
#PurpleTeamSummit Targeting Cloud IAM policies never looked so good - Nathaniel Quist

"Identity and Access Management (IAM) is the cornerstone for keeping cloud environments secure. However, due to dynamically scalable infrastructure and the need to access ever-growing datasets, IAM policy misconfigurations can and do occur. In this presentation, we will dive into key findings from our Unit 42 Fall 2020 Cloud Threat Report, including: how IAM policies can be misused, what IAM policies are commonly misconfigured, who targets them, and what they can lead to.

Using the findings from a recent Red Team exercise we led, I will detail how we compromised a massively scaled AWS environment, which maintained 1000s of workloads, 500+ users, and 1000+ unique roles. By solely exploiting misconfigured IAM trust policies, we gained access to internal data storage from an unauthenticated external account by leveraging a misconfigured IAM trust entity, and we gained admin privileges to the entire organizational cloud environment by exploiting a single misconfigured custom IAM role. By illustrating the actions we took, and the tactics used, I will show the audience how cybercriminals can perform any number of attacks against an organization that maintains these same vulnerable IAM policies.

Finally, I will detail how some of the IAM weaknesses addressed in the red team exercise are being targeted in the wild. Known cryptojacking malware families, like TeamTNT and Kinsing, have recently begun adding code to their malware targeting AWS credential and configuration files, as well as performing additional post-exploit operations. The actions taken by these groups allow the actors behind the malware families to expand the attackable surface and potentially compromise additional systems using the same tactics we demonstrate within the red team exercise.

I will close the presentation by giving concrete examples of how security teams can view and configure their IAM settings to ensure they can survive cloud identity attacks."

Nathaniel "Q" Quist works with Palo Alto Networks' Unit 42 and Prisma Cloud as a Senior Threat Researcher focused on researching the threats facing public cloud platforms, tools, and services. He has worked within Government, Public, and Private sectors, and holds a Master of Science in Information Security Engineering (MSISE) from The SANS Institute, where he focused on Network and System Forensics, Malware Reversal, and Incident Response. He is the author of multiple blogs, reports, and whitepapers published by Unit 42 as well as the SANS InfoSec Reading Room. Q is actively focused on identifying the threats facing cloud environments, specifically the malware targeting those environments and the actor groups behind those attacks.

Video "#PurpleTeamSummit Targeting Cloud IAM policies never looked so good - Nathaniel Quist" posted by Python школа