Exploiting, detecting, and correcting IAM security misconfigurations
Bad Actor
Conclusion
The real-life attack scenarios presented in this article show how an adversary can use IAM security misconfigurations to gain high privileges inside a cloud environment. Such attacks can start with valid credentials found online or obtained by tricking users in a phishing attack, and can proceed with further privilege escalation to take control of an account.
By leveraging AWS features such as CloudTrail and CloudWatch, among others, you can receive alerts when changes are applied in your environment and trigger automatic responses.
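As an added example (not code from the article), the following Python script shows the kind of check such an alert is built on: it scans CloudTrail records for IAM API calls that change who holds which privileges and rates each one, the same logic a CloudWatch metric filter or EventBridge rule would encode. The sample records at the bottom and the account ID in them are constructed for illustration; the event names and managed policy ARNs are the real AWS values.

```python
"""Flag privilege-affecting IAM API calls in CloudTrail records (added example,
offline, with constructed sample data)."""
import json
from typing import Dict, List, Optional

# CloudTrail eventName values for IAM calls that change who holds which rights.
PRIVILEGE_EVENTS = {
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "CreatePolicyVersion", "SetDefaultPolicyVersion", "UpdateAssumeRolePolicy",
    "AddUserToGroup", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
}

# AWS managed policies whose attachment alone deserves a high-severity alert.
HIGH_RISK_POLICY_ARNS = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}


def load_records(text: str) -> List[Dict]:
    """Accept a CloudTrail log body ({"Records": [...]}) or one JSON record per line."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(doc, dict) and "Records" in doc:
        return doc["Records"]
    return [doc]


def classify(record: Dict) -> Optional[Dict]:
    """Return an alert for a privilege-affecting IAM record, or None otherwise."""
    if record.get("eventSource") != "iam.amazonaws.com":
        return None
    name = record.get("eventName", "")
    if name not in PRIVILEGE_EVENTS:
        return None

    params = record.get("requestParameters") or {}
    identity = record.get("userIdentity") or {}
    severity = "medium"
    reasons = [f"IAM privilege change via {name}"]

    policy_arn = params.get("policyArn")
    if policy_arn in HIGH_RISK_POLICY_ARNS:
        severity = "high"
        reasons.append(f"high-risk managed policy attached: {policy_arn}")

    # A new default policy version takes effect immediately for every principal
    # the policy is attached to, so it is as serious as an attach.
    if name == "CreatePolicyVersion" and params.get("setAsDefault"):
        severity = "high"
        reasons.append("new policy version set as default")

    # A principal granting rights to itself is the classic escalation pattern.
    actor = identity.get("userName")
    if actor and params.get("userName") == actor:
        severity = "high"
        reasons.append("principal modified its own permissions")

    # Denied calls are still worth seeing: repeated denials show a credential
    # being tested for what it can do.
    if record.get("errorCode"):
        reasons.append(f"call was denied: {record['errorCode']}")

    return {
        "eventTime": record.get("eventTime"),
        "eventName": name,
        "actor": identity.get("arn"),
        "sourceIP": record.get("sourceIPAddress"),
        "severity": severity,
        "reasons": reasons,
    }


def analyze(text: str) -> List[Dict]:
    """Run classify() over every record in a CloudTrail log body."""
    return [a for a in (classify(r) for r in load_records(text)) if a]


# Constructed sample records; the account ID 123456789012 is a placeholder.
_DEV = {"type": "IAMUser", "userName": "dev-user",
        "arn": "arn:aws:iam::123456789012:user/dev-user"}
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-05-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": _DEV, "requestParameters": {
         "userName": "dev-user",
         "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2023-05-01T10:01:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
     "userIdentity": _DEV, "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2023-05-01T10:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": _DEV},
    {"eventTime": "2023-05-01T10:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "PutRolePolicy", "sourceIPAddress": "203.0.113.10",
     "errorCode": "AccessDenied", "userIdentity": _DEV,
     "requestParameters": {"roleName": "prod-admin", "policyName": "escalate"}},
]})

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(json.dumps(alert, indent=2))
```

Running the script on the constructed log yields three alerts: the self-granted AdministratorAccess attachment (high), the access key created for another user (medium), and the denied PutRolePolicy call (medium, with the denial noted). In production the same classification would be wired to a CloudWatch alarm or EventBridge target rather than printed.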
Infos
- Cloud lateral movement: https://sysdig.com/blog/lateral-movement-cloud-containers/
- Crypto miner attacks: https://sysdig.com/blog/crypto-sysrv-hello-wordpress/
- IAM security best practices: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
- Principle of least privilege: https://csrc.nist.gov/glossary/term/principle_of_least_privilege
- Valid cloud accounts: https://attack.mitre.org/techniques/T1078/004/
- Group policy modification: https://attack.mitre.org/techniques/T1484/001/
- Phishing: https://attack.mitre.org/techniques/T1566/
- Reverse shell: https://sysdig.com/blog/reverse-shell-falco-sysdig-secure/
- CloudTrail: https://docs.aws.amazon.com/cloudtrail/index.html
- CloudWatch: https://docs.aws.amazon.com/cloudwatch/index.html