Testing and Securing Your Cloud with Purple Team Engagements Transcript

Jessica Olivieri [00:00:05] Hello everyone! Thank you for joining our webinar, Testing and Securing Your Cloud with Purple Team Engagements. 

Jessica Olivieri [00:00:03] My name is Jessica Olivieri and I am the Marketing Media Specialist here at True. 

Jessica Olivieri [00:00:08] Just a little housekeeping: The webinar will be recorded and available afterwards. If you have questions during the webinar, and we hope you do, please submit them for Josh and Aaron 

Jessica Olivieri [00:00:31] through the webinar control panel in the chat or question sections. 

Jessica Olivieri [00:00:37] These will be addressed at the end of the webinar. 

Jessica Olivieri [00:00:41] We are thrilled you have joined us today. True Digital Security. 

Jessica Olivieri [00:00:45] I believe cybersecurity is a team sport where people should share knowledge and practices freely while working together. 

Jessica Olivieri [00:00:54] That's why we're here in hopes that two senior members of our red team can offer insight from their work on the front lines to help you prevent cyber breaches. 

Jessica Olivieri [00:01:07] Part of preventing these attacks is identifying and remediating even the smallest of security gaps. 

Jessica Olivieri [00:01:13] Purple Team engagements allow security testing teams, or red teams, to work hand in hand with your IT teams, or blue teams, as they test your environment, giving you the ability to see those gaps in real time, so you can fix them. 

Jessica Olivieri [00:01:30] To discuss this are two of TRUE's own pen test team members, Josh Bozarth and Aaron Moss. 

Jessica Olivieri [00:01:37] Josh is our Director of Security Testing Services, experienced Security Consultant, and long term expert at True Digital Security. 

Jessica Olivieri [00:01:46] And Aaron is a Senior Security Consultant known for his uncanny ability to get around even the strongest of defenses. 

Jessica Olivieri [00:01:55] Both of these gentlemen engage in ethical hacking, and they will now share what they've learned about testing and securing cloud environments. 

Jessica Olivieri [00:02:04] Josh, Aaron? 

Aaron Moss [00:02:12] Hit it. Good Lord. 

Aaron Moss [00:02:15] Ya know, you you? Yeah. Now this is what people tuned in for. because of the ridiculousness right there. We were trying to hit the unmute button on our microphone just now and it. 

Aaron Moss [00:02:24] Well, we hit it three times until it finally worked. Good afternoon or good morning, wherever you're at. Aaron Moss, True Digital Security Senior Security Consultant, here with my colleague, cohort in crime, and my boss, occasionally, whenever I want him to be, Josh Bozarth. Josh, say hi. 

Josh Bozarth [00:02:44] Hello, everybody. 

Aaron Moss [00:02:46] So, today, we're talking about testing and securing your cloud environment with purple team engagements. 

Aaron Moss [00:02:53] And just gonna get into some stuff, real quick, the agenda, real quick. 

Aaron Moss [00:02:57] Uh, I'm on the wrong slide. 

Aaron Moss [00:03:02] It's going to be one of those days. Here's our agenda, guys. We got the introductions, we're going to introduce ourselves, who we are, et cetera, and we're going to talk about breaches, how we get into some of these environments, how a lot of things are the same, even though they've changed massively in cloud environments. And then, how we can help here at True. 

Aaron Moss [00:03:21] And this not only includes the pen testing team, the security testing services team, but also our IT team and risk assessments team. Any of our teams, we're glad to help out with anything that you guys need. 

Aaron Moss [00:03:34] So, let's get started. Josh? 

Josh Bozarth [00:03:40] I'm talking about myself, OK? 

Aaron Moss [00:03:42] You want me to talk about, you couldn't say? 

Josh Bozarth [00:03:44] I don't want you to talk about me. 

Josh Bozarth [00:03:46] Yeah. So, yeah, Jessica did a good job of kind of explaining my role at True Digital Security. I'm the Director of the Security Testing Services team. 

Josh Bozarth [00:03:56] And if you don't know what security testing services is, you know, it's, it's another phrase for, We break stuff and get away with it. 

Josh Bozarth [00:04:04] It's a great job. And my team's designed to 

Josh Bozarth [00:04:08] break the normal processes, the procedures, the things that are happening out there, whether it's your application, your network, your cloud, uh, 

Josh Bozarth [00:04:20] physical building. I mean, they're testing those defenses and do whatever it takes, you know, within reason of the engagement, to, you know, show where you might want to make those improvements. And so, it's an interesting position to be in. 

Josh Bozarth [00:04:39] The guys have, have a lot of fun and get creative, obviously, with doing a lot of exploitation. Sometimes it's, we're not exploiting. But, you know, we're doing whatever we can to make sure our clients are raising up that level of security for themselves. 

Josh Bozarth [00:04:58] You know we can't guarantee that you're going to be 100% secure, but we're gonna do everything we can to reduce that risk to as low as possible. 

Aaron Moss [00:05:10] What Josh is trying to say is, we get paid to be the bad guys. 

Aaron Moss [00:05:14] Killing is our business, and business is good. Aaron Moss, Senior Security Consultant here at True. 

Aaron Moss [00:05:22] I'm one of the, obviously, one of the pen testers on the team, and everything, which is the reason that they give me the microphone every now and then to talk, which is a really terrible idea for the marketing department here. So, we're gonna go ahead and get started. 

Aaron Moss [00:05:34] Um, so breaches, let's talk about these breaches. Why do these breaches happen, right? 

Aaron Moss [00:05:40] Well, I mean, you've got the classic examples of, you know, why breaches happen in the first place in any environment, not just cloud environments, but, you know, any environment, your on-premises environment, any co-location you have, et cetera. And the reason why is simply for fun and profit. People just want to prove that they can do that, right? I mean, any attacker, any hacker, wants to be able to break into an environment. 

Aaron Moss [00:06:09] And just to prove, just for some kind of reason, being anything whatsoever, just to prove that they can, just to say that, Hey, I got into this place, and, yeah, that was bad. But here we are. 

Josh Bozarth [00:06:22] So, I, and you know, I want to, I'm gonna approach this, Aaron, where I'm kind of asking you questions. OK. I want you to answer them for me, OK. 

Josh Bozarth [00:06:34] Because we're on a webinar here, they can't talk back to us. 

Josh Bozarth [00:06:37] Yeah, I want to, I want you to know what we're talking about cloud environments. We're talking eventually, we'll try to you know, do our best. 

Josh Bozarth [00:06:46] You know, purple team type of style engagements, but we want to talk about cloud security. What the **** is the cloud? 

Aaron Moss [00:06:54] Cloud, yeah. 

Aaron Moss [00:06:55] Somebody else's computer? 

Josh Bozarth [00:06:57] OK, so are you, are you saying that there is no delineation between what you would do on a traditional network versus the cloud or is there? 

Aaron Moss [00:07:06] Some delineation, we're going to do that here in a little bit, as a matter of fact, OK, metadata, stuff like that. Sure, I'm gonna let you talk about the. 

Aaron Moss [00:07:13] Sure. So, I mean, basically, what you're doing with a cloud environment is you're using somebody else's computing environment, if you will, to do whatever you need to do. 

Aaron Moss [00:07:25] That's, that's really the difference. 

Aaron Moss [00:07:29] If you're not using your own hardware resources and stuff like that, you're using somebody else's, and you're paying somebody else to use their resources to do the computing for you. 

Josh Bozarth [00:07:41] And, you know, we all know that there's plenty of cloud vendors out there. You know, the big three are the ones that tend to get brought up a lot: AWS, GCP, which is Google, and Azure, which is Microsoft. 

Josh Bozarth [00:07:54] So, AWS, of course, being Amazon, if anybody's not familiar. But there's a lot of other cloud providers out there as well that are maybe smaller in scope and maybe priced better for certain organizations. You know, Alibaba is one that gets brought up a lot. Right. Rackspace. 

Josh Bozarth [00:08:10] Yeah, Rackspace has their own cloud providing system. DigitalOcean's another one that gets brought up a lot. 

Josh Bozarth [00:08:18] But, in general, yeah, these are, these are infrastructures that are, you know, it's a, it's, I guess, it, it gets the idea because of the network diagrams. 

Josh Bozarth [00:08:27] The internet being the cloud, right? You know, the internet is always depicted as a cloud in a network diagram. 

Josh Bozarth [00:08:31] So, it's these resources that are, as you mentioned, or maybe not delineated, or are listed out, and you're paying as you go, probably, is usually how it goes most of the time with these cloud environments. You're paying for them as you're using them, and maybe you're scaling out as you grow. You know, the orchestration, the automation pieces that can come from that. You can spin that kind of stuff up with your own hardware. And, you know, I know VMware and whatnot, they do a good job of providing software that can make your own, what we call a private cloud. 

Josh Bozarth [00:09:06] But, what we're talking about today is, we're really talking about these public cloud providers, and most of this stuff can still apply to private cloud environments, too. 

Josh Bozarth [00:09:17] But, we just wanted to set the stage and make sure everyone's on the same page as us, because, I know I have, like, there's web browser extensions that'll change the term. 

Josh Bozarth [00:09:28] Anytime the word cloud is mentioned on a website, to something like "butt," or whatever, you know, it's, it's, it's so ... that people are like, What's the cloud? And I wanted to make sure everyone knew what we were talking about when we talk about cloud. 

Aaron Moss [00:09:40] And just so everybody's aware, we're not going to be discussing very particular configurations or anything like that when it comes to security in these cloud environments. It's going to be very generalized, somewhat vague, so that it can cover a multitude. 

Aaron Moss [00:09:55] And if you would like to know more about how to secure your specific particular cloud environment, please reach out to us or reach out to our IT team here, specifically. 

Aaron Moss [00:10:05] We have a cloud engagement team that is very specific to different clouds, and they're experts in that field. Whereas we try to break stuff, they actually build it up and help protect you from guys like us. 

Aaron Moss [00:10:22] So, again, you know, why do these breaches happen? 

Aaron Moss [00:10:26] You want to smash the stack for fun and profit. Well, now we're going to smash the cloud for fun and profit. Again, it's going to be just for fun. 

Aaron Moss [00:10:33] Means we're getting up there and we're going to try to break something just because we can, right? We want to learn more. Hackers, as a general rule, it's a mentality of, like, constant learning all the time, but also, it's a mentality of, you know, we like breaking stuff because it's fun. So a lot of times, you know, the profit comes from, hey, we obtained some data and now we're going to sell it to somebody. Right? You also have targeted breaches, targeted attacks, and these can fall under the guise of espionage, information and data theft. And then sometimes it's straight-up sabotage. And so you're gonna get into this: What's the value for the attackers? Well, again, you know, fun and profit. 

Aaron Moss [00:11:16] We're going to have some fun while we're doing it. We may make a little bit of money off of it. You know, we're talking like Cybercriminals here, non-nation state attacks, stuff like that. 

Aaron Moss [00:11:23] Just, you know, people who are using skimmers on credit cards or whatever, right? 

Aaron Moss [00:11:27] This is the same kind of attacks that you're going to see here. 

Aaron Moss [00:11:32] Now for espionage, you're looking at more like national security, nation-state attacks. You're going to be looking at attacks on infrastructure, like the electric grid, or the water grid, or whatever else, right? 

Aaron Moss [00:11:43] Also, we're going to be looking at corporate espionage, spying on other organizations trying to gather any kind of intellectual data that you can, stuff like that, right? 

Aaron Moss [00:11:52] The same kind of role is also into the information and data theft. 

Aaron Moss [00:11:56] And so, for instance, whenever you've got a company that's attacked in their cloud environment and everything, it's probably because they have some really interesting data that's there that somebody wants to get ahold of. 

Aaron Moss [00:12:09] And they want to be able to either use that for their own nefarious purposes or even their own corporate purposes. 

Aaron Moss [00:12:14] You know, this happens a lot. Corporate espionage dates back to the beginning of corporations, I'm sure. 

Aaron Moss [00:12:21] Um, and so there's any number of reasons that a company will want to grab that data from somebody else. Either, you know, like let's take for instance the Sony hack here, you know you had a lot of new movies that were coming out, A lot of information about, you know, TV series and stuff like that. 

Aaron Moss [00:12:38] Now, how useful it is, I'm not entirely certain, but some people are begging for that stuff. But let's look at something else that a lot of us are familiar with: Apple, iPhone, right. Not too long ago, the new iPhones, some of the information was breached, or not breached but leaked, about it, correct? 

Josh Bozarth [00:12:57] Yeah, they are fighting those leaks all the time. And yet, each year when a new phone comes out, it's, it's a race to who can leak it first, right? 

Josh Bozarth [00:13:06] Yeah, so it's an internal, obviously a corporate problem that they have to deal with, right? 

Aaron Moss [00:13:13] And the other thing is, of course, sabotage. Now, sabotage falls under, like, blackmailing somebody, or you want to deny, like, your denial of service on a website or something like that, or you're trying to deny them service to their cloud environment. 

Aaron Moss [00:13:26] Or just straight up destruction, right? I mean, like, you want to just destroy a company. A lot of this falls under the category of, like, generally, hacktivists and stuff like that whenever you're looking at some stuff like that. 

Aaron Moss [00:13:38] So, and again, what can be obtained? Well, it depends on the access, right? 

Aaron Moss [00:13:43] Like, it depends on what kind of access the attacker has to the cloud environment. If we get the keys, like literally, say, AWS keys, right. If we get AWS keys, and it turns out that we get the root AWS keys, then we can have the entire system under control. 

Aaron Moss [00:13:59] Like, we can do whatever we want to with the AWS infrastructure, from S3 buckets to the Elastic Load Balancers, any block storage, anything like that. We can grab information from that, pull it down, do whatever we want to do with it, right? 

Aaron Moss [00:14:16] And so, you know, we have the keys to the kingdom, we have access to virtually everything. 

Aaron Moss [00:14:23] That didn't work, I'm on the wrong thing. 

Aaron Moss [00:14:28] So, how do we get into these environments? 

Aaron Moss [00:14:31] Well, password spraying is one thing that still works. 

Aaron Moss [00:14:35] As a matter of fact, we just saw something about the Azure Brute force this morning that the POC was released. We haven't really looked into it, because literally, it just came out 30 minutes before we started this webinar maybe a little bit before that. 

Aaron Moss [00:14:47] But we just saw it 30 minutes before the webinar, so we don't know a whole lot about it yet. But if you're not aware of it,

Josh Bozarth [00:14:53] it was, the vulnerability was announced a couple of days ago that if you're using active directory and Azure. 

Josh Bozarth [00:15:02] There's a way to basically enumerate the users in that Active Directory instance via a feature. It's always a feature. That supposedly was by design, and now Microsoft's backpedaling and looking into ways to 

Josh Bozarth [00:15:18] correct that. 

Josh Bozarth [00:15:19] And then today, literally right before we started this webinar, they announced, somebody, I don't know who, published it, but it was on Ars Technica. So that's a good place to go to read about it. 

Josh Bozarth [00:15:30] But uh, a proof of concept was put out just recently just literally. 

Josh Bozarth [00:15:36] And if you're listening, if you're listening to this webinar recorded, you know, September 30th, right? 

Aaron Moss [00:15:42] Like in the last couple of hours for this, so. Another one, right. So, password spraying, going back to that real quick. Password spraying is a form of brute force. 

Aaron Moss [00:15:53] It's a form of brute force in the sense that, what you're doing is you're taking one good account that you know is a good, known account and then you're throwing tons of passwords at it, right? 

Aaron Moss [00:16:03] Well, that's brute forcing. Password spraying is several good accounts, and I got that backwards on that slide, and I just realized. Fix that later. 

Aaron Moss [00:16:12] You have several good accounts to throw one or five different passwords at. I can't believe I screwed that up. That's OK. 

Aaron Moss [00:16:19] Anyway, several good accounts. Throw different passwords out and stuff like that. 

Aaron Moss [00:16:24] And eventually, you'll hit on one account that has a good password, and you'll be able to use that to log in. And from there, you know, you'll do privilege escalation and stuff like that. 

Aaron Moss [00:16:37] Another thing that's pretty hot right now, according to them, we got to, is Azure vulnerabilities. 

Aaron Moss [00:16:44] Uh, the newest one, besides this, uh, the brute force hack here, it's called OMIGOD, which is, I highly recommend people kinda look this one up. 

Aaron Moss [00:16:56] But it's a vulnerability in the Open Management Interface, or, excuse me, Open Management Infrastructure, that allows you to gather statistics and sync configurations across your environment. 

Aaron Moss [00:17:10] It's used extensively by Azure Services. 

Aaron Moss [00:17:13] And basically, there's an exploit, and there's actually four different exploits that were recently, within the last couple of weeks released. 

Aaron Moss [00:17:24] One was the non-authenticated remote code execution as root, and then three others were privilege escalation vulnerabilities, that basically allow you to have root access to any Linux servers that are running this in an Azure environment. 

Aaron Moss [00:17:39] So it's been patched. I do believe. 

Aaron Moss [00:17:42] Um, but a lot of those patches may have to be updated manually. So be checking your Azure Linux environments. 

Josh Bozarth [00:17:50] And if you're sitting there going, what, what is OMI? It's basically WMI but in the cloud for Azure. 

Josh Bozarth [00:18:00] So if you're familiar enough with the Windows WMI backend stuff that you can query out of Windows, 

Josh Bozarth [00:18:08] It's similar, not entirely, you know, a 1 to 1 equation, but it's the same concept. 

Aaron Moss [00:18:17] The other one that we have listed here is the Azure Skeleton Key, which is basically a pass-through authentication with Azure AD Connect. 

Aaron Moss [00:18:26] And essentially you can abuse the agent to exploit the AD Connect pass-through authentication. 

Aaron Moss [00:18:36] And essentially you can, you can tamper with the authentication flow and get access. 

Aaron Moss [00:18:43] So, these are just some examples that you have of doing these password sprays and other vulnerabilities right now, in just Azure. 

Aaron Moss [00:18:53] As far as I know, AWS has no known, no public. 

Aaron Moss [00:18:58] We'll just say that, to my knowledge, no, public exploits available for vulnerabilities that they have. 

Aaron Moss [00:19:06] But they do have a lot of misconfigurations. 

Aaron Moss [00:19:11] All right, often your Azure configurations will default to less than they are, excuse me, less secure configurations, whereas AWS actually starts out pretty secure. And then you have to open some stuff up. 

Aaron Moss [00:19:25] So, just a couple of questions to ask whenever you're going into configurations. 

Aaron Moss [00:19:29] Did you set up MFA, multi-factor authentication, sometimes known as two-factor authentication, two-factor auth, stuff like that? 

Aaron Moss [00:19:36] Um, yeah. Did you set up some form of multi-factor authentication whenever you log in to your, either admin system or any other systems? If you're adding a new user to your cloud environments, 

Aaron Moss [00:19:53] did you add multi-factor to them? 

Aaron Moss [00:19:56] Um, your S3 buckets are generally private and secure when they're created. Right. 

Aaron Moss [00:20:02] And so, you have to open up certain things on them to be able to allow them to gain, and, you know, other people add, access, something like that for public. 

Aaron Moss [00:20:10] And sometimes, people will add a configuration that makes it insecure, and that's something that needs to be looked at, as well. Now, here's the thing, like, if you left your keys, somewhere in a config file, configuration file, that's a bad idea, right, Josh? 

Josh Bozarth [00:20:20] Oh, yeah, I mean, it's just, or any credentials in configuration files. A bad idea, too. 

Josh Bozarth [00:20:30] But, yeah, these concepts, obviously, when we start talking about misconfiguration, that's why it's titled using the same old attacks. 

Josh Bozarth [00:20:40] You know, AWS has their IAM, their identity and access management. 

Josh Bozarth [00:20:45] Piece and all these cloud providers have that. 

Josh Bozarth [00:20:47] And if you stared at it long enough, you're like, man, this is super convoluted, because they'll have all these access roles that are just weirdly defined. You can create your own, and I think a lot of times, folks run into issues where they may be overwhelmed with this concept. And they're just like, OK, let's just make everybody this level of access, admin-ish kind of access, we know everything will work. 

Aaron Moss [00:21:10] We can spin up instances, things where we, and or, you know, we'll take these keys and never rotate them, or not use temporary ones. Really just opening themselves up for a can of worms eventually, depending on where that entry point is. You know, so, you're using a cloud environment, yeah. Setting up MFA. You need to know where your endpoints are, where your entry endpoints to your cloud environment are, because it's not just walking into your company's headquarters building, and then, Oh, I'm on that network now. No. You can get to it anywhere, and there's lots of different ways that you can get to it, and if you're managing a cloud environment like this, you have to be able to identify 

Josh Bozarth [00:21:52] Paths of entry for everyone. 

Aaron Moss [00:21:57] So, getting back to the configuration files. We found configuration files in what? 

Josh Bozarth [00:22:01] Like Git repositories. And, yeah, there's lots of tools out there that will allow you to scour GitHub repositories or any kind of versioning systems for keys that may have been inadvertently checked in, and then, oh, we deleted that. Well, it's still in the commit, you know, we can search the commits and find those keys exist if you don't go back that far and clean it up. 

Aaron Moss [00:22:24] Also, the fun thing is, whenever you find one in an S3 bucket that people think is actually, you know, they think the S3 bucket's secure. But, hey, we were able to log in, you basically just log into it, just look at it, find some configuration files. And then, hey, your AWS keys are in here. We logged into the rest of your infrastructure with it. Wow, thank you for that. 

Aaron Moss [00:22:45] I appreciate that, and, of course, that's bad. 

Aaron Moss [00:22:49] Azure default settings allow access to storage buckets basically from anywhere, the Internet included. So you have to lock that down just as soon as you get a storage bucket set up, as a general rule. Your firewall rules, are they set to any, any, any? 

Aaron Moss [00:23:05] Would you do that, like, at your office environment or your home environment? 

Aaron Moss [00:23:12] Probably not. 

Aaron Moss [00:23:14] So you probably want to set those up, like check your firewall rules on your cloud infrastructure. 

Aaron Moss [00:23:20] They shouldn't be like that by default, but, you know, again, if you get frustrated with something, something's not working all of a sudden. 

Aaron Moss [00:23:29] So, you set, some of you set the firewall rules to any, any, any to try to troubleshoot an issue and then, oh, shiny thing, I forgot to undo that. We get access to your stuff. 

Aaron Moss [00:23:39] Allowing anonymous users to access storage blobs. 

Aaron Moss [00:23:42] This applies, of course, to Azure, excuse me, Azure and to AWS, you know, going back to the S3 buckets that you think are locked down, but somebody has set something up wrong. 

Aaron Moss [00:23:53] Now we get access to it. The same thing applies to Azure, storage, blobs. 

Aaron Moss [00:23:58] Those generally have access to everything automatically by default. So again, lock those down. 

Aaron Moss [00:24:07] Insecure guest user settings, never said anything like that. 

Josh Bozarth [00:24:14] I'm drawing a blank. 

Josh Bozarth [00:24:15] I mean, I'm sure that It depends on what you define as a guest user, but you're clearly thinking of something.

Aaron Moss [00:24:20] I'm thinking of something, I can't remember it. 

Aaron Moss [00:24:25] Azure has guest users that you can set up, kinda like the roles, I think, with AWS. 

Aaron Moss [00:24:32] And so, if you have those set up incorrectly, well, people can access your stuff. Your access to your admin portal, do you have that locked down? 

Aaron Moss [00:24:41] Can we access your admin portal? 

Aaron Moss [00:24:44] We have clients that have Magento shows. 

Aaron Moss [00:24:47] Magento services, for example, that you can access their admin portal but shouldn't be able to. That should be behind a VPN or behind some kind of firewall, something that doesn't allow access. 

Josh Bozarth [00:25:00] And when we say admin portal here, we're not necessarily talking about the, you know, like the AWS Console or Azure Portal. We're talking about things that are maybe portals for applications you're standing up. Because the Azure Portal and AWS Console, they have their own authentication schemes that are set. And that's where MFA and things come into play. 

Josh Bozarth [00:25:22] And, obviously, if we can get access to those portals, that's the most fantastic thing that could happen, you know, besides getting IAM keys. Right? 

Josh Bozarth [00:25:31] But, yeah, it really, it's about you, because there's AWS, Amazon has this thing called the shared responsibility model, which is a term that's probably used across the industry. Where, you know, they're gonna do what they're doing, their due diligence in locking down the points of control that they have. Whereas, you need to do your due diligence as a user of the resources in creating your own infrastructure. Even though it's virtual and it's cloud, there's a responsibility on both parties, right, to do what's right from a security standpoint. And, so, Amazon, you know what? 

Josh Bozarth [00:26:03] The AWS Console does a pretty good job. 

Josh Bozarth [00:26:06] It's like, unless I have their password for the user, it's not something that's easily obtained, easily accessed, and then we're going to go somewhere else. We're going to try to access AWS programmatically using the CLI, right? And if we do have the password, if you've got MFA set up, 

Aaron Moss [00:26:25] multi-factor authentication set up, that's going to make it that much harder for us to access it, because we still have to have a code. 

Aaron Moss [00:26:31] If we have no way to access that code, try to brute force it and that's, it, gets shut down at five attempts. Well, we don't have access to anything, so that's that's one good reason to set up multi factor authentication. 

Aaron Moss [00:26:45] So, let's move on to some examples of identified vulnerabilities. 

Aaron Moss [00:26:49] Some public buckets. These are just, I want to thank Scott Piper with the, uh, flaws.cloud and the company that he's working at. Can't remember it off the top of my head. 

Aaron Moss [00:27:02] But they have a really great AWS-specific vulnerability, kind of, uh, vulnerability education resource. Hey. Go, yeah, thank you. And what is it called? 

Aaron Moss [00:27:17] Summit Route. Yes! Scott Piper with Summit Route. 

Aaron Moss [00:27:21] He built and designed flaws.cloud, and we've used this, actually, for some of our resources to try to work through some AWS vulnerabilities, figure out how to exploit them, and there's actually two versions of this now. 

Aaron Moss [00:27:37] It's pretty fantastic, if anybody's interested in how some of these vulnerabilities work. 

Aaron Moss [00:27:43] So first and foremost, we're gonna look at Legal Robot and Shopify here, and we're not gonna get real in depth on this, but just to know, Legal Robot and Shopify both had some S3 buckets that they thought were locked down and secure, that somebody had misconfigured and allowed access for everybody to read all the data that was on there. The get object data was opened up, list object data was opened up. 

Aaron Moss [00:28:07] And so it was reported on, they showed that access. Now it's been fixed. Unfortunately, it's, you know, kinda hard to tell that 

Aaron Moss [00:28:18] some kind of monitoring and logging who all was accessing that data, which is something we're going to get into here in a minute. The full control, read and write access, S3 buckets, again. 

Aaron Moss [00:28:29] Your ... and Shopify again. The moral of the story here, of course, is that Shopify apparently uses a lot of AWS for this stuff. So you know, if anybody else is interested in looking at some HackerOne stuff for them. 

Aaron Moss [00:28:42] So some bug bounty stuff. 

Aaron Moss [00:28:44] Look them up. I'm sure there's problems in there. 

Aaron Moss [00:28:47] But they had full read, write access to these S3 buckets. So let's put that in perspective real quick, right? You can read everything on the bucket, and that's fine, you know, I mean, that's not a good thing by any stretch of the imagination. 

Aaron Moss [00:29:03] You know, there may be some confidential data on there that people shouldn't have been able to read. 

Aaron Moss [00:29:07] However, where we get into the big, big problems is whenever you're able to write data to that. 

Aaron Moss [00:29:12] So if you're able to upload some malware, a virus, or ransomware, or whatever else, and then you can serve it out of that bucket, it's gonna look like it's coming from a legitimate place, and it's going to be that much easier for an attacker to take advantage of. So it's super important to manage and maintain your read, write access to only people who need access. Gets back to the principle of least privilege, right, Josh? 

Aaron Moss [00:29:37] Absolutely. 

Aaron Moss [00:29:39] So, let's move on. Roku, I'm curious. And you go ahead and go to the next slide. It's all good. 

Aaron Moss [00:29:44] But, the, the public bucket on, you know, you have previously that, you know, you're talking about public bucket. 

Aaron Moss [00:29:52] Obviously, public buckets are going to be used, right? There's an option to use public buckets. You know, you need something that needs to be exposed to the internet. You're hosting a website. You can use S3 buckets or Azure Blobs or Google Cloud. I can't remember the term they used for cleaning. I was just looking at it to host a site, right? 

Aaron Moss [00:30:13] And, I am only asking this because I am curious, because I did look at the Shopify, or the Legal Robot, like, What was the actual issue in the end? Like, a public bucket is a public bucket. 

Aaron Moss [00:30:24] Like, what was in the bucket that was so valuable that that allowed them to considered in a vulnerability like a public bucket to me is not necessarily a vulnerability. 

Aaron Moss [00:30:37] It's what's in the bucket, right? 

Aaron Moss [00:30:39] Yes. To a degree, I can't remember off the top of my head. What was in there as a matter of fact, one of them was actually one, of the bug bounties was closed out, without being paid out, because they didn't consider it to be a vulnerability. Because there wasn't a whole lot of data in there. 

Aaron Moss [00:30:54] And so, but it was still reported on and considered a vulnerability by HackerOne. 

Aaron Moss [00:30:59] And, of course, the researcher found it, because it was open. 

Aaron Moss [00:31:04] So, basically, what happened was, at least in my understanding, what happened was, the ListObject and the GetObject were both allowed access to the everyone. 

Aaron Moss [00:31:15] Right. 

Aaron Moss [00:31:16] And so, that's what basically made it a public bucket, Whenever you list object, and you, you get object, allow access to everyone, then it's almost like, you know, old Apache servers and stuff like that that have directory, listing, directory indexing, and stuff like that. 

Aaron Moss [00:31:32] Enabled, right? 

Aaron Moss [00:31:34] You can see literally everything that's on the server, and you can access it without having to know what the, the direct URL is. 

Aaron Moss [00:31:44] There's a lot of S3 buckets out there, and I'm sure it's your buckets, as well, that essentially have X, you know, they have GetObject access, Right? But not ListObject access. So you have to know what the direct link is, to be able to, you know, find any data on there, which, you know, a lot of S3 buckets host images, and stuff like that. It's, it's, it's public information. 

Aaron Moss [00:32:08] It's not something that would be considered a vulnerability, but you still have to know where it's at or you'd have to be able to kind of brute force it with something like, you know, Gobuster, sure. I did, I did. 

Josh Bozarth [00:32:20] I queried my, the back of my brain, also known as a computer, and, yeah, the Legal Robot one, for example, public bucket is not a big deal, because they were hosting static assets. But the, the, the permission about listing objects is really where the issue is because that's basically, what you're creating is a directory listing, like, just like you would with, you know, if you had a ... configuration of a directory listing with an Apache or nginx server. 

Josh Bozarth [00:32:45] So, again, that all falls back to, these are things we've seen before. 

Josh Bozarth [00:32:50] And that's kinda the theme, right? 

Josh Bozarth [00:32:54] The theme was, you know, issues with cloud environments are, you know, a dime a dozen because of the same things that we're seeing in normal environments, right? 

Josh Bozarth [00:33:05] So, as we transition out of this, this next slide, I want to talk about what makes cloud environments a little more interesting and different than, say, a traditional network. 

Josh Bozarth [00:33:16] And the goal here is to talk about metadata, specifically, what we'll call a metadata service, which is usually, it's, it's always attached, usually, to a virtual machine. And in a cloud environment, an instance, like an EC2 instance, or Google Compute instance, or whatever Azure wants to call their things. 

Josh Bozarth [00:33:40] Um, you can tell, I worked with a lot of Azure here. 

Josh Bozarth [00:33:45] It's a metadata about the instance in it, and with AWS, they have metadata instances for your elastic load balancers. Your container services, if you're using Kubernetes, it's got its own metadata service. 

Josh Bozarth [00:33:57] These are services that, You're like, OK, that's great. Wow, it's an API. Basically, it's basically a website, and that's why I say remember this. 

Josh Bozarth [00:34:05] And that is an IP address that's designed by, you know, IETF set these up, set this internal range up where this is not ..., but it's also accessible to you, spun up an EC2 instance, right now. And then you connect to it and say, you curl that IP. 

Josh Bozarth [00:34:25] Use curl on that IP. You can get responses back. You can get that metadata back from the EC2 instance. 

Josh Bozarth [00:34:34] It's another passive attack, right? 

Josh Bozarth [00:34:39] It's internal, right? We'll get to that in a minute. 

Josh Bozarth [00:34:41] But all your cloud providers provide this. They don't. Most of them use the same IP for each instance that would have metadata. And so it's something that you query, you can query internally. There are mechanisms to do it within the environment. But keep in mind, that's all inside your cloud. You know, you're inside the store. 

Josh Bozarth [00:35:00] But the purpose of these things, is, is to help the automation and orchestration piece of cloud, which is what makes clouds interesting, Right? So I can set up an environment where if I get 100 people that hit me, and I was ready for two that I can spin. It can automatically spin up instances, or whatever my application is, it's able to deal with that load. And there's a load balancer in front of it, spreads that load out, but the idea is that I can spin things up and take things down when I need to take a, to keep my costs reasonable. But, also, just from an automation standpoint, too. 

Josh Bozarth [00:35:36] From an attacker standpoint, it's great because, you know, we can spin things up and spin things down and as we need it. 

Josh Bozarth [00:35:43] Default, you know, the metadata service by default is going to carry basic information like your hostname, internal, IP address, and it all. 

Josh Bozarth [00:35:53] They're termed firewall rules. 

Josh Bozarth [00:35:55] But it's really like, what can this book in this instance access, or what's the access policy of this instance, We call them firewall rules, just for the sake of simplicity. 

Josh Bozarth [00:36:06] But it's a metadata service, so you can actually add other metadata to it, and maybe you've installed some third-party applications, or software in your environment. 

Josh Bozarth [00:36:17] And if it's adding that metadata out there, that maybe you didn't know, was there, and half the time, and for the longest time, it's getting better. 

Josh Bozarth [00:36:27] But usually, you have to, you can access stuff without authentication, because it's internally, ... address is not going anywhere. So most of the time, people are like, yeah, whatever, you know, it's, it's there. 

Josh Bozarth [00:36:38] So, keeps us in the back your head metadata. What can be put out there, there's a lot of things that can be stuck out and metadata. 

Josh Bozarth [00:36:46] And if you don't know what's out there, it's a good opportunity to check it, because that's what we're doing. 

Aaron Moss [00:36:52] What can like, how would you access it without authentication? 

Josh Bozarth [00:36:56] What do you mean without authentication? 

Aaron Moss [00:36:58] You said it can be accessed without authentication. Yeah, like, like I said, you just do a curl. 

Josh Bozarth [00:37:03] And if you're on the box, right, so, and this is the second slide is and I, I'm ashamed that. I put a Star Trek meme on here. [Yeah, You should be, would be proud]. He would be, but I'm a Star Wars, guys. So, let's say that we do. 

Josh Bozarth [00:37:19] But, so, this internal IP address. And keep in mind, we're talking about, just keep it simple. It's an EC2 instance, it's a VM. 

Josh Bozarth [00:37:26] It's, let's say it's a Linux VM. It could be a Windows, I don't, it doesn't matter. 

Josh Bozarth [00:37:30] This, this metadata service is there, right. 

Josh Bozarth [00:37:33] Because of the orchestration piece, it's there, it helps, it helps organize a lot of that keeps that data flowing, like, if you have all this data going, these environments, you know, talking to one centralized location, it just makes it easier. 

Josh Bozarth [00:37:45] Um, EC2 has a setup where you can add scripts that run upon the first boot. And this is helpful for, like, if I'm cloning a VM, because I need to scale out, and I need this, this VM to be configured the same way as the one before it. I can put all that information in there. Well, now we're talking about a hot attack vector. 

Josh Bozarth [00:38:06] Because if anything's anything, when you start automating that kind of stuff, if you can get away with it, you're gonna put your credentials in something, right? 

Josh Bozarth [00:38:15] So, have the URL on here that if you go to your EC2 instance and hit that URL locally, or within your network, or you can hit this. And this user data metadata section, is where all this kind of customized stuff gets thrown in there. 

Josh Bozarth [00:38:31] So, there could be, you know, a .env file that has configuration information that's going to get applied to path environment, or it might be your AWS tokens are, and whether they're temporary or not, it doesn't matter. They're in there. They may be zipped up, and they may be Base64 encoded. 

Josh Bozarth [00:38:51] But if we can query that metadata service, I can do, I can reverse that. Obviously, that's not rocket science, Right? 

Josh Bozarth [00:39:00] Base64 decode and unzip it. Yeah, then we have credentials. Sure, OK. But I know everyone's like, well, it's on the inside, it's on the inside, it's like, I can't access that, OK? 

Josh Bozarth [00:39:11] Let's do, really, yeah. 

Josh Bozarth [00:39:13] I didn't have the music, music, let's talk about server side request forgery, forgery then. 

Josh Bozarth [00:39:18] It's we're talking cloud here, right. 

Josh Bozarth [00:39:21] Your EC2 instance may not be talking out to the internet, but most cloud instances have some, some cloud environments. Most cloud environments have some kind of internet facing component. Let's say you got a web server out there that's running a web app that requires some kind of authentication maybe, or it's buggy, like, you wouldn't believe. And maybe you didn't realize it. 

Josh Bozarth [00:39:41] If it's got to server side request forgery issue with it. 

Josh Bozarth [00:39:47] I can take, tell it I can tell that server, like, hey, I want you to do this web query. 

Josh Bozarth [00:39:54] Remember I told you the metadata service is queryable via a standard web request with curl. 

Josh Bozarth [00:40:01] If I can tell that server, hey, I want you to do a web request to this URL, the metadata service, and send it to my system over here elsewhere on the internet, you've just given me whatever's in that metadata now. Sometimes that metadata is just, hey, that's good information. 

Josh Bozarth [00:40:19] And no, I get to know what your internal IP addressing scheme is. I might get a little bit of fruit, or information here and there, that can be used in some other types of attacks. It's still information that you probably didn't want in my hands. 

Josh Bozarth [00:40:32] But, it's also information, you know, if it's using some of those user data or, hey, if I want to do this request to the IAM security credentials, I can see what this system has access to, and then I can query it again with that credential token name, and it'll give me the key data. It will literally give you that temporary key or permanent key, depending on how its configured. 

Josh Bozarth [00:40:54] And this is how the, there's a breach in 2019 that happened to Capital One, and it was kind of an insider job, too, but this is how that happened. It was all SSRF. 

Josh Bozarth [00:41:05] And one of the things that, and this is all happening on Amazon's stuff, and one of the things that came out of out of this whole issue, is that Amazon created a new metadata service, and it's, it was, it's basically, it was called v2 of the data, but a metadata service. It's not really turned on by default. You still have to turn it on, but it requires things like authentication headers or just header data. 

Josh Bozarth [00:41:30] So it helps prevent that SSRF attack. 

Josh Bozarth [00:41:35] Like when the server makes that request, and tries to send it to the attacker controlled endpoint, it, it screws up the, the, the request, a malformed. It can't happen because of adding all this header metadata that needs to be added to the request. 

Josh Bozarth [00:41:49] It's interesting, but SSRF is still an issue, because, again, it's not the default to use the new version of the metadata service. 

Josh Bozarth [00:42:02] It's there. And, and like I said, metadata is available on GCP. Google Cloud environment has the same metadata service. It's metadata.google.com, is they actually give you, it's still the same IP, that you can use a URL, but it requires a header. Metadata header to add to that request. Azure has a header, it needs to be added as well. 

Josh Bozarth [00:42:27] So, they're all trying to address it, It's still an issue. And, it's going to be an issue probably for awhile. But keep that in the back of your head. Like if you're on AWS turn on that, that for that v2 metadata service. 

Josh Bozarth [00:42:39] And, and I don't have specific links for you to go to, because they documented the tar out of it. 

Josh Bozarth [00:42:45] But if you go to their documentation, there, there are ways that show how that turned on by default, kind of have that be turned on as instances are spun up, whether it's, you know, a load balancer or a container service or just a server. 

Josh Bozarth [00:43:00] So, yeah, I think that covers everything that I wanted to talk about with metadata. 

Josh Bozarth [00:43:04] But we wanted to give you an example of how, how somebody could get into a cloud environment. Right? This is, this is still a common occurrence and short of miss configurations and or posting your access keys out to the world. This is another way that we will do what we can to get those keys. And because once we get those keys, just let me let me walk through that scenario, I guess. what do we do when we get those keys, right? 

Josh Bozarth [00:43:29] So these keys are, allow us to have programmatic access to the, the environment that those keys have access to. 

Josh Bozarth [00:43:37] So, there are command line interfaces for all these Google or all these cloud environments, you know, gcloud, Azure CLI, AWS CLI. And if you can take those keys and say, OK, use these keys and access this environment after we've enumerated what we need to enumerate, then we're authenticated to it. In a more like, it's, it's basically you just created a VPN for us to be inside your environment. Yeah. 

Josh Bozarth [00:44:00] And it's not a VPN, But you know what I mean? It's, I'm able to do things to your environment with whatever permissions I've got. So, that's like layer one I'm, I'm inside your environment. Show me what I have access to give me access to, what's all in your identity and access management piece? 

Josh Bozarth [00:44:16] What am I, what are my credentials? What are my privileges that I have? 

Josh Bozarth [00:44:21] So once I have those privileges, What can I do to escalate that? And that's where we get into traditional pen testing scenarios, like it's privilege escalation, like where we're just looking for the next hop to get to that next layer of access, before. It's all said and done. 

Josh Bozarth [00:44:37] I will tell I'll tell a story. I'm sorry that I'm not letting you talk and it's the why not errands like role in his eyes. Like, oh God. 

Aaron Moss [00:44:45] We've got like maybe 5, 10 minutes left in this webinar. And we still love it. 

Josh Bozarth [00:45:55] I love how Aaron's telling me to hurry up hey, this is a first is Jeremiah. Just so you know, he said server side request forgery. 

Josh Bozarth [00:45:01] So move on. OK, I got a text message. Don't worry about. 

Josh Bozarth [00:45:05] OK, So we have, I was doing a security test security assessment test on an AWS environment, and so they, it started with me already having access already had a VM. 

Josh Bozarth [00:45:18] And it was, what can you do, and, you know, I'm sitting there looking at the environment, and I find, they're using AWS Lambda. Lambda is serverless computing, which is another cool thing to do. Like, oh, I want to just run this JavaScript. every time this request comes in, I want it to trigger, run this JavaScript, and then spend down. And I only pay for the zero point five seconds that that JavaScript is running. And so, it's serverless computing. There's no infrastructure for anybody to manage other than, hey, you just give them this, whatever it's running. 

Josh Bozarth [00:45:47] Well, and I'm looking at that, and I'm like, well, I have the privileges to pull down those that JavaScript and look at that JavaScript, even though it was not available maybe to the application directly. Right? So I'm looking at the access, pull down this JavaScript from this function. 

Josh Bozarth [00:46:02] And it's got credentials in it. Because I see that the javascript's processing this data. 

Josh Bozarth [00:46:07] And then it's posting it over to a database using these credentials, which are inside the JavaScript file. On my Oh, that's nice. So, I'm like, can I use that? 

Josh Bozarth [00:46:16] And I won't tell you that the user account was root. But it was root. 

Josh Bozarth [00:46:20] And yeah, so I had root on this. 

Josh Bozarth [00:46:26] It was a, it was an Oracle database, I believe. 

Josh Bozarth [00:46:29] It was a big database, and it was data that the client probably did not want me messing with site. 

Josh Bozarth [00:46:34] So make sure to disclose that rather quickly. Like, hey, don't put these credentials in your JavaScript file. Figure out another way to do it. 

Josh Bozarth [00:46:42] I gave them some examples of how to use Amazon's credential services, so you can, like, hey, instead of putting credentials inside your JavaScript files, you can just call this token, and it will do the authentication. And make sure that everything's OK, It sounds like pulling it from a web that can big server. 

Josh Bozarth [00:47:00] Yeah. Pretty much. Yeah, OK, cool. So, yeah. I just wanted to tell that story. I mean, I was already on the inside. But again, that's, that's privilege escalation, that's what we're looking for. 

Josh Bozarth [00:47:10] We're looking for what can we do once we have access to something. 

Josh Bozarth [00:47:14] Alright I'll go ahead and go to the next slide. 

Aaron Moss [00:47:17] No, Jeremiah. 

Aaron Moss [00:47:19] Um, So again, we're back to the more things change, right? The more they stay the same. So the more things change me. 

Aaron Moss [00:47:27] Now we're in the cloud environment instead of an on-premises environment and stuff, but a lot of the same principles still apply to your cloud environments that we've been preaching about now for years with your on-premises environments or your co-locations, whatever else, right. 

Aaron Moss [00:47:42] So your controls, are they in place, do you have these controls in place, do you have, you have a set of controls at all, if not, check out our previous webinars on the CIS Top 20 Critical Security Controls. 

Aaron Moss [00:47:56] Most AWS controls are in place by default, right? 

Aaron Moss [00:47:59] Like AWS's get a pretty good model so far of you open up. 

Aaron Moss [00:48:05] What you need to open up instead of Azure, which is kinda the opposite. 

Aaron Moss [00:48:11] That it's opened up by default with a lot of things, and you have to close things down. 

Aaron Moss [00:48:16] Right. 

Aaron Moss [00:48:17] So, it takes a little more configuration to make Azure work, at least, Azure probably works better by default, which is probably the reason why they do that. Think of the old, you know, like how Windows has been for years. 

Aaron Moss [00:48:29] We're, everything's opened up by default and you have to go lock it down. 

Aaron Moss [00:48:35] It takes a little more configuration and get it working, right? 

Aaron Moss [00:48:37] But Azure can still be secure, even with all the vulnerabilities that are out there. 

Aaron Moss [00:48:43] You want to turn off all anonymous accounts, right? Any anonymous accounts that are set up, turn them all off, only open back up what you need. 

Aaron Moss [00:48:54] And there may be a good business reason for that to be opened up in the first place. 

Aaron Moss [00:48:59] And then, of course, as we've preached before, set up multi factor authentication for all accounts that you add, all devices that you add, where possible, right, And make sure that these MFA accounts are set up with, with fairly secure. I mean, you know, text messages have been proven to be not the most secure at all, but, hey, anything is better than not having MFA set up. 

Aaron Moss [00:49:22] So, I still think that's a valid way to do MFA. 

Aaron Moss [00:49:29] Your passwords are generally, again, your first line of defense. 

Aaron Moss [00:49:33] You want to make them strong, keep them safe, put them in a password vault, make them ridiculously long. 

Aaron Moss [00:49:40] It doesn't matter because the thing is, basically, you password length is directly in correlation to how long it takes to brute force something password length and password complexity, and if they're sitting in a plain text, you know, configuration, file, somewhere. 

Aaron Moss [00:49:56] It doesn't matter how long or how complex it is because now we can just read it without having to crack it. 

Aaron Moss [00:50:03] Bob's your uncle, we get in. Stop including them in configuration files. 

Aaron Moss [00:50:09] That's something that we've harped on what, 3 or 4 times during this webinar, so far, right? 

Aaron Moss [00:50:14] AWS keys are still passwords, even if they're just a, you know, nine digit, 12 digit, whatever is. Still a password. Right? 

Aaron Moss [00:50:25] So, you want to rotate those keys, especially if they're exposed publicly, all right. 

Aaron Moss [00:50:31] Even if you've deleted them from you know, it's permanent about, I'd just like normal password rotate. 

Aaron Moss [00:50:36] Your AWS keys every, how many ever days, 180 hundred and 180 days. I mean, if your company policy is 90 days, then rotate them every ninety days. Treat these like any other password that's out there. 

Josh Bozarth [00:50:48] You're gonna treat them just like you would like any other private key, Right. 

Josh Bozarth [00:50:52] So if you've got you, you've got servers you SSH into and you've got a private key. You're protecting that, right. You don't want, the public part of it is fine, whatever, but the private side of it, you want to guard with your life. 

Josh Bozarth [00:51:06] And know, we talk about MFA. MFA is great, when it's a user, MFA. It doesn't work great when you're talking about service accounts, and that's where we see a lot of the issues is. 

Josh Bozarth [00:51:18] Clients will create, these keys are service accounts effectively, and then they store them where anybody can access them or shouldn't access them or have had controls around them, right. 

Josh Bozarth [00:51:29] So, Yeah, don't think the MFA is going to save your bacon. 

Josh Bozarth [00:51:33] It's obviously another layer in the security layer onion that we like to talk about. 

Josh Bozarth [00:51:40] If you're using service accounts, and you're generating keys that are being used out there, you better know where they're being used. 

Josh Bozarth [00:51:46] And, if they get asked why I wrote, what I wrote is like, if they get accidentally exposed in a repo. And you're like, I'm gonna delete that, man, I would you rotate that key, even if you've deleted the commit, and you've deleted the repo, rotate the keys burn you. Just assume it's gone. 

Aaron Moss [00:52:00] Yeah, You don't know who had access to it before yet, before you rotated out or deleted it from the commit and the repo policies. Do you have company policies for how cloud infrastructure is used? 

Aaron Moss [00:52:15] Are you following these policies? 

Aaron Moss [00:52:17] If you don't have policies well, this webinar is a good starting point, right? 

Aaron Moss [00:52:23] So how can we help you? How can TRUE help you? 

Aaron Moss [00:52:26] Well, purple team engagements, right? What's the purple team engagement? Well, that's whenever you take a red team, blue team, you put them together. 

Aaron Moss [00:52:33] So you take guys like us. 

Aaron Moss [00:52:35] and he gave your blue team, which is your, your cloud engineers, your IT engineers. Anybody who's working on the defensive side and get your stuff together. Your SOC that might be monitoring, rice, you work. 

Aaron Moss [00:52:48] You placed him in a room together, or on a call together, or whatever else, and we work together to say, hey, we just attack from this perspective. We attack this endpoint. We attack whatever. Did you see what we did? 

Aaron Moss [00:53:02] Give them indicators of compromise, IOCs, say, OK, this is what it should look like. Can you tell me what you saw on your end? If you're not seeing that on your end... 

Josh Bozarth [00:53:12] That's a problem. I'll give you a cloud version, kind of example of that kind of scenario. 

Josh Bozarth [00:53:16] So, you know, the idea is that you're working in concurrence with the blue team, you know, the red team is, and, and so, when we're talking about like something like AWS logging and monitoring with, AWS is usually done through what's called CloudTrail, which is kind of their little centralized logging and monitoring setup. 

Josh Bozarth [00:53:35] So, it's like maybe I, maybe I want to know when an AWS key has been used in a weird way. 

Josh Bozarth [00:53:47] Well, that's how CloudTrail can help you, and, and, for example, and referring back to that Capital One hacking in 2019, where, you know, these keys were compromised and they're using them to access metadata services. 

Josh Bozarth [00:54:02] I read something that the Netflix of all people have created. 

Josh Bozarth [00:54:05] Had created a tool to kind of help identify things out of CloudTrail. That would maybe be from an entropy standpoint. Maybe that's an odd usage of a key, or maybe, obviously, you want it to trigger if a key gets created. But a key might get used in a weird way. Like, just like, if I were to come into the office at 3 AM. 

Josh Bozarth [00:54:26] and it logs that I did that. My boss view, Like, what does he do, right. That's, that's an indicator, like that maybe we need to investigate that. And so, there, there are ways within the cloud environment. 

Josh Bozarth [00:54:38] So, a red team person like us can issue or do something, that would be in accordance to what we would call like you know, Atomic Red Team type things, that would fall within like the MITRE ATT&CK framework. So did you see this? Look? Let's look in CloudTrail and find that. And if you didn't see this, well, let's tweak that. So that you will be alerted for these types of scenarios going forward. Because that's the whole point. And it's, you know, it may sound, kind of not as exciting as, Hey, I'm, I'm hacking your networks, ha-ha-ha. 

Josh Bozarth [00:55:08] But you know, hey, we're all, we're all humans here. Let's kinda work together and make things better, as opposed to adversarial all the time. Like, let's make it more efficient, it can be cheaper in the long run, because everyone's working together to get it done. As opposed to meet certain, there, beat my head on something for four hours, trying to figure out where the keys, right. 

Aaron Moss [00:55:27] So, and if you have problems with configurations, you know, we've got an IT cloud provisioning team that's, that's here to help make your configurations more secure, Which makes, overall, your cloud environment more secure. 

Aaron Moss [00:55:40] We also have a team of experts here that, let me just repeat this real quick, IT Cloud Provisioning team that can help make your configurations in your cloud environments more secure. Running out of time, so I'm going to start going through these real quick. Here's your purple team exercise flow. 

Aaron Moss [00:55:54] Essentially what we said before: we attack, we ask, did you see the attack? 

Aaron Moss [00:56:00] They say yes or no, OK. 

Aaron Moss [00:56:03] We're going to go ahead and share what we, what the attack looked like, then they're going to document what they saw. They're going to perform any adjustments to the blue team, whether it be the SOC, or security controls, or whatever else, and we're gonna repeat the attack, right. We're going to document that. And then lather, rinse, repeat. 

Aaron Moss [00:56:21] Always repeat. 

Josh Bozarth [00:56:23] Yeah, so the idea is that it's happening in real time, right? 

Josh Bozarth [00:56:28] It's not something where we do the attacks, You know, six weeks in the past, and then you guys go look for him. You know, the blue team It's designed that know We're all in the same chat channel or on the phone We're working in conjunction with same room. 

Josh Bozarth [00:56:43] Yeah. That and that's why it's like considered a tabletop discussion. 

Josh Bozarth [00:56:47] Like hey, we're going to talk about what we're going to do and, you know, if you think of things that you want to make things better before we go through these simulations, or these exercises, Yeah, that's fine, but the idea is like we're going to do this. You need to see if you can find it. 

Josh Bozarth [00:57:01] And, and if not, we're going to make that work, right. 

Aaron Moss [00:57:04] And the whole point of it is to make sure that your blue team is able to see these attacks, that, you know, we try to emulate as best as possible. 

Aaron Moss [00:57:15] Other bad guys, actual bad guys that are out in the Internet, and you're going to attack your infrastructure. 

Aaron Moss [00:57:21] And so, the idea is, if we show them what an actual attack looks like, is as best as we possibly can, they're going to be much better prepared for whenever an actual attack does happen, because it will happen. 

Aaron Moss [00:57:34] Yeah, I know, it's, we gotta wrap it up. So, these are just certifications that we have. We have more questions about anything. 

Aaron Moss [00:57:42] Well, just check out our website, or talk to our marketing person, Jessica here. 

Josh Bozarth [00:57:47] Um, I guess we could pause and ask Jessica if there's any questions. Or, Yeah, because we don't see any questions here. So do you guys, if there's any questions that anybody has discontinued asked, enforcement would be glad to answer. 

Jessica Olivieri [00:58:03] Well, with the time in mind, let's just go to one question here. 

Jessica Olivieri [00:58:10] Um, so, who needs to be informed of a purple team exercise within a tested organization? 

Aaron Moss [00:58:18] Generally, anybody who needs to be on the blue team side of it, yeah, it must mean this is not, go ahead, yeah. 

Josh Bozarth [00:58:25] As I say, yeah, if it's a red team engagement, is everybody in the know about what's going on? Sometimes, yes, most of the time. Most of the time, yes, but sometimes maybe they don't, they want their SOC to be tested. In a purple team exercise, everyone's kind of aware of what's going on because, hey, we want it to be as efficient as possible, like we said. 

Josh Bozarth [00:58:45] So, those who need to be aware, are going to be, obviously, your blue team. And men. 

Josh Bozarth [00:58:51] And above that, I mean, it's just the people that are, or, without the front lines of, of doing the detection. 

Josh Bozarth [00:58:57] And in response, that's, that's where you start at, and you can in there, and you're usually good, because it's not like we're gonna go in there and actually break things. These are simulated attacks that they're designed to create, what we would call, like, canary type tokens. 

Josh Bozarth [00:59:14] Like, you should be able to find this, but it's not harmful what we've done, and then, so there's no, no real risk to the environment, typically, but it is something that they need to be able to identify. All right. 

Aaron Moss [00:59:27] That's the biggest difference between, you know, what we normally do, and then purple team assessment looks like is everybody's generally in the know versus just a few people on a regular red team. What else do we have? 

Jessica Olivieri [00:59:41] One more here. 

Jessica Olivieri [00:59:43] If True is already their blue team, does a client need to just ask for a purple team engagement? 

Josh Bozarth [00:59:55] I guess I'm trying to understand that if, if you... 

Jessica Olivieri [01:00:01] If a client is using True as their monitoring, their blue team, does a client just need to ask for their purple team engagement? 

Josh Bozarth [01:00:07] I would think they can. Yeah, I will. I will be as forthright as possible: we actually do a purple team engagement with our SOC, right? 

Josh Bozarth [01:00:18] So, the idea is that we want to make our monitoring team better with each and every client that comes on. So, you get that by default whether you've asked for it or not. Let's just say that you're a client, or, if you're applying, you don't get it out by default. 

Josh Bozarth [01:00:32] If you're somewhere else, if it's IT management, and stuff like that, absolutely, just ask for it. We'll be glad to. That's, you know, it's part of the gig is to make everybody better. 

Josh Bozarth [01:00:43] And so it's never ... I think that there's a, there's a kind of a stereotype that red teamers are adversarial. 

Josh Bozarth [01:00:54] Like, you know, badmouthing or whatever the blue team. And though, it is always like, we've been blue teamers. We know what it's like to be the defenders and build these networks out and everything, and, you know, so we want to help as much as possible to make sure that everybody's on the same page. 

Jessica Olivieri [01:01:13] All right, well, I think because of time, we're going to have to end it right there, and you guys did a great job. If anybody is looking for the recording, it will be sent to you via e-mail. 

Aaron Moss [01:01:30] I just have to say, Josh was really worried that we weren't gonna be able to fit an hour of talk with the slides, so, sorry for going over. 

Jessica Olivieri [01:01:39] Yeah, that was great, you guys. OK, everybody, have a good day. 

Aaron Moss [01:01:47] Thanks, everybody. 
