CLOUD 9: UNCOVERING SECURITY & FORENSICS DISCOVERY IN CLOUD – “Aut viam inveniam aut faciam”


Presentation transcript:

1 CLOUD 9: UNCOVERING SECURITY & FORENSICS DISCOVERY IN CLOUD. “Aut viam inveniam aut faciam” – Hannibal Barca. By Manu Zacharia, MVP (Enterprise Security), C|EH, ISLA-2010 (ISC)², C|HFI, CCNA, MCP, Certified ISO 27001:2005 Lead Auditor. HackIT – Technology & Advisory Services.

2 # whoami: I am an Information Security Evangelist. For paying my bills I do consulting at HackIT – Technology & Advisory Services, a startup. Awards: ISLA – Information Security Leadership Achievement Award from (ISC)²; Microsoft Most Valuable Professional (MVP, Enterprise Security) 2009 and 2010. Co-author of a book. President of ISRA – Information Security Research Association, an NPO.

3 # whoami: Chief Architect of Matriux (www.matriux.com), an OS for hacking, forensics and security testing, open source and free. Founder of c0c0n – International Security & Hacking Conference. Cyber Forensics Consultant to various state and central investigation agencies.

4 # whoami: Speaker at various national and international security, technology and hacking conferences: Microsoft Tech-Ed 2010 (and 2011 upcoming), IQPC – Enterprise Security Singapore, Information Security Conference – Bangalore, ClubHack, DevCon, etc.

5 # whoami: Training associations: Indian Navy – Signal School, Centre for Defense Communication and Electronic and Information / Cyber Warfare, and INS Valsura; Centre for Police Research, Pune, and Kerala Police; SCIT – Symbiosis Centre for Information Technology, Pune; IMT – Institute of Management Technology, Ghaziabad; IGNOU M-Tech (Information Systems Security) – Expert Member, Curriculum Review Committee; C-DAC, ACTS (DISCS & DSSD).

6 DISCLAIMER(S): The opinions represented here are my personal ones and do not necessarily reflect my employer's views. Registered brands belong to their legitimate owners. The information contained in this presentation does not break any intellectual property, nor does it provide detailed information that may be in conflict with any laws (hopefully...) :)

7 REFERENCES: Information and resources from the Internet (including publications from the Cloud Security Alliance) were extensively used in the creation of this presentation.

8 AGENDA: Intro & Cloud Architecture; Cloud Security & Risk Assessment Framework; Exploiting Cloud & Forensics; Conclusion.

9 (image slide)

10 QUESTION: So what is Cloud Computing? Do you know what EC2 and S3 are? What is the SPI Model?

11 WHY THIS TALK? Cloud is loud. Headline stealer. Everybody is concerned about Cloud Security.

12 WHY CLOUD IS DIFFERENT? Why handle cloud differently? Simple – the power of cloud.

13 TIGR – ??????: Barack Obama's Technology Innovation and Government Reform Team (TIGR) describes the use of cloud computing as "one of the most important transformations the federal government will go through in the next decade."

14 CLOUD POWER: A 64 node Linux cluster can be online in just five minutes. Forget about those sleepless nights in your data centers.

15 EC2: Amazon Elastic Compute Cloud (Amazon EC2) – a web service that provides resizable compute capacity in the cloud.

16 EC2 – WIKIPEDIA: Allows users to rent computers on which to run their own computer applications. A user can boot an Amazon Machine Image (AMI) to create a virtual machine, which Amazon calls an "instance", containing any software desired.

17 EC2 – WIKIPEDIA: A user can create, launch, and terminate server instances as needed, paying by the hour for active servers, hence the term "elastic".

18 S3: Amazon S3 (Simple Storage Service) is an online storage web service offered by Amazon Web Services. Provides unlimited storage through a simple web services interface.

19 S3: $0.15 per gigabyte-month. 102 billion objects as of March 2010.

20 POWER OF CLOUD: The New York Times – Amazon EC2 and S3 – PDFs of 15M scanned news articles. NASDAQ uses Amazon S3 to deliver historical stock information.

21 CLOUD: Cloud separates application and information resources from the underlying infrastructure, and from the mechanisms used to deliver them.

22 CLOUD: Use of a collection of services, applications, information, and infrastructure comprised of pools of compute, network, information, and storage resources.

23 CLOUD: Components can be rapidly orchestrated, provisioned, implemented & decommissioned, and scaled up or down on demand, providing an on-demand, utility-like model.

24 CLOUD CONFUSION: From an architectural perspective there is much confusion: how is cloud both similar to and different from existing models of computing?

25 CLOUD CONFUSION: How do these similarities and differences impact the organizational, operational, and technological approaches to network and information security practices?

26 CLOUD SECURITY – DIFFERENT? Marcus Ranum – Same old, same old.

27 CLOUD SECURITY – DIFFERENT? Same client / server paradigm from mainframe days – Bruce Schneier.

28 So what is this cloud?

29 (image slide)

30 CLOUD: NIST (U.S. National Institute of Standards and Technology) defines cloud computing by describing five essential characteristics, three cloud service models, and four cloud deployment models.

31 CLOUD CHARACTERISTICS: Five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, measured service.

32 CLOUD CHARACTERISTICS – On-demand self-service: Unilaterally provision computing capabilities as needed, automatically, without requiring human interaction with a service provider. Computing capabilities include server time and network storage.

33 CLOUD CHARACTERISTICS – Broad network access: Available over the network and accessed through standard mechanisms.

34 CLOUD CHARACTERISTICS: Can be accessed through heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs) as well as other traditional or cloud based software services.

35 CLOUD CHARACTERISTICS – Resource pooling: The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand.

36 CLOUD CHARACTERISTICS: Degree of location independence – the customer has no control or knowledge over the exact location of the provided resources, but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).

37 CLOUD CHARACTERISTICS: Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.

38 CLOUD CHARACTERISTICS – Rapid elasticity: Capabilities can be rapidly and elastically provisioned to quickly scale out, and rapidly released to quickly scale in. In some cases this is done automatically.

39 CLOUD CHARACTERISTICS – Measured service: Metering capability at some level of abstraction appropriate to the type of service. Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the service.

40 CLOUD CHARACTERISTICS: Examples: storage, processing, bandwidth, active user accounts.

41 MYTHS – CLOUD CHARACTERISTICS: Virtualization is mandatory? Answer is no. Cloud services are often, but not always, utilized in conjunction with and enabled by virtualization technologies.

42 MYTHS – CLOUD CHARACTERISTICS: There is no requirement that ties the abstraction of resources to virtualization technologies. In many offerings virtualization by hypervisor or operating system container is not utilized.

43 MYTHS – CLOUD CHARACTERISTICS: Multi-tenancy as an essential cloud characteristic? Multi-tenancy is not called out as an essential cloud characteristic by NIST, but is often discussed as such.

44 CLOUD SERVICE MODELS: Divided into three archetypal models. The three fundamental classifications are known as the SPI Model. Various other derivative combinations are also available.

45 CLOUD SERVICE MODELS: Cloud Software as a Service (SaaS), Cloud Platform as a Service (PaaS), Cloud Infrastructure as a Service (IaaS).

46 CLOUD SERVICE MODELS – SaaS: The client uses the software / applications running on a cloud infrastructure, accessed through a thin client interface such as a browser.

47 CLOUD SERVICE MODELS – SaaS: The user does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities.

48 CLOUD SERVICE MODELS – SaaS: Possible exception – limited user-specific application configuration settings.

49 CLOUD SERVICE MODELS – PaaS: The user can deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider.

50 CLOUD SERVICE MODELS – PaaS: The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, or storage.

51 CLOUD SERVICE MODELS – PaaS: Has control over the deployed applications and possibly application hosting environment configurations.

52 CLOUD SERVICE MODELS – IaaS: The user can provision processing, storage, networks, and other fundamental computing resources.

53 CLOUD SERVICE MODELS – IaaS: The consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure.

54 CLOUD SERVICE MODELS – IaaS: Has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

55 CLOUD DEPLOYMENT MODELS: Regardless of the service model, there are four cloud deployment models: Public Cloud, Private Cloud, Community Cloud, Hybrid Cloud.

56 CLOUD DEPLOYMENT MODELS: There are derivative variations that address specific requirements.

57 CLOUD DEPLOYMENT MODELS – Public Cloud: The cloud infrastructure is made available to the general public or a large industry group. Owned by an organization providing cloud services.

58 CLOUD DEPLOYMENT MODELS – Private Cloud: The cloud infrastructure is operated solely for a single organization. It may be managed by the organization or a third party, and may exist on-premises or off-premises.

59 CLOUD DEPLOYMENT MODELS – Community Cloud: The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns.

60 CLOUD DEPLOYMENT MODELS: Examples of shared concerns: mission, security requirements, policy, or compliance considerations.

61 CLOUD DEPLOYMENT MODELS: It may be managed by the organizations or a third party, and may exist on-premises or off-premises.

62 CLOUD DEPLOYMENT MODELS – Hybrid Cloud: Composition of two or more clouds (private, community, or public). They remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.

63 CLOUD DEPLOYMENT MODELS – Example, Hybrid Cloud: cloud bursting for load balancing between clouds.

64 CLOUD BURSTING: New twist on an old concept :) Bursting into the cloud when necessary, or using the cloud when additional compute resources are required temporarily.

65 CLOUD BURSTING: Example – used to shoulder the burden of some of the application's processing requirements. How is it done? Basic application functionality could be provided from within the cloud.

66 CLOUD BURSTING: More critical (e.g. revenue-generating or mission critical) applications continue to be served from within the controlled enterprise data center.

67 CLOUD BURSTING: How is it different from traditional bursting? Bursting has traditionally been applied to resource allocation and automated provisioning / de-provisioning of resources, and has historically focused on bandwidth.

68 CLOUD BURSTING: In the cloud, it is being applied to resources such as servers, application servers, application delivery systems, and other infrastructure…

69 CLOUD BURSTING: …required to provide on-demand computing environments that expand and contract as necessary, without manual intervention.

70 CLOUD BURSTING: What does "without manual intervention" mean? We generally call it automation. But is automation sufficient for cloud? Or is it the right thing for cloud?

71 CLOUD ORCHESTRATION: Orchestration describes the automated arrangement, coordination, and management of complex computer systems, middleware, and services.

72 CLOUD ORCHESTRATION: Generally used in the context of Service Oriented Architecture, virtualization, provisioning, and dynamic datacenter topics.

73 DERIVATIVE – DEPLOYMENT MODELS: Derivative cloud deployment models are emerging due to the maturation of market offerings and customer demand. Example: Virtual Private Clouds.

74 VIRTUAL PRIVATE CLOUDS: Public cloud infrastructure used in a private or semi-private manner, by interconnecting these resources to the internal resources of a consumer's datacenter, usually via virtual private network (VPN) connectivity.

75 CLOUD SERVICE BROKERS: Providers that offer intermediation, monitoring, transformation/portability, governance, provisioning, and integration services. They also negotiate relationships between various cloud providers and consumers.

76 CLOUD SERVICE BROKERS: They take advantage of the prevailing incompatibility issues and provide an interface for customers. Acts as a proxy (middle man).

77 OPEN AND PROPRIETARY API: Open and proprietary APIs are evolving which seek to enable things such as management, security and interoperability for cloud.

78 OPEN AND PROPRIETARY API: Open Cloud Computing Interface Working Group, Amazon EC2 API, VMware's DMTF-submitted vCloud API, Sun's Open Cloud API, Rackspace API, and GoGrid's API.

79 OPEN AND PROPRIETARY API: These play a key role in cloud portability and interoperability, as do common container formats such as the DMTF's Open Virtualization Format (OVF). DMTF – Distributed Management Task Force.

80 MULTI-TENANCY IN CLOUD: Not an essential characteristic of Cloud Computing in NIST's model, but generally identified as an important element of cloud.

81 MULTI-TENANCY IN CLOUD: Implies a need for policy-driven enforcement, segmentation, isolation, governance, service levels, and chargeback/billing models for different consumers.

82 CLOUD (image slide)

83 CLOUD CUBE (image slide)

84 CLOUD REFERENCE MODEL: Understanding the relationships and dependencies between Cloud Computing models is critical to understanding Cloud Computing security risks.

85 CLOUD REF MODEL: IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS. As the capabilities are inherited, so are information security issues and risk.

86 CLOUD REF MODEL (image slide)

87 (image slide)

88 CLOUD – WHAT COULD BE TARGETED? From an attacker's point of view: the boxes, storage, applications.

89 WHY CLOUD SECURITY IS DIFFERENT? With any new technology come new risks, new vectors that we need to be aware of. Confusion exists over how cloud is both similar to and different from existing models of computing.

90 SECURITY ISSUES: Cloud based security issues, also commonly known as Cloud Based Risk – CRISK.

91 SECURITY ISSUES – Lock-in: When a cloud user decides to migrate (due to various reasons including poor SLA) to another cloud service provider or to in-house IT. Different cloud service providers use different APIs, not compatible with each other for migrating the data.

92 SECURITY ISSUES: Lack of tools, procedures, standard data formats, and interfaces can considerably delay or prevent a successful migration.

93 SECURITY ISSUES – Shared Service Consequences: Any kind of intentional or unintentional malicious activity carried out or executed on a shared platform may affect the other tenants and associated stakeholders.

94 SECURITY ISSUES – Examples of Shared Service Consequences: Blocking of IP ranges. Confiscation of resources as part of an investigation – the availability is in question.

95 SECURITY ISSUES – Examples of Shared Service Consequences: Given the diversity of applications running on the cloud platform, a sudden increase in the resource usage of one application can drastically affect the performance and availability of other applications sharing the same cloud infrastructure.

96 SECURITY ISSUES – Sudden Acquisitions and Take-overs: Cloud is an upcoming and promising domain for organizations to venture into and expand. A sudden take-over can result in a deviation from the agreed Terms of Use & SLA, which may also lead to a lock-in situation.

97 SECURITY ISSUES – Run-on-the-cloud: Similar to the conventional run on the bank concept. Bankruptcy and catastrophes do not come with an early warning.

98 SECURITY ISSUES: What happens if the majority of clients withdraw the associated services from a cloud infrastructure?

99 SECURITY ISSUES: The cloud service providers may try to prevent that move through direct and indirect methods, which may include a lock-in also.

100 SECURITY ISSUES – Maintaining Certifications & Compliance: Organizations need to ensure that they can maintain the same when moving to cloud. The ToU prohibits VA/PT. This may introduce security vulnerabilities and gaps. Result: lose your certification.

101 SECURITY ISSUES – Example, Maintaining Certifications: In the general scenario, PCI DSS compliance cannot be achieved with the Amazon EC2/S3 cloud service. A major downfall in performance and quality metrics may affect your certifications.

102 SECURITY ISSUES – Technical and Procedural Vulnerability: Vulnerabilities applicable to conventional systems & networks are also applicable to cloud infrastructure. Lack of cloud based security standards and non-adherence to procedures may affect the CIA of customer data.

103 SECURITY ISSUES – Confidentiality Risk: The information deleted by the customer may be available to the cloud solution provider as part of their regular backups. Insecure and inefficient deletion of data, with true data wiping not happening, exposes the sensitive information to other cloud users.

104 SECURITY ISSUES – Lack of transparency in cloud: The service provider may be following good security procedures, but it is not visible to the customers and end users. May be due to security reasons, but the end user is finally in the dark.

105 SECURITY ISSUES – Lack of transparency in cloud: End user questions remain unanswered: how the data is backed up; who backs up the data; whether the cloud service provider does it or has outsourced it to some third party;

106 SECURITY ISSUES: how the backup is transferred to a remote site as part of the backup policy; is it encrypted before sending; is the backup properly destroyed after the specified retention period, or

107 SECURITY ISSUES: is it lying somewhere on a disk; what kind of data wiping technologies are used. The list of questions is big and the cloud users are in the dark.

108 SECURITY TESTING: Problems testing the cloud? Permission: how do you get permission to test your application running on Amazon EC2 when the results of your testing could show you data from another client completely?

109 SECURITY TESTING: Getting black-holed or getting kicked off. "In networking, black holes refer to places in the network where incoming traffic is silently discarded (or "dropped"), without informing the source that the data did not reach its intended recipient." – From Wikipedia

110 SECURITY TESTING: How do you track versions? How do you do regression testing? How do you know what version of the search engine Google is currently running?

111 SECURITY TESTING: If you test an application today and find it vulnerable or not vulnerable, how do you know that the app you are testing tomorrow is the same one that you tested yesterday? You don't.

112 THEN WHY WE MOVE? If it's not good, safe or not even new, then why is cloud adoption happening?

113 FEW TOP REASONS: Management by in-flight magazines. Management version – something new and promising, let's try it out. Geek version – it's really cool. There is nobody to put a brake on when these two people join together.

114 OTHER REASONS: Poor uptime and service delivery experience from the IT department. Economic factors: multi-tenancy means cost sharing.

115 OTHER REASONS: Cost saving makes it attractive during a recession. Cloud computing allows you to move from CAPEX to OPEX. Save 30% of IT operational cost.

116 OTHER REASONS: Variable cost subscription model – rapidly scale up and scale down. Go Green or Green IT also influenced many. Powerful – a 64 node Linux cluster can be online in just five minutes; forget about those sleepless nights in your data centers.

117 (image slide)

118 ADDRESSING CLOUD SECURITY: Adopt a risk based approach. Evaluate your tolerance for moving an asset to cloud. Have a framework to evaluate cloud risks.

119 RA FRAMEWORK FOR CLOUD: 1. Identify the asset for cloud. 2. Evaluate the asset. 3. Map the asset to cloud deployment models. 4. Evaluate cloud service models & providers. 5. Sketch the potential data flow.

120 1 – IDENTIFY THE ASSET: Two types of assets are supported by cloud: data, and applications/functions/processes (either partial functions or full applications).

121 1 – IDENTIFY THE ASSET: In cloud, we do not need data and application to reside at the same location. We can shift parts of functions to the cloud.

122 1 – IDENTIFY THE ASSET: Example: host the main application and data in our own data centre; outsource a portion of its functionality to the cloud through Platform as a Service (PaaS).

123 1 – IDENTIFY THE ASSET: First step in evaluating risk for the cloud – determine exactly what data or function is being considered for the cloud. Include potential use of the asset once it moves to the cloud.

124 1 – IDENTIFY THE ASSET: This will help you account for scope creep. Data and transaction volumes are often higher than expected.

125 1 – IDENTIFY THE ASSET: What is scope creep? Also known as focus creep, requirement creep, feature creep, function creep.

126 1 – IDENTIFY THE ASSET: Refers to uncontrolled changes in a project's scope. Can occur when the scope of a project is not properly defined, documented, or controlled.

127 2 – EVALUATE THE ASSET: Determine how important the data or function is to the organization. A detailed valuation is recommended only if the organization has an existing process for that.

128 2 – EVALUATE THE ASSET: If not, a rough assessment of the following is recommended: how sensitive an asset is, and how important an application / function / process is.

129 2 – EVALUATE THE ASSET: How do we do it? For each asset, ask the following questions: How would we be harmed if the asset became widely public and widely distributed?

130 2 – EVALUATE THE ASSET: How would we be harmed if an employee of our cloud provider accessed the asset? How would we be harmed if the process or function were manipulated by an outsider?

131 2 – EVALUATE THE ASSET: How would we be harmed if the process or function failed to provide expected results? How would we be harmed if the information/data were unexpectedly changed?

132 2 – EVALUATE THE ASSET: How would we be harmed if the asset were unavailable for a period of time?

133 2 – EVALUATE THE ASSET: What are we basically doing with the above process? Assessing confidentiality, integrity, and availability requirements for the asset, and how those are affected if all or part of the asset is handled in the cloud.

134 3 – MAP THE ASSETS: Map the asset to potential cloud deployment models. Determine which deployment model is good for the organizational requirement.

135 3 – MAP THE ASSETS: Decide whether the organization can accept the risks implicit in the various deployment models (private, public, community, or hybrid) and hosting scenarios (internal, external, or combined).

136 3 – MAP THE ASSETS: For the asset, determine if you are willing to accept the following options: Public; Private, internal/on-premises; Private, external (including dedicated or shared infrastructure); Community; Hybrid.

137 3 – MAP THE ASSETS: At the end of this phase you should have an answer to the following: the deployment models and locations that fit your security and risk requirements.

138 4 – EVALUATE MODELS & PROVIDERS: Focus on the degree of control you'll have at each SPI tier to implement any required risk management.

139 5 – SKETCH DATA FLOW: Map out the data flow between your organization, the cloud service, and any customers/other nodes.

140 5 – SKETCH DATA FLOW: A high-level design can be adopted for the same. It is absolutely essential to understand whether, and how, data can move in and out of the cloud before finalizing.

141 RA – CONCLUSION: You should have a clear understanding of the following: the importance of what you are considering moving to the cloud; your risk tolerance;

142 RA – CONCLUSION: which combinations of deployment and service models are acceptable; and the potential exposure points for sensitive information and operations.

143 RA – CONCLUSION: For low-value assets you don't need the same level of security controls and can skip most of the recommendations, such as on-site inspections, discoverability, and complex encryption schemes. A high-value regulated asset might entail audit and data retention requirements.
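The five steps above can be carried through as a small program. The following is an added example, not code from the presentation or from the Cloud Security Alliance guidance it draws on: it scores the six harm questions of step 2 on a constructed 0 to 4 scale, reduces them to C/I/A requirement levels, matches those against the step 3 deployment options using a constructed acceptance policy, and walks the step 5 data-flow sketch to list exposure points. The two assets, the flows and the tolerance table are all constructed sample data; the assumed rule that a confidentiality level of 2 or more makes an unencrypted outbound flow an exposure point, and the "high"/"low" control tier from the conclusion slide, are assumptions of this example.

```python
"""Worked run of the cloud risk-assessment framework (added example)."""
from dataclasses import dataclass

# Step 2: the six harm questions, tagged with the CIA property each one
# probes (constructed mapping; scores are 0 = no harm .. 4 = severe harm).
HARM_QUESTIONS = {
    "public_disclosure":     "C",  # asset became widely public and distributed
    "provider_insider":      "C",  # an employee of the cloud provider accessed it
    "outsider_manipulation": "I",  # process/function manipulated by an outsider
    "wrong_results":         "I",  # process/function failed to give expected results
    "unexpected_change":     "I",  # information/data unexpectedly changed
    "unavailable":           "A",  # asset unavailable for a period of time
}

# Step 3: deployment options and the highest C/I/A level each is accepted
# for under this constructed policy.
DEPLOYMENT_TOLERANCE = {
    "public":           {"C": 1, "I": 2, "A": 2},
    "private_external": {"C": 2, "I": 3, "A": 3},
    "community":        {"C": 2, "I": 2, "A": 3},
    "hybrid":           {"C": 3, "I": 3, "A": 3},
    "private_internal": {"C": 4, "I": 4, "A": 4},
}


@dataclass
class Asset:
    name: str
    kind: str    # step 1: "data" or "function"
    harm: dict   # question name -> score 0..4


def cia_requirements(asset):
    """Step 2: the worst harm score per CIA property is the requirement level."""
    levels = {"C": 0, "I": 0, "A": 0}
    for question, score in asset.harm.items():
        if question not in HARM_QUESTIONS:
            raise KeyError(f"unknown harm question: {question}")
        if not 0 <= score <= 4:
            raise ValueError(f"score for {question} must be 0..4, got {score}")
        prop = HARM_QUESTIONS[question]
        levels[prop] = max(levels[prop], score)
    return levels


def acceptable_deployments(asset):
    """Step 3: options whose tolerance covers every CIA requirement."""
    req = cia_requirements(asset)
    return [name for name, tol in DEPLOYMENT_TOLERANCE.items()
            if all(req[p] <= tol[p] for p in "CIA")]


def exposure_points(asset, flows):
    """Step 5: flows leaving the organization without encryption in transit
    are exposure points once the asset needs confidentiality level 2+ (assumed rule)."""
    if cia_requirements(asset)["C"] < 2:
        return []
    return [f["name"] for f in flows
            if f["dst"] != "organization" and not f["encrypted"]]


def assess(asset, flows):
    """Conclusion: bundle the answers the framework says you should have."""
    req = cia_requirements(asset)
    return {
        "asset": asset.name,
        "kind": asset.kind,
        "cia": req,
        "acceptable_deployments": acceptable_deployments(asset),
        "exposure_points": exposure_points(asset, flows),
        # low-value assets skip most controls; high-value ones get the full set
        "control_tier": "high" if max(req.values()) >= 3 else "low",
    }


# Constructed sample assets and data-flow sketch.
CUSTOMER_DB = Asset("customer PII database", "data", {
    "public_disclosure": 4, "provider_insider": 3, "outsider_manipulation": 2,
    "wrong_results": 1, "unexpected_change": 3, "unavailable": 2})
CATALOG = Asset("product catalogue rendering", "function", {
    "public_disclosure": 0, "provider_insider": 0, "outsider_manipulation": 2,
    "wrong_results": 1, "unexpected_change": 2, "unavailable": 2})
FLOWS = [
    {"name": "nightly export to cloud (plain FTP)", "src": "organization", "dst": "cloud", "encrypted": False},
    {"name": "report download over TLS", "src": "cloud", "dst": "organization", "encrypted": True},
    {"name": "customer portal over TLS", "src": "cloud", "dst": "customer", "encrypted": True},
]

if __name__ == "__main__":
    for asset in (CUSTOMER_DB, CATALOG):
        print(assess(asset, FLOWS))
```

Running it shows the two outcomes the framework is meant to separate: the PII database is accepted only for an internal private cloud and the unencrypted export is flagged as an exposure point, while the catalogue function is acceptable on every deployment model and lands in the low control tier.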

144 (image slide)

145 DO YOU KNOW THIS?

146 INFORMATION WARFARE: Clue: Kendo (kumdo in Korean).

147 INFORMATION WARFARE: 風 – Swift as the wind. 林 – Quiet as the forest. 火 – Conquer like the fire. 山 – Steady as the mountain.

148 INFORMATION WARFARE: Battle strategy and motto of Japanese feudal lord Takeda Shingen (武田信玄) (1521–1573 A.D.). Twenty-Four Generals – a famous grouping of battle commanders (Takeda Nijūshi-shō, 武田二十四将).

149 INFORMATION WARFARE: Came from the Art of War by Chinese strategist and tactician Sun Tzu (Sunzi). A sort of abbreviation to remind officers and troops how to conduct battle.

150 INFORMATION WARFARE: This is what we need in information warfare or when launching an attack.

151 Sample Task Break PGP passphrases Solution Brute forcing PGP passphrases EXPLOITING CLOUD 151

152 Try – ElcomSoft Distributed Password Recovery (with some patches to handle PGP ZIP) Two elements - EDPR Managers & EDPR Agents EXPLOITING CLOUD 152

153 Dual core Win7 box days for a complex passphrase. Not acceptable – too long Lets exploit the cloud. EXPLOITING CLOUD 153

154 First things first – Create an Account on Amazon. Credit Card Required Install Amazon EC2 API Tools on your linux box. sudo apt-get install ec2-api- tools EXPLOITING CLOUD 154

155 Select an AMI Example - use a 32 bit Windows AMI - ami- df20c3b6-g EXPLOITING CLOUD 155

156 Start an instance from the Linux shell as follows: ec2-run-instances -k ssh-keypair ami-df20c3b6-g default EXPLOITING CLOUD 156

157 Enumerate the instance ID & public IP: ec2-describe-instances EXPLOITING CLOUD 157

158 Instance status change from “pending” to “running” Extract the admin password for the instance ec2-get-password -k ssh- keypair.pem $instanceID EXPLOITING CLOUD 158

159 Configure EC2 firewall to permit inbound RDP traffic to the instance. ec2-authorize default -p s $trusted_ip_address/32 EXPLOITING CLOUD 159

160 Configure the firewall in front of the EDPR manager system to permit TCP/12121 from anywhere. RDP into the instance & configure EDPR EXPLOITING CLOUD 160

161 EXPLOITING CLOUD Login using the password obtained from ec2-get-password command 161

162 Install EDPR Agent, Configure the Agent to connect to the Manager. 3 points to configure mainly EXPLOITING CLOUD 162

163 Configure the public IP address or hostname of the EDPR manager you have configured. EXPLOITING CLOUD 163

164 Interface tab - Set the Start-up Mode to "At Windows Start-up". EXPLOITING CLOUD 164

165 Registry hack EDPR creates a pair of registry values which are used to uniquely identify the agent when connecting to the manager. We need to scrub these values – why? EXPLOITING CLOUD 165

166 If we don’t, every single instance we initiate will appear to be the same agent to the manager. Output = The job handling will be totally corrupted. EXPLOITING CLOUD 166

167 HKEY_LOCAL_MACHINE\Software\ElcomS oft\Distributed Agent\UID Set the value of the UID key to null, but DO NOT DELETE THE KEY. EXPLOITING CLOUD 167

168 bundle Let’s bundle the EC2 instance. Remember in cloud, bundle is similar to creating a ‘template’ in VMware terminology. EXPLOITING CLOUD 168

169 Install and configure EC2 AMI Tools Command: ec2-bundle-instance $instance_id - b $bucket_name -p $bundle_name -o $access_key_id -w $secret_access_key EXPLOITING CLOUD 169

170 Bundling process runs sysprep on the Windows instance, compress and copies the instance to S3. EXPLOITING CLOUD 170

171 Check the progress of the bundle task: ec2-describe-bundle-tasks EXPLOITING CLOUD 171

172 Register the bundled AMI: ec2-register $bucket_name/$bundle_name.manifest. xml EXPLOITING CLOUD 172

173 The register command returns AMI ID Used to spawn instances of the EDPR agent. Example: IMAGE ami-54f3103d EXPLOITING CLOUD 173

174 Start EDPR manager & configure task. to brute an password composed of uppercase letters, lowercase letters, and the numbers 0-9, with a length of between 1 to 8 characters against a PGP ZIP file. ACTION TIME 174

175 ACTION TIME 175

176 Start a single instance of our EDPR agent: ec2-run-instances -k $ssh-keypair ami-54f3103d -g default ACTION TIME 176

177 Agent check in with the EDPR manager. ACTION TIME 177

178 We started it with default parameters EC2 “small” instance Trying 500K keys per second How long will it take? ACTION TIME 178

179 What???? 3600 days? = 10 years!!!!! ACTION TIME 179

180 Let’s scale up – deploy 10 additional instances: ec2-run-instances -n 10 -k ssh- keypair ami-54f3103d -g default -t c1.medium ACTION TIME 180

181 The -n 10 parameter tells EC2 to launch 10 instances. c1.medium instance = “High CPU" instance ACTION TIME 181

182 ACTION TIME 182

183 Now we have more cracking agents in the party!!! 2+M keys/second So what's the time required now??? ACTION TIME 183

184 Down to 122 days ACTION TIME 184

185 Kickoff another 89 to hit a century. ec2-run-instances -n 89 -k ssh- keypair ami-54f3103d -g default -t c1.medium Note: Check your EDPR License. ACTION TIME 185

186 Error: Client.InstanceLimitExceeded: Your quota allows for 9 more instance(s). You requested at least 89 ACTION TIME 186

187 Option 1 Request to instance amazon EC2 Instance Limit - us/ec2-request/ ACTION TIME 187

188 Option 2 Amazon spot instances - allows us to bid on unused Amazon EC2 capacity and run those instances. ACTION TIME 188

189 Option 3: write a custom Python script to work around this limitation.

190 With a couple more instances we can reduce it to hours: a working cloud-based distributed cracking system.
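The scaling argument in slides 178 to 190 rests on three numbers: the size of the keyspace, the aggregate rate of the agents, and the account quota. The following calculator is an added example written for this transcript; it is not code from the talk or from the EDPR product. It assumes the 62-symbol alphanumeric character set and the 1 to 8 character range stated on slide 174, and the rate figures it takes are the ones the slides quote. It computes the worst case (every candidate tried once), so its figure for one small instance, about 5,100 days, is higher than the 3600-day estimate the EDPR manager displayed; the ratio between configurations is what matters for planning. The quota helper mirrors the Client.InstanceLimitExceeded response on slide 186 by splitting a request into what can launch now and what must wait for a limit increase or a Spot request.

```python
"""Capacity planning for the distributed cracking run described in the slides.

Added example, not from the original talk or from EDPR. Worst-case work is
full keyspace exhaustion; the tool's own progress estimate may be lower.
"""
import math

# Character set from slide 174: A-Z, a-z, 0-9 -> 62 symbols (no punctuation assumed)
ALNUM = 62


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidate passwords over every length in [min_len, max_len]."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space: int, keys_per_second: float) -> float:
    """Worst case: every candidate tried once at a steady aggregate rate."""
    return space / keys_per_second


def instances_needed(space: int, rate_per_instance: float, target_seconds: float) -> int:
    """Smallest agent count whose combined rate exhausts the keyspace in time."""
    return math.ceil(space / (rate_per_instance * target_seconds))


def plan_launch(requested: int, quota_remaining: int) -> tuple:
    """Split a launch request against the account quota.

    Returns (launch_now, deferred). With the slide's numbers, 89 requested and
    9 allowed, EC2 refuses the whole call; launching the 9 first and queuing
    80 for a limit increase or Spot request keeps the runnable agents busy.
    """
    launch_now = max(0, min(requested, quota_remaining))
    return launch_now, requested - launch_now


def summary(per_instance_rate: float, instances: int, target_hours: float = 24.0) -> dict:
    """Worked numbers for the 1-8 character alphanumeric task from the slides."""
    space = keyspace(ALNUM, 1, 8)
    aggregate = per_instance_rate * instances
    return {
        "keyspace": space,
        "days_worst_case": seconds_to_exhaust(space, aggregate) / 86400,
        "instances_for_target": instances_needed(space, per_instance_rate, target_hours * 3600),
    }


if __name__ == "__main__":
    # One "small" agent at the slide's ~500K keys/s.
    print(summary(500_000, 1))
    # Eleven agents at the slide's aggregate of ~2M keys/s, expressed per instance.
    print(summary(2_000_000 / 11, 11))
    print(plan_launch(89, 9))
```

Run it as a script to see the worst-case days for the single-agent and eleven-agent configurations and the split of the 89-instance request; change `target_hours` in `summary` to see how many agents a one-day deadline implies.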


192 Mixed responses: the bad guys have started using cloud-based services and infrastructure to launch attacks, but the cloud also provides a good platform for incident response and forensic investigation. CLOUD FORENSICS

193 By using the inherent features of cloud computing, computer forensics can, under certain circumstances, become an on-demand service.

194 Regular business operations are not affected when a cloud environment needs to be forensically examined, unlike traditional infrastructure, where the equipment is seized. Cloud example: Amazon EBS.

195 Cloud-based forensics took a new turn when Amazon introduced Elastic Block Store (EBS) volumes, which let the user launch an instance whose root device is an EBS volume.

196 When a cloud environment has to be preserved, an EBS snapshot captures a point-in-time copy of the instance's volume; a new volume created from that snapshot can be attached to a separate analysis instance in the same cloud for forensic evaluation and examination. Because the investigators work on a copy, regular operations are not affected. Caveat: a snapshot of a running volume is only crash-consistent, so stop the instance or freeze the filesystem first if a consistent image is required.

197 The replication completes in a few minutes. Forensic evidence is not defensible unless it is cryptographically hashed, and the on-demand nature of the cloud makes the hashing capacity easy to provision.


199 Cloud-based hashing takes less time than hashing on a traditional forensic workstation, because compute can be added on demand. Amazon Web Services already offers a useful forensic feature: Amazon S3 exposes an MD5 digest of every stored object as the object's ETag. Caveat: the ETag equals the plain MD5 of the content only for single-part uploads that are not encrypted with SSE-KMS or SSE-C; for multipart uploads it is an MD5 of the parts' MD5 digests suffixed with the part count. Because MD5 is collision-prone, record a SHA-256 digest alongside it in the chain of custody.

200 In practice this means that when a bit-by-bit copy (forensic duplication) is made, you have mechanisms in place to prove that the copy is an exact replica and that not a single bit changed during replication and copying: hash the source and the copy and compare the digests.
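The integrity checks that slides 197 to 200 rely on are shown below as an added example written for this transcript; it is not code from the talk or from AWS. It hashes an acquired image with MD5 and SHA-256, reproduces the S3 ETag for both single-part and multipart objects (the multipart form is the MD5 of the concatenated raw part digests, followed by a hyphen and the part count), and checks a downloaded object against the ETag S3 returned. The sample "image" is constructed in-line, and the 8 MiB and 16 MiB fallback part sizes are an assumption about common uploader defaults, not something the slides state.

```python
"""Integrity checks for a forensic copy acquired in the cloud.

Added example, not code from the slides or from AWS. Covers plain hashing of
an image, the Amazon S3 ETag (plain MD5 for single-part objects, MD5 of the
part digests plus "-<parts>" for multipart uploads) and a duplication check.
"""
import hashlib
from typing import Optional


def hash_image(data: bytes) -> dict:
    """MD5 (what S3 reports) and SHA-256 (collision-resistant) of one image."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def s3_etag(data: bytes, part_size: int) -> str:
    """ETag S3 assigns to a non-KMS object uploaded with this part size.

    Data that fits in one part is treated as a plain PutObject (ETag = MD5).
    Larger data is treated as a multipart upload:
    md5(md5(part1) || md5(part2) || ...) + "-" + number_of_parts.
    """
    if part_size <= 0:
        raise ValueError("part_size must be positive")
    if len(data) <= part_size:
        return hashlib.md5(data).hexdigest()
    part_digests = b"".join(
        hashlib.md5(data[i:i + part_size]).digest()
        for i in range(0, len(data), part_size)
    )
    parts = -(-len(data) // part_size)  # ceiling division
    return f"{hashlib.md5(part_digests).hexdigest()}-{parts}"


def verify_against_etag(data: bytes, etag: str, part_size: Optional[int] = None) -> bool:
    """Check downloaded bytes against the ETag S3 returned in the HTTP header.

    S3 quotes the ETag; the quotes are stripped. Multipart ETags can only be
    recomputed with the original part size; when it is unknown, the common
    8 MiB and 16 MiB defaults are tried (assumption about uploader defaults).
    """
    etag = etag.strip('"')
    if "-" not in etag:
        return hashlib.md5(data).hexdigest() == etag
    declared_parts = int(etag.rsplit("-", 1)[1])
    candidates = [part_size] if part_size else [8 * 1024 * 1024, 16 * 1024 * 1024]
    for size in candidates:
        if -(-len(data) // size) == declared_parts and s3_etag(data, size) == etag:
            return True
    return False


def copy_matches(source: bytes, copy: bytes) -> bool:
    """Bit-for-bit duplication check: both digests of source and copy agree."""
    return hash_image(source) == hash_image(copy)


if __name__ == "__main__":
    image = bytes(range(256)) * 10  # constructed 2560-byte stand-in for an acquired image
    print(hash_image(image))
    print(s3_etag(image, 1024))  # three 1024-byte parts, so the ETag ends in "-3"
    print(verify_against_etag(image, '"' + s3_etag(image, 1024) + '"', part_size=1024))
    print(copy_matches(image, image[:-1] + b"\x00"))  # one byte altered: not a replica
```

When the ETag carries a part suffix, ask the acquiring party for the part size they uploaded with and pass it to `verify_against_etag`; a mismatch on the part count alone is enough to reject the comparison, which avoids silently trusting a digest computed over different boundaries.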

201 Even with all of the above services available, cloud forensics remains challenging. Entities that used to be in-house, such as applications and host systems, are now virtualized and scattered across the cloud.

202 This makes evidence gathering a challenging task. Since data is acquired from a virtual environment, the forensic investigator must understand precisely how these environments work and which files are of interest and need to be acquired.

203 Acquiring the complete physical disk is close to impossible for reasons including, but not limited to: multiple data owners on the same disk, remote geographical locations, jurisdictional difficulties and RAID configurations.

204 Questions also arise about the compatibility and reliability of the tools used in cloud investigations, because most forensic tools were built for physical systems and not for virtualized environments. A collaborative and collective effort is required to address what we have discussed. AND FINALLY


206 The architectural mindset used when designing solutions has clear implications for the future flexibility, security, collaborative capabilities and mobility of the resulting solution. CONCLUSION

207 With so many different cloud deployment and service models, and their hybrid permutations, no single list of security controls can cover all these circumstances.

208 A good security professional is someone who always looks both ways before crossing a one-way street. GOOD SECURITY PROFESSIONAL

209 209 Manu or QUESTIONS??


