I just enabled the AAM service. Imagine the cloud in AWS for example, that you have more than one service like C two, like buckets, three VCP and others and so on and so on. And imagine those relationship when you talk about aws e, Azure, gcp, Okta, and other different identity provides and cloud and so on and so on. So we have a million of the possibilities to explore and to move laterally. Okay? So that's the key. So I finish here my presentations, I dunno if we have questions. I think we have a two minutes maybe I hope should be useful for you. And thank you.

Thank you so much again. Any questions?

Well, Philippe, I have a question of my own if I may. Of course. Basically looking at your presentation, does it imply that basically the whole cloud security industry is kind of useless if you don't get your cloud identity management right?

Yeah, actually the, if you see on AWS for example, you can use another cloud provider. So they have a marketplace and if you see there, they have commend you the security vendors to offer you another level of the security. And the other thing, you have a sharing responsibility on the cloud.

So for me, talk about the identity. They have some suggestion, they have a best practice the cloud are investing in, in security. But you know, it's a, it's a layer. So our main point is we should give the difficult for the attacker because if you see I just change policy and gain the access. So we need to make the, the job of the attacker more diff more difficult, you know, so that's the key. So where do we find those tools? Like what keywords should we start Googling for? Basically? You mean the, the tool that you can find for that attacker using you?

No, no, no. I I mean you have demonstrated basically that it's kind of easy to bypass a lot of, yeah, It's Easy additional security consultants.

Yeah, but your identity is The first step, for example. So How do you, how do your identity?

Yeah, you should, you should see for the best practice for the vendor, in this case AWS, that I show you, we need to recommend you, for example, if you try to using some scam for any vendors or open source two, the first recommendation that they looking is for example, this MFA enable. So we still have many users, disabled mfa for example. So the recommendation is AWS Azure has a recommendation we, we should go. And not only this, but putting another layer like some security vendors to protect using, for example, pan solution, implementing a zero trust.

Because you know, we need to check the connections. When you talk about the outsider outside user using, for example, remote sessions or 30 parties, you need to increase this protection, you need to offering this, you need to manage in this because it's easy when you have, for example, developer team responsible for create code, usually they have the developer environment, the staging or in the productions. Okay? So one of the main fault that the developer do is they put in this, this key open to the internet.

So they, the attacker don't need to do difficult things, they just need to search on the GitHub for example. They will find nowadays, unfortunately, or for, I dunno if it's in unfortunately or not, we can find the keys, we can find the open, open doors to the internet. It's easier because of that for our side, we should, you know, go to the recommendations and not only the vendors, the cloud providers, but the vendors and to increase and to make the, the job of the attacker more difficult. Okay?

So basically my takeaway from your presentation is that security is everyone's responsibility nowadays, right? You better just say, I have a security team. Everyone's is on the team. Now Actually the security teams can help you. But if you see, so the people with the team is small, you know, and let me give you an example. For example, the security team is responsible for looking from the cloud, the security in, in the cloud. But on the other hand, you have the cloud team responsible for providing instance for the developer team. On the other hand, you have a market team.

This lady is from marketing, okay, is my colleague. And this team sometimes is responsible for providing some campaigns. Probably they need to have some access inside of AWS to manage this campaigns. And they need to have the access in the cloud. And sometimes when you talk about big or big organizations, the security team don't have the ac, the management of this market team.

So, and they have an instance sometimes publishing on the internet. It's not a fault of the marketing, but it's the fault of the process.

You see, that's the key. So it's a challenge. Working security is a challenge, but it's good. It's good. Believe me, it's good. It's a lot of fun at least. Yeah. Yeah. Well thanks again, Phillip. It's lunchtime.

We'll, oh yeah. Back in an hour. Yeah. See you. Thank you guys.