Finding Attack Paths in Cloud Environments

Cloud environments

The massive adoption of cloud infrastructure is fully justified by myriad benefits. As a result, organizations' most sensitive business applications, workloads, and data now reside in the cloud.

Hackers, good and bad, have noticed that trend and have effectively developed their attack techniques to fit this new tempting target landscape. Given the high reactivity and adaptability of threat actors, it is recommended to assume that organizations are under attack and that some user accounts or applications may already have been compromised.

To know exactly which assets can be reached from a compromised account or a hacked asset, you need to map out potential attack paths across a comprehensive map of all relationships between assets.

Today, mapping potential attack paths is done with scan tools such as AzureHound or AWSPX. These are chart-based tools that enable the visualization of assets and resource relationships within the related cloud service provider.

By resolving policy information, these collectors determine how specific access paths affect specific resources and how combining these access paths can be used to create attack paths.

These graph-based collectors display topological results that map all cloud-hosted entities in the environment and the relationships between them.

The links between each entity identified in the resulting chart are analyzed based on the asset’s properties to extract the exact nature of the relationship and the logical interaction between assets based on:

  • The relationship direction – does the connection go from asset X to asset Y, or vice versa?
  • The relationship type – is asset X:
    • Contained by asset Y
    • Able to access asset Y
    • Able to act on asset Y

The purpose of the information provided is to help red teamers identify possible attack paths for lateral movement and privilege escalation, and blue teamers find ways to block critical escalation and stop an attacker.

The key word in that sentence is ‘help’. The extensive mapping output they generate is a passive result, as the information must be analyzed and acted upon accurately and in a timely manner to effectively map potential attack paths and take preventive action.

While the information from cloud-specific collectors sheds light on misconfiguration in Privileged Access Management and faulty Identity Access Manager (IAM) policies and enables preemptive corrective action, it does not detect potential secondary permission layers that an attacker could use to plot an attack path.

This requires additional analytical capabilities that can perform in-depth analysis on, for example, assets held inside other assets and the indirect relationships those embedded assets carry. Cymulate is currently developing a toolkit that operationalizes a more active discovery approach that performs much more in-depth analysis.

For example, if we imagine a situation where privileged user A has access to the key vault X, a graph-based collector will correctly map the relationship between user A and asset X.

In this case, there is no direct relationship between user A and the secrets in key vault X. According to the above classification, if we take the secret assets Y (1 to n), the relationships described by the collector are:

  • Asset Y is contained by asset X
  • The direction of the connection between user A and asset X is A → X.

However, from a hostile perspective, gaining access to the key vault potentially means gaining access to every asset reachable through those secrets. In other words, the graph-based relationship map does not identify the relationships between user A and the assets Y (1 to n). Uncovering them requires analytical capabilities that identify relationships between assets contained within other assets and assets outside the containing asset.

In this case, mapping all assets related to the secrets stored in key vault X requires identifying exactly which assets are potentially at risk from user A.
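The key vault scenario above, worked through as an added example (not Cymulate's toolkit or any collector's code): a small directed relationship graph with constructed, hypothetical asset names, where a plain listing of user A's edges shows only the key vault, while a walk that follows containment and what each secret unlocks surfaces the secondary assets at risk from user A.

```python
from collections import defaultdict, deque

# Constructed sample relationships (hypothetical names), each given as
# (source, relationship type, target); the direction is source -> target.
EDGES = [
    ("userA", "has_access", "keyvaultX"),           # the A -> X edge a collector reports
    ("keyvaultX", "contains", "secretY1"),          # Y1..Yn contained by X
    ("keyvaultX", "contains", "secretY2"),
    ("secretY1", "grants_access_to", "storageZ"),   # what each secret unlocks
    ("secretY2", "grants_access_to", "sqlW"),
    ("keyvaultX", "located_in", "resourceGroupR"),  # has a direction, conveys no access
    ("userB", "has_access", "storageZ"),
]

# Relationship types an attacker can move along. Containment and what a
# secret unlocks are the secondary permission layers the article describes;
# a location edge has a direction but grants nothing, so it is not followed.
TRAVERSABLE = {"has_access", "contains", "grants_access_to"}

def build_graph(edges):
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph

def direct_relationships(graph, principal):
    """What the collector's chart shows for a principal: its outgoing edges only."""
    return {dst for _, dst in graph.get(principal, [])}

def derived_reach(graph, principal):
    """Breadth-first walk along traversable edges, honouring edge direction.
    Returns {asset: shortest node path from principal to asset}."""
    paths = {}
    queue = deque([(principal, [principal])])
    while queue:
        node, path = queue.popleft()
        for rel, dst in graph.get(node, []):
            if rel not in TRAVERSABLE or dst in paths or dst == principal:
                continue
            paths[dst] = path + [dst]
            queue.append((dst, paths[dst]))
    return paths

def secondary_assets(graph, principal):
    """Assets at risk from the principal that never appear in its direct
    relationship list, i.e. reachable only through a secondary layer."""
    return set(derived_reach(graph, principal)) - direct_relationships(graph, principal)

if __name__ == "__main__":
    g = build_graph(EDGES)
    for asset, path in sorted(derived_reach(g, "userA").items()):
        print(asset, "via", " -> ".join(path))
```

The same walk generalizes to any relationship type you decide is traversable (group membership, role assumption), which is where the risk decision lives: the direction alone says nothing about whether an edge conveys access.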

Cymulate’s comprehensive suite of continuous security validation capabilities, unified in an Extended Security Posture Management (XSPM) platform, is already being used by red teamers to automate, scale and customize attack scenarios and campaigns. Cymulate is always looking for new ways to help them overcome such challenges and is committed to continuously enriching the platform toolset with additional capabilities.

Discover the XSPM options at your leisure.

Note: This article was written by Cymulate Research Labs.
