閉める
閉める
明日に向けたネットワーク
明日に向けたネットワーク
サポートするアプリケーションとユーザー向けに設計された、より高速で、より安全で、回復力のあるネットワークへの道を計画します。
          Netskopeを体験しませんか?
          Get Hands-on With the Netskope Platform
          Here's your chance to experience the Netskope One single-cloud platform first-hand. Sign up for self-paced, hands-on labs, join us for monthly live product demos, take a free test drive of Netskope Private Access, or join us for a live, instructor-led workshops.
            SSEのリーダー。 現在、シングルベンダーSASEのリーダーです。
            SSEのリーダー。 現在、シングルベンダーSASEのリーダーです。
            Netskope、2024年Gartner®社のシングルベンダーSASEのマジック・クアドラントでリーダーの1社の位置付けと評価された理由をご確認ください。
              ダミーのためのジェネレーティブAIの保護
              ダミーのためのジェネレーティブAIの保護
              Learn how your organization can balance the innovative potential of generative AI with robust data security practices.
                Modern data loss prevention (DLP) for Dummies eBook
                最新の情報漏えい対策(DLP)for Dummies
                Get tips and tricks for transitioning to a cloud-delivered DLP.
                  SASEダミーのための最新のSD-WAN ブック
                  Modern SD-WAN for SASE Dummies
                  遊ぶのをやめる ネットワークアーキテクチャに追いつく
                    リスクがどこにあるかを理解する
                    Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.
                        レガシーVPNを完全に置き換えるための6つの最も説得力のあるユースケース
                        レガシーVPNを完全に置き換えるための6つの最も説得力のあるユースケース
                        Netskope One Private Access is the only solution that allows you to retire your VPN for good.
                          Colgate-Palmoliveは、スマートで適応性のあるデータ保護により「知的財産」を保護します
                          Colgate-Palmoliveは、スマートで適応性のあるデータ保護により「知的財産」を保護します
                            Netskope GovCloud
                            NetskopeがFedRAMPの高認証を達成
                            政府機関の変革を加速するには、Netskope GovCloud を選択してください。
                              Let's Do Great Things Together
                              Netskopeのパートナー中心の市場開拓戦略により、パートナーは企業のセキュリティを変革しながら、成長と収益性を最大化できます。
                                Netskopeソリューション
                                Netskope Cloud Exchange
                                Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.
                                  Netskopeテクニカルサポート
                                  Netskopeテクニカルサポート
                                  クラウドセキュリティ、ネットワーキング、仮想化、コンテンツ配信、ソフトウェア開発など、多様なバックグラウンドを持つ全世界にいる有資格のサポートエンジニアが、タイムリーで質の高い技術支援を行っています。
                                    Netskopeの動画
                                    Netskopeトレーニング
                                    Netskopeのトレーニングは、クラウドセキュリティのエキスパートになるためのステップアップに活用できます。Netskopeは、お客様のデジタルトランスフォーメーションの取り組みにおける安全確保、そしてクラウド、Web、プライベートアプリケーションを最大限に活用するためのお手伝いをいたします。

                                      MITRE Att&ck View: Securing AWS Temporary Tokens

                                      Jan 31 2020

                                      We have previously blogged about the risk and challenges in Securing AWS Temporary Tokens.

                                      In this blog, we will take a fresh look from the MITRE Att&ck chain viewpoint, in order to highlight new insights and specific cloud techniques used by adversaries, in an effort to help users be more effective in detecting, mitigating, and preventing different but similar attacks.

                                      Recap: Securing AWS Temporary Tokens

                                      Let’s summarize the challenges with temporary tokens and the common mitigation steps, before we contrast this with what we can glean from an Att&ck analysis. 

                                      Here is the original attack scenario:

                                      Image of original attack scenario
                                      Original Attack Scenario

                                      The key steps are:

                                      1. A permanent Access Key A is compromised
                                      2. Key A is used immediately to generate an extra credential i.e. Temporary Token B (for backdoor purposes and obfuscation)
                                      3. Key A is used to escalate privileges via AssumeRole, which returns Temporary Token C
                                      4. Temporary Token C is then used to access an S3 Bucket
                                      5. Temporary Token C is used to exfiltrate data from the S3 Bucket

                                      When mitigating this scenario, the defender first deleted/inactivated Access Key A, then also had to remember to “revoke” Temporary Token C. Revocation in this case meant using a specific role policy to deny all API calls by Temporary Token C based on its creation time.

                                      However, this did not remove the adversary’s access, as there was still the existing Temporary Token B, which could also be used to escalate privileges and generate more temporary tokens (D) in order to continue access to the S3 Bucket:

                                      Image of secondary attack scenario
                                      Secondary Attack Scenario

                                      To completely mitigate the situation, the Temporary Token D must be “revoked” in the same manner as Temporary Token C (using the role policy based on creation time). However, this mitigation approach doesn’t work for Temporary Token B, which was created not by AssumeRole, but by GetSessionToken. In this case, the only way to mitigate/remove Temporary Token B is to delete the IAM user that “owns” it (i.e. the same IAM user that had the compromised Key A) or to restrict that IAM user’s permissions.

                                      These mitigation steps and their differences can be summarized here:

                                      Table outlining mitigation scenarios

                                      This table reflects an incident-focus in dealing with temporary tokens. When taking a larger viewpoint, it’d be reasonable to think about a more complete set of preventative, detection, and mitigation measures:

                                      Table showing set of preventative, detection, and mitigation measures

                                      MITRE Att&ck

                                      Let’s now look at the scenario from the Att&ck viewpoint and see what new insights we have. The original attack scenario has been reorganized in more of an attack chain flow along with MITRE references for the tactics/techniques involved:

                                      Diagram showing attack chain flow, along with MITRE references for the tactics/techniques involved

                                      Notice how this primary attack scenario reflects what a defender might be focused on if they were in the middle of an incident. These would be the primary artifacts seen when tracing back from data exfiltration events to the originating credentials. Role Assumption is a good example of a new technique that isn’t yet in the Privilege Escalation tactic in Att&ck, but is common in cloud attacks. Netskope is working to identify additional techniques such as this, so that defensive measures can be specific and clear.

                                      This Att&ck reorganization is easier to understand and also allows a defender to mine the Att&ck knowledge base for ways to detect and mitigate this attack at each step.

                                      Let’s now look at the secondary attack:

                                      Diagram with Att&ck reorganization showing ways to mine Att&ck knowledge base for ways to detect and mitigate this attack at each step.

                                      Here, it is more obvious, that Temporary Token B is part of an attempt at Persistence (backdoor access) and possibly Defense Evasion, and it’s clearer how it provides the same access to the S3 Bucket.

                                      Here’s a summary of the tactics and techniques in the attack:

                                      (1) A permanent Access Key A is compromised

                                      Tactics: Initial Access
                                      Techniques: Valid Accounts
                                      Mitigations: User Training, Network Segmentation, Multi-factor Authentication

                                      IP allow list credential use, multi-factor authentication, and user training can be effective measures to help prevent and mitigate compromised access keys.

                                      (2) Key A is used to generate an extra credential (create Temporary Token B using GetSessionToken)

                                      Tactics: Persistence, Defense Evasion
                                      Techniques: Redundant Access
                                      Mitigations: n/a

                                      GetSessionToken calls cannot be prevented, as they are part of authentication. Mitigation techniques involve early detection by looking for calls to GetSessionToken in CloudTrail events.

                                      (3,2a) Key A or Temporary Token B is used to escalate privileges (create Temporary Token C or D using AssumeRole)

                                      Tactics: Privilege Escalation
                                      Techniques (proposed): Role Assumption and User Impersonation 
                                      Mitigations: Multi-factor Authentication, Privileged Account Management

                                      To mitigate compromised temporary tokens generated by AssumeRole, use a revoke session token policy with a condition based on the creation time of the token. Requiring multi-factor authentication for manual calls to AssumeRole is also a good measure. Ensuring minimal access rights are granted to PassRole and AssumeRole can also mitigate problems. In some specific cases, such as EC2 instance creation, the AssumeRole temporary token can be allow listed to the EC2 instance IP using a metadata proxy, helping reduce the chances for abuse when the tokens are compromised.

                                      (4,2b) Temporary Token C or D is used to access/exfiltrate data from an S3 Bucket

                                      Tactics: Exfiltration
                                      Techniques: Data from Cloud Storage Object
                                      Mitigations: Audit, Encrypt Sensitive Information, Multi-factor Authentication, Restrict File and Directory Permissions, User Account Management

                                      To mitigate unauthorized access to S3 Buckets, ensure S3 bucket permissions are not public, try to simplify bucket/object policies, and monitor event logs for suspicious API access. Multi-factor authentication in a resource-based policy can help ensure manual access is authorized. Finally, encrypt sensitive data, so that impact from loss of data is minimized.

                                      By classifying the Att&ck techniques and tactics used, we can see commonality and differences in the original and secondary attack scenarios. Namely, step 2 involved a different API call to generate a temporary token (GetSessionToken) vs. the assumption of a role (AssumeRole). Further, the escalation of privileges and data exfiltration in both scenarios are the same. This allows us to focus on what is different in the mitigations, detections, and preventions for temporary token creation (GetSessionToken vs AssumeRole). Additionally, we can look to reuse/leverage common mitigations, detections, and preventions for the escalation of privilege and exfiltration (AssumeRole and S3 bucket access).

                                      Detection, Mitigation, Prevention

                                      Let’s dive deeper into the analysis by overlaying not only common detection, mitigation, and prevention measures from Att&ck, but also other measures, such as best practices or the defender’s own policies. We get this view:

                                      More detailed Att&ck view, delving into detection, mitigation, prevention, and best practices

                                      The advantages of this Att&ck view are:

                                      • Defenders can be more comprehensive along all of the attack chain not just with mitigations but with better detection and prevention.
                                      • Defenders can reuse knowledge as captured in Att&ck for common detections or mitigations, to make planning, implementation, and response quicker and more standardized.
                                      • Defenders can also analyze measures as to their efficacy (potential for FP or FN). An example of this is that simple alerting on AssumeRole is too noisy (FP) as it is called by many services when passing roles during invocation (e.g. EC2, Lambdas), so #3 (blue) above was determined to not be a good detection measure.

                                      The analysis from the Att&ck diagram above can be detailed in a structured table:

                                      Table showing an analysis of the Att&ck diagram shown above

                                      The highlighted (yellow) measures are some of the points that either weren’t obvious or weren’t a priority from the first analysis done. 

                                      Conclusion

                                      Taking an Att&ck viewpoint on incidents or attack vectors can be useful for several reasons:

                                      • It provides a common, more repeatable framework for analysis, reducing tribal knowledge or inconsistent approaches
                                      • It allows for easier reuse of defensive measures for mitigation, detection, and prevention
                                      • It allows for a more comprehensive checklist by making it clear what each step of the attack chain is, making it less likely to forget to analyze steps
                                      • It can highlight new cloud techniques being used by adversaries (as the cloud providers continue to add services and APIs). In this case, Role Assumption is a common technique used that is more specific than just using Valid Accounts within the Privilege Escalation tactic, and it’s worth calling this out so the community can share specific practices for mitigating, detecting, and preventing abuse via this technique

                                      By looking at the original attack scenarios in several ways from an Att&ck viewpoint, first by classified tactic/technique, then by wider-ranging analysis in a flow diagram, we are able to better evaluate the attack scenario and effective measures for detection, mitigation, and prevention.

                                      author image
                                      Jenko Hwong
                                      Jenko has 15+ years of experience in research, product mgmt., and engineering in cloud security, routers/appliances, threat intel, vulnerability scanning and compliance.
                                      Jenko has 15+ years of experience in research, product mgmt., and engineering in cloud security, routers/appliances, threat intel, vulnerability scanning and compliance.

                                      Stay informed!

                                      Subscribe for the latest from the Netskope Blog