Thanks to Cloud Village for having me here. We are going to talk about CSPM to CloudTrail. My name is Rodrigo Montoro, my handle is Spooker and my Twitter is SpookerLabs. I live in the south of Brazil, in Florianópolis, and I work at Tempest Security as a research and threat detection engineer.

The motivation behind this research is that we need to improve our cloud detection in our security operations center. And since we have a lot of different customers, we started to figure out how we could do something that would fit mostly all the customers without needing a lot of context. So when you start to think and brainstorm about that, it gets split into two different parts: you have threat detection, which is something more complex, and you have something related to misconfiguration, which is more straight to the point.

Our agenda: we are just doing a brief review about cloud attacks, CloudTrail and CSPM, a very short review, and then talking about the research and some future work we are figuring out to do.

So, cloud attacks. I think when you are on premise, you have a kind of perimeter, and this perimeter is something that makes things inside the perimeter safe. You could do a lot of bad configuration, not follow hardening stuff, but inside your perimeter it's like you have a firewall, and you have the internal and the external parts. You have your data, your apps, your servers, your containers or whatever, and I could not access them from the external part unless I have some access or other things. I'm comparing something by default: if I open a server, I put some share on my server and open it to anonymous, for example, I could not access it from outside by default.

And companies are migrating to the cloud. So what they are mostly doing is what we call lift and shift. They work the same way they worked on premise, they put everything on instances and so on, and they mostly don't work with the cloud native stuff in the first instance. But the problem with that is that they are doing the lift and shift of the security, of the protections, of the attack surface that they need to monitor. And when you move to the cloud, you have a new attack surface; a new attack surface is born. And what is this new attack surface that is really, really important to monitor? If you're in the cloud, the most important part to monitor is the AWS API, or the control plane. And it doesn't matter if you are a DevOps guy, some automation or the malicious guy: from there you could do a lot of things. You could access the information, you could change the infrastructure, you could open stuff, you could start something like crypto mining and all those things. You have control, especially because of over-permissive policies, which we're not going to talk about; that's another subject for another day, but that's one of the main problems in the cloud.

That being said, as I mentioned before, you have threat detection for this specific attack surface and you have misconfiguration detection. Threat detection, as I said before, is something a bit more complex. We are trying something like a kind of attack chain: the user will log in from somewhere different, maybe try some enumeration, from enumeration we have a privilege escalation, and then you do exfiltration. So you probably need to have some kind of combination of actions to figure out if it's an attack or not, something like simulating the MITRE ATT&CK framework and seeing what happens.

And we have misconfiguration detection. With misconfiguration detection, if you pick the right fields and information, it's something more one to one: with one event you could probably have a detection. And that's where we are fitting our research. There are three types of activity you could say, and those activities could be: the good, the regular guy doing good things, following the baselines, using the best practices and so on. Then you have the bad intentional, something like you leak a key and from the key you start to do whatever you have access to do, like access some information, try to do escalation and other things. And you have the bad non-intentional, and the bad non-intentional is where the danger lives, because it's the guys that are supposed to have access, have access, and are working on their daily job doing something that's not following the best practices. Our main goal here is exactly that. Because if you try to find a misconfiguration here, we'll probably find the bad intentional too, because sometimes they're going to open something and do the same things, but we don't want things to start out wrong. So this kind of detection is cool, and it's almost in real time. When you do that, you're opening your account to other people, other access or something else, doesn't matter.

And there are two kinds of misconfiguration. Some misconfigurations provide direct access: you need nothing else to access that. It could be something like an S3 bucket, an EBS snapshot, or a security group where you open a port to a server that's running on some instance with no authorization or no authentication, and they will have access. This kind of stuff opens your account to the world, direct access, I don't need anything more. And you have the second one, the second stage attack, where you need another vector. This vector could be access to an EC2 instance, a server-side request forgery, an access key, or a user and password. Yesterday's talk covered a lot of different ways to find endpoints that are public, based on research about AWS resources that could be exposable. Most of the things he told fit the second stage: they'll have the endpoint open, but for Redshift or for RDS you need some extra thing like a user and password. But he mentioned that if your Elasticsearch is open you have direct access, this kind of thing. So of those three types of activity, the bad non-intentional is where we are looking.

To give context to that, let's do a quick view of CloudTrail. How does CloudTrail work? Mostly, whatever you do in your control plane, you have the AWS Management Console, you have the SDK that you could develop something with, you have the CLI, which is a very common tool to use. Any of them will connect to the API and execute the actions. And you have like nine thousand, almost 10,000 actions currently. Everything will be logged, most of everything, with some exceptions. It will be logged at CloudTrail, and this is how it works: it will record everything, it has a simple JSON format, and it's near real time because it has a delay to put it in S3, if there is an S3 trail, and you have a lot of different fields. But mostly you have a JSON like that which will tell you who did that, when they did that, what they did, and this starts to be interesting for detection, and with what parameters. So the combination of what and what parameters is where we're going to look and figure out if something is being created with a full misconfiguration. Right?

And so, how did we figure out what we should do and what we should use? We started to look at the cloud security posture management tools. We looked at CloudSploit. CloudSploit was created by Matthew Fuller, and the project and the company were acquired by Aqua Security. One very interesting point is that it's a multi-cloud CSPM. What that means is that we are talking now about CSPM to CloudTrail, but you could just change that to CSPM to cloud detection stuff, because we are focused on AWS right now, but since it's multi-cloud it could work with all the clouds, all the providers it has. You understand why you want to use it: you have a lot of data ready to go. If you look at the CloudSploit checks, we have Alibaba, we have AWS, we have Azure, GitHub, Google, Oracle. AWS has more than 300, that's a great number, a lot of work to do, and not 100% could be converted into some detection, but this brings us a total of 735 possible detections. That's a lot; if half of these work, that's great, we don't need more than that. The check was like a week ago. And what do all those checks bring to us? A lot of metadata, and that metadata has a lot of information. You have a title, you have the service, some description, some have more information, we have a link to the documentation, you have the recommended action, so you could figure out: oh, this happened, let's do that. So if you create some detection, you already have the answer, and you have the code that you could just look at to figure out better what they are doing to validate that.

And this brings us to the CSPM to CloudTrail research. This research is something we are putting a lot of time into; we are working to release that, and I'd say we are going to release it probably in the middle of September on our GitHub, so follow us, we have a bunch of cool information and we are going to figure out the best way to do that. That being said, what did we do? First, we created a CSV from the CloudSploit information and picked out the metadata. What you need to do here is to add the severity, so you could have something better for prioritization, since we had 306 checks at that time. So we created the severity based on our concepts; there is no magic rule here. And we started to do some charts. So we have the rule, we have the severity, we have the impact, which is something we added, because one important part when we are talking about detection is that having more metadata, more information, makes the security analyst's life easier, and that's very important. From this we want to create the detections, and this is the first version, using Splunk. Our main goal is to have some Sigma rules, so you could convert to any SIEM you are using, but since our customers mostly use Splunk and our biggest engine inside the security operations center is Splunk, that's what we started with; maybe we'll do something different than that later.

And how could we start to create the payloads to make sure that we could create detections, and simulate all the things? Let's create every AWS misconfiguration we could do. For sure we are using a lab account and we are creating them by hand, but that's the kind of thing where it could be nice to have a tool to simulate all these misconfigurations, something like CSPM to red teaming automation or something like that. That could be very nice, because it could simulate whether your enforcement is working, whether your security operations team is working, whether your detection is working, this kind of thing.

Just to show some proof of concept about the research, which, as I said, is still going, starting with AWS we created a public S3 bucket detection, we show here a VPC endpoint exposure, the public EBS snapshot, and the trusted account relationship.

The very first one is about public S3 buckets, and there are two rules there. We created one for the public S3 ACL and one for the public policy, just to show that if they are changing something to anyone, we are sure that we are detecting it. Sure, when we release you'll probably have some extra rules that are not exactly related to this rule, but something like you could create cross accounts, and so we could add a principal here like another AWS account. For example, the endgame tool, that's a nice tool from Kinnaird McQuade, and it will not make it public, it will make it available to your account, so it's a kind of less noisy thing. That's something you need to pay attention to, but here I just want to show the sample. And hats off to AWS here: this is to show you that you have a lot of information available already, and that's insane, because they have followed this for a long time, and AWS released a lot of tools to detect this, and it keeps growing. That's insane.

Now the VPC endpoint exposure. Here, when you create a VPC endpoint, to detect this the statement Principal and statement Resource are the point to start. Sure, there is another vector, because we're talking about when it's being created, but you could go there and use another action like ModifyVpcEndpoint and have the same result. As I said, we are going to focus on the most likely case of how you can expose something. Scott Piper has a nice paper about that, I forgot to mention that, and there is a very great talk here talking about that, and Scott Piper has a paper about this too, not about the exposable services but about this too. So I really recommend that; open your mind, see how dangerous it could be, because sometimes we could not figure out how dangerous that could be. But this is a kind of second stage; you cannot abuse this if you are not inside the perimeter.

Public snapshots, EBS snapshots. Here is another sample. You could just modify the snapshot attribute; as far as I know you could not create it public, you need to modify it, so that will probably be the only way, and you add it as group "all". But there is another modify where you permit an account, and that's the kind of thing that endgame probably abuses, and something where you need to have two rules. You have two rules and I'm just showing you one. And there is a great talk about finding secrets in publicly exposed EBS volumes from DEF CON two years ago.

And the cross account trust. The cross account trust is very, very dangerous, because when you cross accounts with some account you need to make sure that that account is safe too, because if you put excessive permission in a cross account, your account is as safe as the permissions you give to the non-safe account. That's something that you really need to understand and fix. I didn't write it here, but last year Alexandre Sieira did a talk here at Cloud Village where he explained, for forty minutes or something like that, how the cross account works and some ways to mitigate that, so I really suggest you watch that too.

That being said, some future work: we want to create more AWS detections, we started GCP and Azure mapping too, with more focus on AWS, maybe Kubernetes too, and to provide Sigma rules. That's something we have in mind, but that could change when we start to work on it. And special thanks to Celso and Caduca from Tempest, on our team, and to Matthew Fuller for reviewing the call for papers, that helped a lot. And that's it, guys, thank you very much for having me. Those are my contacts, my Twitter handle and the company handle. I really suggest, if you're interested in the content, that you follow us, and we'll probably provide some good content in the near future. Thank you very much.
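As an added example that is not part of the talk or the speaker's released rules, here is a minimal "CSPM check to CloudTrail rule" classifier in Python for the four misconfigurations shown in the proof of concept: the public S3 ACL and bucket policy, the EBS snapshot shared with the "all" group, and a role trust policy that adds a principal from another account. The events are constructed samples in CloudTrail's JSON shape (not real log data), and OWN_ACCOUNT is an assumed id for the monitored account.

```python
import json
# Added example: a minimal "CSPM check to CloudTrail rule" classifier for the four
# misconfigurations in the talk. Events are constructed samples in CloudTrail's JSON
# shape, not real log data; OWN_ACCOUNT is an assumed id for the monitored account.
OWN_ACCOUNT = "111111111111"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
SAMPLE_EVENTS = [
    {"eventName": "PutBucketAcl", "requestParameters": {"bucketName": "demo-bkt",
        "AccessControlPolicy": {"AccessControlList": {"Grant": [
            {"Grantee": {"xsi:type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}}}},
    {"eventName": "PutBucketPolicy", "requestParameters": {"bucketName": "demo-bkt",
        "bucketPolicy": {"Statement": [{"Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::demo-bkt/*"}]}}},
    {"eventName": "ModifySnapshotAttribute", "requestParameters": {"snapshotId": "snap-0abc",
        "attributeType": "CREATE_VOLUME_PERMISSION",
        "createVolumePermission": {"add": {"items": [{"group": "all"}]}}}},
    {"eventName": "UpdateAssumeRolePolicy", "requestParameters": {"roleName": "Admin",
        "policyDocument": json.dumps({"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
            "Principal": {"AWS": "arn:aws:iam::222222222222:root"}}]})}},
]
def _aslist(x):
    return x if isinstance(x, list) else [x]
def _statements(doc):
    """Policy documents arrive as a JSON string (IAM) or an object (S3); normalise both."""
    doc = json.loads(doc) if isinstance(doc, str) else (doc or {})
    return _aslist(doc.get("Statement", []))
def _principals(stmt):
    p = stmt.get("Principal", {})
    return [p] if isinstance(p, str) else [v for vs in p.values() for v in _aslist(vs)]

def classify(event, own_account=OWN_ACCOUNT):  # map one event to a rule name, or None
    name, rp = event.get("eventName"), event.get("requestParameters") or {}
    if name == "PutBucketAcl":
        grants = _aslist(rp.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", []))
        if any(g.get("Grantee", {}).get("URI") == ALL_USERS for g in grants) or any(
                a.startswith("public-") for a in _aslist(rp.get("x-amz-acl", []))):
            return "public_s3_acl"
    if name == "PutBucketPolicy" and any(s.get("Effect") == "Allow" and "*" in _principals(s)
                                         for s in _statements(rp.get("bucketPolicy"))):
        return "public_s3_policy"
    if name == "ModifySnapshotAttribute":
        items = rp.get("createVolumePermission", {}).get("add", {}).get("items", [])
        if any(i.get("group") == "all" for i in items):
            return "public_ebs_snapshot"
    if name == "UpdateAssumeRolePolicy":
        for s in _statements(rp.get("policyDocument")):
            if s.get("Effect") == "Allow" and any(
                    p == "*" or (":iam::" in p and own_account not in p) for p in _principals(s)):
                return "cross_account_trust"  # trust granted to a principal outside our account
    return None
```

The `PutBucketAcl` rule accepts both the grant-list form and the canned `x-amz-acl` form (as produced by `--acl public-read`), and the trust rule deliberately stays quiet for principals inside OWN_ACCOUNT so that legitimate same-account role trusts do not fire.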