Finding Attack Paths in Cloud Environments
The mass adoption of cloud infrastructure is fully justified by innumerable advantages. As a result, today, organizations’ most sensitive business applications, workloads, and data are in the cloud.
Hackers, good and bad, have noticed that trend and effectively evolved their attack techniques to match this new tantalizing target landscape. With threat actors’ high reactivity and adaptability, it is recommended to assume that organizations are under attack and that some user accounts or applications might already have been compromised.
Finding out exactly which assets are put at risk through compromised accounts or breached assets requires mapping potential attack paths across a comprehensive map of all the relationships between assets.
Today, mapping potential attack paths is performed with scanning tools such as AzureHound or AWSPX. These are graph-based tools that visualize the relationships between assets and resources within the corresponding cloud service provider.
By resolving policy information, these collectors determine how specific access paths affect specific resources and how combining these access paths might be used to create attack paths.
These graph-based collectors display topological results mapping out all cloud-hosted entities in the environment and the relationships between them.
The links between each entity established in the resulting graph are analyzed according to the assets’ properties to extract the exact nature of the relationship and the logical interaction between assets, based on:
- The relationship direction: does the connection run from asset X to asset Y, or the other way round?
- The relationship type: is asset X
  - contained by asset Y,
  - able to access asset Y, or
  - able to act on asset Y?
The goal of the information provided is to assist red teamers in identifying potential lateral movement and privilege escalation attack paths and blue teamers in finding ways to block critical escalation and stop an attacker.
The keyword in that sentence is “assist.” The comprehensive mapping output these tools generate is a passive result: the information still has to be analyzed accurately and promptly, and then acted upon, before it effectively maps potential attack paths or leads to preventative measures.
Though the information provided by cloud-specific collectors shines a light on misconfigurations in Privileged Access Management and faulty Identity and Access Management (IAM) policies, and enables preemptive corrective action, it fails to detect the secondary permission layers that an attacker could leverage to carve out an attack path.
Detecting those layers requires additional analytical capabilities able to perform in-depth analysis of, for example, containing assets and the implicit relationships that their contained assets carry. Cymulate is currently developing a toolkit that operationalizes a more active discovery approach and performs a far more in-depth analysis.
For example, if we imagine a situation where privileged user A has access to the key vault X, a graph-based collector will correctly map the relationship between user A and asset X.
In this case, there is no direct relationship between user A and the secrets contained in key vault X. Following the classification above, if we call the secrets assets Y(1 to n), the relationships described by the collector are:
- Asset Y is contained by Asset X
- The direction of the connection between user A and asset X is A ⇒ X.
From an adversarial perspective, though, gaining access to the key vault holds the potential of gaining access to every asset accessible via those secrets. In other words, the graph-based relationship map fails to identify the relationships between user A and assets Y(1 to n). Surfacing them requires analytical capabilities that identify the relationships between assets contained within another asset and assets external to the containing asset.
In this case, finding out exactly which assets are potentially at risk from user A requires mapping out all the assets related to the secrets stored in key vault X.
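To make the gap between a collector’s first-hop view and the derived reach concrete, the following is an added example; it is not part of this article, of AzureHound or AWSPX, or of Cymulate’s toolkit. It models the three relationship types described above (contained by, can access, can act on) over a constructed sample environment in which user A can access key vault X and the secrets in X act as credentials for further assets. The asset names, the secret-to-asset edges and the choke-point scoring are assumptions made for the illustration. It shows what the collector reports for user A, what user A effectively reaches once relationships are composed across containing assets, and which single relationship a defender could remove to cut the most of that reach.

```python
"""Derive effective attack paths from a typed asset-relationship graph.

Added example: not Cymulate's toolkit and not a collector's output format.
The relationship types follow the article; the sample environment, asset
names and choke-point scoring are constructed for this demonstration.
"""
from collections import defaultdict, deque

# Relationship types as the article classifies them.
CONTAINS = "contains"        # X contains Y (a key vault contains its secrets)
CAN_ACCESS = "can_access"    # X can access Y (a user can read a key vault)
CAN_ACT_ON = "can_act_on"    # X can act on Y (a secret authenticates to a database)


class AssetGraph:
    """Directed graph of assets with typed edges, as a collector would build it."""

    def __init__(self):
        self.out = defaultdict(list)   # src -> [(relationship, dst)]

    def add(self, src, rel, dst):
        self.out[src].append((rel, dst))

    def direct(self, asset):
        """What a collector reports for an asset: first-hop relationships only."""
        return sorted(dst for _rel, dst in self.out[asset])

    def effective_reach(self, start, blocked=frozenset()):
        """Every asset an actor starting at `start` can eventually reach.

        Reachability composes across edge types: once an actor can access an
        asset, it also reaches whatever that asset contains and whatever that
        asset can act on. Returns {asset: shortest path found by BFS}.
        `blocked` holds (src, rel, dst) edges to ignore, which lets a defender
        evaluate a candidate mitigation before applying it.
        """
        paths = {start: [start]}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for rel, dst in self.out[node]:
                if (node, rel, dst) in blocked or dst in paths:
                    continue
                paths[dst] = paths[node] + [f"--{rel}-->", dst]
                queue.append(dst)
        del paths[start]
        return paths

    def choke_points(self, start):
        """Score each edge on a path from `start` by how many reachable assets
        disappear if that single edge is removed (e.g. a permission revoked or
        a secret moved out of the vault). Most effective cut first."""
        baseline = self.effective_reach(start)
        reached = set(baseline) | {start}
        scores = []
        for src in reached:
            for rel, dst in self.out[src]:
                edge = (src, rel, dst)
                remaining = self.effective_reach(start, blocked={edge})
                scores.append((len(baseline) - len(remaining), edge))
        return sorted(scores, key=lambda s: (-s[0], s[1]))


def build_sample_environment():
    """Constructed sample (placeholder names): user A reads key vault X, and the
    secrets held in X are credentials for other assets."""
    g = AssetGraph()
    g.add("user-A", CAN_ACCESS, "keyvault-X")
    g.add("keyvault-X", CONTAINS, "secret-Y1")
    g.add("keyvault-X", CONTAINS, "secret-Y2")
    g.add("secret-Y1", CAN_ACT_ON, "sql-db-1")
    g.add("secret-Y2", CAN_ACT_ON, "storage-account-1")
    g.add("storage-account-1", CONTAINS, "blob-backups")
    # An unrelated asset that user A has no path to.
    g.add("user-B", CAN_ACCESS, "keyvault-Z")
    return g


if __name__ == "__main__":
    g = build_sample_environment()
    print("collector view of user-A:", g.direct("user-A"))
    for asset, path in g.effective_reach("user-A").items():
        print("effective reach:", " ".join(path))
    for lost, edge in g.choke_points("user-A")[:3]:
        print(f"removing {edge} cuts {lost} reachable asset(s)")
```

Running it, the collector view of user A is only the key vault, while the effective reach extends through both secrets to the database, the storage account and the backups it contains. The choke-point ranking is the blue-team counterpart of the path analysis: the user-to-vault access edge cuts everything, but the second-best cut, the vault containing secret Y2, is a finding the first-hop view never attributes to user A at all.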
Cymulate’s extensive array of continuous security validation capabilities unified in an Extended Security Posture Management (XSPM) platform is already adopted by red teamers to automate, scale, and customize attack scenarios and campaigns. Always seeking new ways to help them overcome such challenges, Cymulate is committed to continuously enrich the platform toolset with additional capabilities.
Explore XSPM capabilities freely at your leisure.
Note: This article was written by Cymulate Research Labs.