Finding Attack Paths in Cloud Environments


The mass adoption of cloud infrastructure is fully justified by its innumerable advantages. Today, the cloud is home to many of organizations' most critical business applications, data, and workloads.

Hackers, good and bad, have noticed that trend and effectively evolved their attack techniques to match this new tantalizing target landscape. With threat actors’ high reactivity and adaptability, it is recommended to assume that organizations are under attack and that some user accounts or applications might already have been compromised.

Finding out exactly which assets are put at risk through compromised accounts or breached assets requires mapping potential attack paths across a comprehensive map of all the relationships between assets.

Today, mapping potential attack paths is performed with scanning tools such as AzureHound or AWSPX. These tools are graph-based and allow visualization of resource and asset relationships within the cloud service provider.

By resolving policy information, these collectors determine how specific access paths affect specific resources and how combining these access paths might be used to create attack paths.

These graph-based collectors produce topological results that map out every cloud-hosted entity in the environment and their relationships.

The links between entities established in the resulting graph are analyzed according to the assets' properties to extract the exact nature of each relationship and the logical interaction between assets, based on:

  • The relationship direction: the direction in which assets X and Y are connected.
  • The relationship type: whether asset X is
    • contained by asset Y
    • able to access asset Y
    • able to act on asset Y

The goal of the information provided is to assist red teamers in identifying potential lateral movement and privilege escalation attack paths and blue teamers in finding ways to block critical escalation and stop an attacker.

The keyword in that sentence is "assist." The comprehensive mapping output they generate is a passive result: the information still has to be analyzed accurately and promptly, and then acted upon, before potential attack paths are effectively mapped and preventative measures taken.

Though the information provided by cloud-specific collectors will shine a light on misconfigurations in Privileged Access Management and faulty Identity and Access Management (IAM) policies, and so enable preemptive corrective action, it fails to detect secondary permission layers that an attacker could leverage to carve out an attack path.

This requires additional analytical capabilities able to perform in-depth analysis of, for example, assets that contain other assets, and the implicit relationships that the contained assets carry with them. Cymulate is currently developing a toolkit that operationalizes a more active discovery approach and performs a far more in-depth analysis.

For example, suppose that privileged user A has access to key vault X. A graph-based collector can correctly map user A's relationship with asset X.

In this instance, the relationship between A and key vault X is not direct. As per the classification above, if we call the secrets held in X assets Y1 to Yn, the relationships described by the collector are:

  • Asset Y is contained by asset X
  • The direction of the connection between user A and asset X is A → X

From an adversarial perspective, though, gaining access to the key vault holds the potential of gaining access to every asset reachable through those secrets. In other words, the graph-based relationship map fails to identify the relationships between user A and assets Y1 to Yn. Surfacing them requires analytical capabilities that can identify relationships between assets contained within other assets and assets external to the containing asset.

In this instance, mapping all assets that are related to key vault X is required in order to determine which assets may be at risk.
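The following is an added example, not code from the article or from Cymulate's toolkit. It models the key-vault case above with the article's own relationship types (contained by, can access, can act on) and contrasts the one-hop view a plain relationship map gives with a traversal that steps into a container's contents, which is the secondary permission layer the article says collectors miss. All asset names (user:A, keyvault:X, secret:Y1, storage:Z1 and so on) are constructed sample data.

```python
"""Why a direct-edge view under-reports exposure.

Models the article's key-vault case: user A can access key vault X, X contains
secrets Y1..Yn, and each secret in turn grants access to some other asset.
All asset names are constructed sample data, not taken from a real tenant.
"""
from collections import defaultdict, deque

# Relationship types from the article's classification
CONTAINED_BY = "contained_by"
CAN_ACCESS = "can_access"
CAN_ACT_ON = "can_act_on"
ACCESS_TYPES = (CAN_ACCESS, CAN_ACT_ON)


class AssetGraph:
    """Directed graph of cloud assets.

    An edge (src, rel, dst) is stored in the direction the article defines:
    'src can_access dst', 'src can_act_on dst', 'src contained_by dst'.
    For containment we also keep the reverse index so that reaching a container
    lets us enumerate everything inside it.
    """

    def __init__(self):
        self.edges = defaultdict(list)     # src -> [(dst, rel)]
        self.contains = defaultdict(list)  # container -> [contained asset]

    def add(self, src, rel, dst):
        self.edges[src].append((dst, rel))
        if rel == CONTAINED_BY:
            self.contains[dst].append(src)

    def direct(self, asset):
        """What a plain relationship map shows: one hop over access edges only."""
        return {dst for dst, rel in self.edges[asset] if rel in ACCESS_TYPES}

    def _explore(self, start):
        """BFS that follows access edges and, on reaching a container, steps
        into its contents. Returns {asset: (predecessor, relation)}."""
        parent = {}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            steps = [(dst, rel) for dst, rel in self.edges[node] if rel in ACCESS_TYPES]
            steps += [(inner, "contains") for inner in self.contains[node]]
            for nxt, rel in steps:
                if nxt != start and nxt not in parent:
                    parent[nxt] = (node, rel)
                    queue.append(nxt)
        return parent

    def at_risk(self, start):
        """Every asset reachable from `start` via access or containment."""
        return set(self._explore(start))

    def attack_path(self, start, target):
        """Human-readable chain from start to target, or None if unreachable."""
        parent = self._explore(start)
        if target not in parent:
            return None
        chain = []
        node = target
        while node != start:
            prev, rel = parent[node]
            chain.append(f"{prev} --{rel}--> {node}")
            node = prev
        return list(reversed(chain))


def build_sample_graph():
    """Constructed sample tenant mirroring the article's key-vault example."""
    g = AssetGraph()
    g.add("user:A", CAN_ACCESS, "keyvault:X")
    g.add("secret:Y1", CONTAINED_BY, "keyvault:X")
    g.add("secret:Y2", CONTAINED_BY, "keyvault:X")
    g.add("secret:Y1", CAN_ACCESS, "storage:Z1")   # Y1 is a storage connection string
    g.add("secret:Y2", CAN_ACT_ON, "db:Z2")        # Y2 is a database admin credential
    g.add("user:B", CAN_ACCESS, "storage:Z3")      # unrelated principal, for contrast
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    print("direct view :", sorted(g.direct("user:A")))      # only keyvault:X
    print("at risk     :", sorted(g.at_risk("user:A")))     # X, Y1, Y2, Z1, Z2
    for step in g.attack_path("user:A", "db:Z2"):
        print("  ", step)
```

The direct view reports only keyvault:X for user A, which is exactly what the article describes a collector returning. The at-risk set adds the secrets and everything they unlock, and `attack_path` gives the chain a defender needs to decide which link to cut (rotate the secret, narrow the vault access policy, or both). In a real environment the containment and access edges would be populated from collector output rather than hand-built.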

Cymulate's extensive array of continuous security validation capabilities, unified in an Extended Security Posture Management (XSPM) platform, is already adopted by red teamers to automate, scale, and customize attack scenarios and campaigns. Always seeking new ways to help them overcome such challenges, Cymulate is committed to continuously enriching the platform's toolset with additional capabilities.

Explore XSPM capabilities freely at your leisure.

Note: This article was written by Cymulate Research Labs.
