Defender
Saturday, November 21
 

10:30 WIB

The caveats of the unseen: Crouching exposure, Hidden Misconfiguration
The complexity and number of enterprise cloud applications have resulted in a constant stream of misconfigurations and data exposure breaches. This work is a deep dive into the different types of misconfiguration that lead to cloud data breaches. We examine sensitive data exposures across more than 20 apps -- including meeting apps and project management tools -- and analyze them across three different dimensions. Our goal is to provide a framework that organizations can use to identify and prevent cloud data exposure.

We classify the risks according to how they arise:
Independent risks happen within a single app, such as accidentally exposing a bucket publicly in Amazon S3.
Interconnected risks happen when multiple apps interact, such as configuring Slack notification in Confluence.
Interconnected risks are typically a major data transfer blind spot for organizations, which don’t have visibility into data flowing between apps. We will demo this by creating a nearly invisible command & control channel for an insider to steal sensitive data.

Next is the extent to which data can be exposed:
Public data is exposed to the entire Internet.
External data is shared with individuals outside an organization.
Internal data is shared within one’s organization. We provide two examples of internal data breaches.

Finally, we analyze the risk factors that contribute to misconfiguration:
Design factor, exposure from the design of the app, such as Google Hangouts image links.
Default factor, exposure by the default sharing settings of the app, such as Google Groups default visibility.
Human factor, exposure from users applying inappropriate permissions, such as using Google Drive “anyone with link” option for confidential files.

Finally, we shed light on how attackers can abuse misconfigured cloud apps. We conclude the talk by providing vendor-agnostic recommendations and security controls that can aid organizations to mitigate exposure risks.

Speakers
Ashwin Vamshi

Staff Engineer, Netskope
Ashwin is a Security Researcher at Netskope. His research has been quoted in Forbes and also in several Infosec magazines and online portals. Ashwin primarily focuses on identifying malware, campaigns and threat actors that use 'Cloud as an attack vector'.


Saturday November 21, 2020 10:30 - 11:15 WIB

13:30 WIB

Threat Defense: Defending the ATT&CK with TTP’s
For defenders in the current threat landscape, threat intelligence is mostly focused on Observables and Indicators of Compromise (IOCs) which are more technical in nature and have a very short lifespan. By the time controls are put in place to thwart the technical IOCs, attackers may have already changed them and countered with new attacks. Therefore, it becomes essential for defenders to continuously harness and operationalize the tactical information made available by technical threat intelligence to identify the Tactics, Techniques, and Procedures (TTPs) used by attackers and deploy the corresponding countermeasures in real-time.

TTPs are the new way of tackling attackers and having your countermeasures in place. This talk will help the defenders understand how to harness the information for TTPs from external and internal sources, how to map/create their own specific tactical threat landscape, and how to use the harnessed information for SOC, IR, Threat Hunting, and Threat Intelligence use cases.

Speakers
Avkash Kathiriya

VP - Research and Innovation, Cyware Labs
Information Security professional with overall 12+ years of experience in the Information Security domain. Currently heading Research and Innovation in Cyber Fusion and Threat Intelligence domain within security product company Cyware Labs. Also Null Mumbai (Open security community...


Saturday November 21, 2020 13:30 - 14:15 WIB
 