3.6 Attacks & exploits: Cloud attacks Flashcards
Attacking the Cloud: what are the ways to attack the cloud (4)?
- Malware Injection Attack
- Side-Channel Attack
- Direct-To-Origin (D2O) Attack
- Denial of Service (DoS) Attack
Attacking the Cloud: explain Malware Injection Attack
▪ Attempts to add an infected service implementation module to the cloud service
▪ The attacker is attempting to insert malicious code into a cloud service or server
Attacking the Cloud: explain Side-Channel Attack and how to prevent from it (3)
▪ Aims to measure or exploit the indirect effects of a system instead of targeting the code or program directly
▪ Prevention:
● Data encryption
● Multi-factor authentication
● Routine monitoring and auditing
Attacking the Cloud: explain Direct-To-Origin (D2O) Attack and explain step-by-step how it happens (3)
▪ Attempts to bypass reverse proxies to directly attack the original network or IP address of the cloud-based server:
1- The attacker launches the attack against the reverse proxy, which forwards it to the origin server
2- The reverse proxy discloses
Attacking the Cloud: explain Denial of Service (DoS) Attack and Resource Exhaustion Techniques
Used to attack any protocol, device, operating system, or service to try and disrupt the services it provides to its users.
Resource Exhaustion Techniques:
● Amplification/Volumetric Attack: Used to saturate the bandwidth of a given network resource
● Fragmentation of Requests: Sending multiple fragmented HTTP requests to a server
Attacking the Cloud: what are the other DoS Attacks (6)
● Packet flood
● SYN flood
● HTTP flood
● DNS flood
● DNS amplification
● NTP amplification
Credential Harvesting: what is it?
Any attack designed to steal usernames and passwords
Credential Harvesting: list the different ways to harvest credentials (3)
o Account Takeover
o Privilege Escalation
o Vulnerabilities to Exploit
Credential Harvesting: what is the Account Takeover type of credential harvesting? Is it easily detected?
▪ Attackers silently embed themselves within an organization to slowly gain additional access or infiltrate new organizations
▪ Account takeovers are very hard to detect
Credential Harvesting: what is the Privilege Escalation type of credential harvesting? Name the 2 types of privilege escalation.
Occurs when an attacker gains the rights of another user or an administrator:
● Vertical: User to admin/root account
● Horizontal: User to another user account
Credential Harvesting: what are the Vulnerabilities to Exploit to do credential harvesting (7)?
▪ Security Account Manager (SAM) File: Contains the hashed passwords of every user on a given Windows system or domain
▪ Windows UAC
▪ Weak Process Permissions
▪ Shared folders: Many organizations do not enable access controls to their files and folders on a shared drive
▪ Dynamic Link Library (DLL): A library file that contains code that can be used or referenced by more than one program
▪ Writable services: Writable services and unquoted service paths can be used to inject a malicious application that will be launched during startup
▪ Missing patches
Misconfigured Assets: what is a misconfigured cloud asset?
Account, storage, container, or other cloud-based resource that is vulnerable to attack because of its current configuration
Misconfigured Assets: what is Cloud Federation? How can you prevent misconfigured cloud federation?
▪ The combination of infrastructure, platform services, and software to create data and applications that are hosted by the cloud
▪ Identify who’s responsible for the approval of new services and servers, as well as for their vulnerability and patch management
Misconfigured Assets: what is Identity and Access Management (IAM)?
Defines how users and devices are represented in the organization and their associated permissions to resources within the organization’s cloud federation
Misconfigured Assets: what are the assets types to be configured in IAM (5)? How should they be configured?
▪ Personnel Type: Used in IAM to define identities for an organization’s employees. An organization should ensure they are providing good end-user security training
▪ Endpoint Type: Used for resources and devices that are used by personnel to gain legitimate access to the network. Use centralized EMS. Validate endpoints
▪ Server Type: Used for mission-critical systems that provide a service to other users and endpoints. Encryption schemas. Digital certificates. Configuration hardening
▪ Software Type: Used by IAM to uniquely identify a software’s provenance prior to installation. A public key infrastructure should be used to provide higher levels of authentication and authority
▪ Role Type: Used to support the identities of various assets and associated permission and rights to the roles or functions of those resources
Misconfigured Assets: what is a Privileged Account?
Allows the user to perform additional tasks, such as installing software, upgrading the operating system, modifying configurations, and deleting software or files
Misconfigured Assets: what is a Shared Account?
Any account where the password or authentication credential is shared between more than one person
Misconfigured Assets: what is Object Storage? How do you configure it?
▪ Bucket: Amazon Web Services
▪ Blob: Microsoft Azure
▪ An object is the equivalent of a file, and a container is the folder
▪ Object ACLs
▪ Container policies
▪ Access management authorizations
Misconfigured Assets: what is a Cross-Origin Resource Sharing (CORS) Policy? How do you configure it?
▪ Allows objects to be read from multiple domain names and displayed properly in the end user’s browser
▪ OWASP Top 10 lists CORS policy misconfiguration under “Broken Access Control”
Misconfigured Assets: what is a Container? What vulnerabilities can a container have (5)?
▪ An image that contains everything needed to run a single application or microservice
▪ Vulnerabilities:
● Embedded malware
● Missing critical security updates
● Outdated software
● Configuration defects
● Hard-coded cleartext passwords
Metadata Service Attack: what is a Metadata Service? Why are they a cybersecurity risk?
▪ Used to provide data about an organization’s instances so that they can configure or manage their running instances
▪ Some big breaches were tied back to attacks against the metadata service as the initial attack vector
Metadata Service Attack: explain Server-Side Request Forgery (SSRF) and what data can be retrieved with this attack
A type of attack that takes advantage of the trust relationship between the server and the other resources it can access:
● Exploits vulnerable applications
● Communicates with the Metadata Service
● Extracts credentials
● Pivots into cloud account
Metadata Service Attack: why are SSRF and Metadata Service Attacks related?
Metadata service attack is a form of server-side request forgery attack that focuses on taking metadata about the instances
Software Development Kit (SDK): what is it and why can they have vulnerabilities?
▪ A package of tools dedicated to a specific programming language or platform commonly used by developers when creating apps
▪ SDKs can contain vulnerabilities if the author who built those functions didn’t do a good job.
SDK libraries are designed to be consistent, approachable, diagnosable, dependable, and idiomatic
Auditing the Cloud: what is ScoutSuite?
An open-source tool written in Python that can be used to audit instances and policies created on multicloud platforms by collecting data using API calls
Auditing the Cloud: what is Prowler?
▪ An open-source security tool used for security best practices assessments, audits, incident response, continuous monitoring, hardening, and forensics readiness for AWS cloud services
▪ Prowler is a command-line tool that can create a report in HTML, CSV, and JSON formats
Auditing the Cloud: what is Pacu?
An exploitation framework used to assess the security configuration of an Amazon Web Services (AWS) account
Auditing the Cloud: what is CloudBrute?
Used to find a target’s infrastructure, files, and apps across the top cloud service providers, including Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, and Linode
Auditing the Cloud: what is Cloud Custodian?
▪ An open-source cloud security, governance, and management tool designed to help admins create policies based on different resource types
▪ Cloud Custodian is a stateless rules engine used to manage AWS environments by validating and enforcing the environment against set standards