fwd:cloudsec Europe 2024

Shelly Raban

Shelly is a Senior Security Researcher at Tenable, specializing in cloud security research. In her previous roles, Shelly worked as a security researcher and threat hunting expert at Hunters. With 7 years of experience in cybersecurity, Shelly has conducted extensive research in detection engineering, host forensics, malware analysis, and reverse engineering. Outside of work, Shelly loves spending time with her two baby cats.


Session

09-17, 14:45, 20 min
Who Watches the Watchmen? Stealing Credentials from Policy-as-Code Engines (and beyond)
Shelly Raban

If an attacker could run an arbitrary policy on a policy engine, would that be dangerous? Turns out, the answer is yes.

This initial research question took us down a fascinating rabbit hole, which started in the OPA (Open Policy Agent) Rego language and ended all the way in Terraform HCL (HashiCorp Configuration Language).

Infrastructure-as-code (IaC) is the backbone of DevOps for modern cloud applications. Due to the sensitivity and complexity of IaC deployments, policy engines and policy-as-code languages have emerged as key tools to govern these processes. They are also a common tool to govern operations within Kubernetes platforms (using Gatekeeper).

In this session, we'll explore malicious techniques for abusing modern policy-as-code and IaC domain-specific languages (DSLs). Supposedly, since these are hardened languages with limited capabilities, they should be more secure than standard programming languages, and indeed they are. However, more secure does not mean bulletproof. We'll explore techniques adversaries can use to manipulate these DSLs through third-party code to compromise cloud identities, conduct lateral movement, and exfiltrate sensitive data. We will be presenting novel techniques discovered in our research, such as DNS tunneling in DSLs.

This raises two immediate questions: are attackers already leveraging these techniques? Are common scanners able to detect them? We answer these questions by showing the results of our scan of the public Terraform registry, as well as the results of running popular scanners against our malicious configurations. We will conclude by presenting detection rules that defenders can use to detect these techniques and best practices that can be used to prevent them.

Breaking the Cloud
Main Room