OWASP 2024 Global AppSec San Francisco

Day 1 Story: SEOptimyze - Lambda Privilege Escalation - Attack, Detect, and Defense The application is an example of a real-world SEO optimizer, where we analyze website performance and store the files in an S3 bucket, and store other values in DynamoDB. This is a “serverless” app that uses AWS Lambda, API Gateway, DynamoDB, Amazon S3, and other AWS Services. Attack Story Concepts * Attacking Vulnerable Lambda Function and pillaging credentials * Leveraging IAM misconfiguration to be able to escalate privileges * Misconfigured security parameters on S3 and DynamoDB Incident Response * Detection and Response * Promptly detect suspicious activity through monitoring AWS CloudTrail logs, AWS Config, and CloudWatch metrics. * Activate the incident response team upon detection and isolate affected resources. * Containment and Eradication * Contain the incident by disabling compromised IAM credentials and restricting access to affected resources. Investigate the root cause and remove any malicious code or unauthorized access. * Recovery * Restore affected resources from clean backups or rebuild them, ensuring revoked credentials are replaced. Implement security improvements, such as enhancing configurations and conducting thorough testing. Defense Topics and Mini Labs * Lambda Least Privilege Configuration * Remediate Application Vulnerability * Scan Lambda Function with Automated Security Tools Story: Amazon EC2 Attack, Detect, and Defense Lab This stack is a more traditional application stack. Applications and Databases are deployed as VMs in VPCs inside AWS environments. The story focuses on the attacker's objective to attempt to exfiltrate sensitive information from a VPC Attack Story Concept Coverage * Compromise Application hosted on VM, steal credentials from VM * Insecure VPC Configuration along with IAM privilege misconfiguration * Adversary objective OS to perform data exfiltration from internal assets deployed across VPCs Incident Response * Detection and Response[a][b] * Utilize network monitoring, intrusion detection systems, and log analysis to detect suspicious activities such as unauthorized access attempts, unusual network traffic, or unexpected changes in IAM permissions. * Upon detection, activate the incident response team and isolate compromised VMs and affected VPCs to prevent further data exfiltration. * Containment and Eradication * Conduct a comprehensive investigation to determine the root cause of the compromise, including analyzing system logs, network traffic, and IAM configurations. * Contain the incident by revoking compromised credentials, disabling compromised VMs, and implementing security group rules to restrict access to sensitive resources. * Recovery * Recover affected systems by restoring from clean backups or rebuilding them with hardened configurations using Infrastructure as Code (IaC) principles. * Implement VPC hardening measures, including adjusting security group settings, network ACLs, and IAM policies, to prevent similar attacks in the future. Detect Topics and Mini-Labs * VPC Flow Logs for CloudWatch metrics to set the alarm * Threat Intelligence using GuardDuty * CloudWatch Log Insights * Using OSS Cloud Security Posture Management Tools to detect security incidents * Setup automated detection pipeline using AWS Lambda, SNS on VM State Changes, and VPC State Change Defense Topics and Mini-Labs * Harden VM and Configurations using Infrastructure as Code * VPC Hardening and Security Configurations * Hardening with specific Security Groups * IAM Tag-based condition for VPC[c]

Day 2 Story: EKS Privilege Escalation Attack, Detect and Defense Attack Story Concepts * Privilege Escalation on EKS cluster, leveraging vulnerable container * Privilege Escalation involving Amazon ECR, KMS, S3, and so on * Trojanizes the container images and pushes them to the ECR Incident Response * Detection and Response * Utilize monitoring tools such as AWS CloudWatch, AWS Config, and AWS CloudTrail to detect unauthorized access attempts, unusual activity on EKS clusters, and suspicious interactions with ECR, KMS, and S3. * Employ intrusion detection systems and anomaly detection mechanisms to identify potential privilege escalation attempts and unauthorized modifications to container images in ECR. * Implement alerts and notifications to promptly notify the incident response plan upon detection of suspicious activities or security violations. * Containment and Eradication * Immediately isolate compromised containers or EKS clusters to prevent further unauthorized access and potential data exfiltration. * Analyze the extent of the privilege escalation and identify the compromised container images pushed to ECR. * Disable or remove malicious container images from ECR and revoke any compromised IAM credentials or permissions associated with the incident. * Conduct a thorough investigation to identify the root cause of the attack and address any vulnerabilities or misconfigurations that contributed to the incident. * Recovery * Restore affected EKS clusters and container images from clean backups or rebuild them using secure configurations and best practices. * Implement security enhancements such as IMDSv2 to prevent metadata credential compromise, fix SSRF or Path Traversal vulnerabilities in the application, and configure OIDC for Kubernetes deployment on EKS to enhance authentication and authorization mechanisms. * Review and update IAM policies, ECR defense parameters, and overall security posture to mitigate the risk of future privilege escalation attacks and unauthorized access to containerized environments. Defense Topics and Mini-Labs * IMDSv2 to prevent Metadata credential compromise from RCE/SSRF/Path Traversal * Fix SSRF or Path Traversal in the Application * OIDC for Kubernetes deployment on EKS * ECR Defense Parameters - Tag IAM[d] and IAM Hardening Story: GCP Cloud Run metadata Attack and Defense Attack Story Concept Coverage * Application with Deserialization vulnerability is deployed in Cloud Run instance * Exploit the application and get a reverse shell from the compromised application * Sensitive information disclosure from the metadata endpoints Incident Response * Detection and Response * Utilize VPC flow logs to monitor network traffic and detect suspicious activities, such as unexpected connections or unusual data transfer patterns. * Implement real-time monitoring using Pub/Sub to receive alerts and notifications about potential security incidents or abnormal behavior in Cloud Run instances. * Investigate alerts promptly and analyze metadata endpoints for any signs of sensitive information disclosure or unauthorized access attempts. * Leverage Security Command Center for Threat Detection * Containment and Eradication * Upon detection of a deserialization vulnerability exploit or a reverse shell, immediately isolate the compromised Cloud Run instance to prevent further unauthorized access. * Utilize firewall rules to block incoming and outgoing connections associated with the compromised instance and prevent the reverse shell from communicating with external servers. * Apply IAM deny policies to restrict access to sensitive resources and prevent unauthorized actions from the compromised service account. * Recovery * Implement a fix to address the YAML deserialization vulnerability in the application deployed on Cloud Run instances. * Enhance application security by adding authentication via GCP Identity-Aware Proxy (IAP) to prevent unauthorized access to sensitive endpoints and data. * Restore the compromised Cloud Run instance from a clean backup or rebuild it with least-privileged service account permissions and hardened configurations. * Conduct a post-incident review to identify lessons learned and update incident response procedures, security controls, and employee training to improve the organization's resilience against similar attacks in the future. Defense Story Concept Coverage * Fix that prevents the YAML deserialization attack * Add the Authentication to the application via GCP IAP * Prevent the reverse shell using firewall rules * IAM Deny Policies * Run service with a least-privi