Empirical Cloud Security: Practical Intelligence to Evaluate Risks and Attacks

Author
Aditya K. Sood
Publisher
Mercury Learning and Information
Year
2021
Language
English
Pages
469
Category
Library


✦ Synopsis


This book is designed for security and risk assessment professionals, DevOps engineers, penetration testers, cloud security engineers, and cloud software developers who are interested in learning practical approaches to cloud security. It covers practical strategies for assessing the security and privacy of your cloud infrastructure and applications, and shows how to secure your cloud infrastructure to combat threats and attacks and to prevent data breaches. The chapters follow a granular framework: each starts with the security concepts, continues with hands-on assessment techniques based on real-world studies, and concludes with recommendations, including best practices.

FEATURES:

  • Includes practical strategies for assessing the security and privacy of your cloud infrastructure and applications
  • Covers topics such as cloud architecture and security fundamentals, database and storage security, data privacy, security and risk assessments, controls related to continuous monitoring, and more
  • Presents several case studies revealing how threat actors abuse and exploit cloud environments to spread malware

✦ Table of Contents


Contents
Preface
Acknowledgments
About the Author
1 Cloud Architecture and Security Fundamentals
Understanding Cloud Virtualization
Cloud Computing Models
Comparing Virtualization and Cloud Computing
Containerization in the Cloud
Components of Containerized Applications
Serverless Computing in the Cloud
Components of Serverless Applications
The Characteristics of VMs, Containers, and Serverless Computing
Embedding Security in the DevOps Model
Understanding Cloud Security Pillars
Cloud Security Testing and Assessment Methodologies
References
2 IAM for Authentication and Authorization: Security Assessment
Understanding Identity and Access Management Policies
IAM Policy Types and Elements
IAM Policy Variables and Identifiers
Managed and Inline Policy Characterization
IAM Users, Groups, and Roles
Trust Relationships and Cross-Account Access
IAM Access Policy Examples
Identity and Resource Policies: Security Misconfigurations
Confused Deputy Problems
Over-Permissive Role Trust Policy
Guessable Identifiers in Role Trust Policy
Privilege Escalation via an Unrestricted IAM Resource
Insecure Policies for Serverless Functions
Unrestricted Access to the VPC Endpoints
Insecure Configuration in Passing IAM Roles to Services
Uploading Unencrypted Objects to Storage Buckets Without Ownership
Misconfigured Origin Access Identity for CDN Distribution
Authentication and Authorization Controls Review
Multi Factor Authentication (MFA)
User Credential Rotation
Password Policy Configuration
Administrative or Root Privileges
SSH Access Keys for Cloud Instances
Unused Accounts, Credentials, and Resources
API Gateway Client-Side Certificates for Authenticity
Key Management Service (KMS) Customer Master Keys
Users Authentication from Approved IP Addresses and Locations
Recommendations
Automation Scripts for Security Testing
MFA Check
IAM Users Administrator Privileges Analysis
IAM Users SSH Keys Analysis
References
3 Cloud Infrastructure: Network Security Assessment
Network Security: Threats and Flaws
Why Perform a Network Security Assessment?
Understanding Security Groups and Network Access Control Lists
Understanding VPC Peering
Security Misconfigurations in SGs and NACLs
Unrestricted Egress Traffic via SGs Outbound Rules
Unrestricted Egress Traffic via NACLs Outbound Rules
Insecure NACL Rule Ordering
Over-Permissive Ingress Rules
Cloud Network Infrastructure: Practical Security Issues
Insecure Configuration of Virtual Private Clouds
Insecure Bastion Hosts Implementation
Insecure Cloud VPN Configuration
Reviewing Deployment Schemes for Load Balancers
Insecure Implementation of Network Security Resiliency Services
Exposed Cloud Network Services: Case Studies
AWS Credential Leakage via Directory Indexing
OpenSSH Service Leaking OS Information
OpenSSH Service Authentication Type Enumeration
OpenSSH Service with Weak Encryption Ciphers
RDP Services with Insecure TLS Configurations
Portmapper Service Abuse for Reflective DDoS Attacks
Information Disclosure via NTP Service
Leaked REST API Interfaces via Unsecured Software
Unauthorized Operations via Unsecured Cloud Data Flow Server
Information Disclosure via Container Monitoring Software Interfaces
Credential Leakage via Unrestricted Automation Server Interfaces
Data Disclosure via Search Cluster Visualization Interfaces
Insecure DNS Servers Prone to Multiple Attacks
Recommendations
References
4 Database and Storage Services: Security Assessment
Database Cloud Deployments
Deploying Databases as Cloud Services
Databases Running on Virtual Machines
Containerized Databases
Cloud Databases
Cloud Databases: Practical Security Issues
Verifying Authentication State of Cloud Database
Database Point-in-Time Recovery Backups Not Enabled
Database Active Backups and Snapshots Not Encrypted
Database Updates Not Configured
Database Backup Retention Time Period Not Set
Database Delete Protection Not Configured
Cloud Storage Services
Cloud Storage Services: Practical Security Issues
Security Posture Check for Storage Buckets
Unencrypted Storage Volumes, Snapshots, and Filesystems
Unrestricted Access to Backup Snapshots
Automating Attack Testing Against Cloud Databases and Storage Services
Unsecured Databases and Storage Service Deployments: Case Studies
Publicly Exposed Storage Buckets
Unsecured Redis Instances with Passwordless Access
Penetrating the Exposed MySQL RDS Instances
Data Destruction via Unsecured Memcached Interfaces
Privilege Access Verification of Exposed CouchDB Interfaces
Keyspace Access and Dumping Credentials for Exposed Cassandra Interfaces
Data Exfiltration via Search Queries on Exposed Elasticsearch Interface
Dropping Databases on Unsecured MongoDB Instances
Exploiting Unpatched Vulnerabilities in Database Instances: Case Studies
Privilege Escalation and Remote Command Execution in CouchDB
Reverse Shell via Remote Code Execution on Elasticsearch/Kibana
Remote Code Execution via JMX/RMI in Cassandra
Recommendations
References
5 Design and Analysis of Cryptography Controls: Security Assessment
Understanding Data Security in the Cloud
Cryptographic Techniques for Data Security
Data Protection Using Server-Side Encryption (SSE)
Client-Side Data Encryption Using SDKs
Data Protection Using Transport Layer Encryption
Cryptographic Code: Application Development and Operations
Crypto Secret Storage and Management
Data Security: Cryptographic Verification and Assessment
Machine Image Encryption Test
File System Encryption Test
Storage Volumes and Snapshots Encryption Test
Storage Buckets Encryption Test
Storage Buckets Transport Encryption Policy Test
TLS Support for Data Migration Endpoints Test
Encryption for Cloud Clusters
Node-to-Node Encryption for Cloud Clusters
Encryption for Cloud Streaming Services
Encryption for Cloud Notification Services
Encryption for Cloud Queue Services
Cryptographic Library Verification and Vulnerability Assessment
TLS Certificate Assessment of Cloud Endpoints
TLS Security Check of Cloud Endpoints
Hard-Coded Secrets in the Cloud Infrastructure
Cryptographic Secret Storage in the Cloud
Recommendations for Applied Cryptography Practice
References
6 Cloud Applications: Secure Code Review
Why Perform a Secure Code Review?
Introduction to Security Frameworks
Application Code Security: Case Studies
Insecure Logging
Insecure File Operations and Handling
Insecure Input Validations and Code Injections
Insecure Application Secrets Storage
Insecure Configuration
Use of Outdated Software Packages and Libraries
Code Auditing and Review Using Automated Tools
Recommendations
References
7 Cloud Monitoring and Logging: Security Assessment
Understanding Cloud Logging and Monitoring
Log Management Lifecycle
Log Publishing and Processing Models
Categorization of Log Types
Enumerating Logging Levels
Logging and Monitoring: Security Assessment
Event Trails Verification for Cloud Management Accounts
Cloud Services Logging: Configuration Review
Log Policies via Cloud Formation Templates
Transmitting Cloud Software Logs Over Unencrypted Channels
Sensitive Data Leakage in Cloud Event Logs
Case Studies: Exposed Cloud Logging Infrastructure
Scanning Web Interfaces for Exposed Logging Software
Leaking Logging Configurations for Microservice Software
Unrestricted Web Interface for the VPN Syslog Server
Exposed Elasticsearch Indices Leaking Nginx Access Logs
Exposed Automation Server Leaks Application Build Logs
Sensitive Data Exposure via Logs in Storage Buckets
Unrestricted Cluster Interface Leaking Executor and Jobs Logs
Recommendations
References
8 Privacy in the Cloud
Understanding Data Classification
Data Privacy by Design Framework
Learning Data Flow Modeling
Data Leakage and Exposure Assessment
Privacy Compliance and Laws
EU General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA)
A Primer of Data Leakage Case Studies
Sensitive Documents Exposure via Cloud Storage Buckets
Data Exfiltration via Infected Cloud VM Instances
Exposed SSH Keys via Unsecured Cloud VM Instances
Environment Mapping via Exposed Database Web Interfaces
Data Leakage via Exposed Access Logs
Data Leakage via Application Execution Logs
PII Leakage via Exposed Cloud Instance API Interfaces
Stolen Data: Public Advertisements for Monetization
Recommendations
References
9 Cloud Security and Privacy: Flaws, Attacks, and Impact Assessments
Understanding the Basics of Security Flaws, Threats, and Attacks
Understanding the Threat Actors
Security Threats in the Cloud Environment and Infrastructure
Security Flaws in Cloud Virtualization
Security Flaws in Containers
Virtualization and Containerization Attacks
Security Flaws in Cloud Applications
Application-Level Attacks
Security Flaws in Operating Systems
OS-Level Attacks
Security Flaws in Cloud Access Management and Services
Network-Level Attacks
Security Flaws in the Code Development Platform
Hybrid Attacks via Social Engineering and Malicious Code
Security Impact Assessment
Privacy Impact Assessment
Secure Cloud Design Review Benchmarks
Recommendations
References
10 Malicious Code in the Cloud
Malicious Code Infections in the Cloud
Malicious Code Distribution: A Drive-By Download Attack Model
Hosting Malicious Code in Cloud Storage Services
Abusing a Storage Service’s Inherent Functionality
Distributing Malicious IoT Bot Binaries
Hosting Scareware for Social Engineering
Distributing Malicious Packed Windows Executables
Compromised Cloud Database Instances
Ransomware Infections in Elasticsearch Instances
Ransomware Infections in MongoDB Instances
Elasticsearch Data Destruction via Malicious Bots
Malicious Code Redirecting Visitors to Phishing Webpages
Deployments of Command and Control Panels
Malicious Domains Using Cloud Instances to Spread Malware
Cloud Instances Running Cryptominers via Cron Jobs
Indirect Attacks on Target Cloud Infrastructure
Cloud Account Credential Stealing via Phishing
Unauthorized Operations via Man-in-the-Browser Attack
Exfiltrating Cloud CLI Stored Credentials
Exfiltrating Synchronization Token via Man-in-the-Cloud Attacks
Infecting Virtual Machines and Containers
Exploiting Vulnerabilities in Network Services
Exposed and Misconfigured Containers
Injecting Code in Container Images
Unsecured API Endpoints
Stealthy Execution of Malicious Code in VMs
Deploying Unpatched Software
Malicious Code Injection via Vulnerable Applications
References
11 Threat Intelligence and Malware Protection in the Cloud
Threat Intelligence
Threat Intelligence in the Cloud
Threat Intelligence Classification
Threat Intelligence Frameworks
Conceptual View of a Threat Intelligence Platform
Understanding Indicators of Compromise and Attack
Implementing Cloud Threat Intelligence Platforms
Using AWS Services for Data Collection and Threat Intelligence
Enterprise Security Tools for Data Collection and Threat Intelligence
Open-Source Frameworks for Data Collection and Threat Intelligence
Hybrid Approach to Collecting and Visualizing Intelligence
Cloud Honeypot Deployment for Data Collection
Threat Intelligence: Use Cases Based on Security Controls
Scanning Storage Buckets for Potential Infections
Detecting Brute-Force Attacks Against Exposed SSH/RDP Services
Scanning Cloud Instances for Potential Virus Infections
Understanding Malware Protection
Malware Detection
Malware Prevention
Techniques, Tactics, and Procedures
References
Conclusion
Appendix A List of Serverless Computing Services
Appendix B List of Serverless Frameworks
Appendix C List of SaaS, PaaS, IaaS, and FaaS Providers
Appendix D List of Containerized Services and Open Source Software
Appendix E List of Critical RDP Vulnerabilities
Appendix F List of Network Tools and Scripts
Appendix G List of Databases Default TCP/UDP Ports
Appendix H List of Database Assessment Tools, Commands, and Scripts
Appendix I List of CouchDB API Commands and Resources
Appendix J List of CQLSH Cassandra Database SQL Queries
Appendix K List of Elasticsearch Queries
Appendix L AWS Services CLI Commands
Appendix M List of Vault and Secret Managers
Appendix N List of TLS Security Vulnerabilities for Assessment
Appendix O List of Cloud Logging and Monitoring Services
Index

