Lateral Movement and Privilege Escalation in GCP; Compromise any Organization Without Dropping an Implant

Presented at DEF CON 28 (2020) Virtual, Aug. 9, 2020, 4:30 p.m. (30 minutes)

Google Cloud's security model in many ways is quite different from AWS. Spark jobs, Cloud Functions, Jupyter Notebooks, and more default to having administrative capabilities over cloud API's. Instead of defaulting to no capabilities, permissions are granted to default identities. One default permission these identities have is called actAs, which allows a service by default to assume the identity of every service account in its project; many of which typically have role bindings into other projects and across an organization's resources. This means by default many API's and identities can compromise large swaths of an organization by moving laterally by impersonating or gaining access to other identities. This can all be done without dropping a single implant on a machine. In this talk we'll demonstrate several techniques to perform identity compromise via the ActAs permission, privilege escalation, lateral movement, and widespread project compromise in Google Cloud. As well as release tools for exploitation. Next we'll show what detection capabilities are possible in the Google Cloud ecosystem, by showing Stackdriver logs that correspond with our exploitation techniques, and showing limitations in what's available. We'll also release tools and queries that can be used for detection . As well as insight to how we have attempted to tackle this problem at scale. Lastly we'll go over remediation efforts you can take as a Google Cloud customer, and show how difficult it can be to secure yourself against these attacks. We will release tools that can be used to harden your organization, and walk through user stories and anecdotes of what this process looks at scale within our organization.

Presenters:

• Dylan Ayrey - Security Engineer
  I'm a Senior Security. I've been heavily involved in the open source community for a few years, and I've been doing my best to bring security practices into the cloud/devsecops world
• Allison Donovan - Security Engineer
  Allison Donovan is a security researcher who specializes in cloud-based platforms and services. She was previously employed as a Senior Infrastructure Security Engineer at Cruise, where she secured cloud-based environments at scale, and previously worked at Microsoft on mobile application security and site reliability engineering.

Links:

• https://defcon.org/html/defcon-safemode/dc-safemode-speakers.html#Ayrey
• https://infocon.org/cons/DEF CON/DEF CON 28/DEF CON Safe Mode video and slides/DEF CON Safe Mode - Dylan Ayrey and Allison Donovan - Lateral Movement and Privilege Escalation in GCP - Q&A.mp4
• https://infocon.org/cons/DEF CON/DEF CON 28/DEF CON Safe Mode video and slides/DEF CON Safe Mode - Dylan Ayrey and Allison Donovan - Lateral Movement and Privilege Escalation in GCP.mp4
• https://infocon.org/cons/DEF CON/DEF CON 28/DEF CON Safe Mode video and slides/DEF CON Safe Mode - Dylan Ayrey and Allison Donovan - Lateral Movement and Privilege Escalation in GCP.srt (subtitles)
• https://www.youtube.com/watch?v=Z-JFVJZ-HDA

Similar Presentations:

• Texas Cyber Summit 2019 / BT-1050 Shining a Light on Shadow IT in the Cloud
• Black Hat USA 2020 Virtual / Lateral Movement and Privilege Escalation in GCP; Compromise any Organization without Dropping an Implant
• Black Hat Europe 2020 Virtual / Permission Mining in GCP