Permission Mining in GCP

Presented at Black Hat Europe 2020 Virtual, Dec. 10, 2020, 2:20 p.m. (40 minutes)

Do you know exactly what each user can do in your Google Cloud Platform (GCP) environment? Do you know if you have users who can assume other identities to escalate their privileges? Do you know the effective permissions the users would have if they assume other identities? CodeSpaces went completely out of business in 2014 after an attacker used their IAM misconfiguration to delete all of their AWS infrastructure. Every enterprise should be aware of and monitoring this risk in their public cloud environments.<br /> <br /> In this talk, we'll discuss an effective strategy to assess the full Identity and Access Management (IAM) exposure of a GCP environment. We'll discuss the complexity of this problem with some real world examples, and demonstrate how a misconfigured member can escalate privileges via direct service account impersonation or by launching resources. This threat has existed for years in public cloud providers. While GCP and their recommended open-source tools address some IAM misconfiguration use cases, they do not provide full visibility into the potential for privilege escalation or lateral movement. The solution we designed provides the missing visibility.<br /> <br /> Finally, we'll cover our approach to solve this problem, which uses a graph. Once we obtain all the relevant information via API calls, the graph allows us to map-out the permissions granted to members, the structure of the GCP environment, and the service accounts. The demo will show how we designed the graph, the way we traverse it, and the output.<br /> <br /> We ran this solution in multiple environments, including production environments where we found dozens of 'shadow admin' identities. The identities were able to escalate their privileges to become administrators with control over all resources, permissions, and logging. You will see how the results were used to remediate those environments.

Presenters:

• Colin Estep - Senior Security Researcher, Netskope, Inc.
  Colin Estep is currently a threat researcher at Netskope focused on AWS and GCP. Colin was previously the CSO at Sift Security (acquired by Netskope), where he helped move the product into breach detection for IaaS. He was a senior engineer on the security teams at Netflix and Apple before joining Sift. He was also a FBI Agent specializing in Cyber crime, where he spent a fair amount of time coordinating with other countries to locate and arrest malware authors and botnet operators.

Links:

• https://www.blackhat.com/eu-20/briefings/schedule/#permission-mining-in-gcp-21149

Similar Presentations:

• Black Hat Europe 2021 / Security Industry Call-to-Action: We Need a Cloud Vulnerability Database
• Black Hat USA 2020 Virtual / Lateral Movement and Privilege Escalation in GCP; Compromise any Organization without Dropping an Implant
• Black Hat USA 2022 / IAM The One Who Knocks