I Work in Cloud Security Research! Say What Now?

What is the role of Cloud Security Research in the Cloud Security Industry?

Incase, this is your 1st Cloud Security Newsletter! Welcome, we are a Weekly newsletter from the team behind Cloud Security Podcast & AI CyberSecurity Podcast deep diving into top of mind topics in emerging technology to make sure collectively we feel confident securing things in this every changing world of Cloud, AI and whatever comes next.

Who else is here reading with you? Ashish & Shilpi, from the weekly show Cloud Security Podcast, friends and colleagues from companies like Netflix, Citi, JP Morgan, Linkedin, Reddit, Github, Gitlab, CapitalOne, Robinhood, HSBC, British Airways, Airbnb, Block, Booking Inc & more who subscribe to this newsletter. If you are reading this - thank you for supporting us and sharing with your friends who like to learn a new Cloud Security Topic from their industry peers every week.

Also if you would prefer to receive this newsletter in your inbox, you can sign up for it here!

Security Research on Cloud Provider Environments

Welcome to this week's newsletter, this week we are looking at the world of Cloud Security Research and what role it plays in the world of Cloud Security.

As organizations increasingly adopt multi-cloud strategies and cloud-native technologies, the landscape of cloud security research is rapidly evolving. Are there cutting-edge research methodologies, novel attack vectors, and innovative defense strategies across major cloud platforms? - well -that’s the core of our research here!

We'll be exploring the latest techniques, tools, and what goes behind the scenes in cloud security research with insights from our guests Scott Piper, Principal Cloud Security Researcher at Wiz, Christophe Tafani-Dereeper and Nick Frichette, Staff Cloud Security Researchers at Datadog, Kat Traxler, Principle Security Researcher at Vector AI and Rodrigo Montoro, Chief Research & Innovation Officer at Clavis Segurança da Informação

Definitions and Core Concepts

🔬 Cloud Security Research: The systematic investigation of cloud provider environments to discover vulnerabilities, develop new attack techniques, and create more effective defenses. This field combines elements of traditional security research with cloud-specific knowledge.

🛠️ Cloud Research Tools: Custom-built software designed to test, exploit, or defend cloud environments. These tools often simulate real-world attack scenarios or automate the discovery of misconfigurations.

🕵️ Cloud Threat Detection Engineering: The process of creating, testing, and implementing detection rules for cloud-specific attack techniques. This involves analyzing cloud logs, understanding normal behavior patterns, and identifying anomalies.

🌐 Uncommon Cloud Services: Lesser-known or infrequently used cloud services that may present unique security challenges or novel attack vectors. These services often lack the security scrutiny of more popular services

"I always recommend people read the docs, right? Understand what you're testing. understand that Google Cloud is a resource based IAM CSP. I mean that every resource can have a policy attached to it." - Kat Traxler

Approaches to Cloud Security Research

Our experts use various methodologies in their research:

Deep Service Analysis: You can work on understanding individual cloud services, including their APIs, IAM policies, and potential misconfigurations.

Cross-Service Interactions: It is important to investigate how different cloud services interact between the consumer and the provider.

"Understand the confluence between your web app, your application security and your cloud security. That's going to be a lot of your points of initial access is your web apps." - Kat Traxler

IAM Policy Analysis: You can focus on scrutinizing IAM policies for overly permissive settings or unintended access grants by cloud provider for resources.

Log Analysis: Examining cloud audit logs can often provide some very powerful insights e.g data leakage or undocumented api calls or api calls not recorded etc

"The cloud trail control plane … it's … the actions that you create, … remove. something you change … in the service and so on. That's … cloud trail …, and you have the … event parts." - Rodrigo Montoro

Threat Modeling: Developing comprehensive threat models for cloud environments, considering both common and uncommon services in your own cloud environment for work.

"I think the best thing to do is to get your hands dirty and try it out for yourself. If you're interested in doing managed Kubernetes, spin up a cluster in the cloud of your choosing, bearing in mind the potential costs, of course." - Scott Piper

Cross-Platform Insights: While each expert has their own area of focus, many insights are applicable across cloud platforms.

"Just because you're an expert in AWS doesn't mean that you're going to be an expert in GCP really because the model is flipped on its head. And once you kind of get a sense of GCP, you might end up loving it." - Kat Traxler

Practitioner's Perspective: For Cloud Security Researchers (Red/Purple Team)

Whether you're aspiring to enter the field of Cloud Security Research or you're already conducting research, here are some insights drawn from our expert panel to help guide your efforts:

1. Develop a Comprehensive Understanding of Cloud Platforms

Dedicate time to thoroughly read the documentation for at least one major cloud platform. Create a study plan that covers core services, IAM, networking, and security features. Hint - These AI tools allow you to upload documents and help you understand complex services in simple terms for your use case, do take advantage of that too if possible.

2. Focus on Un-common Cloud Services

There is value in exploring less-known services. Identify and list 5-10 “lesser known” cloud services in your chosen cloud platform. Dedicate time to understand their functionality, potential misconfigurations, and security implications. If you are thinking how would you find uncommon services - see which one of the cloud services that you use in your work but are not reported on your native or 3rd party CSPM - yes they don’t cover all the 400+ services that cloud providers have but CSPMs only pick the most common ones for their customer. 😉

"I was on a incident response call and say, Oh, we did some problem with the Appstream part. I say, What is Appstream? So I started to figure out, okay, I need to study that." - Rodrigo Montoro

3. Adopt a Hands-on Approach

Set up a personal cloud lab environment for experimentation in any cloud provider of your choice (here is an AWS example). Practice creating and manipulating resources, and analyze the resulting logs and events.

"I start to click, right? And see what's happen. And mostly like when I click, I go to cloudtrail and see what's going to be generated." - Kat Traxler

4. Develop Custom Tools

Most of our experts have created their own research tools to automate part of their methodology and style of their research work in an easy to repeatable (to an extent) fashion on any new service they start researching on. Example of this - Step 3 above - build a Cloud Lab for yourself using infrastructure as Code e.g Terraform so you can build and destroy your infrastructure without taking a lot of time.

Also, start small by creating a script to automate a small yet simple repetitive task in your research before moving to complex parts of the research. As you gain confidence, work towards developing more complex tools that fill gaps in existing solutions.

5. Collaborate and Share Findings

Join cloud security forums, discussion groups, meetups, conferences or bootcamps. Start sharing your findings, even if they seem small. Consider starting a blog to document your research journey.

"I had the opportunity to meet an engineer at GCP who describe to me that he's been working on the exact same thing internally and it worked as well." - Nick Frichette

6. Cross-pollinate Knowledge

If you're familiar with one cloud platform, start exploring another. Compare and contrast their approaches to similar problems, like identity management or network security & more which require same foundational knowledge but the implementation maybe unique per cloud provider.

7. Focus on Detection Engineering

Practice creating detection rules for specific attack scenarios. Start with known attack patterns from your cloud security services or CSPM providers already give you. Once comfortable to detect those yourself, gradually move to more complex, multi-step attack paths in Cloud or use the TTPs from MITRE | ATT&CK as your next starting point.

Practitioner's Perspective: For Cloud Security Practitioners (Blue Team)

For those actively working in cloud security roles, a few takeaways from our expert cloud security researchers which may enhance your organization's security posture:

1. Implement Comprehensive Service Monitoring

Conduct an audit of all cloud services in use across your organization. Are you using any un-common or lesser known cloud services? Make a note of these services & implement threat monitoring coverage for all services, especially those less commonly used.

2. Enhance IAM Security

Implement regular IAM audits. Pay special attention to NHI (Non-Human Identities), service-specific IAM mechanisms e.g Amazon EKS's aws-auth ConfigMap which allows to configure identity for a kubernetes cluster hosted in Amazon EKS and is a different identity to the common AWS IAM User identity, if not configured right.

"The way that in AWS EKS you manage permissions is from inside the cluster. So you have a config map. That's called AWS auth in the kube system namespace that maps AWS roles to Kubernetes permissions, right?" - Christophe Tafani-Dereeper

3. Improve Logging and Monitoring

Review and enhance your logging strategy. Ensure you're capturing both control plane and data plane events across all cloud services. e.g Amazon EKS, ensure you are getting logs from the Amazon Control Plane and also the Kubernetes Control Plane.

4. Conduct Regular Security Assessments

Implement a regular schedule of security assessments that cover both cloud infrastructure and applications running on it. There are open source ones like Prowler, Pacu, ScoutSuite that you can use if you don’t want to pay for a security assessment tool.

5. Understand security of Managed Cloud Services

For each managed cloud service in use e.g database as service etc , document the security controls provided by the cloud provider and identify any gaps in logging/monitoring or integration to threat detection that need to be addressed with additional controls from your end.

6. Implement Strong Data Access Controls

Implement strict data access controls, especially for AI and ML workloads. Regularly audit data access patterns and permissions with an updated Data flow diagram of applications that are hosted in your cloud provider. Note - Most Cloud Providers have a gap in data security services so you may need to look identify and even fill the gap with existing data security tools from your broader organization.

"AI especially lives and dies based on the access to data that it has. And so as a result of that, it oftentimes has access to a lot of critical data inside people's environments." - Scott Piper

7. Stay Informed and Contribute to the Community

All our experts emphasize the importance of continuous learning and community engagement.

Allocate time each week for staying updated on cloud security news, research, CTFs . Consider contributing to open-source security tools or sharing your own experiences and best practices.

🔗 Related Resources

• CloudMapper - An open-source tool for analyzing AWS environments. It helps create network diagrams of AWS environments and can identify security issues.
• Stratus Red Team - An open-source adversary emulation tool for cloud environments. It can be used to test detection coverage for various cloud attack techniques across AWS, Azure, and GCP.
• DeRF (Detection Replay Framework) is an “Attacks As A Service” framework, allowing the emulation of offensive techniques and generation of repeatable detection samples in the cloud. Built on Google Workflows
• Pacu - An open-source AWS exploitation framework, designed for testing the security of AWS environments.
• Prowler - An open-source security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness.
• K3s - A lightweight Kubernetes distribution, useful for running Kubernetes locally or in resource-constrained environments.
• Minikube - A tool that lets you run Kubernetes locally, useful for development and testing.
• permissions.cloud - A website that provides information about AWS IAM permissions and policies.

🔗 Related Podcast Episodes

🤖 Are you interested in AI Cybersecurity?

Then you should definitely checkout our sister podcast AI Cybersecurity Podcast that is hosted by Ashish Rajan and Caleb Sima.

👩🏽💻Cloud Security Training from Practitioners!

Want to learn more about Cloud Security or know someone who wants to, we got you !

If you have been following our journey for a while, you would know that one of the big reasons we started Cloud Security Podcast was to make cloud security knowledge accessible for anyone wanting to learn it.

Have you joined our FREE Monthly Cloud Security Bootcamp yet. There are paid online and corporate trainings available for those looking to hit their Cloud Security goals this year!

We would love to hear from you📢 for a feature or topic request or if you would like to sponsor an edition of Cloud Security Newsletter.

Thank you for continuing to subscribe and Welcome to the new members in tis newsletter community💙

Hope you are enjoying this new look Cloud Security Newsletter, there’s plenty more to come.

Peace!

Shilpi Bhattacharjee

Was this forwarded to you? You can Sign up here, if this was helpful for you.

Want to sponsor the next newsletter edition! Lets make it happen