Hackfest 2023 - Back to the Future

Cloud environments: Red Team perspectives
2023-10-14, 15:30–16:20, Track #1

This presentation delves into the realm of cloud computing's security challenges and the Red Team perspective. It sheds light on intrusion testing, shared security models, and vulnerabilities unique to cloud systems. The discussion covers cloud intrusion testing's importance, methodologies, and distinctiveness compared to traditional approaches. Identity and Access Management's crucial role will be highlighted and explain through the 3 main CSP AWS/Azure/GCP, their main differences and security implication. The talk will outlines reasons for conducting Red Team engagements focusing on critical resource access. Applied assessment methodologies are proposed, including BlackBox, AssumBreach, and White Box approaches. Attack scenarios, based on the Mitre Att&ck Cloud Matrix framework, are explored, encompassing various stages. The presentation also delves into using the cloud offensively (Redirectors, storage and delivery), cloud-based phishing and Oauth abuse. The aim is to facilitate knowledge exchange, encourage research, and enhance cloud security by leveraging Red Team insights.

Cloud computing has become an integral part of modern infrastructure, offering scalable and flexible solutions for businesses. However, this new paradigm brings its own set of security challenges. This presentation aims to explore the Red Team perspectives in cloud environments, focusing on various aspects such as intrusion testing, shared security models, and the unique vulnerabilities and attack vectors associated with cloud-based systems (AWS/GCP/Azure).

This presentation will introduce the concept of cloud intrusion testing and its significance in today's technological landscape, from the perspective of an attacker or Red Team operator. Standards and frameworks will be discussed to provide a comprehensive understanding of its purpose, objectives, and main differences compared to more classic approaches such as network, web application, mobile, and wireless intrusion testing. Emphasis will be placed on the heavy reliance on Identity and Access Management (IAM) as a crucial factor in enabling or restricting actions within cloud environments.

The reasons for conducting intrusion tests and Red Team engagements in cloud environments will be outlined, highlighting similar attack surfaces to web applications or external networks. Additionally, the potential access to critical resources will be addressed, including development pipelines, CI/CD systems, sensitive data backups or storage, user accounts synchronized with on-premise domains, synchronization with on-premise Active Directory servers, and management of devices and computers through services like Azure Hybrid Joined and Intune.

Furthermore, applied methodologies for assessing and testing the security posture of cloud environments will be proposed, offering three distinct approaches or positions: BlackBox, AssumBreach, and White Box. These approaches will provide the audience with practical guidance on how to approach cloud environment assessments and intrusion testing engagements.

Subsequently, TTPs (Tactics, Techniques, and Procedures) and attack scenarios based on the Mitre Att&ck Cloud Matrix framework will be presented, covering enumeration/discovery, initial access, persistence, and impact. Examples will range from password spray limitation bypass to S3 Ransomware detonation.

Expanding the scope of the discussion, the concept of the cloud as an offensive tool in Red Team operations and social engineering will be explored. Examples of cloud-based phishing approaches and the offensive use of cloud resources will be presented.

Finally, the emerging field of Purple Team within the cloud environment will be briefly touched upon. Collaborative approaches that bring together Red and Blue Teams to enhance cloud security will be discussed.

Are you releasing a tool? – No