All posts by James Alaniz

New InsightCloudSec Compliance Pack for CIS AWS Benchmark 2.0.0

Post Syndicated from James Alaniz original https://blog.rapid7.com/2023/08/01/new-insightcloudsec-compliance-pack-for-cis-aws-benchmark-2-0-0/


The Center for Internet Security (CIS) recently released version two of their AWS Benchmark. CIS AWS Benchmark 2.0.0 brings two new recommendations and eliminates one from the previous version. The update also includes some minor formatting changes to certain recommendation descriptions.

In this post, we’ll talk a little bit about the “why” behind these changes. We’ll also look at using InsightCloudSec’s new, out-of-the-box compliance pack to implement and enforce the benchmark’s recommendations.

What’s new, what’s changed, and why

Version 2.0.0 of the CIS AWS Benchmark included two new recommendations:

  • Ensure access to AWSCloudShellFullAccess is restricted
    An important addition from CIS, this recommendation focuses on restricting who holds the AWS-managed AWSCloudShellFullAccess policy. CloudShell lets a user upload and download files from the shell session, which gives a malicious admin with full permissions to the service a convenient, hard-to-audit path for exfiltrating data out of the account. AWS documentation describes how to create a more restrictive IAM policy that denies the file transfer permissions (cloudshell:GetFileDownloadUrls and cloudshell:GetFileUploadUrls) while still allowing use of the shell itself.
  • Ensure that EC2 Metadata Service only allows IMDSv2
    IMDSv1 answers plain, unauthenticated GET requests, so a Server-Side Request Forgery (SSRF) bug in an application running on the instance is enough to read the instance role's temporary credentials from the metadata endpoint. IMDSv2 requires a session token that must first be obtained with a PUT request carrying a TTL header, which typical SSRF primitives cannot issue. Set HttpTokens to "required" on every instance, and in your launch templates, so that IMDSv1-style requests are rejected.

The update also included the removal of the previous recommendation:

  • Ensure all S3 buckets employ encryption-at-rest
    This recommendation was removed because, as of January 2023, S3 applies server-side encryption with S3-managed keys (SSE-S3) by default to every new object uploaded to any bucket. Note that this default covers new uploads only: objects written before the change are not retroactively encrypted, and a bucket that is supposed to use SSE-KMS still needs its own default encryption configuration. So, if you've got some buckets that have been kicking around for a while, verify the encryption status of the objects already in them, set the bucket-level default to the key type you actually need, and make sure it can not be inadvertently turned off at some point down the line.
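As an added illustration of what enforcing the two new recommendations looks like in code (this is not code from the post or from InsightCloudSec), the following Python evaluates records shaped like the boto3 responses for ec2.describe_instances and the IAM list_attached_*_policies / get_*_policy calls. The instance IDs, principal names and policy documents at the bottom are constructed for the example and do not refer to any real account.

```python
"""Constructed, runnable checks for the two new CIS AWS Benchmark 2.0.0 items.

Added illustration, not code from the post or from InsightCloudSec. Each
function takes data in the shape of the matching boto3 response so it could
be pointed at a real account, but the sample records at the bottom are made
up: the instance IDs and principal names do not refer to anything real.
"""

CLOUDSHELL_FULL_ACCESS_ARN = "arn:aws:iam::aws:policy/AWSCloudShellFullAccess"
# The two actions AWS documents denying in order to block CloudShell file transfer.
CLOUDSHELL_TRANSFER_ACTIONS = {
    "cloudshell:GetFileDownloadUrls",
    "cloudshell:GetFileUploadUrls",
}


def check_imdsv2(reservations):
    """Flag instances that still answer IMDSv1 (HttpTokens != 'required').

    `reservations` is the Reservations list from ec2.describe_instances().
    """
    findings = []
    for reservation in reservations:
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") == "terminated":
                continue
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # metadata service off entirely: nothing for SSRF to reach
            if opts.get("HttpTokens") != "required":
                iid = inst["InstanceId"]
                findings.append(
                    f"{iid}: IMDSv1 still allowed (HttpTokens="
                    f"{opts.get('HttpTokens', 'optional')}); fix with "
                    f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
                    "--http-tokens required --http-endpoint enabled"
                )
    return findings


def _statements(policy_doc):
    """IAM policy documents allow Statement to be a single object or a list."""
    stmts = policy_doc.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _as_set(value):
    """Action may likewise be one string or a list of strings (or absent)."""
    return {value} if isinstance(value, str) else set(value or [])


def denies_file_transfer(policy_doc):
    """True if the policy explicitly denies both CloudShell transfer actions."""
    for stmt in _statements(policy_doc):
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_set(stmt.get("Action"))
        if "cloudshell:*" in actions or CLOUDSHELL_TRANSFER_ACTIONS <= actions:
            return True
    return False


def check_cloudshell(principals):
    """Flag principals holding AWSCloudShellFullAccess with no deny on file transfer.

    `principals` is a list of dicts with Name, AttachedPolicies (the list from
    iam.list_attached_user/role/group_policies) and InlinePolicies (documents
    from iam.get_user/role/group_policy). A deny placed in a customer-managed
    attached policy would need the same treatment; this example checks inline.
    """
    findings = []
    for p in principals:
        attached = {a["PolicyArn"] for a in p.get("AttachedPolicies", [])}
        if CLOUDSHELL_FULL_ACCESS_ARN not in attached:
            continue
        if any(denies_file_transfer(doc) for doc in p.get("InlinePolicies", [])):
            continue
        findings.append(
            f"{p['Name']}: AWSCloudShellFullAccess attached with no deny on file transfer"
        )
    return findings


# Constructed sample data (hypothetical IDs and names).
SAMPLE_RESERVATIONS = [{"Instances": [
    {"InstanceId": "i-0aaa", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
    {"InstanceId": "i-0bbb", "State": {"Name": "running"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}},
]}]

SAMPLE_PRINCIPALS = [
    {"Name": "user/alice",
     "AttachedPolicies": [{"PolicyArn": CLOUDSHELL_FULL_ACCESS_ARN}],
     "InlinePolicies": []},
    {"Name": "role/ops-admin",
     "AttachedPolicies": [{"PolicyArn": CLOUDSHELL_FULL_ACCESS_ARN}],
     "InlinePolicies": [{"Version": "2012-10-17", "Statement": [{
         "Effect": "Deny", "Resource": "*",
         "Action": sorted(CLOUDSHELL_TRANSFER_ACTIONS)}]}]},
]

if __name__ == "__main__":
    for finding in check_imdsv2(SAMPLE_RESERVATIONS) + check_cloudshell(SAMPLE_PRINCIPALS):
        print(finding)
```

Run as-is it reports the instance still accepting IMDSv1 and the user holding AWSCloudShellFullAccess without a file-transfer deny; the role with the deny statement passes. The finding text for IMDSv2 carries the exact CLI command that fixes it, which is the shape a remediation bot wants.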

Along with these changes, CIS also made a few minor changes related to the wording in some of the benchmark titles and descriptions.

How does ICS help me implement this in my environment?

Rapid7 ships the CIS AWS Benchmark 2.0.0 as a compliance pack within InsightCloudSec right out of the box, so teams can scan their AWS environments for compliance against the recommendations and controls the benchmark outlines. If you're not yet using InsightCloudSec, be sure to check out the docs pages, which will guide you through getting started with the platform.

Once you're up and running, scoping your compliance assessment to a specific pack takes only a few clicks. First, from the Compliance Summary page, select your desired benchmark; in this case, of course, CIS AWS Benchmark 2.0.0.


From there, we can select the specific cloud or clouds we want to scan.


And because we've got our badging and tagging strategies in order (right... RIGHT?!), we can home in even further. For this example, let's focus on the production environment.


You'll also get trending insights that show how your organization as a whole, as well as specific teams and accounts, is doing, and whether you're seeing improvement over time.


Finally, if you’ve got a number of cloud accounts and/or clusters running across your environment, you can even scope down to that level. In this example, we’ll select all.


Once you’ve got your filters set, you can apply and get real-time insight into how well your organization is adhering to the CIS AWS Benchmark. As with any pack, you can see your current compliance score overall along with a breakdown of the risk level associated with each instance of non-compliance.


So as you can see, it’s fairly simple to assess your cloud environment for compliance with the CIS AWS Benchmark with a cloud security tool like InsightCloudSec. If you’re just starting your cloud security journey or aren’t really sure where to start, utilizing an out-of-the-box compliance pack is a great way to set a foundation to build off of.

In fact, Rapid7 recently partnered with AWS to help organizations in that very situation. Using a combination of market-leading technology and hands-on expertise, our AWS Cloud Risk Assessment provides a point-in-time understanding of your entire AWS cloud footprint and its security posture.

During the assessment, our experts will inspect your cloud environment for more than 100 distinct risks and misconfigurations, including publicly exposed resources, lack of encryption, and user accounts not utilizing multi-factor authentication. At the end of this assessment, your team will receive an executive-level report aligned to the AWS Foundational Security Best Practices, participate in a read-out call, and discuss next steps for executing your cloud risk mitigation program alongside experts from Rapid7 and our services partners.

If you’re interested, be sure to reach out about the AWS Cloud Risk Assessment with this quick request form!

Uncover and Remediate Toxic Combinations with Attack Path Analysis

Post Syndicated from James Alaniz original https://blog.rapid7.com/2023/06/27/uncover-and-remediate-toxic-combinations-with-attack-path-analysis/


Particularly at enterprise scale, it's not uncommon to have hundreds of thousands of resources running across your cloud environments at any given time. These resources aren't running independently: in modern environments they are interconnected and in many cases interdependent, which means that a compromise of one resource or account puts everything it can reach at risk. Should a bad actor gain a foothold through an exposed port or service, they have a number of avenues to move laterally across your environment, and even across environments if your cloud is connected to your on-premises network.

Because of this, security teams need to understand how resources deployed across their environment relate to and interact with each other to effectively assess and prioritize risk remediation efforts.

For example, it's helpful to know that a resource is publicly reachable when it shouldn't be, but what if that's not the whole story? Perhaps that resource also provides a path to a database holding sensitive customer data, or carries a role that lets it escalate privileges and cause havoc across your environment. These toxic combinations compound risk and widen the potential blast radius should the resource or account be compromised.

Introducing Attack Path Analysis in InsightCloudSec

Attack Path Analysis provides a graph-based visualization that enables users to quickly identify the potential avenues that bad actors could use to navigate your cloud environment to exploit a vulnerable resource and/or access sensitive information.


With Attack Path Analysis, you can:

  • Visualize risk across your cloud environments in real time, mapping the relationships between an exposed or compromised resource and the rest of your environment.
  • Prioritize remediation efforts by understanding the toxic risk combinations present in your environment that provide bad actors avenues to access business-critical resources and sensitive data.
  • Clearly communicate risk and the potential impact of an exploit to non-technical stakeholders with easy-to-consume attack path visualizations.

Identifying Toxic Combinations that Compound Risk and Widen the Blast Radius of an Attack

To effectively prioritize remediation efforts for the various risk signals across your environment, you need to take into account exploitability—whether or not a vulnerable account or resource can actually be accessed by a bad actor—and the potential impact should that vulnerable resource be compromised.

As an example, let's dive into an attack path that highlights a publicly exposed compute instance with an attached privileged role. This combination can be exceedingly difficult to spot, because there are many legitimate reasons a compute instance might be assigned a set of permissions, and the instance may be reachable from the internet indirectly (through a load balancer or a bastion host, for example) rather than through its own public IP. When an instance with broad permissions is reachable either way, this quickly becomes a major issue.


In this scenario, an attacker who compromises the instance can read the role's temporary credentials from the instance metadata service and use them, on the instance or from anywhere else, to steal sensitive data such as login credentials, customer data, financial information or intellectual property. Perhaps even worse, the instance could be weaponized to launch attacks on other systems, cause a denial of service (DoS), or distribute malware across your network.

To remediate this issue, audit whether the compute instance actually needs the permissions and privileges it's been granted and whether it needs to be reachable from the internet at all. Chances are the answer to one or both will be "no", so close off public access and/or trim the role to the actions and resources the workload actually uses.
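To make the path analysis concrete, here is an added toy implementation (not InsightCloudSec's engine, and not code from the post) that builds a reachability graph from a constructed inventory and enumerates paths from the internet to sensitive data. Every resource ID, security group rule and action-to-data mapping is made up for the example; the ACTION_GRANTS table stands in for real IAM policy evaluation. The remediated security group at the end shows the "close off public access" fix from the paragraph above.

```python
"""Toy attack-path analysis over a constructed cloud resource graph.

Added illustration, not InsightCloudSec code. A directed edge A -> B means
"an attacker who controls A can reach or act as B": internet -> public load
balancer -> backend instance, internet -> instance whose security group
admits 0.0.0.0/0, instance -> its IAM role, role -> data its actions grant.
All IDs below are hypothetical.
"""
from collections import deque

RESOURCES = {
    "internet":        {"type": "external"},
    "alb-web":         {"type": "load_balancer", "public": True},
    "i-web01":         {"type": "instance", "public_ip": False, "sg": "sg-web", "role": "role-web"},
    "i-bastion":       {"type": "instance", "public_ip": True,  "sg": "sg-ssh", "role": "role-admin"},
    "role-web":        {"type": "iam_role", "actions": ["s3:GetObject"]},
    "role-admin":      {"type": "iam_role", "actions": ["*"]},
    "s3-customer-pii": {"type": "s3_bucket", "sensitive": True},
    "rds-orders":      {"type": "database", "sensitive": True},
}
SECURITY_GROUPS = {
    "sg-web": [{"cidr": "10.0.0.0/8", "port": 8080}],
    "sg-ssh": [{"cidr": "0.0.0.0/0", "port": 22}],   # the weak rule
}
REMEDIATED_SECURITY_GROUPS = {
    "sg-web": SECURITY_GROUPS["sg-web"],
    "sg-ssh": [{"cidr": "10.0.0.0/8", "port": 22}],  # SSH only from the internal range
}
LB_TARGETS = {"alb-web": ["i-web01"]}
# Which role actions reach which sensitive stores: a constructed stand-in for
# real policy evaluation.
ACTION_GRANTS = {"s3:GetObject": ["s3-customer-pii"], "*": ["s3-customer-pii", "rds-orders"]}


def build_graph(resources, security_groups, lb_targets, action_grants):
    """Derive reachability edges from the inventory."""
    edges = {rid: set() for rid in resources}
    for rid, r in resources.items():
        if r["type"] == "load_balancer" and r.get("public"):
            edges["internet"].add(rid)
            edges[rid].update(lb_targets.get(rid, []))
        elif r["type"] == "instance":
            rules = security_groups.get(r["sg"], [])
            if r.get("public_ip") and any(x["cidr"] == "0.0.0.0/0" for x in rules):
                edges["internet"].add(rid)
            edges[rid].add(r["role"])  # whoever runs code here can use the role
        elif r["type"] == "iam_role":
            for action in r["actions"]:
                edges[rid].update(action_grants.get(action, []))
    return edges


def attack_paths(resources, edges, source="internet"):
    """Breadth-first enumeration of simple paths from `source` to sensitive data."""
    found = []
    queue = deque([[source]])
    while queue:
        path = queue.popleft()
        node = path[-1]
        if resources[node].get("sensitive"):
            found.append(path)
            continue
        for nxt in sorted(edges[node]):
            if nxt not in path:
                queue.append(path + [nxt])
    return found


def reachable_from(edges, source="internet"):
    """Every node an attacker starting at `source` can get to."""
    seen, stack = set(), [source]
    while stack:
        for nxt in edges[stack.pop()]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def toxic_combinations(resources, edges):
    """Internet-reachable instances (directly or via an LB) holding an admin-level role."""
    return sorted(
        rid for rid in reachable_from(edges)
        if resources[rid]["type"] == "instance"
        and "*" in resources[resources[rid]["role"]]["actions"]
    )


def analyze(security_groups=SECURITY_GROUPS):
    """Run the whole pipeline for the constructed inventory."""
    edges = build_graph(RESOURCES, security_groups, LB_TARGETS, ACTION_GRANTS)
    return {"paths": attack_paths(RESOURCES, edges),
            "toxic": toxic_combinations(RESOURCES, edges)}


if __name__ == "__main__":
    for label, sgs in (("before", SECURITY_GROUPS), ("after", REMEDIATED_SECURITY_GROUPS)):
        result = analyze(sgs)
        print(label, "toxic:", result["toxic"])
        for path in result["paths"]:
            print("  " + " -> ".join(path))
```

Before remediation the bastion host is flagged as a toxic combination and three paths reach sensitive data, two of them through its admin role. After the 0.0.0.0/0 rule is replaced, the bastion drops out of the internet-reachable set and the only remaining path is the web tier's read access to the bucket, which is a far narrower blast radius to reason about.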

There are a variety of attack paths that can be detected and investigated in InsightCloudSec upon launch, and we’ll continue to add more in the coming quarters. If you’re interested in learning more about Attack Path Analysis in InsightCloudSec, be sure to check out the dedicated docs page!

MITRE ATT&CK® Mitigations: Thwarting Cloud Threats With Preventative Policies and Controls

Post Syndicated from James Alaniz original https://blog.rapid7.com/2023/03/16/mitre-attack-mitigations-thwarting-cloud-threats-with-preventative-policies-and-controls/


As IT infrastructure has become more and more sophisticated, so too have the techniques and tactics used by bad actors to gain access to your environment and sensitive information. That’s why it’s essential to implement robust security measures to protect your organization. One way to do this is to utilize the MITRE ATT&CK framework, which provides a comprehensive guide to understanding and defending against cyber threats.

Who is MITRE and what is the MITRE ATT&CK Framework?

MITRE is a non-profit organization supporting various U.S. government agencies across a variety of fields, but primarily focusing on defense and cybersecurity. The MITRE ATT&CK® Framework is a free knowledge base of adversarial tactics and techniques based on real-world observations.

It is a tremendous resource for any security practitioner, and can be used as a foundational resource for developing specific threat models and methodologies in both the public and private sectors. The framework is curated by the folks at MITRE, but anyone is able to contribute information or findings for review, as they look to crowdsource as much intelligence as humanly possible to better serve the broader community.

The ATT&CK Framework is intended to provide insight into adversaries' goals as well as the tactics and techniques they are likely to use. These insights give organizations and the security teams that protect them a detailed roadmap for planning defenses, detecting threats, and mitigating risk. Once an organization has identified the attack vectors relevant to it, it can implement the appropriate mitigations.

Wait, but what are Mitigations?

Under each technique outlined within the ATT&CK Framework is a section on relevant mitigations. Mitigations represent security concepts and classes of technologies that can be used to prevent a technique or sub-technique from being successfully executed. It is a large and comprehensive list, so MITRE organizes the mitigations by matrix: "Enterprise," which covers techniques against Windows, macOS, Linux, cloud, container and network-device environments; "Mobile," which, as you might have guessed, is dedicated to attacks targeting mobile devices; and "ICS," for industrial control systems. The cloud controls discussed in this post fall under Enterprise.

While these mitigations can not guarantee that you won’t be breached, they serve as a great baseline for teams looking to do whatever they can to avoid an attacker gaining access to their sensitive data.

Example mitigations and what they entail

As noted above, MITRE provides a wide range of mitigations. For the purpose of this post, let’s look at a few example mitigations to give a sense of what they entail.

Before we dive in, a quick note: It’s very important to select and implement mitigations based on your organization’s specific threat landscape and unique aspects of your environment. You’ll want to prioritize the mitigations that address the most significant risks to business operations and data first to effectively mitigate risk and the likelihood of a breach.

Mitigation: Data Backup (ID: M1053)

Backing up data from end-user systems and servers is critical to limit the impact of attacks that center on deletion, defacement or encryption of sensitive organizational and customer data, such as Data Destruction (T1485), Disk Wipe (T1561) and Data Encrypted for Impact (T1486). Once such an attack has succeeded, the only recourse is a solid disaster recovery plan. Security teams should back up data regularly, store the backups in a location isolated from the rest of the corporate network (and ideally immutable) so that an attacker who controls the network cannot reach them, and periodically test that restores actually work. This way, you'll have the ability to quickly recover lost data and restore your systems to a known-good state should a bad actor delete your data or hold it for ransom.

Mitigation: Account Use Policies (ID: M1036)

This mitigation is geared toward preventing unwanted or malicious access to your network via attack types such as Brute Force (T1110) and Multi-Factor Authentication Request Generation (T1621). By establishing policies such as locking an account after a set number of failed attempts to enter credentials, you can thwart bad actors that are simply guessing passwords repeatedly until they gain access, and limit how often a compromised password can trigger MFA push prompts. This control needs to be configured so that it effectively prevents these attacks without being so strict that legitimate users within your organization are denied access to the systems or data they need to perform their jobs.

Mitigation: Encrypt Sensitive Information (ID: M1041)

As you can probably guess from the name, this mitigation focuses on implementing strong data encryption hygiene. Given that the end goal of many breaches is to gain access to sensitive information, it will come as no surprise that this mitigation plays a critical role in protecting against a wide range of attack techniques, including Adversary-in-the-Middle (T1557), Data from Cloud Storage (T1530), which covers data read from misconfigured cloud storage buckets, and Network Sniffing (T1040), just to name a few. Properly encrypting data, both at rest and in transit, is a critical step in fortifying against these types of attacks.

There are several MITRE techniques, such as those highlighted above, where the primary mitigation for an attack is to ensure your organization's security policies and controls are configured properly. While it can be a daunting task to maintain compliance with all policies and controls across your entire environment, InsightCloudSec offers out-of-the-box insights that are mapped directly to each mitigation.

Leveraging InsightCloudSec to implement and track performance against MITRE ATT&CK Mitigations

With this new pack, you can use InsightCloudSec to audit and assess your entire environment against the recommended mitigations provided by MITRE, and ensure you are taking every step possible to stop bad actors from gaining unauthorized access to your network and sensitive information.


InsightCloudSec continuously assesses your entire cloud environment — whether single cloud or hosted across multiple platforms — for compliance with organizational standards. It detects noncompliant resources and unapproved changes within minutes. The platform continuously monitors your environment to ensure you’ve properly implemented the necessary controls as recommended by MITRE for thwarting attackers, regardless of which technique or sub-technique they utilize.

InsightCloudSec can instantly detect whenever an account or resource drifts from compliance. The platform comes out of the box with 30+ compliance packs, including a dedicated pack for MITRE Mitigations. A compliance pack within InsightCloudSec is a set of checks that can be used to continuously assess your cloud environments for compliance with a given regulatory framework, or industry or provider best practices.

If you’re interested in learning more about how InsightCloudSec helps continuously and automatically enforce cloud security standards, be sure to check out the demo!


New InsightCloudSec Compliance Pack: Key Takeaways From the Azure Security Benchmark V3

Post Syndicated from James Alaniz original https://blog.rapid7.com/2023/03/01/new-insightcloudsec-compliance-pack-key-takeaways-from-the-azure-security-benchmark-v3/


Implementing the proper security policies and controls to keep cloud environments, and the applications and sensitive data they host secure, is a daunting task for anyone. It’s even more of a challenge for folks that are just getting started on their journey to the cloud, and for teams that lack hands-on experience securing dynamic, highly-ephemeral cloud environments.

To reduce the learning curve for teams ramping up their cloud security programs, cloud providers have curated sets of security controls, including recommended resource configurations and access policies to provide some clarity. While these frameworks may not be the be-all-end-all—because let’s face it, there is no silver bullet when it comes to securing these environments—they are a really great place to start as you define and implement the standards that are right for your business. In a recent post, we covered some highlights within the AWS Foundational Security Best Practices, so be sure to check that out in case you missed it.

Today, we’re going to dive into the new Azure Security Benchmark V3, and identify some of the controls that we view as particularly impactful. Let’s dig in.

How does Azure Security Benchmark V3 differ from AWS Foundational Security Best Practices?

Before we get started with some specifics from the Azure Security Benchmark, it’s probably worthwhile to highlight some key similarities and differences between the Microsoft and AWS benchmarks.

The AWS Foundational Security Best Practices are, as one might intuitively expect, focused solely on AWS environments. They provide prescriptive guidance on how a given resource or service should be configured to reduce the risk of a security incident. Because the recommendations are so prescriptive and targeted, users can verify them with AWS Config, the native AWS service for assessing resource configurations; AWS Security Hub packages the same checks as its Foundational Security Best Practices standard, which is built on Config rules.

Much like the AWS Foundational Security Best Practices, the Azure Security Benchmark is a set of guidelines and recommendations provided by Microsoft to help organizations establish a baseline for what "good" looks like in terms of effective cloud security controls and configurations. However, where AWS's guidelines are laser-focused on AWS environments, Microsoft has taken a cloud-agnostic approach, with higher-level security principles that can be applied regardless of which platform you select to run your mission-critical workloads (the benchmark has since been renamed the Microsoft cloud security benchmark, and newer versions add AWS-specific guidance alongside the Azure guidance). This approach makes quite a bit of sense given AWS and Microsoft's respective go-to-market strategies and target customer bases. It also means implementation of these recommendations requires a slightly different approach.

As noted above, the guidance in the Azure Security Benchmark isn't tied to Azure specifically; it is broader in nature and speaks to general approaches and themes. For example, it recommends that you use encryption and proper key management hygiene, as opposed to specifying a granular resource or service configuration. That's not to say that Microsoft hasn't provided any Azure-specific guidance, as many of the guidelines are accompanied by step-by-step instructions for implementing them in your Azure environment. Just as AWS provides checks within AWS Config, Microsoft provides checks within Microsoft Defender for Cloud that help ensure your environment is configured in accordance with the benchmark recommendations.

Five recommendations from the Azure Security Benchmark V3 we find particularly impactful

Now that we’ve compared the benchmarks, let’s take a look at some of the recommendations provided within the Azure Security Benchmark V3 that we find particularly impactful for hardening your cloud security posture.

NS-2: Secure cloud services with network controls

This recommendation focuses on securing cloud services by giving them a private access point, for example an Azure Private Link private endpoint inside your virtual network, so that traffic never traverses the public internet. Additionally, you should disable or restrict access from public networks (when possible) to avoid unwanted access from folks outside of your organization.

DP-3, 4 & 5: Data Protection and Encryption At Rest and In Transit

These recommendations focus on ensuring proper implementation of data security controls, most notably encryption for all sensitive data in transit (DP-3, which calls for TLS 1.2 or later and for plaintext protocols to be disabled) and at rest (DP-4). Data should be encrypted at rest by default, and teams should use the customer-managed key option (DP-5) wherever regulatory or business requirements call for it.

DP-8: Ensure Security of Key and Certificate Repository

Another Data Protection control, this recommendation centers on hardening the key vault service used for cryptographic key and certificate lifecycle management. Key vault hardening can be accomplished through a variety of controls, including identity and access (Azure RBAC on the vault rather than legacy access policies), network security (private endpoints and a default-deny firewall), logging and monitoring, and backup (for example, soft delete with purge protection so that a deleted key cannot be destroyed irrecoverably).

PA-1: Separate and Limit Highly Privileged/Administrative Users

Teams should ensure all business-critical accounts are identified and should apply limits to the number of privileged or administrative accounts in your cloud’s control plane, management plane, and data/workload plane. Additionally, you should restrict privileged accounts in other management, identity, and security systems that have administrative access to your assets, such as tools with agents installed on business-critical systems that could be weaponized.

LT-1: Enable Threat Detection Capabilities for Azure Resources

This one is fairly self-explanatory, but it focuses on making sure you are monitoring your cloud environment for potential threats. Whether you use native services from your cloud provider of choice, such as Microsoft Defender for Cloud or Microsoft Sentinel, or a third-party tool, you should have cloud detection and response capability that monitors resource inventory, configurations, and user activity in real time to identify anomalous activity across your environment.
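To show what checking several of these controls looks like in practice, here is an added example (not code from the post or from InsightCloudSec) that evaluates records shaped like the JSON printed by `az keyvault show`, `az storage account show` and `az role assignment list` against NS-2, DP-3/DP-5, DP-8 and PA-1. The vault, storage account and role assignments at the bottom are constructed, the weak vault is shown beside a hardened one, and the privileged-principal ceiling is an assumed organizational limit rather than a number from the benchmark.

```python
"""Constructed checks for the Azure Security Benchmark V3 controls discussed above.

Added illustration, not code from the post or from InsightCloudSec. Inputs
mimic `az keyvault show`, `az storage account show` and `az role assignment
list` output; every record at the bottom is made up for the example.
"""

PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def check_key_vault(kv):
    """NS-2 and DP-8 on a Key Vault record (`az keyvault show` shape)."""
    p = kv.get("properties", {})
    findings = []
    public = p.get("publicNetworkAccess", "Enabled") != "Disabled"
    default_deny = p.get("networkAcls", {}).get("defaultAction") == "Deny"
    if public and not default_deny:
        findings.append("reachable from public networks; use a private endpoint or firewall default Deny (NS-2)")
    if not p.get("enableSoftDelete", True):
        findings.append("soft delete disabled (DP-8)")
    if not p.get("enablePurgeProtection", False):
        findings.append("purge protection disabled; a deleted key can be purged for good (DP-8)")
    if not p.get("enableRbacAuthorization", False):
        findings.append("vault access policies in use instead of Azure RBAC (DP-8)")
    return [f"{kv['name']}: {f}" for f in findings]


def check_storage_account(sa):
    """NS-2, DP-3 and DP-5 on a storage account (`az storage account show` shape)."""
    findings = []
    if sa.get("minimumTlsVersion") != "TLS1_2":
        findings.append(f"minimum TLS version is {sa.get('minimumTlsVersion')}, require TLS1_2 (DP-3)")
    if not sa.get("enableHttpsTrafficOnly", False):
        findings.append("plaintext HTTP allowed (DP-3)")
    if sa.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("public network access enabled (NS-2)")
    if sa.get("encryption", {}).get("keySource") != "Microsoft.Keyvault":
        findings.append("encrypted with platform-managed keys; switch to a customer-managed key where required (DP-5)")
    return [f"{sa['name']}: {f}" for f in findings]


def subscription_scope(scope):
    """True for '/subscriptions/<id>' exactly, not a resource group or resource below it."""
    parts = scope.strip("/").split("/")
    return len(parts) == 2 and parts[0] == "subscriptions"


def privileged_principals(assignments, limit=5):
    """PA-1: distinct principals holding privileged roles at subscription scope.

    `limit` is an assumed organizational ceiling (not from the benchmark).
    Returns (sorted principal names, finding-or-None).
    """
    names = sorted({
        a["principalName"] for a in assignments
        if a["roleDefinitionName"] in PRIVILEGED_ROLES and subscription_scope(a["scope"])
    })
    finding = None
    if len(names) > limit:
        finding = f"{len(names)} privileged principals at subscription scope exceeds limit of {limit} (PA-1)"
    return names, finding


# Constructed sample records (hypothetical names and IDs).
WEAK_VAULT = {"name": "kv-prod", "properties": {
    "publicNetworkAccess": "Enabled", "networkAcls": {"defaultAction": "Allow"},
    "enableSoftDelete": True, "enablePurgeProtection": False, "enableRbacAuthorization": True}}
HARDENED_VAULT = {"name": "kv-prod", "properties": {
    "publicNetworkAccess": "Disabled", "networkAcls": {"defaultAction": "Deny"},
    "enableSoftDelete": True, "enablePurgeProtection": True, "enableRbacAuthorization": True}}
SAMPLE_STORAGE = {"name": "stprod01", "minimumTlsVersion": "TLS1_0",
    "enableHttpsTrafficOnly": True, "publicNetworkAccess": "Disabled",
    "encryption": {"keySource": "Microsoft.Storage"}}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@example.com", "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "carol@example.com", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "dave@example.com", "roleDefinitionName": "Owner", "scope": SUB + "/resourceGroups/rg-dev"},
]

if __name__ == "__main__":
    for f in check_key_vault(WEAK_VAULT) + check_key_vault(HARDENED_VAULT) + check_storage_account(SAMPLE_STORAGE):
        print(f)
    print(privileged_principals(SAMPLE_ASSIGNMENTS, limit=1))
```

The weak vault produces NS-2 and DP-8 findings while the hardened copy produces none; the storage account already blocks public access and plaintext HTTP but still allows TLS 1.0 and uses platform-managed keys. For PA-1 the resource-group-scoped Owner and the subscription-scoped Reader are deliberately excluded, which is the distinction that matters when deciding who really holds control-plane power.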

Implement and enforce Azure Security Benchmark V3 with InsightCloudSec


InsightCloudSec allows security teams to establish and continuously measure compliance against organizational policies, whether they’re based on service provider best practices like those provided by Microsoft, a common industry framework, or a custom pack tailored to specific business needs.

A compliance pack within InsightCloudSec is a set of checks that can be used to continuously assess your cloud environments for compliance with a given regulatory framework, or industry or provider best practices. The platform comes out of the box with 30+ compliance packs, including a dedicated pack for the Azure Security Benchmark V3.

InsightCloudSec continuously assesses your entire cloud environment—whether that’s a single Azure environment or across multiple platforms—for compliance with best practice recommendations, and detects noncompliant resources within minutes after they are created or an unapproved change is made. If you so choose, you can make use of the platform’s native, no-code automation to remediate the issue—either via deletion or by adjusting the configuration or permissions—without any human intervention.

If you’re interested in learning more about how InsightCloudSec helps continuously and automatically enforce cloud security standards, be sure to check out the demo!