<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Fernando Cardoso (Kalopa)</title>
    <description>The latest articles on Forem by Fernando Cardoso (Kalopa) (@fernandostc).</description>
    <link>https://forem.com/fernandostc</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F834288%2Feef7e2ca-7768-499c-a496-cbc0d6d22700.jpeg</url>
      <title>Forem: Fernando Cardoso (Kalopa)</title>
      <link>https://forem.com/fernandostc</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/fernandostc"/>
    <language>en</language>
    <item>
      <title>How to use CSPM to help your organization against Ransomware attacks targeting data on Amazon S3?</title>
      <dc:creator>Fernando Cardoso (Kalopa)</dc:creator>
      <pubDate>Wed, 19 Jul 2023 12:40:18 +0000</pubDate>
      <link>https://forem.com/aws-builders/how-to-use-cspm-to-help-your-organization-against-ransomware-attacks-targeting-data-on-amazon-s3-1hkm</link>
      <guid>https://forem.com/aws-builders/how-to-use-cspm-to-help-your-organization-against-ransomware-attacks-targeting-data-on-amazon-s3-1hkm</guid>
      <description>&lt;p&gt;Article was published initially on Medium -&amp;gt;&lt;a href="https://blog.devops.dev/how-to-use-cspm-to-help-your-organization-against-ransomware-attacks-targeting-data-on-amazon-s3-79eb71c04fa8"&gt;Link&lt;/a&gt; &lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--1tQs5dh3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2AB1euG-DxZ_uin42G_wuoNw.gif" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--1tQs5dh3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2AB1euG-DxZ_uin42G_wuoNw.gif" alt="" width="384" height="216"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Ransomware attacks are becoming more frequent and sophisticated, with crackers targeting cloud-based data storage systems like Amazon S3. To protect your organization’s sensitive information from these threats, it’s important to implement a comprehensive security strategy. One of the tools that can help you achieve this is a Cloud Security Posture Management (CSPM) solution.&lt;/p&gt;




&lt;h2&gt;
  
  
  What is CSPM?
&lt;/h2&gt;

&lt;p&gt;CSPM is a software solution that automates the process of monitoring and managing cloud security configurations. It provides a centralized view of your security posture across all your cloud assets, including Amazon S3. CSPM solutions use a combination of machine learning and human expertise to identify security risks and vulnerabilities and provide recommendations for remediation.&lt;/p&gt;

&lt;p&gt;Some of these solutions can be integrated with your ticketing system (ServiceNow, PagerDuty), notification tools (Microsoft Teams, Slack), IDEs and CI/CD pipelines, and many other integrations that help your team have full visibility in real time into cloud misconfigurations.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--s3Ey_zz4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2422/1%2AhcD5-14mJx30uepEGlyiYg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--s3Ey_zz4--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2422/1%2AhcD5-14mJx30uepEGlyiYg.png" alt="" width="800" height="435"&gt;&lt;/a&gt;&lt;/p&gt;




&lt;h2&gt;
  
  
  Attacks Vectors
&lt;/h2&gt;

&lt;p&gt;Ransomware attacks on Amazon S3 are fundamentally distinct from those targeting conventional computer systems or servers with a traditional file system architecture. There are two attack vectors to consider for Amazon S3:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;1º&lt;/strong&gt; — Ransomware can be uploaded to buckets through an application or directly to S3. To protect your cloud infrastructure against it, you will need a malware-scanning solution that scans every object stored in the buckets. For more details on how to do it, here is a previous article where I covered it -&amp;gt; &lt;a href="https://medium.com/geekculture/defending-in-depth-s3-buckets-66883620ea4c"&gt;Defending in Depth S3&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;2º&lt;/strong&gt; — The Amazon Simple Storage Service (S3) can only be accessed through the S3 API, and every operation performed through this API (“Put,” “Get,” “Delete,” etc.) must be authenticated. This highlights the significance of properly managing credentials, as they play a crucial role in securing access to the S3 service and to all the resources in the cloud.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It is imperative to note that Amazon S3 operates on a platform that is not susceptible to compromise by malware. Unlike traditional file systems, where ransomware attacks can result in direct encryption of files (referred to as objects in S3), S3 objects cannot be altered. Instead, any modifications to S3 objects can only be achieved by copying or deleting them. This architectural design renders the execution of malware within S3 infeasible. Adversaries seeking to manipulate S3 objects or buckets must resort to using APIs and accessing them via the &lt;strong&gt;victim’s credentials.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--oO0N9np---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/0%2A-6vLhi27VEYIb_-P.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--oO0N9np---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/0%2A-6vLhi27VEYIb_-P.png" width="512" height="304"&gt;&lt;/a&gt;&lt;br&gt;Image from Amazon Web Services Blog
  &lt;/p&gt;

&lt;p&gt;Securing data stored in Amazon S3 requires careful consideration of access permissions. By default, no access is granted, and it is essential to explicitly grant access through various mechanisms, including bucket policies and Access Control Lists (ACLs). Another important factor to consider is the use of IAM, where both users and roles can be granted access to S3.&lt;/p&gt;

&lt;p&gt;It is critical to review the level of access granted to each IAM user and role, being mindful of potentially harmful actions such as DeleteObject and PutBucketLifecycleConfiguration, which could result in unintended consequences. To minimize the risk of data breaches, it is advisable to follow the principle of &lt;strong&gt;least privilege&lt;/strong&gt;, granting only the minimum level of access necessary to perform a specific task. For more details about this topic, here are three additional pieces of content:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html"&gt;Access Policies&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://medium.com/aws-tip/the-who-the-what-the-where-and-how-to-limit-the-blast-radius-3c0ab6feacd"&gt;The Who, the What, the Where, and How To Limit the Blast Radius&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://maturitymodel.security.aws.dev/en/model/"&gt;AWS Security Maturity Model&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Here is a good example of how this attack could happen:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--1hks7Wa9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/4072/1%2AHMmLU3PGMt3mgYnWNbE7cw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--1hks7Wa9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/4072/1%2AHMmLU3PGMt3mgYnWNbE7cw.png" width="800" height="444"&gt;&lt;/a&gt;&lt;br&gt;Attack Example in steps
  &lt;/p&gt;




&lt;h2&gt;
  
  
  How can CSPM help protect buckets against Ransomware targeting data on Amazon S3?
&lt;/h2&gt;

&lt;p&gt;AWS recommends the following features to protect S3 buckets against ransomware attacks. Checking one S3 bucket is simple, but how about 100 or 1,000 buckets across multiple AWS accounts and multiple AWS regions? This is where a CSPM tool can easily help you and your organization.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--whJ4_tQe--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/3676/1%2AEq1fXpZrKosJ_QDAYZ9fZQ.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--whJ4_tQe--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/3676/1%2AEq1fXpZrKosJ_QDAYZ9fZQ.png" width="800" height="534"&gt;&lt;/a&gt;&lt;br&gt;Source: [&lt;a href="https://d1.awsstatic.com/events/aws-reinforce-2022/TDR431_The-anatomy-of-a-ransomware-event-targeting-data-residing-in-Amazon-S3.pdf"&gt;https://d1.awsstatic.com/events/aws-reinforce-2022/TDR431_The-anatomy-of-a-ransomware-event-targeting-data-residing-in-Amazon-S3.pdf&lt;/a&gt;
  &lt;/p&gt;

&lt;p&gt;Here is an example of out-of-the-box rules from CSPM tools that can detect those misconfigurations in minutes across multiple accounts and, more importantly, keep monitoring them continuously. A CSPM provides real-time monitoring of your Amazon S3 environment, so you can detect and respond to potential misconfigurations very quickly.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--IxmZAFvO--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/4272/1%2AAxoko9AxnlJWzJrk_AAKBg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--IxmZAFvO--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/4272/1%2AAxoko9AxnlJWzJrk_AAKBg.png" width="800" height="599"&gt;&lt;/a&gt;&lt;br&gt;Source: [Trend Cloud One — Conformity
  &lt;/p&gt;

&lt;p&gt;Here are some additional features that could help to protect your S3 buckets:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;&lt;p&gt;Policy Enforcement: CSPM solutions can help enforce your organization’s security policies by checking for misconfigurations and alerting you to any deviations.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Access Control: CSPM can help you manage access control to your Amazon S3 data so that only authorized personnel can access sensitive information. This is important in the event of a ransomware attack, as it limits the scope of the attack.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Encryption: CSPM can also help you encrypt sensitive data stored on Amazon S3, making it more difficult for crackers to access and steal sensitive information.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Backup and Recovery: CSPM solutions can help you implement an effective backup and recovery strategy, so you can quickly restore your data in the event of a ransomware attack.&lt;/p&gt;&lt;/li&gt;
&lt;/ol&gt;




&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;In conclusion, CSPM is a valuable tool in helping organizations protect their data stored on Amazon S3 from ransomware attacks. By combining continuous monitoring and policy enforcement with the access control, encryption, backup, and recovery capabilities provided by AWS, it can help you secure your sensitive information and reduce the risk of data loss.&lt;/p&gt;




&lt;h2&gt;
  
  
  Additional Resources:
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://d1.awsstatic.com/events/aws-reinforce-2022/TDR431_The-anatomy-of-a-ransomware-event-targeting-data-residing-in-Amazon-S3.pdf"&gt;The anatomy of ransomware event targeting data residing in Amazon S3 (Session from Re:Inforce 2022)&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://trendmicro.awsworkshop.io/"&gt;Securing AWS Infrastructure with CSPM (Workshop)&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://maturitymodel.security.aws.dev/en/model/"&gt;AWS Security Maturity Model&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>aws</category>
      <category>ransomware</category>
      <category>cybersecurity</category>
      <category>cloud</category>
    </item>
    <item>
      <title>How can we integrate security into the DevOps pipelines?</title>
      <dc:creator>Fernando Cardoso (Kalopa)</dc:creator>
      <pubDate>Thu, 22 Jun 2023 16:57:24 +0000</pubDate>
      <link>https://forem.com/aws-builders/how-can-we-integrate-security-into-the-devops-pipelines-503e</link>
      <guid>https://forem.com/aws-builders/how-can-we-integrate-security-into-the-devops-pipelines-503e</guid>
      <description>&lt;p&gt;Article was published initially on Medium -&amp;gt;&lt;a href="https://medium.com/swlh/how-to-integrate-security-on-the-devops-pipeline-e36dea836d7b"&gt;Link&lt;/a&gt; &lt;/p&gt;

&lt;p&gt;Without a doubt, this may be one of the most common questions from security teams nowadays. The reason behind it is that security teams are only involved by DevOps teams when business clients reach out about compliance, security, and internal as well as external regulations. By the time this stage of the project is reached, the CI/CD pipeline is already built, and it may be too complex for security teams to understand all the stages in the pipeline process.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--htrdc9GH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2AHEcURMPkaq-LVfdqGvqGvA.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--htrdc9GH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2000/1%2AHEcURMPkaq-LVfdqGvqGvA.jpeg" width="770" height="330"&gt;&lt;/a&gt;&lt;br&gt;Image source from &lt;a href="https://devops.com"&gt;https://devops.com&lt;/a&gt;
  &lt;/p&gt;

&lt;p&gt;Traditionally, DevOps teams have a singular focus on building applications and delivering on release dates, with little consideration of which security layers should be added to the pipeline. This is mainly because of three key challenges:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1º —&lt;/strong&gt; The lack of DevOps knowledge among security teams.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2º —&lt;/strong&gt; The high demand business units face to deliver new features, applications, and fixes, forcing DevOps teams to skip the stage of integrating security into the pipeline.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3º —&lt;/strong&gt; The inadequate selection of security solutions to be seamlessly integrated into the pipeline.&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;The “Big” Issue with this Integration and How to Overcome it&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--4jDXNE6K--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/3216/1%2AUgdRcaKitV2lj_D2U4Ty7g.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--4jDXNE6K--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/3216/1%2AUgdRcaKitV2lj_D2U4Ty7g.png" width="800" height="329"&gt;&lt;/a&gt;&lt;br&gt;Image source: [&lt;a href="https://blog.hyperiondev.com"&gt;https://blog.hyperiondev.com&lt;/a&gt;
  &lt;/p&gt;

&lt;p&gt;The majority of security teams today have limited knowledge of programming languages such as Ruby, Go, Node.js, Java, and Python. In the past, when DevOps was much less prevalent, the security team didn’t have the responsibility to verify security processes in the development pipeline. Code security was, and largely still is, dependent on the background knowledge of developers and the best practices they rely on in their development process. In most situations, developers have autonomy over their process and how they do their job, as long as they produce the results the business expects. Recent culture changes like DevSecOps have introduced a new set of tools to automate security and incident response in the process. It won’t be long until the market and the security teams start adapting to and accepting this new reality.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--NewlgOft--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2748/1%2AXiy1V77Hml-_ED2obDSemQ.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--NewlgOft--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/2748/1%2AXiy1V77Hml-_ED2obDSemQ.png" alt="" width="800" height="737"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Companies should consider investing in their people by creating cross-functional teams that focus on training developers in the security discipline and teaching security professionals about the development process, in order to fully embrace a DevSecOps culture. This could help security teams gain a better understanding of programming languages and of how to use APIs to automate simple processes and free up time for more critical tasks inside your company. It may sound cliché, but think about how many people in your team are confident enough to write an automation script in Python or any other language, or to work with APIs to automate the regular day-to-day work. I bet it is hard, but let me assure you this is quickly changing and becoming a sought-after skill. Every single company is becoming a software company. If your company is not well adapted to this new world, you may start to face some very complicated challenges shortly.&lt;/p&gt;

&lt;p&gt;An excellent example of this new world is how big companies are now asking for and checking your GitHub or GitLab to see the projects you have been working on. Which open source projects have you been contributing to in the last couple of years?&lt;/p&gt;

&lt;p&gt;The open source community is growing quickly; see some extra details in one of the latest reports on it from DigitalOcean: &lt;a href="https://www.digitalocean.com/blog/digitalocean-currents-december-2019"&gt;Link&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;h1&gt;
  
  
  “Try learning some programming language fast, it will help you more than you think in the future.”
&lt;/h1&gt;
&lt;/blockquote&gt;




&lt;h3&gt;
  
  
  &lt;strong&gt;8 Recommendations To Start Implementing Security In Your CI/CD Pipeline&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;The examples below are the most common security layers companies across the globe add in the DevOps pipeline:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ngYKtlHx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/5984/1%2A9c6T1w_QXjOb8F-d20koaA.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ngYKtlHx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/5984/1%2A9c6T1w_QXjOb8F-d20koaA.png" alt="" width="800" height="464"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Let’s dig into each of the security components mentioned in the diagram above:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Unit Testing&lt;/strong&gt; is a level of software testing where individual, small units or components of a software system are verified. Developers can use it to make sure that a given function returns exactly the expected result, and that a change or update to a small function does not affect the results of the application.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Static Application Security Testing (SAST)&lt;/strong&gt;, also known as “white box testing,” has been around for more than a decade. It allows developers to find vulnerabilities in the application source code earlier in the software development life cycle (SDLC). SAST solutions analyze an application from the “inside out” in a non-running state. Finding vulnerabilities at this stage of the SDLC can help your company save money and remediate the code faster.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Dynamic Application Security Testing (DAST)&lt;/strong&gt;, also known as “black box” testing, can find security vulnerabilities and weaknesses, typically in web apps, without a view into the internal source code. It does that by employing fault injection techniques on an application, such as feeding malicious data to the software, to identify common security vulnerabilities such as SQL injection and Cross-site scripting (XSS). It uses the same techniques that an attacker uses to find potential weaknesses in the application.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Dependency Scanning&lt;/strong&gt; is an automated vulnerability scan of your application’s dependencies that runs while you are developing and testing. Many applications nowadays use external libraries or packages from open source projects that may carry known vulnerabilities, and most of the time developers forget to check for them.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Container Scanning&lt;/strong&gt; analyzes container images for known vulnerabilities, secrets (such as private keys), compliance checklist items, and malware. Executing container security scanning at all stages of the software development life cycle (SDLC) helps the operations team gain a clear understanding of the security concerns inside the container before it is sent to the production environment.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Runtime Protection&lt;/strong&gt; is a security layer used on physical or virtual machines to protect the operating system and/or container engines. Some people forget it is crucial to protect the OS on the container host, because if it is compromised it could cause a DoS (Denial-of-Service) for all the containers running on that container host or node. This solution can help you protect against malware and vulnerabilities, and also assist with the audit process using features like file integrity monitoring, log inspection, and application control.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Privileged Container Security&lt;/strong&gt; concerns privileged containers, where the container’s uid 0 is mapped to the host’s uid 0. In such containers, protection of the host and prevention of escape are entirely done through Mandatory Access Control (AppArmor, SELinux), seccomp filters, dropping of capabilities, and namespaces. Combined, those technologies typically prevent accidental damage to the host, where damage is defined as things like reconfiguring host hardware, reconfiguring the host kernel, or accessing the host filesystem. There are some concerns with this security capability as a way to protect the environment if you are giving the privileged container full access to the host, since this could potentially impact all the containers running on it if something goes wrong.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Runtime Application Self-Protection (RASP)&lt;/strong&gt; works inside the application as a security framework that monitors and continuously inspects traffic to the application and dynamically intercepts any traffic that indicates malicious behavior. RASP solutions can protect against SQL injection, Cross-site scripting (XSS), vulnerabilities, bots, and many other web application attacks. A RASP security framework is attached at the start of the SDLC, making the application secure by default. This security concept can be used in web applications, containers, and serverless environments.&lt;/p&gt;

&lt;p&gt;Those are some of the most common security layers that you can add to the DevOps pipeline nowadays. I know it may seem complicated to add all of those layers at the same time, but with a good plan, you can adapt and make significant security progress in your current CI/CD pipelines.&lt;/p&gt;




&lt;h2&gt;
  
  
  Additional Architecture
&lt;/h2&gt;

&lt;p&gt;Below is an architecture with more details and a breakdown of how to layer in security at different steps of a DevOps pipeline:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Y3iNLQXa--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/5948/1%2A9y_HWzlTmc9ck8o5T2_fdg.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Y3iNLQXa--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://cdn-images-1.medium.com/max/5948/1%2A9y_HWzlTmc9ck8o5T2_fdg.png" alt="" width="800" height="450"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;&lt;em&gt;Every company across the globe is becoming a software company and in order to stay successful, competitive, and secure, they will need to re-think the current cybersecurity strategy for cloud workloads, containers, and serverless environments.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;




&lt;h3&gt;
  
  
  Conclusion
&lt;/h3&gt;

&lt;p&gt;In summary, more involvement from the security team in the early stages of the project is beneficial. This facilitates more reliable communication and integration between the DevOps and security teams, to achieve higher quality outcomes and better security of the applications delivered for your customers/business.&lt;/p&gt;

&lt;p&gt;Thank you for reading this article. I hope it helps you better understand how to build a more secure DevOps pipeline.&lt;/p&gt;




&lt;h3&gt;
  
  
  Acknowledgment
&lt;/h3&gt;

&lt;p&gt;I would like to say a BIG thank you to some people who helped me with amazing feedback to improve this article:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Stephanie Laranjeira&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Russ Cahoon&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Erik Scoralick&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Ingrid Kibler&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;h3&gt;
  
  
  &lt;strong&gt;References:&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;● &lt;a href="https://www.softwaresecured.com/what-do-sast-dast-iast-and-rasp-mean-to-developers/"&gt;https://www.softwaresecured.com/what-do-sast-dast-iast-and-rasp-mean-to-developers/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;● [&lt;a href="https://www.gartner.com/it-glossary/static-application-security-testing-sast/#targetText=Static%20application%20security%20testing%20(SAST,out%E2%80%9D%20in%20a%20nonrunning%20state.%5D(https://www.gartner.com/it-glossary/static-application-security-testing-sast/#targetText=Static%20application%20security%20testing%20(SAST,out%E2%80%9D%20in%20a%20nonrunning%20state"&gt;https://www.gartner.com/it-glossary/static-application-security-testing-sast/#targetText=Static%20application%20security%20testing%20(SAST,out%E2%80%9D%20in%20a%20nonrunning%20state.](https://www.gartner.com/it-glossary/static-application-security-testing-sast/#targetText=Static%20application%20security%20testing%20(SAST,out%E2%80%9D%20in%20a%20nonrunning%20state&lt;/a&gt;.)&lt;/p&gt;

&lt;p&gt;● &lt;a href="https://linuxcontainers.org/lxc/security/"&gt;https://linuxcontainers.org/lxc/security/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;● &lt;a href="https://kubernetes.io/docs/tasks/configure-pod-container/security-context/"&gt;https://kubernetes.io/docs/tasks/configure-pod-container/security-context/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;● &lt;a href="https://dzone.com/articles/the-significance-amp-challenges-of-integrating-sec"&gt;https://dzone.com/articles/the-significance-amp-challenges-of-integrating-sec&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;● &lt;a href="https://searchsecurity.techtarget.com/tip/DevOps-security-checklist-requires-proper-integration"&gt;https://searchsecurity.techtarget.com/tip/DevOps-security-checklist-requires-proper-integration&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  &lt;strong&gt;Other articles recommended:&lt;/strong&gt;
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Unit Testing&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;Unit testing, you’re doing it wrong&lt;/strong&gt;: &lt;a href="https://medium.com/@Cyrdup/unit-testing-youre-doing-it-wrong-407a07692989"&gt;https://medium.com/@Cyrdup/unit-testing-youre-doing-it-wrong-407a07692989&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;strong&gt;How to take the most out of your Unit Tests&lt;/strong&gt;: &lt;a href="https://medium.com/feedzaitech/how-to-take-the-most-out-of-your-unit-tests-c80c88aa26cf"&gt;https://medium.com/feedzaitech/how-to-take-the-most-out-of-your-unit-tests-c80c88aa26cf&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;


</description>
      <category>devops</category>
      <category>devsecops</category>
      <category>security</category>
      <category>automation</category>
    </item>
  </channel>
</rss>
