Lokesh, we'll talk about the cloud, so without much ado, Lokesh Pidawekar. Thanks, Ming, for the introduction. As always, yes, it's been three years. Ming was my mentor for my BSides Proving Ground talk, and it was my opportunity to meet him and learn from him. All right, so thank you so much for coming to my talk. It is on an OSINT approach to third-party cloud service provider evaluation. Something that we are going to discuss in the next 20-odd minutes: we'll start with the traditional ways companies assess third-party cloud providers. I'll go over the challenges people face when they evaluate providers, how we can overcome these challenges using OSINT tools, where I am currently with this, and how I see a future with this solution. All right, so before we begin, let me introduce myself. I do cloud and application security for Cisco; thanks, Cisco, for sponsoring the trip. I'm a returning speaker at Packet Hacking Village, so a big thanks to Packet Hacking Village and Wall of Sheep for organizing the talks and accepting me. So that's pretty much it. Before we move on to the talk, let's get the obligatory disclaimer out of the way. I will be talking about a few tools and resources throughout the presentation, but those are not my endorsements. None of these are things I get paid to put in. And if you want to use any of these providers, first of all, please use common sense, and then refer to your corporate policies, if you have some, in terms of how you can use these providers or solutions in your corporate settings. All right, so with the disclaimer set aside, let's move on. Third-party cloud provider ecosystem. So a quick show of hands: how many of you work in an enterprise that uses a third-party cloud service for anything? Most of us, because even in the enterprises that I have worked in in the past, everyone uses third-party cloud services.
And these cloud providers are not doing something like marketing or sales, which is not that critical. Nowadays, enterprises are embracing these providers to do business-critical operations like CRM, mail, storage, dogs, cats, everything. So it's a critical thing in any enterprise setting, and it becomes even more critical how those enterprises are evaluating these providers. As you see, a lot of sensitive information is going into those cloud providers. So it's a requirement to assess these cloud providers to make sure that the data they are going to store is kept securely. New regulations are coming along which say you should know how you are protecting the data and everything. So that's why this assessment is important. Now, what do you think will be the common way to assess cloud providers? Any guesses? That's one good thing. Excel sheets are something that is still predominant in evaluating providers. And I was just browsing my timeline and Jeremiah Grossman tweeted this thing, and I was like, yeah, this is something that I have to use, because not only in asset management but for several enterprise operations, we are still relying on Excel sheets, and cloud assessment is no different. But there are other tools that people use generally to evaluate cloud providers. Excel sheets, number one. Word documents. Some people like to chat about their cloud providers over drinks or coffee, so that's a cool way. They just see if you have gone through a SOC 2 audit: share your audit report and we are good to go. Get the assessment done and then you are set for life. Some people who are smarter, who have matured the process, have developed internal tools for the whole process. And there are a few people who are into the cloud inception world, where they use third-party cloud providers to evaluate third-party cloud services. So good luck. Regardless of the tool that you are using, the process remains the same.
So it starts with sending a questionnaire, and then the provider is filling out long questions. As a security team, you will be evaluating those questions based on your policies and iterating over their responses and requirements, sharing with them: fix this thing, or there is something that we don't want, do this, do that. And once they satisfy all your requirements, you move on and approve them for life. As you see, this is a cyclic process, so everything just goes on and on for all providers. But at the same time, this is a long process. I can imagine doing five things for individual providers, where large enterprises can use hundreds of providers. It's a tedious, long process. Now, in those process questions, there are different categories. So now we are going one level deeper: what kind of things do you ask? Mostly these providers are grilled on application security. I'm going to use your application; can you prove your application is secure? Can you tell me how I will log in? Or will you store my passwords in plain text? MD5, SHA-1, encryption, no encryption? Do you scan your infrastructure? Do you do any security operations? How do you store logs, monitoring, incident response? Everything. So these are typical questions, typical categories. And if you go to the Cloud Security Alliance's site, the CAIQ, you'll find detailed questions around these categories. Now, this is a very important slide, because if we want to devise a solution to assess our providers, we have to follow these categories. We have to think about how I can get answers that can fit into one or more categories, and still I don't have to knock on the doors of the provider. So that's the basis of my approach. So in the current approach, in the questionnaire world, there are challenges, and we discussed a few, like it's a long process. It's time-consuming, but at the same time, it's also point-in-time.
So what happens if I ask one provider today? They are going to give me an answer: okay, I use TLS 1.2. Tomorrow, it might change. So we are relying on information that we are getting at a single frame of time. So that's the biggest problem. The other problem in this current process is it's inconsistent. Some people ask 10 questions, some people ask 150 questions. It's inconsistent. And then when we get responses, we are relying on the face value of the responses. My provider shared this information with a smile, so I trust him. Or they shared a SOC 2 report certified by some consultancy. Yes, I trust that consultant, so I am trusting this SOC report. So a lot of things are a high-trust model. There are no real ways to validate and verify these resources. So these are a few challenges that I see in the current process. And I have evaluated more than 100 providers so far. So that's the problem. When I saw these problems, and was putting in more and more effort to find out the acceptable level of security, I thought there should be something else. So pen testers and other security researchers, everyone uses OSINT. Why can't we use open source intelligence to find out information about our providers, and then use that information to fill these questions, so that we are asking fewer questions and these are very direct? So that's how this whole concept, the whole approach, started. Now, what is this approach? How do we architect the solution? In order to architect the solution, first we need to identify the resources. Various levels of information can be collected through these resources, but there will be various degrees of accuracy and impact. Some resources are very accurate. Like, if you do an SSL scan on a specific URL, you might get a good level of information in terms of what kind of protocols they support, what kind of cipher suites they support, and if they are vulnerable to any known SSL-level attack.
Whereas if you are looking for information from Vulners or Open Bug Bounty, there is a chance the vulnerability was there, but now it is patched. So that's where the impact and accuracy come in. The third criterion is: can we get some information from the provider and then take that information and correlate other things? So that's the third piece that I've used in terms of architecting the solution. Once you get to this, you will find this. This is a prototype dashboard that I have designed, where you'll have the cloud providers. If you see 100 providers in your enterprise, you'll have the list of those providers and then various degrees of their maturity in terms of these tools. Now, as all tools are not made similar, we have to develop a weighted solution, a weighted model, where we are giving scores to SSL or Umbrella or security headers, and then based on those weighted scores we are calculating, just to have parity across the board. If you see, we are also bringing in IaaS, like which infrastructure they are based on. If they are based on an infrastructure provider that we trust more, that we have seen more, then their overall health will be greater than a provider which we don't know, or if they are just hosting the service in the back of the office under a developer's desk. So that's another differentiator. Overall, we'll be able to come to a score where it will be A, B plus, A minus, whichever way we want to model it. So that's how the dashboard will look. Now, the soul of the solution is the resources: the open source resources available on the internet that can be used for designing the solution. So as you see in the world, with everything, there are a few things that are free and a few things which are paid. So let's start with free resources. In terms of free resources, again I'm categorizing them based on the previous questionnaire categories. Remember those slides. So we have to identify resources that can fit into one or more categories.
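The weighted model the speaker describes above, as an added Python example that is not the speaker's prototype dashboard: each OSINT resource gets a trust weight for how accurate its results are, a result's weight decays as it ages (the point-in-time problem), a resource that returns nothing is left out of the average rather than counted as zero, and the trust placed in the IaaS the provider runs on scales the final score into a letter grade. Every resource name, weight, grade band, provider and finding in the block is constructed for illustration and is not from the talk.

```python
"""Weighted scoring model for third-party cloud provider OSINT signals.

Added example, not the speaker's prototype dashboard. Every resource name,
weight, grade band, provider and finding below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Weight per OSINT resource: how much we trust its result to reflect the
# provider's real posture (the "accuracy" axis). Constructed values.
RESOURCE_WEIGHTS = {
    "ssl_scan": 0.35,                # protocol/cipher findings: very accurate
    "security_headers": 0.20,        # accurate but narrow in scope
    "mobile_app_scan": 0.30,         # static APK findings: accurate when fresh
    "bug_bounty_disclosures": 0.15,  # may already be patched: lower trust
}

# Trust in the infrastructure the provider runs on (the IaaS differentiator).
IAAS_TRUST = {"known-cloud": 1.0, "small-colo": 0.8, "unknown": 0.6}

# Letter bands, highest first. Constructed.
GRADE_BANDS = ((0.90, "A"), (0.85, "A-"), (0.80, "B+"), (0.70, "B"), (0.60, "C"))

DEFAULT_TODAY = date(2018, 8, 12)  # constructed "run date" for the demo


@dataclass
class Finding:
    resource: str   # which OSINT resource produced it
    score: float    # 0.0 (worst) .. 1.0 (best), normalized by the collector
    observed: date  # collection date, so point-in-time results can age out


def freshness(observed: date, today: date, half_life_days: int = 30) -> float:
    """Halve a result's weight every `half_life_days` since it was collected."""
    age_days = (today - observed).days
    if age_days <= 0:
        return 1.0
    return 0.5 ** (age_days / half_life_days)


def provider_score(findings: list, iaas: str, today: date) -> float:
    """Freshness-weighted average of resource scores, scaled by IaaS trust.

    A resource with no finding is left out of the denominator rather than
    counted as zero, so a source that stopped returning data does not drag
    the provider down; an unknown resource name is ignored, not guessed at.
    """
    numerator = 0.0
    denominator = 0.0
    for f in findings:
        base_weight = RESOURCE_WEIGHTS.get(f.resource)
        if base_weight is None:
            continue
        weight = base_weight * freshness(f.observed, today)
        numerator += weight * min(max(f.score, 0.0), 1.0)  # clamp bad input
        denominator += weight
    if denominator == 0.0:
        return 0.0  # no usable evidence: cannot vouch for the provider
    trust = IAAS_TRUST.get(iaas, IAAS_TRUST["unknown"])
    return round(numerator / denominator * trust, 3)


def letter_grade(score: float) -> str:
    for threshold, grade in GRADE_BANDS:
        if score >= threshold:
            return grade
    return "F"


def sample_providers(today: date) -> dict:
    """Constructed inventory: provider -> (iaas, findings)."""
    def days_ago(n):
        return today - timedelta(days=n)
    return {
        "chat-vendor": ("known-cloud", [
            Finding("ssl_scan", 0.9, days_ago(0)),                # TLS 1.2 only
            Finding("security_headers", 0.6, days_ago(0)),        # missing CSP
            Finding("mobile_app_scan", 0.4, days_ago(0)),         # hard-coded password in APK
            Finding("bug_bounty_disclosures", 1.0, days_ago(0)),  # nothing open
        ]),
        "crm-vendor": ("small-colo", [
            Finding("ssl_scan", 1.0, days_ago(0)),
            Finding("security_headers", 1.0, days_ago(0)),
        ]),
        "storage-vendor": ("unknown", [
            Finding("bug_bounty_disclosures", 1.0, days_ago(90)),  # only a stale signal
        ]),
    }


def dashboard(providers: dict, today: date) -> list:
    """Rows of (provider, score, grade), best first, as the dashboard lists them."""
    rows = []
    for name, (iaas, findings) in providers.items():
        score = provider_score(findings, iaas, today)
        rows.append((name, score, letter_grade(score)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def run_demo() -> list:
    """Score the constructed inventory as of DEFAULT_TODAY."""
    return dashboard(sample_providers(DEFAULT_TODAY), DEFAULT_TODAY)


if __name__ == "__main__":
    for name, score, grade in run_demo():
        print(f"{name:16} {score:.3f}  {grade}")
```

The half-life and the per-resource weights are the tuning knobs the speaker refers to when rating individual resources: a resource that has gone stale or noisy gets a lower weight instead of being dropped, and the IaaS factor only scales the result, so a provider with no usable evidence still ends up at the bottom rather than being rewarded for a trusted host.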
For example, if data security is considered, data-in-transit communication is important. So that's where SSL scan, HT Bridge, HTTP Observatory, those kinds of resources, can be used. Whereas if you are looking into application security, then tools or resources that can give information about vulnerabilities in their web application or their mobile application will be important. So again, show of hands: how many of you use a mobile application from your third-party providers? Most of us, again. So that's where I'll take the example of how we can differentiate between a free resource and a paid resource, and what kind of information is important to grab. So let's take an example where we are going to get a third-party provider, and their mobile app will be given to us for use, for communication, chat, or any other thing. So in that case, if you look at the free resource, I have listed HT Bridge. So what this tool does: you feed it the APK file, and it will tell you the information about the APK, whether it has hard-coded secrets, whether it has high-risk or medium-risk findings. Now, if you were just using that provider directly and evaluating their company posture, you might miss this information. That's where the beauty of the tool will come. You can drill down into what the exact issue is. So password, like they have a hard-coded password. And then these can be used to have further discussion with the provider: oh, you said that you don't do these things, but we have found something. The same thing can be done at a commercial tool level. So there are various degrees of information and services that we can get through commercial tools. And again, I have listed only a few tools here, just for the sake of the slide. There are more resources that I have in my list. But the good thing about these commercial tools is that most of them have extensibility. So what will happen is you will be able to extend the information collected from that tool to a different dashboard.
An example is an API. Most of these tools will have an API that can be extended to a dashboard for correlation, whereas in the free resources, it might be available, it might not be available. The other thing will be service. Again, you might not get support from the provider. So continuing the example that we took for the free resource: again, you are using a mobile app from your provider. Is there any commercial resource? So you can use something called NowSecure Intel. That's a commercial resource where you can feed in the APK and IPA files, and it will share the result in terms of a score. It can also give more information in terms of, like, you know, compliance. There are different compliance standards: how your app works on those, how your app is rated around those compliance standards. The other thing will be, you will be able to get version details. So, like, the previous version has this vulnerability, but the newer version does not have this vulnerability. And then in a future version, you might look for that particular thing. Feel free to grab a free report using the Bitly link. Okay, so now that we have set the premise, we have understood the architecture of the solution. Let's discuss what the advantages of this approach are. First, the challenges. The challenges that we faced during our questionnaire-based process: some of those challenges can be overcome through this process, where we'll keep continuous tabs on the cloud providers every day or every week. We can just configure what the periodicity is. Then this information can be used to make decisions. So maybe you want to put that provider out for only a few employees, because the provider's health is not better, or not at the level that is acceptable for you. It can be used to make decisions like partnerships and acquisitions. It can also be used for consistency. So if you are a cloud provider, then you can use this approach to design your solution and understand the security from an outsider's view.
So you'll have consistency around your product and the products that you're using. As with other OSINT tools, it also comes with the same drawbacks. Noise and false positives are one of the problems, but that's where the model will come in, where we'll rate individual resources on whether this is accurate, whether we can trust it or not. Also, these resources change; the resources that I had a couple of years back no longer have enough information now, so that's another problem. Another problem with this approach is it cannot satisfy all the questions. So it's limited information; it's very specific to certain things, but it will not be able to give me more information. So I can get their privacy policy, but I might not be able to get to their patching policy. The last thing is, enterprises have to decide whether they have to invest resources and build the solution around the free tools, or they have to buy a solution and extend it to a different dashboard. So that's another problem. Okay, so coming to the present-day status of the solution: currently I'm doing modeling and prototyping of the dashboard, where I'm rating individual resources with their accurate results. I'm categorizing those resources. What I need from all of you: if you have ideas to improve this process, or if you can help me realize the solution, please feel free to hit me up on Twitter. I would love to hear your ideas and would love to have helping hands in realizing the solution. Finally, let me summarize the things that we discussed in the last 15 minutes. All of us agree that today's enterprise, today's modern enterprise, is using a lot of cloud providers, and security practitioners and engineers will not be able to keep up with the speed of business. Like, I want to use this provider tomorrow; can you just tell me if it is secure or not? I don't know. It will take some time. So we will need to find some solution that can give us a quick result. That's where the value of the proposed solution will come.
And then, if we can integrate the thing that I'm thinking of with our current process, it will expedite the process. Maybe you are taking six months; you'll start taking 15 days. Finally, for the future, where I think the solution will have a common platform to share the information on various cloud providers. We can bring most of the cloud services to an acceptable level through sharing this information. And maybe the tool will be exposed over APIs. People can integrate that tool with their individual processes and make decisions. So that's where I'm hoping for the future. All right, so that's pretty much what I had to say. Any questions? Yes.

So how do we get the list of all of the free and paid OSINT services? Just hit you up on Twitter?

Yes, so I am going to publish it. I was waiting for this talk. I'll publish it on my GitHub: the list of tools that I have categorized, with the information that we can get and the mapping to the category of questions. All right, thank you. And you can request a PR and contribute more resources.

Yes. Some part. So there are a few resources that were easy in terms of APIs. So what we did, we wrote a quick Python script to get information about those vendors, and we are using it for our current questionnaire-based assessment.

Yes, sir. Have you looked at any design patterns for architecture in cloud services, and how those represent specific kinds of risk that should be quantified via this method?

Yes, we see a lot of architecture, because for every cloud provider, we ask the same question: share your architecture diagram. Most of them, if they are using, for example, AWS, the pattern is they are using free resources, or, if it's a small provider, they are just using EC2s. They are not considering VPCs. But if it is a provider that has a security culture and an affinity to security, they are trying to do the CIS benchmark. So some providers are doing CIS, some are not.

So let me try to clarify.
So for example, if I'm in AWS and I have a client who's doing Lambda, that profile would look fundamentally different than if I was doing IaaS.

Yes, it will look different. I see both good and bad things in this, because some of the providers were on AWS, but then recently, when we started re-reviewing them, they had moved out, and they shared a few good resources around why they moved out. So I can share some details, maybe afterwards.