Cloud Scout: A New Open Source Tool for Cloud Security

Cloud Scout is doing this by leveraging and bringing together the capabilities of great open source tools that are available today, such as BloodHound, StormSpotter and AWSPX; and by adding new functionality and capabilities.

The Challenge

The accelerated transition to cloud services and the adoption of hybrid cloud architectures is creating opportunities but is also introducing new and complex challenges to security.

Among the leading trajectories in cloud which require security attention are:

  • Multi cloud/Cross cloud connectivity – many companies utilize multiple cloud vendors and have many connections established between their applications and services
  • Infrastructure as a Code (IaC) – while in the past CI/CD pipelines were a separate technical procedure, now this area is brought into the cloud and allows building, testing and deploying the code in a single place
  • Native cloud services – new native cloud services and micro services replace other traditional IT and introduce new security challenges that can be exploited with relative ease

Threat actors are adapting to these changes, trying to take advantage of the opportunities created by the cloud. We are seeing an increasing focus on IaaS weaponization, cloud services targeting, and the development of tailor-made malware for cloud workloads.

While adopting hybrid environments, we are unintentionally “adopting” their new misconfigurations, gaps and vulnerabilities, which in turn may expose our entire infrastructure to security risks that could lead to full organizational compromise.

Security teams need to adapt the security of their cloud services to threats to stay ahead of the curve in the competition with threat actors. However, identifying gaps and misconfigurations manually is complex, and, in many cases, not feasible. The community provides a few great open source tools designed to support these efforts. Among these are BloodHound (by Specter Ops), StormSpotter (Microsoft) and AWSPX (F-Secure LABS).

Each of these tools provides data collection and analysis for a single “type” of environment, be it Azure, AWS or on premises domain. Moreover, each framework is executed separately under separate databases, and is making their use not feasible for identifying cross platform, cloud or on-prem connection paths and vulnerabilities. Consolidation needs to be done manually and is inefficient.

In working with organizations worldwide, our teams have identified a need for a capability which will allow them full and efficient mapping and visualization of hybrid environments and attack surfaces. It is a critical foundation in the process of addressing vulnerabilities and adapting security to threats.

When we could not find a solution to meet this objective, we decided to develop our own, which we are now making available to the community. Inspired by “Blood Hound,” we named this tool “Cloud Scout.”

Solution

Cloud Scout delivers three major unique capabilities:

  • Connects cross platforms entities such as: Users, Applications, Roles and services, based on their corresponding attributes
  • Identifies cross platform attack paths that allow attackers to move laterally and escalate privileges
  • Visualizes the cross-platform attack paths on a single screen

The tools that we mentioned earlier are all based on a neo4j graph database, and therefore we decided to expand those tools’ functionality by merging them into one database, just as with real life hybrid environments, where all organizational infrastructures are interconnected.

For example: Users in the on-prem (Active Directory) AD are synced with users in (Azure Active Directory) AAD and, therefore, we can create a relation between StormSpotter users and BloodHound users, based on user security identifiers.

Beyond the trivial relations, we enriched the data of different nodes, and created more complex relations that will show us complex, nontrivial attack paths which we could not see in the past.

Example Use-Cases

In this section we will explain in depth a few of the use cases that Cloud Scout can help address, which have not been easily available before without a solution to interconnect multiple cloud providers under a single platform.

Attacker path from on-premise to KeyVault

The Azure KeyVault resource can be very valuable for an attacker, as it stores sensitive data which can provide an attacker with access to valuable assets. The illustration below (figure 1) demonstrates the added functionality visualized in an attack path to controlling Azure KeyVault that we otherwise would not have seen.

The attack path visualizes how an attacker can gain access to the specified KeyVault instance from the on-premises environment, combining two different frameworks.

In order to connect the different frameworks, relations between their nodes need to be created. In this case, Cloud Scout created relations between the on-premise user to the AAD user, with the same security identifier.

Sygnia Cloud Scout 1.png

Figure 1 – Attacker path from on-premise to KeyVault

Attacker path from Azure to on-premise

Cloud Scout highlighted a path that begins in the on-premises environment and leverages Azure in order to take over that same on-premise domain, again, by visualizing a relationship that we would not have seen otherwise. The illustration below (Figure 2) demonstrates the path.

The attack path visualizes which users in the on-premise domain environment can leverage their roles both in on-premise and Azure environments, in order to gain privileges of “Domain Admins” group and gain control over the domain.

The relations identified by Cloud Scout in this scenario are as follows:

  • Between on premise user and AAD user
  • Between “groups administrator” role and Azure groups
  • Between “application administrator” role and Azure SP
  • Between VM instance on azure and the corresponding on-premise server

Sygnia Cloud Scout 2.png

Figure 2 – Attacker path from Azure to on-premise

Attacker path from on-premise to Azure and AWS

The node on the right side of the illustration below (Figure 3) is the “Effective Admin” role, which grants full control over an AWS account. An attacker may be interested in that role to gain access to critical business assets hosted on the AWS cloud provider.

The attack path visualizes which users in the on-premise domain environment can leverage their roles in order to gain the privileges of the “Effective Admin” in AWS. In this instance we have visualized an attack path through three different environments, and relations that we would not have seen without the functionality of Cloud Scout.

The relations identified by Cloud Scout in this scenario are as follows:

  • Between BloodHound user node and StormSpotter user node connected by the on-premise SID.
  • Between the “Application Adminsitrator” and the SP
  • Between the SP of azure and the corresponding role it has in the AWS environment

Sygnia Cloud Scout 3.png

Figure 3 – Attacker path from on-premise to Azure and AWS

Network data mapping

Cloud Scout has the functionality to map network rules and show them in a visualized manner. At this point, we are not familiar with other open source tools that can provide this functionality, and we hope it will become increasingly available.

The path below illustrates which network rules are attached to which VMs, as well as the path connecting the rule to the VM hosted on Azure.

Relations identified by Cloud Scout: Between the IP to the corresponding NSG

Sygnia Cloud Scout 4.png

Figure 4 - Network Data Mapping

Architecture

Cloud Scout is a plugin which works on top of BloodHound and, in order to actualize its full capabilities, depends on several open source frameworks, such as BloodHound, StormSpotter and AWSPX.

The Cloud Scout plugin extends BloodHound functionality, by adding a few additional buttons and visual elements to handle the ingestion of different frameworks and execute the logic to create relations between relevant nodes. To fully understand the architecture, we need to be familiar with BloodHound architecture.

Bloodhound consists of three main parts:

  • GUI – the graphical interface, which is used by users
  • Neo4j – a database that stores the information ingested
  • Graph theory - the logic behind the graphs, that creates relations between entities

The data showed in BloodHound is generated and collected by Sharphound ingestor from on-premise domain information.

Cloud Scout will have the same three capabilities

  • GUI - handles the added the visualization layer: buttons, icons, text.
  • Database - uses one database for all frameworks (BloodHound, AWSPX, StormSpotter), and utilizes each framework ingestion process into the same database.
  • Graph theory - Behind the graphs’ logic to create complex relations.

Sygnia Cloud Scout 5.png

Figure 5 - Architecture

Future

We hope to continue to improve Cloud Scout and add new functionalities and features. What we currently plan includes:

  • Support SSH private key processing to identify with corresponding VMs deployed on cloud environments
  • Create a tool for GCP environments enumeration
  • Improve integration with platforms
  • Create new relations based on new researches
  • We hope you will be able to leverage the tool in enhancing resilience and we would appreciate any comment or ideas.

References

https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a

https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/

https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#general

https://docs.microsoft.com/en-us/graph/permissions-reference#microsoft-graph-permission-names

https://github.com/BloodHoundAD/BloodHound

https://github.com/FSecureLABS/awspx

https://github.com/Azure/Stormspotter

This site uses cookies to improve your online experience, measure traffic to this website, and allow you to share content on social media. By clicking ACCEPT, you are agreeing to Istari's and their partners' use of cookies. For more information, or to change your cookie preferences at any time, visit Istari's Cookies Policy.