Part 1: Hybrid-network digital twin in a blink
Part 2: Defend against in-depth infiltration
Part 4: coming soon
In our previous articles, we introduced the process of setting up a digital twin, and the use of our in-depth infiltration algorithm to uncover attack paths deep inside your on-prem information system.
Infrastructure migration to the cloud brings new threats and attack techniques with it. It has therefore become necessary to offer Optistream audits for cloud infrastructures, so that such attacks can be simulated in these environments.
The new types of vulnerabilities introduced in cloud environments (e.g. IAM layer) must not overshadow the techniques previously used by attackers within more traditional infrastructures.
Indeed, these techniques are still valid, and lateral movement within a network, the cornerstone of any deep attack, is, for example, still relevant. An attacker who has compromised an initial asset within your cloud (e.g. public EC2 instance) will seek to move within the infrastructure across the different zones until he is able to reach your most sensitive assets and data (e.g. RDS database). The robust segmentation of your infrastructure and the isolation of its most critical zones must not be overshadowed by a false sense of security. In fact, moving your infrastructure (or part of it) to the cloud does not offer any de facto improvement in terms of security.
Public cloud providers provide the elements needed to build a robust and correctly segmented infrastructure. In addition to the possibility of organizing your infrastructure (VPC, sub-networks, etc.), the provider (e.g. AWS) offers additional services and configuration elements (AWS Firewall, ACLs) to provide a layer of network security.
A few relatively mature solutions already exist to ensure a first level of security with a robust posture: CSPM (Cloud Security Posture Management). However, as Gartner reminds us, simply verifying that controls exist or that best practices are applied is not enough. To be sure of your level of security, you need to assess the consistency of all your measures together, to ensure that an attacker cannot take advantage of inconsistencies to circumvent the measures in place.
As in the case of on-prem architecture, these precautions may prove insufficient in the face of in-depth attacks. It may still be possible for an attacker to abuse the permissive rules already in place (e.g. business flows) in order to move from zone to zone and reach your organisation's critical assets. It is therefore necessary to assess the porosity of your segmentation, using Optistream's automatic security audits to identify the attack paths that could be used by the attacker.
In just a few clicks, Optistream can import your AWS cloud environment (Azure & GCP soon to be supported) to create the digital twin of your infrastructure.
Once the digital twin has been created, it is then possible to simulate the network behavior of your infrastructure, considering the network links between each instance, VPC and subnets, as well as the filtering rules applied to the various objects, in particular:
In the following example, we can check that the SSH flow between the EC2 instance exposed on the Internet (Public Web Site) and the organization’s Critical DB database is effectively blocked at ACL level:
Using the traceroute function, we can see that this flow is indeed blocked by ACLs associated with the subnet hosting Critical DB. Does this mean that Critical DB is unreachable by an attacker?
In a similar way to the scenarios presented in our previous articles, we now want to automatically audit this cloud infrastructure in order to test it against in-depth attacks. Using our automatic audit algorithms ("In-depth infiltration" - IDI), we want to determine whether there are any attack paths that could enable an attacker to reach the sensitive Critical DB asset.
We already introduced the IDI algorithm in the Show Case - Part 2 article. It is used to test all the combinations of network paths that can be taken (open flows) to determine lateral movement attack scenarios in which an attacker will try to progress from zone to zone. To return to our example, we want to know whether, once Public Web Site has been compromised, an attacker can reach Critical DB even though it is not directly reachable, as we saw earlier.
To do this, the Optistream user must specify two things:
Once this has been set up, we can run an IDI audit and observe the results.
The results of the IDI audit show the existence of 2 in-depth attack paths:
The audit reveals that an attacker can first access the subnet hosting the i-037105641bd023262 and i-04cc3cff5a96ffa17 instances. This initial bounce is then used to reach the backend instance on a second subnet using the SSH protocol. Once established in this subnet, the attacker can directly reach the Critical DB instance. In addition, the "Weakspot/path" view shows details of the paths detected and informs us that no ports are filtered on this last instance.
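To make the two kinds of check concrete, here is an added example (not Optistream's code) that models the scenario above: a per-flow check in the spirit of the traceroute verification, and a multi-hop path search in the spirit of IDI. The subnet layout, ACL rules, security-group ports and the "backend" name are constructed assumptions; only the two instance ids are taken from the audit result above.

```python
from collections import deque

# Constructed toy model of the scenario above (not Optistream data): the subnet hosting
# each instance, the inbound flows each subnet's network ACL allows, and the ports each
# instance's security group accepts (None = nothing filtered, as on Critical DB).
SUBNET_OF = {
    "Public Web Site": "subnet-public",
    "i-037105641bd023262": "subnet-app",
    "i-04cc3cff5a96ffa17": "subnet-app",
    "backend": "subnet-backend",
    "Critical DB": "subnet-db",
}
# Inbound NACL allow rules per destination subnet as (source subnet, port); default deny.
ACL_ALLOW = {
    "subnet-app": {("subnet-public", 22), ("subnet-public", 8080)},
    "subnet-backend": {("subnet-app", 22)},
    "subnet-db": {("subnet-backend", 5432), ("subnet-backend", 22)},
}
SG_PORTS = {"Public Web Site": {443}, "i-037105641bd023262": {22, 8080},
            "i-04cc3cff5a96ffa17": {22}, "backend": {22}, "Critical DB": None}

def flow_check(src, dst, port):
    """Traceroute-style check of a single flow: (allowed, blocking layer or None)."""
    dst_subnet = SUBNET_OF[dst]
    if (SUBNET_OF[src], port) not in ACL_ALLOW.get(dst_subnet, set()):
        return False, f"acl:{dst_subnet}"
    if SG_PORTS[dst] is not None and port not in SG_PORTS[dst]:
        return False, f"sg:{dst}"
    return True, None

def lateral_edges(src):
    """Instances reachable from src in one hop over any allowed port (a possible bounce)."""
    ports = {p for rules in ACL_ALLOW.values() for _, p in rules}
    return {dst for dst in SUBNET_OF
            if dst != src and any(flow_check(src, dst, p)[0] for p in ports)}

def attack_paths(start, target, max_hops=4):
    """Enumerate every simple multi-hop path from start to target: the IDI search idea."""
    paths, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            paths.append(path)
        elif len(path) - 1 < max_hops:
            for nxt in sorted(lateral_edges(path[-1])):
                if nxt not in path:
                    queue.append(path + [nxt])
    return paths
```

Run on this model, the direct SSH flow from Public Web Site to Critical DB is reported as blocked by the db subnet's ACL, while the path search returns the two three-hop paths through either app-subnet instance and the backend.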
Optistream's power lies in its ability to automatically map your cloud environment. Once the digital twin has been built, you can manipulate it, test it and run the range of audit algorithms we offer.
The (minimalist) example shown demonstrates the speed with which a user can identify attack paths that were perhaps previously unsuspected. The filtering rules applied to different levels and AWS objects are ingested by Optistream and taken into account in the path determination calculation. In our example, we identified two attack paths that could allow an attacker to reach the critical asset, using two bounces whose filtering rules were too permissive.