Find attack paths in cloud environments

The mass adoption of cloud infrastructures is justified by myriad benefits. As a result, today’s most sensitive business applications, workloads and data are in the cloud.

Hackers, good and bad, have noticed this trend and have effectively evolved their attack techniques to accommodate this new enticing target landscape. Given the high responsiveness and adaptability of threat actors, it is recommended to assume that organizations are under attack and that some user accounts or applications may already have been compromised.

To pinpoint exactly which assets are at risk from compromised accounts or breached assets, potential attack paths must be mapped using a comprehensive map of all relationships between assets.

Today, potential attack paths are mapped using scanning tools such as AzureHound or AWSPX. These are graph-based tools that enable the visualization of assets and resource relationships within the associated cloud service provider.

By resolving policy information, these collectors determine how specific access paths affect specific resources and how combining these access paths can be used to create attack paths.

These graph-based collectors display topological results that map all cloud-hosted entities in the environment and the relationships between them.

The links between each entity created in the resulting diagram are analyzed according to the properties of the asset to extract the exact nature of the relationship and the logical interaction between the assets based on:

  • The relationship direction – is the connection directed from Asset X to Asset Y, or vice versa?
  • The relationship type – is Asset X:
    • Contained in Asset Y
    • Able to access Asset Y
    • Able to act on Asset Y

The goal of the information provided is to assist Red teamers in identifying potential lateral movement and privilege escalation attack paths, and to assist Blue teamers in finding ways to block critical escalations and stop an attacker.

The key word in this sentence is “assist”. The comprehensive mapping output they generate is a passive outcome, as the information needs to be analyzed and acted upon accurately and in a timely manner to effectively map potential attack paths and take preventive action.

Although the information provided by cloud-specific collectors sheds light on misconfigurations in Privileged Access Management and flawed Identity Access Manager (IAM) policies and enables preemptive corrective actions, they do not identify potential secondary levels of privilege that an attacker could leverage to carve an attack path.

This requires additional analytical skills capable of performing in-depth analysis of, for example, the contained assets and the passive relationships relative to the contained assets. Cymulate is currently developing a toolkit that operationalizes a more active discovery approach that performs far more in-depth analysis.

For example, if we imagine a situation where privileged user A has access to key vault X, a graph-based collector will correctly map the relationship between user A and asset X.

In this case, there is no direct relationship between user A and the secrets contained in key vault X. Using the classification above, if we label the secrets Assets Y(1 to n), the relationships reported by the collector are:

  • Asset Y is contained within Asset X
  • The direction of the connection between user A and asset X is A ⇒ X.

However, from an adversary perspective, accessing the key vault has the potential to gain access to any assets reachable through those secrets. In other words, the relationship map should also show the relationships between user A and assets Y(1 to n), and onward to the assets those secrets unlock. This requires analytical skills that allow identifying the relationships between assets contained within other assets and assets outside of the containing asset.

In this case, to find out exactly which assets are potentially compromised by User A, all assets related to the secrets stored in Key Vault X must be mapped.
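The following is an added example (not Cymulate's toolkit or any collector's code) that shows the difference between what a collector reports for user A and the transitive attack paths a deeper analysis yields. The relationship names, asset identifiers and the small inventory are constructed for illustration and mirror the key vault scenario above.

```python
from collections import defaultdict, deque

# Relationship types from the article's classification (names assumed here).
CONTAINS = "contains"       # Asset X contains Asset Y
CAN_ACCESS = "can_access"   # Asset X can access Asset Y
CAN_ACT_ON = "can_act_on"   # Asset X can act on Asset Y

# Constructed sample inventory: user A can access key vault X, which contains
# secrets Y1 and Y2; each secret authenticates to a further asset.
EDGES = [
    ("user:A", CAN_ACCESS, "keyvault:X"),
    ("keyvault:X", CONTAINS, "secret:Y1"),
    ("keyvault:X", CONTAINS, "secret:Y2"),
    ("secret:Y1", CAN_ACCESS, "storage:blob-prod"),
    ("secret:Y2", CAN_ACT_ON, "vm:db-01"),
    ("vm:db-01", CAN_ACCESS, "sql:customers"),
    ("user:B", CAN_ACCESS, "keyvault:Z"),   # unrelated branch, must not appear
]


def build_graph(edges):
    """Adjacency list keyed by source asset: src -> [(relationship, dst), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def direct_relationships(graph, principal):
    """What a graph-based collector reports for a principal: its direct edges only."""
    return {(rel, dst) for rel, dst in graph.get(principal, [])}


def attack_paths(graph, principal, follow=(CONTAINS, CAN_ACCESS, CAN_ACT_ON)):
    """Breadth-first walk that also descends into contained assets (secrets)
    and follows what they can reach. Returns {asset: path-from-principal},
    so a defender can see every asset exposed by a compromise of `principal`."""
    paths = {}
    queue = deque([(principal, [principal])])
    seen = {principal}
    while queue:
        node, path = queue.popleft()
        for rel, dst in graph.get(node, []):
            if rel not in follow or dst in seen:
                continue
            seen.add(dst)
            paths[dst] = path + [rel, dst]
            queue.append((dst, paths[dst]))
    return paths


if __name__ == "__main__":
    g = build_graph(EDGES)
    print("collector view:", direct_relationships(g, "user:A"))
    for asset, path in attack_paths(g, "user:A").items():
        print(asset, "<-", " ".join(path))
```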

Cymulate’s extensive suite of continuous security validation capabilities, unified in an Extended Security Posture Management (XSPM) platform, is already being adopted by Red Teamers to automate, scale and customize attack scenarios and campaigns. Cymulate is always looking for new ways to help them overcome such challenges and is committed to continuously enriching the platform’s toolset with additional features.

Explore XSPM features at your leisure.

Note: This article was written by Cymulate Research Labs.
