duo.com Open in urlscan Pro
65.9.63.70  Public Scan

Form analysis
1 forms found in the DOM

GET /decipher/search

<form class="d-search__form" action="/decipher/search" method="GET" onsubmit="submitForm(); return false; " __bizdiag="0" __biza="WJ__">
  <input id="input_search" class="d-search__input" type="text" placeholder="Search..." value="">
  <button class="btn-magnify js-btn-magnify"><svg class="icon-magnify-thick" viewBox="0 0 512 512">
      <path
        d="m430 393l-114-114c13-20 22-44 22-71 0-69-56-125-126-125-69 0-125 56-125 125 0 69 56 126 125 126 27 0 51-8 71-23l115 115c4 4 10 7 16 7 6 0 12-3 16-7 9-9 9-24 0-33z m-297-185c0-43 35-78 79-78 43 0 78 35 78 78 0 44-35 79-78 79-44 0-79-35-79-79z">
      </path>
    </svg></button>
</form>

Text Content

 * All Articles
 * Who We Are
 * * 
   * 
   * 
   * 


Security news that informs and inspires


SEARCH





Aug 13, 2018


TRAILBLAZER HUNTS CREDENTIAL ABUSE IN AWS

By Fahmida Y.
Share

Knowing when credentials have been compromised or being able to identify
unauthorized login attempts is a difficult security challenge, cloud systems or
not. A new tool from Netflix’s security tools and operations team helps manage
these challenges in the cloud.

Netflix relies on Amazon Web Services for its infrastructure and computing
needs, and needs to know when a credential is potentially compromised, Will
Bengtson, a senior software security engineer at Netflix, said at Black Hat USA.
Netflix has hundreds of thousands of virtual server instances on AWS and
utilizes AWS Security Token Service to generate credentials for AWS Identity and
Access Management.

Netflix wanted to make sure tokens from STS weren’t being abused. IT
administrators generate tokens with AWS STS to grant trusted users temporary and
limited access to specific resources. The STS receives authentication
information from AWS IAM and generates credentials with expiration windows that
can be as short as a few minutes or as long as a several hours. While AWS won’t
give access to expired credentials, users can request new credentials before the
old one expires, and the service dynamically generates credentials as needed. By
using STS, IT administrators don’t have to manage credentials within AWS IAM for
these short-term requests.

At Netflix, we have hundreds of thousands of servers. They change constantly,
and there are 4,000 or so deployments every day," Bengtson said. "I really
wanted to know when a credential was being used outside of Netflix, not just
AWS.

If credentials were compromised, an unauthorized users could set up new AWS
infrastructure and log in using those compromised credentials.

Amazon offers a number of tools on AWS to continuously scan for threats and to
log every activity across instances. For example, GuardDuty uses machine
learning to analyze information collected in AWS CloudTrail, VPC Flow Logs, and
AWS DNS logs to find anomalies and alert customers. Netflix tracks event history
for AWS account activity using CloudTrail, the logging service enabled by
default on AWS instances that tells administrators everything that is happening
on the system.

Bengston created Trailblazer, an open-source tool currently available on GitHub,
to look at which AWS API calls were logged by CloudTrail and to make it easier
to find specific functions. CloudTrail logs are by definition huge, so searching
line-by-line is not sustainable, especially considering the size of Netflix’s
infrastructure. While Netflix uses Trailblazer to find compromised STS
credentials, it can be used to with other temporary security credentials such as
ECS and EKS, Bengston said.

Trailblazer collects the first API call from the IP address, instance ID,
assumed role records, and other related AWS data.

The tool "will enumerate all of your API calls in your environment and associate
that log with what is actually logged in CloudTrail," Bengtson said. "Not only
are you seeing that it's logged, you're seeing what it's logged as."

While it’s possible to find unauthorized logins by comparing each IP address in
CloudTrail against a list of all IP addresses the organization owns, it is not a
sustainable task. Maintaining such a list is a challenge, especially considering
that the ephemeral nature of the cloud means IP addresses change over time. This
approach is not sustainable for any decent-sized AWS environment, let alone the
operation Netflix has.

The administrator using Trailblazer doesn’t need to have a list of all IP
addresses or know how the infrastructure is organized. By looking at what calls
are being made, the administrator can quickly determine whether the calls for
those AWS credentials were coming from outside the organization.

The first call wins," Bengtson said. "As we see the first use of that temporary
[session] credential, we're going to grab that IP address and log it.

For example, an attacker would call the “GetCallerIdentity” function to find out
what account the attacker is using. A user using legitimate credentials would
already know what account is being used and not need to call the function.

The methodology behind Trailblazer relies heavily on how AssumeRole calls are
logged by CloudTrail. The tool scales with the the AWS environment and number of
accounts and doesn’t require administrators to maintain a full list of IP
addresses allocated to the account. However, it should not be viewed as the only
security tool.

“Do bear in mind the “defense in depth” truism: this should only constitute one
“layer” of your security tactics in AWS,” Bengtson wrote.

Cloud Aws

Related

Cloud Security Aws


FINDING BADNESS IN AWS WITH PATROLAROID

A new tool called Patrolaroid scans AWS instances and S3 buckets for malware by
taking snapshots rather than using an agent to...

Government Cloud Identity


TRUMP EXECUTIVE ORDER FOCUSES ON RULES FOR CLOUD PROVIDERS

One of the last executive orders for the outgoing Trump Administration
authorized the Commerce Department to create "know your...

Cloud


ATTACKERS EYEING CLOUD PLATFORMS

Attack groups are increasingly focusing their attention on cloud platforms and
services as common entry points for victim...

 * 
 * 
 * 
 * 

All Articles Who We Are
Copyright 2022 Duo Security
Terms & Conditions Privacy Notice
Top