Change is afoot. The private, public and third sectors are transitioning from on-premises and datacenter-hosted infrastructure to hybrid architectures utilizing software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS) hosted on a variety of cloud platforms. The pivot towards cloud infrastructure providers is unsurprising given the benefits of increased scalability and flexibility of deployment and a more attractive pay-as-you-go pricing model versus on-premises deployments. As a result, companies increasingly want to hire people with the skills to manage and secure this new type of infrastructure.
Where there is a skills demand, competitive salaries follow, and potential employees are looking to become knowledgeable in cloud technologies.
Even before the pandemic, cloud-based tools were very popular. The pandemic has further accelerated the adoption of these tools and services, as the global workforce converted to remote employees overnight. There simply wasn’t the time to build out on-premises infrastructure when off-the-shelf collaboration and remote working solutions were readily available. According to the Statista Cloud (IaaS) Market Share publication, Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) are the three largest cloud service providers, having captured over 60% of the market between them.
A further advantage of the cloud is the “fix once, fix for everyone” concept, which isn’t possible with on-premises infrastructure deployments. However, the cloud is no cyber security panacea, and data breaches involving the cloud show no sign of abating.
A very well-known example of a cloud security issue was the Capital One breach in 2019. A web application firewall hosted on an Amazon EC2 instance was found to suffer from an SSRF (Server-Side Request Forgery) vulnerability, which a hacker leveraged to access the internal EC2 instance metadata service (IMDS). The metadata contained credentials that permitted access to an S3 bucket containing the PII of more than 100 million Americans.
This issue could have been prevented by avoiding use of IMDS version 1, which doesn’t require any authentication. However, at the time of writing, AWS still enables IMDSv1 by default on newly created EC2 instances, and even cautions against disabling it.
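The IMDSv1 exposure described above is something a defender can audit directly. The following script is an added example written for this article (it is not code from the original post, from AWS, or from any tool the article names). It takes the structure that boto3's ec2.describe_instances() returns, flags every instance whose metadata endpoint is enabled but does not require a session token, and assembles the modify_instance_metadata_options() call that enforces IMDSv2. The instance records are constructed so it runs offline; the assumption that an instance record with no MetadataOptions key means "AWS default, IMDSv1 reachable" is labelled in the code.

```python
"""Flag EC2 instances that still answer IMDSv1 requests, and build the fix.

Added example, not from the article. It consumes the dict shape that boto3's
ec2.describe_instances() returns; the sample below is constructed so the
script runs offline. Assumption (labelled): an instance record with no
MetadataOptions key is treated as the AWS default, i.e. endpoint enabled and
tokens optional, which means IMDSv1 is reachable.
"""
from typing import Dict, List

# Constructed sample shaped like describe_instances()["Reservations"].
SAMPLE_RESERVATIONS: List[Dict] = [
    {"Instances": [
        {"InstanceId": "i-0aaa111", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0bbb222", "MetadataOptions": {
            "HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
        {"InstanceId": "i-0ccc333", "MetadataOptions": {
            "HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 2}},
        {"InstanceId": "i-0ddd444"},  # no MetadataOptions key at all (see assumption above)
    ]},
]


def imdsv1_exposed(instance: Dict) -> bool:
    """True when the metadata endpoint serves plain GET requests with no session token.

    That is the condition an SSRF bug in a web application on the instance can
    reach: IMDSv2 insists on a prior PUT carrying a custom header to obtain a
    token, which an ordinary SSRF primitive does not issue.
    """
    opts = instance.get("MetadataOptions", {})
    endpoint_on = opts.get("HttpEndpoint", "enabled") == "enabled"
    tokens_required = opts.get("HttpTokens", "optional") == "required"
    return endpoint_on and not tokens_required


def find_imdsv1_instances(reservations: List[Dict]) -> List[str]:
    """Instance IDs from a describe_instances() response that still permit IMDSv1."""
    return [
        inst["InstanceId"]
        for res in reservations
        for inst in res.get("Instances", [])
        if imdsv1_exposed(inst)
    ]


def remediation_params(instance_id: str, hop_limit: int = 1) -> Dict:
    """Keyword arguments for ec2.modify_instance_metadata_options().

    HttpTokens="required" switches IMDSv1 off. A hop limit of 1 stops the
    token response from being forwarded past the instance itself, e.g. into a
    container that has its own network namespace.
    """
    return {
        "InstanceId": instance_id,
        "HttpEndpoint": "enabled",
        "HttpTokens": "required",
        "HttpPutResponseHopLimit": hop_limit,
    }


def enforce_imdsv2(ec2_client, reservations: List[Dict], dry_run: bool = True) -> List[Dict]:
    """Plan (or, with dry_run=False, apply) the fix for every exposed instance.

    ec2_client is a boto3 EC2 client; it is only touched when dry_run is False,
    so the planning path runs without AWS credentials.
    """
    calls = []
    for instance_id in find_imdsv1_instances(reservations):
        params = remediation_params(instance_id)
        if not dry_run:
            ec2_client.modify_instance_metadata_options(**params)
        calls.append(params)
    return calls


if __name__ == "__main__":
    # Offline run over the constructed sample. Against a real account you would
    # pass boto3.client("ec2").describe_instances()["Reservations"] instead.
    for call in enforce_imdsv2(None, SAMPLE_RESERVATIONS, dry_run=True):
        print("would require IMDSv2 on", call["InstanceId"])
```

Run it as a dry run first and review the planned calls; once the application on each instance is confirmed to use an SDK that speaks IMDSv2, rerun with dry_run=False against a real boto3 client.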
Historically, an even simpler issue has been implicated in countless data breaches – cloud storage buckets that have been incorrectly configured to allow public access. This issue isn’t restricted to AWS S3 buckets; there are many examples online of GCP and Azure cloud storage being similarly misconfigured. Although AWS and other cloud providers now provide ample warnings when data is about to be made publicly accessible, these issues persist.
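Whether a bucket is actually public depends on three things working together: the bucket ACL, the bucket policy, and the account- or bucket-level Public Access Block settings. The script below is an added example for this article, not code from the original post or from AWS. It evaluates dicts shaped like the boto3 responses of get_bucket_acl(), get_bucket_policy() (with the Policy string parsed as JSON) and get_public_access_block(), and returns a verdict with the evidence behind it. The samples are constructed; the simplifications (a public ACL grant only counts when IgnorePublicAcls is off, and a wildcard-principal statement only counts when RestrictPublicBuckets is off and the statement carries no Condition) are stated in the code.

```python
"""Work out whether an S3 bucket is effectively public from its ACL, bucket
policy and Public Access Block settings.

Added example, not from the article. The inputs mirror the boto3 responses of
get_bucket_acl(), get_bucket_policy() (the Policy string parsed as JSON) and
get_public_access_block()["PublicAccessBlockConfiguration"]; the samples are
constructed. Simplification, stated as such: a public ACL grant only counts if
IgnorePublicAcls is off, and a wildcard-principal policy statement only counts
if RestrictPublicBuckets is off and the statement has no Condition block.
"""
import json
from typing import Dict, List

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# Constructed samples: an owner grant plus a world-readable ACL grant ...
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
# ... a policy with one unconditional public statement and one VPC-endpoint-scoped one ...
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}}
  ]}""")
# ... and Public Access Block entirely switched off.
SAMPLE_PAB = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}


def public_acl_grants(acl: Dict) -> List[str]:
    """Grants to the AllUsers / AuthenticatedUsers groups, as 'who:PERMISSION'."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GROUP_URIS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and who:
            hits.append(f"{who}:{grant.get('Permission')}")
    return hits


def _wildcard_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy: Dict) -> List[str]:
    """Sids of unconditional Allow statements addressed to a wildcard principal."""
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement may be given as an object
        stmts = [stmts]
    return [
        s.get("Sid", "<no Sid>")
        for s in stmts
        if s.get("Effect") == "Allow"
        and _wildcard_principal(s.get("Principal"))
        and not s.get("Condition")
    ]


def assess_bucket(acl: Dict, policy: Dict, pab: Dict) -> Dict:
    """One verdict plus the evidence behind it."""
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy)
    acl_effective = bool(acl_hits) and not pab.get("IgnorePublicAcls", False)
    policy_effective = bool(policy_hits) and not pab.get("RestrictPublicBuckets", False)
    return {
        "public": acl_effective or policy_effective,
        "acl_grants": acl_hits,
        "policy_statements": policy_hits,
        "pab_settings_off": sorted(k for k, v in pab.items() if not v),
    }


if __name__ == "__main__":
    print(assess_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB))
```

The point of reporting pab_settings_off alongside the verdict is that turning all four Public Access Block settings on is the one change that neutralises both a stray ACL grant and a careless policy at once, which is why the same sample bucket is reported as not public once those settings are enabled. Treating any Condition block as "not public" is deliberately conservative in one direction only: a condition such as aws:SecureTransport does not narrow the principal, so such statements deserve a manual look.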
There’s also a lack of awareness that the default cloud service accounts are often over-privileged. When spinning up a GCP Compute Engine instance, for example, if the project’s default service account is used and it is granted the “Allow full access to all cloud APIs” access scope, this presents an easy privilege escalation opportunity. Developers are often given latitude to spin up their own compute instances and infrastructure, which IT or security teams may lack visibility into. These may fall far below organizational security standards, adding to the risks of shadow IT and presenting opportunities for hackers. There can also be a misunderstanding of, or a lack of awareness of, the access controls and relationships between provisioned cloud resources.
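The default-service-account problem is easy to find once you know what to look for in an instance listing. The script below is an added example for this article (not code from the original post, from Google, or from any tool named later). It reads records shaped like the Compute Engine instance resource, as printed by `gcloud compute instances list --format=json`, rates each instance by whether it runs as the project default compute service account and whether it carries the cloud-platform scope (the scope behind the “Allow full access to all cloud APIs” option), and produces the gcloud command that swaps in a dedicated service account with narrower scopes. The instance records, project number and service-account names are constructed; the naming-pattern assumption for the default service account is labelled in the code.

```python
"""Rate Compute Engine instances by the service account and access scope they
run with, and produce the gcloud command that swaps in a least-privilege pair.

Added example, not from the article. Input records mirror the compute API
instance resource (what `gcloud compute instances list --format=json` prints):
a `serviceAccounts` list of {email, scopes}. The samples are constructed.
Assumption (labelled): the project default service account is recognised by
the <project-number>-compute@developer.gserviceaccount.com naming pattern; the
"Allow full access to all Cloud APIs" console option corresponds to the
cloud-platform scope.
"""
import re
from typing import Dict, List

FULL_ACCESS_SCOPE = "https://www.googleapis.com/auth/cloud-platform"
DEFAULT_COMPUTE_SA = re.compile(r"^\d+-compute@developer\.gserviceaccount\.com$")

# Constructed sample instances (project number, names and zones are placeholders).
SAMPLE_INSTANCES: List[Dict] = [
    {"name": "build-box", "zone": "us-central1-a", "serviceAccounts": [
        {"email": "123456789012-compute@developer.gserviceaccount.com",
         "scopes": [FULL_ACCESS_SCOPE]}]},
    {"name": "web-1", "zone": "us-central1-a", "serviceAccounts": [
        {"email": "123456789012-compute@developer.gserviceaccount.com",
         "scopes": ["https://www.googleapis.com/auth/logging.write",
                    "https://www.googleapis.com/auth/monitoring.write"]}]},
    {"name": "worker-2", "zone": "europe-west1-b", "serviceAccounts": [
        {"email": "worker-sa@example-project.iam.gserviceaccount.com",
         "scopes": [FULL_ACCESS_SCOPE]}]},
    {"name": "no-sa", "zone": "europe-west1-b"},
]


def sa_flags(instance: Dict) -> Dict[str, bool]:
    """Does the instance use the default compute SA, and does any SA carry the full-access scope?"""
    flags = {"default_sa": False, "full_scope": False}
    for sa in instance.get("serviceAccounts", []):
        flags["default_sa"] |= bool(DEFAULT_COMPUTE_SA.match(sa.get("email", "")))
        flags["full_scope"] |= FULL_ACCESS_SCOPE in sa.get("scopes", [])
    return flags


def classify(instance: Dict) -> str:
    """'high' when the default SA is combined with the full-access scope,
    'medium' for either alone, 'low' otherwise.

    The effective permission of a token fetched from the instance metadata
    server is the intersection of the access scope and the SA's IAM roles. The
    default compute SA is granted the project Editor role unless that automatic
    grant has been disabled, so with the full-access scope nothing narrows it.
    """
    f = sa_flags(instance)
    if f["default_sa"] and f["full_scope"]:
        return "high"
    if f["default_sa"] or f["full_scope"]:
        return "medium"
    return "low"


def audit(instances: List[Dict]) -> Dict[str, str]:
    """Instance name -> rating, for a whole listing."""
    return {inst["name"]: classify(inst) for inst in instances}


def remediation_command(instance: Dict, service_account: str, scopes: List[str]) -> str:
    """gcloud command that replaces the SA/scope pair (the instance must be stopped first)."""
    return (
        f"gcloud compute instances set-service-account {instance['name']} "
        f"--zone {instance['zone']} --service-account {service_account} "
        f"--scopes {','.join(scopes)}"
    )


if __name__ == "__main__":
    for name, rating in audit(SAMPLE_INSTANCES).items():
        print(f"{name}: {rating}")
    print(remediation_command(SAMPLE_INSTANCES[0],
                              "build-sa@example-project.iam.gserviceaccount.com",
                              ["https://www.googleapis.com/auth/logging.write"]))
```

Scopes are a coarse, legacy control; the durable fix is a dedicated service account per workload with only the IAM roles it needs, at which point the scope matters far less. The rating here is intentionally simple so it can be dropped into a scheduled job that feeds the results to whoever owns the project.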
Organizations can be caught out by thinking that they can lift-and-shift their existing applications, services and data to the cloud, where they will be secure by default. The reality is that migrating workloads to the cloud requires significant planning and due diligence, and the addition of cloud management expertise to their workforce. Workloads in the cloud rely on a shared responsibility model, with the cloud provider assuming responsibility for the fabric of the cloud, and the customer assuming responsibility for the servers, services, applications and data within (assuming an IaaS model).
However, these boundaries can seem somewhat fuzzy, especially as there isn’t a uniform shared responsibility model across cloud providers, which can result in misunderstandings for companies that use multi-cloud environments. With so much invested in cloud infrastructure – and with a general lack of awareness of cloud security issues and responsibilities, as well as a lack of skills to manage and secure these environments – there is much to be done. It’s crucial for developers and administrators to be provided with cloud and security training, allowing them to code and provision resources securely.
Hack the skills gap
According to the US Bureau of Labor Statistics’ Occupational Outlook Handbook for Information Security Analysts, released in September 2021, cybersecurity professions in general are one of the fastest-growing professional sectors, with roles linked to cloud security in particularly high demand. The current 3 million global cybersecurity talent shortfall is creating challenges for organizations, as the skillsets of existing employees for securely managing traditional infrastructure don’t translate to cloud environments. A new set of skills is needed to manage cloud security as people look to pivot their skill sets to the cloud, which is leading to a surge in demand for training.
For offensive folks, traditional infrastructure pentesting is somewhat like cloud pentesting. For example, an individual could gain access through an exposed web application or other service hosted in the cloud, look to escalate privileges on the compromised host and then move laterally to other identified applications and cloud services. After moving laterally, and potentially gaining access to a more privileged account in the cloud environment, this could allow someone to take over the environment completely.
However, there are many vectors which are unique to the cloud. Knowledge of these vectors and familiarity with the CLI management tools for each cloud platform will allow professionals to undertake a more rigorous examination of a client’s security posture. To upskill in the cloud, it’s necessary to be comfortable with scripting, be familiar with the CLI management tools for each cloud platform (or the one you primarily want to specialize in) and have a sound knowledge of offensive cloud toolkits. It’s recommended to gain hands-on experience with deploying and intentionally misconfiguring resources that can be exploited and to look at various ways that they could be hardened.
Offensive cloud tools
Cloud environments, much like traditional Active Directory environments, contain a bewildering array of permissions and possibilities for chained object-to-object control.
While it is possible to use CLI tools to enumerate and identify the best attack paths, open source offensive security tooling has been created to perform the heavy lifting of enumeration and can accelerate progress towards our objectives.
The BloodHound Active Directory auditing tool needs little introduction – it is widely used by red and blue teams alike. Azure AD is not Active Directory, although there are conceptual similarities, and BloodHound’s capability has been extended to assess Azure environments. Updated BloodHound node types include Azure Subscriptions, VMs, Users, Service Principals, Apps, Resource Groups, Tenants, Key Vaults and Devices, while the new Azure edges include auditing for Global Admin, Contributor, RunAs permissions, and much else besides. GitHub projects such as VulnerableAzure create an intentionally vulnerable Azure environment in which to explore the new BloodHound features.
For AWS, some popular offensive toolkits include pacu and WeirdAAL. Although they don’t graphically display the object-to-object control relationships or highlight potential attack chains leading to account takeover, they both identify misconfigurations and privileges that can allow us to move laterally and vertically within AWS environments. For GCP environments, ScoutSuite is a CLI tool that identifies possible attack vectors. Tooling for Azure and AWS is generally more prevalent, but offensive tooling for GCP should become more widely available as the adoption of GCP increases.
Professionals must undertake dedicated cloud security training to ensure their skills, whether offensive or defensive, can protect the sensitive information stored in cloud environments.