Finding Attack Paths in Cloud Environments

Cloud Environments

The mass adoption of cloud infrastructure is fully justified by
innumerable advantages. As a result, today, organizations’ most
sensitive business applications, workloads, and data are in the
cloud.

Hackers, good and bad, have noticed that trend and effectively
evolved their attack techniques to match this new tantalizing
target landscape. With threat actors’ high reactivity and
adaptability, it is recommended to assume that organizations are
under attack and that some user accounts or applications might
already have been compromised.

Finding out exactly which assets are put at risk through
compromised accounts or breached assets requires mapping potential
attack paths across a comprehensive map of all the relationships
between assets.

Today, mapping potential attack paths is performed with scanning
tools such as AzureHound or AWSPX. Those are graph-based tools
enabling the visualization of assets and resources relationships
within the related cloud service provider.

By resolving policy information, these collectors determine how
specific access paths affect specific resources and how combining
these access paths might be used to create attack paths.

These graph-based collectors display topological results mapping
out all cloud-hosted entities in the environment and the
relationships between them.

The links between each entity established in the resulting graph
are analyzed according to the asset’s properties to extract the
exact nature of the relationship and the logical interaction
between assets based on:

  • The relationship direction – is the connection directed from
    asset X to asset Y, or the other way round?
  • The relationship type – is asset X:
      ◦ contained by asset Y,
      ◦ able to access asset Y,
      ◦ able to act on asset Y,
      ◦ …

The goal of the information provided is to assist red teamers in
identifying potential lateral movement and privilege escalation
attack paths and blue teamers in finding ways to block critical
escalation and stop an attacker.

The keyword in that sentence is “assist.” The comprehensive
mapping output these tools generate is a passive result: the
information still has to be analyzed accurately and in a timely
manner, and then acted upon, before potential attack paths are
actually mapped and preventative measures taken.

Though the information provided by cloud-specific collectors
will shine a light on misconfigurations in Privileged Access
Management and faulty Identity and Access Management (IAM)
policies, and so enable preemptive corrective action, it fails to
detect the secondary permission layers that an attacker could
leverage to carve an attack path.

Detecting those layers requires additional analytical capabilities
able to perform in-depth analysis on, for example, containing
assets and the indirect relationships that their contained assets
carry. Cymulate is currently developing a toolkit that
operationalizes a more active discovery approach and performs a far
more in-depth analysis.

For example, if we imagine a situation where privileged user A
has access to the key vault X, a graph-based collector will
correctly map the relationship between user A and asset X.

In this case, there is no direct relationship between user A and
the secrets contained in key vault X. As per the classification
above, if we call the secrets assets Y(1 to n), the
relationships described by the collector are:

  • Asset Y is contained by asset X.
  • The direction of the connection between user A and asset X is
    A ⇒ X.

From an adversarial perspective, though, gaining access to the
key vault holds the potential of gaining access to every asset
reachable with those secrets. In other words, the graph-based
relationship map fails to identify the relationships between user A
and assets Y(1 to n), and beyond them. Closing that gap requires
analytical capabilities that identify the relationships between
assets contained within other assets and assets external to the
containing asset.

In this case, finding out exactly which assets are potentially
at risk from user A requires mapping out all the assets related to
the secrets stored in key vault X.
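The two analyses contrasted above (the collector's direct, typed relationships versus a walk that descends into containing assets and follows what the contained secrets unlock) can be made concrete on a small typed graph. The following is an added example written for this article; it is not Cymulate's toolkit nor the output of AzureHound or AWSPX. The asset names, the `GRANTS_ACCESS_TO` edge type standing for "this secret authenticates to that asset", and the sample edges are all constructed assumptions that mirror the user A / key vault X / secrets Y(1 to n) scenario:

```python
"""Attack-path reachability over a typed asset graph.

Added example (not Cymulate's code or any real collector's output).
The graph, asset names and edge types are constructed to mirror the
article's scenario: principal A can access key vault X, the vault
contains secrets Y1..Yn, and each secret authenticates to some other
asset that a topology-only view never links back to A.
"""
from collections import defaultdict, deque

# Relationship types. CONTAINS, CAN_ACCESS and CAN_ACT_ON are the
# kinds the article lists; GRANTS_ACCESS_TO is the assumed secondary
# permission layer (what a secret can authenticate to) that a
# topology-only collector does not resolve.
CONTAINS = "contains"
CAN_ACCESS = "can_access"
CAN_ACT_ON = "can_act_on"
GRANTS_ACCESS_TO = "grants_access_to"

# Constructed sample inventory: (source, relationship, target).
SAMPLE_EDGES = [
    ("user:A", CAN_ACCESS, "keyvault:X"),
    ("keyvault:X", CONTAINS, "secret:Y1"),
    ("keyvault:X", CONTAINS, "secret:Y2"),
    ("secret:Y1", GRANTS_ACCESS_TO, "storage:prod-backups"),
    ("secret:Y2", GRANTS_ACCESS_TO, "sp:deploy-automation"),
    ("sp:deploy-automation", CAN_ACT_ON, "vm:prod-web-01"),
    ("user:B", CAN_ACCESS, "storage:hr-archive"),  # unrelated to A
]


def build_graph(edges):
    """Adjacency map: node -> list of (relationship, target)."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def direct_relationships(graph, principal):
    """What a topology collector reports for the principal: only its
    outgoing edges (the article's 'A => X' direction)."""
    return sorted(dst for _, dst in graph.get(principal, []))


def reachable_assets(graph, principal, follow):
    """Breadth-first walk from `principal`, traversing only the edge
    types in `follow`. Returns {asset: path}, so every finding carries
    the chain of relationships that justifies it."""
    paths = {}
    queue = deque([(principal, [principal])])
    while queue:
        node, path = queue.popleft()
        for rel, dst in graph.get(node, []):
            if rel not in follow or dst in paths or dst == principal:
                continue
            paths[dst] = path + [f"-{rel}->", dst]
            queue.append((dst, paths[dst]))
    return paths


def blast_radius(graph, principal):
    """Compare the two analyses for one principal. 'topology' follows
    access edges only, so containment hides the secrets and everything
    they unlock; 'extended' also descends into containers and follows
    what the contained credentials grant."""
    topology = reachable_assets(graph, principal, {CAN_ACCESS, CAN_ACT_ON})
    extended = reachable_assets(
        graph, principal, {CAN_ACCESS, CAN_ACT_ON, CONTAINS, GRANTS_ACCESS_TO}
    )
    hidden = sorted(set(extended) - set(topology))
    return {
        "topology": sorted(topology),
        "extended": sorted(extended),
        "hidden": hidden,
        "paths": extended,
    }


if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    result = blast_radius(g, "user:A")
    print("Collector view (direct):", direct_relationships(g, "user:A"))
    print("Assets missed by topology-only analysis:")
    for asset in result["hidden"]:
        print("  ", " ".join(result["paths"][asset]))
```

Run against the constructed inventory, the topology pass reports only `keyvault:X` for user A, while the extended pass surfaces both secrets, the storage account and service principal they authenticate to, and the VM the service principal can act on, each with the full relationship chain. The same walk, pointed at a principal known or assumed to be compromised, is the blast-radius computation a blue team needs in order to decide which downstream credentials to rotate first.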

Cymulate’s extensive array of continuous security validation
capabilities, unified in an Extended Security Posture Management
(XSPM) platform, is already adopted by red teamers to automate,
scale, and customize attack scenarios and campaigns. Always seeking
new ways to help them overcome such challenges, Cymulate is
committed to continuously enriching the platform toolset with
additional capabilities.

Explore XSPM capabilities[1] freely at your leisure.

Note: This article was written by Cymulate Research Labs.[2]

References

  1. XSPM capabilities (cymulate.com)
  2. Cymulate (cymulate.com)