CEH v11 Cloud Computing
Anti-virus
AV
AssumeRole
AWS IAM policy permissions that are flexible, but misconfigurations in the role permissions can open doors to various attacks.
Shared Technology Issues
Most underlying components that make up the cloud infrastructure (e.g., GPU and CPU caches) do not offer strong isolation properties in a multi-tenant environment which allows attackers to attack other machines if they can exploit the vulnerabilities in a
Network protocol by Cisco
Netflow
No Back-off Process for Scheduling
No back-off process for scheduling the execution of Kubernetes pods This causes a tight loop as the scheduler continuously schedules a pod that is rejected by the other processes
Container Technology Tier-4
Orchestrators - transforming images into containers and deploying containers to hosts
Mixing of Workload Sensitivity Levels
Orchestrators place workloads with different sensitivity levels on the same host. If a container hosts a public webserver with vulnerabilities, it may pose a threat to containers processing sensitive information.
Compliance Risks
Organizations that seek to obtain compliance with standards and laws may be put at risk if the CSP cannot provide evidence of their own compliance with the necessary requirements, outsources cloud management to third parties, and/or does not permit audit by the client
Non-Updated Images
Outdated images contain security loopholes and bugs that compromise the security of images.
Public key infrastructure
PKI
Theft of Computer Equipment
Poor controls over the physical parameters such as smart card access at the point of entry may lead to the loss of physical equipment and sensitive data
A2 - Broken Authentication
Poor design of identity and access controls
R7 - Multi Tenancy and Physical Security
Poor logical segregation may lead to tenants interfering with the security features of other tenants
Network Management Failure
Poor network management leads to network congestion, misconnection, misconfiguration, lack of resource isolation, etc., which affects service and security
A7 - Security Misconfiguration
Poor patch management, functions with long timeout and low concurrency
AWS pwn
AWS hacking tool that includes various automated scripts for hacking phases such as reconnaissance, escalating privileges, maintaining access, and clearing tracks
Vulnerabilities in AWS-Hosted Applications
Allows attackers to perform attacks such as reading local files and server-side request forgery to steal AWS IAM credentials
None
Allows the container to implement its own networking stack and is isolated from the host networking stack
Real traffic grabber
RTG
Container Technology Tier-3
Registries - storing images and disseminating images to the orchestrators based on requests
Loss of Business Reputation due to Co-tenant Activities
Resources are shared in the cloud, thus malicious activity by one co-tenant might affect the reputation of the another, resulting in poor service delivery, data loss, etc. that can be detrimental to an organization
Dump instance metadata
Retrieves important information metadata of EC2 instances. Extract metadata for the instance the command is run.
Password Reuse
Reusing the same passwords for multiple services enables attackers to compromise the credentials and gain access to other cloud services
Tools used to Identify S3 buckets
S3Scanner, lazys3, Bucket Finder, and s3-buckets-bruteforcer lazys3, Bucket Finder, and s3-buckets-bruteforcer
Security development lifecycle
SDL
VULNERABILITY: Cross-Site Scripting (XSS)
SOLUTIONS: - Encode all untrusted data before transmitting to the client - Use only well-known frameworks and headers
VULNERABILITY: No Certificate Revocation
SOLUTIONS: - Ensure that nodes maintain the Certificate Revocation List (CRL) -Insist that administrators use OCSP stapling for revoking certificates
VULNERABILITY: Insecure Deserialization
SOLUTIONS: - Ensure validation of serialized objects originating from untrusted data - Scan third-party libraries for deserialization vulnerabilities
VULNERABILTY: Sensitive Data Exposure
SOLUTIONS: - Identify and classify sensitive data - Encrypt data both in transit and at rest - Implement HTTPS endpoints for APIs
VULNERABILITY: No Back-off Process for Scheduling
SOLUTIONS: - Implement a back-off process for kube-scheduler to prevent tight-loops
VULNERABILITY: Log Rotation is not Atomic
SOLUTIONS: - Implement a copy-then-rename technique to ensure logs are not lost during log rotation -Avoid using log rotation, and implement persistent logs that add log data linearly
VULNERABILITY: Injection
SOLUTIONS: - Implement safe API, and employ parametrized interfaces or Object Relational Mapping Tools - Avoid special characters using a specific escape syntax in dynamic SQL queries
VULNERABILITY: Using Components with Known Vulnerabilities
SOLUTIONS: - Perform continuous monitoring of third-party libraries and dependencies - Deploy only signed packages and components from official sources
VULNERABILITY: XML External Entities (XXE)
SOLUTIONS: - Scan supply chain libraries for vulnerabilities - Test API calls for XXE vulnerabilities - Always disable Entity Resolution
VULNERABILITY: Non-constant Time Password Comparison
SOLUTIONS: - Use a safe constant-time comparison function such as crypto.subtle.ConstantTimeCompare - Disapprove basic authentication mechanisms for secure options
VULNERABILITY: Security Misconfiguration
SOLUTIONS: - Use the cloud provider's built-in services such as AWS Trust Advisor, to identify public resources - Identify functions with unlinked triggers - Set the functions with a minimum timeout required
VULNERABILITY: Hardcoded Credential Paths
SOLUTIONS: -Define a configuration method for credential paths, and avoid hardcoding credential paths -Allow cross-platform configuration through path generalization
VULNERABILITY: Insufficient Logging and Monitoring
SOLUTIONS: Employ cloud service provider's monitoring tools such as Azure Monitor, or AWS CloudTrail to detect anomalous behavior
VULNERABILITY: Broken Access Control
SOLUTIONS: Follow the least-privilege principle while granting permissions to functions
VULNERABILITY: Unauthenticated HTTPS Connections
SOLUTIONS: - Authenticate all HTTPS connections within the system - Ensure that all the components use CA maintained by the kube-apiserver - Implement two-way TLS for all the connections
VULNERABILITY: Exposure of Sensitive Data via Environment Variables
SOLUTIONS: - Avoid collecting sensitive data directly from environment variables -Use Kubernetes secrets in all components of the system
VULNERABILITY: Secrets at Rest not Encrypted by Default
SOLUTIONS: -Define and document configurations required for different levels of security
VULNERABILITY: Broken Authentication
SOLUTIONS: -Employ identity and access control solutions -Implement strong authentication and access control on external-facing resources -Employ secure service authentication methods such as Federated Identity
VULNERABILTY: No Non-repudiation
SOLUTIONS: -Use secondary logging mechanisms for processes that require strict non-repudiation and auditing -All authentication events should be logged and retrievable from a central location
VULNERABILITY: Exposed Bearer Tokens in Logs
SOLUTONS: - Remove the bearer token from the system logs - Perform code reviews to ensure sensitive data is not logged and implement logging filters
A1 - Injection
SQL/NoSQL injection, OS command injection, Code injection
Secure web gateway
SWG
Secrets at Rest not Encrypted by Default
Secrets defined by users are not encrypted by default. Attackers gaining access to etcd servers can retrieve unencrypted secrets
Hijacked Repository and Infected Resources
Security misconfiguration and bugs allow gaining unauthorized access to the repository that can poison the resources by altering or deleting files.
Public Cloud
Services are rendered over a network that is open for public use. May be free or based on a pay-per-usage model (e.g., Amazon Elastic Compute Cloud (EC2), Google App Engine, Windows Azure Services Platform, IBM Bluemix).
Accessing Container
Similar to accessing nodes, attackers can also retrieve the same information within the container itself. By attacking volumes from a container, attackers can configure the hostpath volume type to retrieve sensitive information from a node. Attackers can further use filesystem tools to browse all m
A3 - Sensitive Data Exposure
Storing sensitive data in plaintext or using weak encryption
Trusted platform module
TPM
VM-Level Attacks
The cloud extensively uses virtualization technology. This threat arises due to the existence of vulnerabilities in the hypervisors
R5 - User Privacy and Secondary Usage of Data
The default share feature in social web sites can jeopardize the privacy of user's personal data
Lock-in
The difficulties experienced by a user when migrating from in-house systems or from one cloud service provider to another due to the lack of tools, procedures, or standard data formats, poses potential threats to data, application, and service portability
Large attack surface
The host OS consists of many containers, applications, VMs, and databases in the cloud or on-premises. It implies a large number of vulnerabilities and an increased difficulty in detecting them.
Loss of Encryption Keys
The loss of encryption keys required for secure communication or systems access provide a potential attacker with the opportunity to get unauthorized access to assets
Licensing Risks
The organization may incur a huge licensing fee if the software deployed in the cloud is charged on a per instance basis
Cloud Service Termination or Failure
The termination of cloud service due to non-profitability or disputes might lead to data loss unless end-users are legally protected
wrapping attack
An attack performed during the translation of the SOAP message in the TLS layer, where attackers duplicate the body of the message and send it to the server as a legitimate user.
Domain Name System (DNS) Attacks
An attack used to obtain authentication credentials from Internet users.
Exploiting SSRF Vulnerability
An attacker exploits a web application that is hosting the cloud service to retrieve the AWS credentials for a role, add the retrieved credentials to the local aws-cli, retrieve user account details from S3 buckets, and gain access and exfiltrate the data stored in all the buckets related to that account.
Kubernetes
An open-source container orchestration engine for automating deployment, scaling, and management of containerized applications
Application security
App Sec
Inspecting HTML
Attackers attempt to perform HTML source code analysis to gather information about the S3 buckets. Analyzing the source code of HTML web pages in the background allows attackers to find URLs to target S3 buckets.
No Certificate Revocation
Attackers can exploit the certificate before it is replaced across the entire cluster
Exploiting Third-Party Software
Attackers compromise third-party software used to manage cloud services to gain high-level access to the data stored in the cloud environment
Abuse and Nefarious Use of Cloud Services
Attackers create anonymous access to cloud services and perpetrate attacks. ex: Password and key cracking, Building rainbow tables, CAPTCHA-solving farms, Launching dynamic attack points, Hosting exploits on cloud platforms, Hosting malicious data, Botnet command or control DDoS
Repository Misconfigurations
Attackers exploit misconfigurations while hosting AWS keys in a shared storage on the internal network such as the Git repository to access the AWS IAM keys
Exposed Bearer Tokens in Logs
Attackers having access to the system logs can impersonate a legitimate user
SQL Injection Attacks
Attackers insert malicious code (generated using special characters) into a standard SQL code to gain unauthorized access to a database and ultimately to other confidential information.
Network-based attacks
Attackers may exploit failed containers having active raw sockets and outbound network connections to launch various network-based attacks.
Loss/ Modification of Backup Data
Attackers might exploit vulnerabilities such as SQL injection, insecure user behavior like storing passwords, and reusing passwords to gain illegal access to the data backups in the cloud
Advanced Google Hacking
Attackers use advanced Google search operators, such as "inurl", to search for URLs related to the target S3 buckets.
Reverse IP Search
Attackers use search engines, such as Bing, to perform reverse IP search to identify domains of target S3 buckets. Attackers use the advance search operator ip:<target IP address> in the Bing search engine to obtain different domains related to the target bucket that resolves the given IP address.
Social Engineering
Attackers use techniques such as fake emails, calls, or SMSs to trick the users into revealing AWS IAM credentials.
DumpsterDiver
Attackers use this tool to identify potential secret leaks and hardcoded passwords in the target cloud services, by examining a large volume of file types while scanning hardcoded secret keys, such as AWS access, SSL, and Microsoft Azure keys.
Finding subdomains
Attackers use tools, such as Findsubdomains and Robtex, to identify subdomains related to the target bucket.
Bypassing isolation
Attackers, after compromising the security of a container, may escalate privileges to gain access to other containers or the host itself.
R4 - Business Continuity and Resiliency
There can be business risk or monetary loss if the cloud provider handles the business continuity improperly
R3 - Regulatory Compliance
There is a lack of transparency, and there are different regulatory laws in different countries
Detective controls
These controls detect and react appropriately to occurring incidents. Example: Employing IDSs, IPSs, etc. helps detect attacks on cloud systems.
Corrective controls
These controls minimize the consequences of an incident by limiting the damage. Example: Restoring system backups.
Deterrent controls
These controls reduce attacks on the cloud system. Example: A warning sign on the fence or property to inform potential attackers of adverse consequences if they proceed to attack
Preventive controls
These controls strengthen the system against incidents by minimizing or eliminating vulnerabilities. Example: A strong authentication mechanism to prevent unauthorized use of cloud systems.
Network Drivers
These drivers are pluggable so that multiple network drivers can be used concurrently on the same network.
Automated management
By minimizing user involvement, cloud automation speeds up the process and reduces labor costs and the possibility of human error.
Unsynchronized System Clocks
Can affect the working of automated tasks. The network administrator cannot accurately analyze the log files for any malicious activity, if the timestamps are mismatched.
Impetuous Image Creation
Careless creation of images without considering the security safeguards or control aspects leads to vulnerabilities in the images
Conflicts between Client Hardening Procedures and Cloud Environment
Certain client hardening procedures may conflict with a cloud provider's environment, making their implementation by the client impossible
Insecure Interfaces and APIs
Circumvention of user defined polices, Credentials leakage, Breach in logging and monitoring facilities Dependency on unknown APIs, Reuse of passwords/tokens, Poor input-data validation
Unknown Risk Profile
Client organizations are unable to get a clear picture of the internal security procedures, security compliance, configuration hardening, patching, auditing, and logging, etc. as they are less involved with hardware and software ownership and maintenance in the cloud
Security-as-a-Service (SECaaS)
This cloud computing model integrates security services into corporate infrastructure in a cost-effective way. It is developed based on SaaS and does not require any physical hardware or equipment. Therefore, it drastically reduces the cost compared to that spent when organizations establish their own security capabilities. It provides services such as penetration testing, authentication, intrusion detection, anti-malware, security incident and event management (e.g., eSentire MDR, Switchfast Technologies, OneNeck IT Solutions, McAfee Managed Security Services).
Management Layer Security Controls
This layer covers the cloud security administrative tasks, which can facilitate continued, uninterrupted, and effective services of the cloud. GRC, IAM, VA/VM, Patch Management, Configuration Management, Monitoring
Physical Layer Security Controls
This layer includes security measures for cloud infrastructure, data centers, and physical resources. Physical Plant Security, CCTV, Guards
Endpoint
To maintain application portability, an endpoint is connected to a network and is abstracted away from the application, so that services can implement different network drivers.
Cloud Container Attack Tool (CCAT)
Tool used for exploiting docker containers on AWS.
R6 - Service and Data Integration
Unsecured data in transit is susceptible to eavesdropping and interception attacks
A7 - Cross-Site Scripting (XSS)
Untrusted input used to generate data without properly escaping
Buckets
Used for static file storage.
packet sniffers
Used to capture sensitive data such as passwords, session cookies, and other web service-related security configuration files such as the UDDI (Universal Description Discovery and Integrity), SOAP (Simple Object Access Protocol) and WSDL (Web Service Description Language)
Docker inspect command
Used to detect external storage mounts, such as S3 and network file system (NFS).
S3Inspector
Used to enumerate AWS S3 bucket permissions. By using this tool, attackers can verify whether a bucket is public or non-public.
S3Scanner
Used to identify open S3 buckets of cloud services, such as Amazon AWS, and retrieve their content for malicious purposes.
Cross-Site Scripting (XSS) Attack
Used to steal cookies used in the user authentication process; this involves injecting a website with malicious code, which is subsequently executed by the browser.
A4 - XML External Entities (XXE)
Using XML processors might make the application vulnerable to XXE attacks
R10 - Non-Production Environment Exposure
Using non-production environments increases the risk of unauthorized access, information disclosure, and information modification.
R1 - Accountability and Data Ownership
Using the public cloud for hosting business services can cause severe risk for the recoverability of data.
Unreliable Third-Party Resources
Using untrusted third-party resources causes severe threat and makes the resources vulnerable to malicious attacks.
Virtual application/Virtual machine
VA/VM
Virtual private network
VPN
Accessing Master Nodes
Volume configurations, such as iSCSI, store configuration details in the form of secrets. If attackers gain access to the API or etcd, they can easily retrieve the configuration details of these volumes.
Exploited Applications
Vulnerable applications can be exploited using various techniques (e.g., SQLi, XXS, RFI).
Web application firewall
WAF
Illegal Access to the Cloud
Weak authentication and authorization controls could lead to illegal access, thereby compromising confidential and critical data stored in the cloud
Authentication Attacks
Weak authentication mechanisms (weak passwords, re-use of passwords, etc.) and the inherent limitations of one-factor authentication mechanisms can allow an attacker to gain unauthorized access to cloud computing systems
Loss of Governance
When using cloud infrastructures, the customer gives up control to the cloud service provider including control of issues that may affect security
dockerscan
a Docker analysis and hacking tool that allows attackers to perform various malicious activities such as scanning networks to identify Docker registries, manipulating registries, analyzing images for retrieving sensitive information, and extracting and modifying Docker images
Kube-bench
a Go application used to check whether Kubernetes is securely deployed by running checks according to the center for internet security Kubernetes benchmark documentation. It performs permission, authentication, and security checks across Kubernetes clusters and secures containers data.
Networking
a channel through which all isolated containers communicate.
McAfee MVISION Cloud
a cloud security platform that provides real-time protection for enterprise data and users across all cloud services. It allows security professionals to gain complete visibility into data, context, and user behavior across all cloud services and devices, take real-time action deep within cloud services to correct policy violations and stop security threats, and apply persistent protection to sensitive information.
Server-Side Request Forgery
a common web application vulnerability used by the attackers to send random web requests to the victims from a compromised web server.
Cloud storage
a data storage medium used to store digital data in logical pools using a network.
Etcd
a distributed and consistent key-value storage, where Kubernetes cluster data, service discovery details, API objects, etc. are stored.
cluster
a group of computers known as nodes, which execute the applications inside the containers
Kube-controller-manager
a master component that runs controllers.
Kube-scheduler
a master component that scans newly generated pods and allocates a node for them. It assigns the nodes based on factors such as the overall resource requirement, data locality, software/hardware/policy restrictions, and internal workload interventions.
Kuryr
a network plugin that implements the Docker libnetwork remote driver by using Neutron, an OpenStack networking service, and also includes an IPAM driver.
Social engineering
a non-technical intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures
Cloud Security Alliance (CSA)
a nonprofit global organization that provides rising awareness and promotes best practices and security policies to help and secure the cloud environment.
container
a package of an application/software including all its dependencies such as library files, configuration files, binaries, and other resources that run independently of other processes in the cloud environment.
Server
a persistent back-end process, also known as a daemon process (dockerd command).
Metadata Spoofing Attack
a process of changing or modifying service metadata written in the web service definition language (WSDL) file, where the information regarding service instances is stored.
Loss of Operational and Security Logs
a risk for managing the implementation of the information security management program
IBM Cloud
a robust suite of advanced data and AI tools and deep industry expertise. It provides various cloud services, such as IaaS, SaaS, and PaaS, through public, private, and hybrid cloud delivery models. These services include computing, networking, storage, management, security, databases, analytics, AI, IoT, mobile, Dev tools, and blockchain.
Simple storage service (S3)
a scalable cloud storage service used by Amazon AWS where files, folders, and objects are stored via web APIs.
GCPBucketBrute
a script-based tool that allows attackers to enumerate Google storage buckets, determine what kind of access they have for them, and check whether they can be privilege escalated
Zero Trust model
a security implementation that by default assumes every user trying to access the network is not a trusted entity and verifies every incoming connection before allowing access to the network. This model prevents users/employees from accessing a network without being verified.
Microsoft Azure Functions
a serverless computing platform that allows users to run code without provisioning and managing servers. It is fully automated and provides scaling based on the workload volume; this feature lets users add more values without thinking about back-end server management.
Protego
a serverless security platform that provides complete lifecycle security to serverless applications from deployment to runtime.
CaaS
a service that includes the virtualization of containers and container management through orchestrators.
Container Runtime
a software designed to run the containers. Kurbernetes supports various container runtimes, such as Docker, rktlet, containerd, and cri-o.
Volumes
a storage where persisting data created by Docker and used by Docker containers are stored.
Cloudborne
a vulnerability residing in a bare-metal cloud server that enables attackers to implant malicious backdoor in its firmware.
Front-end layer
accessed by the end user where it provides APIs for the management of data storage
service hijacking
an attacker steals the credentials of a CSP or a client by phishing, pharming, social engineering, and exploitation of software vulnerabilities.
MITM attacks
an attacker uses an exploit that intercepts and manipulates the communication between two parties
Qualys Cloud Platform
an end-to-end IT security solution that provides a continuous, always-on assessment of the global security and compliance posture, with visibility across all IT assets irrespective of where they reside
Docker
an open source technology used for developing, packaging, and running applications and all its dependencies in the form of containers, to ensure that the application works in a seamless environment
Pacu
an open-source AWS exploitation framework for enumerating and hijacking IAM roles. The tool contains a 1100+ wordlist of commonly used role names.
Contiv
an open-source network plugin introduced by Cisco for building security and infrastructure policies for multi-tenant microservices deployments.
enumerate IAM role names
analyzing the AWS error messages, which reveal information regarding the existence of a user.
IPAM Drivers
assign default subnet and IP addresses to the endpoints and networks, if they are not assigned.
Session Riding
attackers "ride" an active computer session by sending an email or tricking users into visiting a malicious webpage during login to an actual target site.
Cloud Malware Injection Attack
attackers install malicious service implementations or virtual machines into the cloud services that run as SaaS, PaaS, or IaaS.
Isolation Failure
attackers may try to control operations of other cloud customers to gain illegal access to the data
Brute-forcing URL
attackers perform brute-force attacks on the target bucket to identify the correct bucket UR.
Man-in-the-Cloud (MITC) Attack
attacks are carried out by abusing cloud file synchronization services, such as Google Drive or DropBox, for data compromise, command and control (C&C), data exfiltration, and remote access.
Trivy
automated tool used to perform container image vulnerability scanning.
Automatic bin packing
can manage a cluster of nodes that run containerized applications.
env
command on a container returns all the details, including the credentials used to initiate the containers.
Sandbox
comprises the container network stack configuration for the management of container interfaces, routing tables, and domain name system (DNS) settings.
Unauthenticated HTTPS Connections
connections between the components are not authenticated properly Attackers can gain unauthorized access to kubelet-managed Pods and retrieve sensitive information
Container images
consist of an operating system, application, runtime, etc. packaged together.
Trusted Computing Layer Security Controls
defines a secured computational environment that implements internal control, auditability, and maintenance to ensure the availability and integrity of cloud operations. Hardware and software RoT and API's
Docker networking architecture
developed on a set of interfaces known as the container network model (CNM), which provides application portability across heterogeneous infrastructures.
Microservices
divide and distribute the application workload, providing stable, seamless, and scalable services by interacting with each other.
Docker architecture
employs a client/server model and consists of various components, such as the host, client, network, registry, and other storage units.
Application Layer Security Controls
establish the policies that match the industry adoption security standards; e.g., OWASP for a web application. It should meet and comply with appropriate regulatory and business requirements. SDLC, Binary Analysis, Scanners, Web App Firewalls, Transactional Sec
Hardware Failure
failures such as switches and servers in data centers can make the cloud data inaccessible
Cryptanalysis Attacks
flaws in cryptographic algorithm implementations (e.g., weak random number generation) may turn strong encryption to weak or broken.
DoS Attacks
flooding the server with multiple requests to consume all available system resources, passing malicious input to the server that crashes an application process, entering wrong passwords continuously so that the user account is locked, etc.
Cloud Hacking
gaining access to user data and blocking access to cloud services.
AWS accounts
identified via unique IDs, which, when exposed in the public domain, can be leveraged by attackers to target cloud services.
Sysdig
identifies Kubernetes vulnerabilities by integrating continuous integration (CI) or continuous delivery/deployment (CD) pipelines, image registry, and Kubernetes admissions controllers and also validates container images at the orchestration level using the Kubernetes admission controller feature.
Tier-1: Developer machines
image creation, testing and accreditation
Docker client
interacts with the Docker daemon, which develops, runs, and distributes the containers.
DDoS attack
involves a multitude of compromised systems attacking a single target, thereby causing a denial of service to users of the targeted system.
Network sniffing
involves interception and monitoring of network traffic which is being sent between the two cloud nodes
Docker Registries
locations where images are stored and pulled, and can be either private or public.
Cloud Provider Acquisition
may increase the probability of a tactical shift which may put non-binding agreements at risk. This could make it difficult to satisfy the security requirements
Docker Backdoor
module used to create a reverse shell backdoor replacing the default CMD command.
Pull Repos from ECR
module used to download the target repository
Enumerate ECR
module used to list the details of available ECR repositories.
Push Repos to ECR
module used to upload the modified Docker image to the ECR repository.
Docker Swarm
multiple Docker engines within the Docker platform.
Distributed storage
offers the cloud better scalability, availability, and reliability of data. However, can potentially raise security and compliance concerns.
Tier-5: Hosts
operating and managing containers as instructed by the orchestrator
Middleware layer
performs several functions such as data de-duplication and replication of data
Google Cloud Platform (GCP)
provides IaaS, PaaS, and serverless computing services. These include computing, data storage and analytics, machine learning, networking, bigdata, cloud AI, management tools, identity and security, IoT, and API platforms.
CloudPassage Halo
provides comprehensive security visibility and continuous compliance for public cloud infrastructure. It is a security automation platform that delivers comprehensive visibility, protection, and continuous compliance monitoring to reduce cyber security risks. It provides features such as discovering all cloud assets, reducing public cloud attack surface, identifying critical risks, and maintaining continuous compliance.
Amazon Web Service (AWS)
provides on-demand cloud computing services to individuals, organizations, the government, etc. on a pay-per-use basis.
Node components
run on each node in the cluster, managing working pods and supplying the Kubernetes runtime services.
Aqua
scans container images, VMs, and serverless functions for known vulnerabilities, embedded secrets, configuration and permission issues, malware, and open-source licensing. This tool restricts untrusted code from running and ensures that functions, containers, and VMs remain immutable, thus preventing any changes to running workloads compared with their originating images.
Tier-3: Registries
storing images and disseminating images to the orchestrators based on request
Man-in-the-Browser attacks
target a user's web-browser by injecting sophisticated malware (e.g., bots) that allow attackers to monitor information being shared between the user's browser and cloud application.
CloudGoat
the "Vulnerable by Design" AWS deployment tool developed by Rhino Security Labs. It allows you to hone your cloud cybersecurity skills by creating and completing several "capture-the-flag" style scenarios.
side-channel attack
the attacker runs a virtual machine on the same physical host as the victim's virtual machine and takes advantage of the shared physical resources (processor cache) to steal data (cryptographic keys) from the victim
Client CLI
the command-line interface used to communicate with the daemon and where various Docker commands are initiated.
cloud-controller-manager
the master component used to run controllers that communicate with cloud providers. It enables the Kubernetes code and cloud provider code to evolve separately.
Supply Chain Failure
Cloud providers outsource certain tasks to third parties. Thus the security of the cloud is directly proportional to the security of each link and the extent of dependency on third parties A disruption in the chain may therefore lead to a loss of data privacy and integrity, as well as services unavailability, a violation of the SLA, and economic and reputational losses, which in turn results in the failure to meet customer demand and cascading
Broad network access
Cloud resources are available over the network and accessed through standard procedures via a wide variety of platforms, including laptops, mobile phones, and personal digital assistants (PDAs).
Cryptojacking
the unauthorized use of the victim's computer to stealthily mine digital currency.
Create DB snapshot
tool allows attackers to access the information stored in a database by creating a snapshot and restoring it.
Orchestrators
tools that allow DevOps administrators to fetch images from the registries, deploy them into containers, and manage container operation.
Tier-4: Orchestrators
transforming images into containers and deploying containers to host
Cloud Hopper attacks
triggered at managed service providers (MSPs) and their customers. Once the attack is successfully implemented, attackers can gain remote access to the intellectual property and critical information of the target MSP and its global users/customers.
Synchronization tokens
used for application authentication in the cloud but cannot distinguish malicious traffic from normal traffic.
AWS IAM
used for providing identity management capabilities to AWS customers and manage the AWS user identities and their changing levels of access to the AWS resources.
Docker Objects
used to assemble an application.
Non-constant Time Password Comparison
using basic password authentication, does not perform secure comparison of secret values. Attackers can launch timing attacks to retrieve passwords
Tier-2: Testing and accreditation systems
verification and validation of image contents, signing images and sending them to the registries.
Back-end layer
where the hardware is implemented
Class of service/Quality of service
CoS/QoS
Hybrid Cloud
Combination of two or more clouds (private, community, or public) that remain unique entities but are bound together, thereby offering the benefits of multiple deployment models. In this model, the organization makes available and manages some resources in-house and provides other resources externally (e.g., Microsoft Azure, Zymr, Parangat, Logicalis). Example: An organization performs its critical activities on the private cloud (e.g., operational customer data) and non-critical activities on the public cloud.
Configuration control
Config Control
Ecosystem complexity
Containers are built, deployed, and managed using multiple vendors and sources. This makes it complex to secure and update the individual components because they originate from different repositories.
DevOps speed
Containers can be executed promptly and, after execution, are stopped and removed. This fugitiveness helps attackers launch attacks and hide themselves without installing any malicious code.
Inflow of vulnerable source code
Containers constitute an open-source platform used by developers to regularly update, store, and use images in a repository. This results in an enormous uncontrolled code that may include vulnerabilities, which can compromise security.
Compromising secrets
Containers require sensitive information, such as API keys, usernames, or passwords, for accessing any services. Attackers who illicitly gain access to this sensitive information can compromise security.
Container breakout to the host
Containers that runs as root may break the containment and gain access to the host OS through privilege escalation.
ls command to retrieve files stored on the Docker host
$ docker -H <Remote IP:Port> exec modest_goldstine ls
command to get an image of Alpine Linux
$ docker -H <Remote IP:Port> pull alpine
command to create a container from the image
$ docker -H <Remote IP:Port> run -t -d alpine
Bridge
Creates a Linux bridge on the host that is managed by the Docker
MACVLAN
Creates a network connection between container interfaces and its parent host interface or sub-interfaces
Create new user
Creates a new IAM user using existing credentials.
R2 - User Identity Federation
Creating multiple user identities for different cloud providers makes it complex to manage multiple user IDs and credentials
Management Interface Compromise
Customer management interfaces of cloud providers are accessible via the Internet and facilitate access to many resources. This enhances the risk, particularly when combined with remote access and web browser vulnerabilities
Distributed denial of service
DDoS
Data loss prevention
DLP
Data Breach/Loss
Data is erased, modified or decoupled (lost). Encryption keys are lost, misplaced or stolen. Illegal access to the data in the cloud due to improper authentication, authorization, and access controls and Misuse of data by the Cloud Service Provider (CSP)
Natural Disasters
Depending on geographic location and climate, data centers may be exposed to natural disasters such as floods, lightening, earthquakes, etc. that can affect the cloud services
A8 - Insecure Deserialization
Deserialization vulnerabilities in Python, JavaScript, etc.
Information Layer Security Controls
Develop and document an information security management program, which includes administrative, technical, and physical safeguards to protect information against unauthorized access, modification, or deletion. DLP, CMF, Database Activity Monitoring, Encryption
Container Technology Tier-1
Developer machines - image creation, testing and accreditation
iam_privesc_by_attachment
Discover and attach existing instance profiles to elevate privileges.
Malicious Insiders
Disgruntled current or former employees, contractors, or other business partners who have authorized access to cloud resources, can misuse their access to compromise the information available in the cloud
Data Exposure in Docker Files
Docker images exposing sensitive information, such as passwords and SSH encryption keys, can be exploited to compromise the security of the container.
R8 - Incidence Analysis and Forensic Support
Due to the distributed storage of logs across the cloud, law enforcement agencies may face problems in forensics recovery
Dump permissions
Dump permissions
Log Rotation is not Atomic
During log rotation, if the kubelet is restarted, all the logs may be erased The attacker waits for the log rotation to happen by monitoring it and then tries to remove all the logs
Multi Cloud
Dynamic heterogeneous environment that combines workloads across multiple cloud vendors, managed via one proprietary interface to achieve long term business goals. Uses multiple computing and storage services from different cloud vendors. It distributes cloud assets, software, applications, etc. across various cloud-hosting environments. Organizations use this cloud environment for distributing computing resources, thereby increasing computing power and storage capabilities, and limiting the data loss and downtime risk to a great extent (e.g., Microsoft Azure Arc, AWS Kaavo IMOD, Google Cloud Anthos).
Encryption
ENC
Overlay
Enables container to container communication over the physical network infrastructure
iam_privesc_by_rollback
Enumerate IAM policy versions and roll back to a previous version with higher privileges.
Exposure of Sensitive Data via Environment Variables
Environmental variables allow settings to be derived from the variables. Attackers can gain access to the stored values through environment logging
Virtualization
Essential technology that powers cloud computing. It provides the ability to run multiple OSs on a single physical system and share the underlying resources, such as servers, storage devices, or networks.
codebuild_secrets
Explore CodeBuild and SSM to discover plaintext secrets in a secure database.
Dump credentials:
Extracts the credentials available with this host and prints them out to the console.
Firewall
FW
ec2_ssrf
Find and exploit the EC2 metadata service to get keys using a server-side request forgery (SSRF) vulnerability in a web app.
rce_web_app
Find the secret endpoint and exploit a web app remote code execution vulnerability to gain root EC2 access inside a virtual private cloud (VPC).
Governance, risk, and compliance
GRC
Unauthorized Access
Gaining access to user accounts leads to privilege escalation attacks.
A5 - Broken Access Control
Granting functions access and more privileges to unnecessary resources
Identity and access management
IAM
Intrusion prevention system
IPS
Economic Denial of Sustainability (EDOS)
If an attacker engages the cloud with a malicious service or executes malicious code that consumes a lot of computational power and storage from the cloud server, then the legitimate account holder is charged for this kind of computation until the primary cause of CPU usage is detected
Subpoena and E-Discovery
If customer data or services are subpoenaed or subjected to a cease and desist request from authorities or third parties, access to such data and services may be compromised
No Non-repudiation
If debug mode is disabled, kube-apiserver does not record user actions. Attackers can directly interact with kube-apiserver and perform various malicious activities
Improper Data Handling and Disposal
If it is difficult to ascertain data handling and disposal procedures followed by CSPs due to limited access to cloud infrastructure, such data may be compromised
Hardcoded Credential Paths
If the cluster token and the root CA are stored in different locations, an attacker can insert a malicious token and the root CA to gain access to the entire cluster
Insufficient Due Diligence
Ignorance of the CSP's cloud environment poses risks to operational responsibilities such as security, encryption, incident response, and other issues such as contractual issues, design, and architectural issues
Insecure Container Runtime Configurations
Improper handling of the configuration option and mounting sensitive directories on the host cause faulty and insecure runtime configurations.
Computation and Storage Layer Security Controls
In the cloud, owing to the lack of physical control of the data and the machine, the service provider may be unable to manage the data and computation and lose the trust of the cloud consumers. CSPs must establish policies and procedures for data storage and retention and implement appropriate backup mechanisms to ensure availability and continuity of services that meet with statutory, regulatory, contractual, or business requirements and compliance. Host-based Firewalls, HIDS/HIPS, Integrity & File/Log Management, Encryption, Masking
Modifying Network Traffic
In the cloud, the network traffic may be modified due to flaws while provisioning or de-provisioning the network, or vulnerabilities in communication encryption and may cause loss, alteration, or theft of confidential data and communications
A10 - Insufficient Logging and Monitoring
Insufficient security monitoring and auditing
Cybersquatting
Involves conducting phishing scams by registering a domain name that is similar to a CSP.
DNS Poisoning
Involves diverting users to a spoofed website by poisoning the DNS server or the DNS cache on the user's system.
Domain Snipping
Involves registering an elapsed domain name.
Domain Hijacking
Involves stealing a CSP domain name.
Network Layer Security Controls
It deals with various measures and policies adopted by a network administrator to monitor and prevent illegal access, misuse, modification, or denial of network-accessible resources. NIDS/NIPS, Firewalls, DPI, Anti-DDoS, QoS, DNSSEC, OAuth
Accessing Nodes
Kubelet manages pods, so if attackers gain access to a node in a pod, they can easily access all volumes used within the pod.
Load balancer
LB
A9 - Using Components with Known Vulnerabilities
Lack of knowledge on component-heavy deployment patterns
Undertaking Malicious Probes or Scans
Malicious probes or scanning allows an attacker to collect sensitive information that may lead to a loss of confidentiality, integrity, and availability of services and data
Exposed Services due to Open Ports
Misconfiguration of an application may allow port access and exposure of sensitive information upon port scanning.
R9 - Infrastructure Security
Misconfiguration of infrastructure may allow network scanning for vulnerable applications and services.
Hijacked Image Registry
Mismanaged configurations and vulnerabilities can be exploited to compromise the registry and image hubs.
Docker Daemon
(dockerd) processes the API requests and handles various Docker objects, such as containers, volumes, images, and networks.
Risks from Changes of Jurisdiction
A change in the jurisdiction of the data can lead to the risk that the data or information system may be blocked or impounded by a government or other organization
Git repository
A common place most organizations host their AWS keys in a shared storage on an internal network
Embedded Malware
A container image may be embedded with malware after creation, or hardcoded functions may download malware after image deployment.
Noisy neighboring containers
A container may consume and exhaust all available system resources, which directly affects the operation of other neighboring containers creating a denial-of-service (DoS) attack.
Insider Threat
A disgruntled employee who wants to damage the reputation of the company can exploit the cloud services using his credentials and perform direct code changes to disclose private information to the public
Privilege Escalation
A mistake in the access allocation system can result in a customer, third party, or employee getting more access rights than needed
Inadequate Infrastructure Design and Planning
A shortage of computing resources and/or poor network design can result in unacceptable network latency or an inability to meet agreed service levels
Nimbostratus
A tool used for fingerprinting and exploiting Amazon cloud infrastructures.
Container orchestration
an automated process of managing the lifecycles of software containers and their dynamic environments. It is used for scheduling and distributing the work of individual containers for microservices-based applications spread across multiple clusters.
Container technology
an emerging container-based virtualization service. It helps developers and IT teams in developing, running, and managing containerized applications by using the API of the service provider or a web portal interface.
Kubelet
an important service agent that runs on each node and ensures containers running in a pod. It also ensures pods and containers are healthy and running as expected.
Network
an interconnected collection of endpoints. Endpoints that do not have network connection cannot communicate over the network.
Cloud computing
an on-demand delivery of IT capabilities where IT infrastructure and applications are provided to subscribers as a metered service over a network
Kubernetes (K8s)
an open-source, portable, extensible, orchestration platform developed by Google for managing containerized applications and microservices.
Registries
provide various services to developers, such as storing images, tagging, and cataloging images for easy identification, version control for easy discovery and reuse, and fetching and downloading images created by other developers.
On-demand self-service
A type of service rendered by cloud service providers that allow provisions for cloud resources, such as computing power, storage, and network, always on-demand, without the need for human interaction with the service providers.
Cloud Broker
An entity that manages cloud services in terms of use, performance, and delivery, and maintains the relationship between cloud providers and consumers
Kube-proxy
It is a network proxy service that also runs on every worker node. This service maintains the network rules that enable network connection to the pods.
Community Cloud
Shared infrastructure between several organizations from a specific community with common concerns (security, compliance, jurisdiction, etc.) The cloud can be either on-or off-premises and governed by the participated organizations or by a third-party managed service provider (e.g., Optum Health Cloud, Salesforce Health Cloud).
Container Technology Tier-2
Testing and accreditation systems - verification and validation of image contents, signing images and sending them to the registries
Kube-apiserver
The API server is an integral part of the Kubernetes control panel that responds to all API requests. It serves as a front-end utility for the control panel and it is the only component that interacts with the etcd cluster and ensures data storage.
Function-as-a-Service (FaaS)
This cloud computing service provides a platform for developing, running, and managing application functionalities without the complexity of building and maintaining necessary infrastructure (serverless architecture). This model is mostly used while developing applications for microservices. It provides on-demand functionality to the subscribers that powers off the supporting infrastructure and incurs no charges when not in use. It provides data processing services, such as Internet of Things (IoT) services for connected devices, mobile and web applications, and batch-and-stream processing (e.g., AWS Lambda, Google Cloud Functions, Microsoft Azure Functions, Oracle Cloud Fn).
Virtualization technology
Virtualization technology in the cloud enables the rapid scaling of resources in a way that non-virtualized environments cannot achieve.
Docker Hub
a predefined location of Docker images, which can be used by all users.
Automated rollouts and rollbacks
automates the process of creating new containers, destroying existing containers, and moving all resources from one container to another.
Load balancing
automatically distributes the traffic to other containers and performs load balancing.
Cloud Carrier
An intermediary for providing connectivity and transport services between cloud consumers and providers
Storage orchestration
allows developers to mount their own storage capabilities, such as local and public cloud storage.
Rest API
allows the communication and assignment of tasks to the daemon.
Secret and configuration management
allows users to store and manage sensitive information such as credentials, secure shell (SSH) keys, and OAuth tokens.
Platform-as-a-Service (PaaS)
(DEVELOPERS) This type of cloud computing service allows for the development of applications and services. Subscribers need not buy and manage the software and infrastructure underneath it but have authority over deployed applications and perhaps application hosting environment configurations. This offers development tools, configuration management, and deployment platforms on-demand, which can be used by subscribers to develop custom applications (e.g., Google App Engine, Salesforce, Microsoft Azure). Advantages of writing applications in the PaaS environment include dynamic scalability, automated backups, and other platform services, without the need to explicitly code for them.
Infrastructure-as-a-Service (IaaS)
(SYSTEMADMINS) This cloud computing service enables subscribers to use on-demand fundamental IT resources, such as computing power, virtualization, data storage, and network. This service provides virtual machines and other abstracted hardware and operating systems (OSs), which may be controlled through a service application programming interface (API). As cloud service providers are responsible for managing the underlying cloud computing infrastructure, subscribers can avoid costs of human capital, hardware, and others (e.g., Amazon EC2, GoGrid, Microsoft OneDrive, Rackspace).
Lack of visibility
A container engine runs the container, interfaces with the Linux kernel, and creates another layer of abstraction camouflaging the actions of the containers and making it difficult to track activities of specific containers or users.
Cloud Consumer
A a person or organization that maintains a business relationship with the cloud service providers (CSPs) and utilizes the cloud computing services.
Cloud Auditor
A party for making independent assessments of cloud service controls and taking an opinion thereon and can evaluate the services provided by a CSP regarding security controls (management, operational, and technical safeguards intended to protect the confidentiality, integrity, and availability of the system and its information), privacy impact (compliance with applicable privacy laws and regulations governing an individual's privacy), performance, etc.
Host
Allows the container to implement the host networking stack
Private Cloud
Cloud infrastructure is operated for a single organization only and and implemented within a corporate firewall. Organizations deploy this cloud infrastructure to retain full control over corporate data (e.g., BMC Software, VMware vRealize Suite, SAP Cloud Platform).
Measured service
Cloud systems employ the "pay-per-use" metering method. Subscribers pay for cloud services by monthly subscription or according to the usage of resources such as storage levels, processing power, and bandwidth. Cloud service providers monitor, control, report, and charge consumption of resources by customers with complete transparency.
Container Technology Tier-5
Hosts - operating and managing containers as instructed by the orchestrator
Etcd cluster
It is a distributed and consistent key-value storage where Kubernetes cluster data, service discovery details, API objects, etc. are stored.
Rapid elasticity
The cloud offers instant provisioning of capabilities to rapidly scale up or down, according to demand. To the consumers, the resources available for provisioning seem to be unlimited and can be purchased in any quantity at any point of time.
Resource pooling
The cloud service provider pools all the resources together to serve multiple customers in the multi-tenant environment, with physical and virtual resources dynamically assigned and reassigned on demand by the consumer of the cloud.
Container-as-a-Service (CaaS)
This cloud computing model provides containers and clusters as a service to its subscribers. It provides services such as virtualization of container engines, management of containers, applications, and clusters through a web portal, or an API. Using these services, subscribers can develop rich scalable containerized applications through the cloud or on-site data centers. CaaS inherits features of both IaaS and PaaS (e.g., Amazon AWS EC2, Google Kubernetes Engine (GKE)).
Software-as-a-Service (SaaS)
This cloud computing service offers application software to subscribers on-demand over the Internet. The provider charges for the service on a pay-per-use basis, by subscription, by advertising, or by sharing among multiple users (e.g., web-based office applications like Google Docs or Calendar, Salesforce CRM, and Freshbooks).
Identity-as-a-Service (IDaaS)
This cloud computing service offers authentication services to the subscribed enterprises and is managed by a third-party vendor to provide identity and access management services. It provides services such as Single-Sign-On (SSO), Multi-Factor-Authentication (MFA), Identity Governance and Administration (IGA), access management, and intelligence collection. These services allow subscribers to access sensitive data more securely both on and off-premises (e.g., OneLogin, Centrify Identity Service, Microsoft Azure Active Directory, Okta).
Weave
a network plugin that is used to build a virtual network for connecting Docker containers spread across multiple clouds.
Cloud Provider
a person or organization who acquires and manages the computing infrastructure intended for providing services (directly or via a cloud broker) to interested parties via network access.
Service discovery
allows a service to be discovered via a DNS name or IP address.
Self-healing
automatically performs a health check of the containers, replaces the failed containers with new containers, destroys failed containers, and avoids advertising unavailable containers to clients.
Monolithic applications
broken down into cloud-hosted sub-applications, called microservices, that work together, each performing a unique task.
Services
enable users to extend the number of containers across daemons, and together they serve as a swarm with several managers and workers.
Master Components
provide a cluster control panel and perform various activities, such as scheduling, detecting, and handling cluster events.
Microsoft Azure
provides cloud computing services for building, testing, deploying, and managing applications and services through Azure data centers. It provides all types of cloud computing services, such as SaaS, PaaS, and IaaS. It offers various cloud services, such as computing, mobile storage, data management, messaging, media, machine learning, and IoT.
Docker Client
the primary interface through which users communicate with Docker. When commands such as docker run are initiated, the client passes related commands to dockerd, which then executes them.
Images
used to store and deploy containers. They are read-only binary templates with instructions for container creation.
