WEBVTT

1
00:00:00.000 --> 00:00:01.950
In this lesson, we will learn

2
00:00:01.950 --> 00:00:04.830
about the Cloud Attack Surface.

3
00:00:04.830 --> 00:00:06.930
The Cloud Attack Surface consists

4
00:00:06.930 --> 00:00:10.470
of the vulnerabilities and entry points associated

5
00:00:10.470 --> 00:00:12.780
with an organization's internal

6
00:00:12.780 --> 00:00:15.600
and external cloud infrastructure.

7
00:00:15.600 --> 00:00:17.850
Cloud Attack Surface concepts

8
00:00:17.850 --> 00:00:20.550
include the enumeration and discovery

9
00:00:20.550 --> 00:00:24.930
of internally facing assets, the enumeration and discovery

10
00:00:24.930 --> 00:00:29.310
of externally facing assets, cloud services discovery,

11
00:00:29.310 --> 00:00:33.060
and malicious cloud services and daemons.

12
00:00:33.060 --> 00:00:35.160
The enumeration and discovery

13
00:00:35.160 --> 00:00:39.180
of internally facing assets involves identifying

14
00:00:39.180 --> 00:00:43.200
and assessing cloud-based resources that are accessible

15
00:00:43.200 --> 00:00:46.140
only within the organization's network.

16
00:00:46.140 --> 00:00:48.810
Next, the enumeration and discovery

17
00:00:48.810 --> 00:00:51.810
of externally facing assets focuses

18
00:00:51.810 --> 00:00:55.860
on cloud resources that are publicly accessible.

19
00:00:55.860 --> 00:00:59.040
Then we have cloud services discovery,

20
00:00:59.040 --> 00:01:00.870
which involves identifying,

21
00:01:00.870 --> 00:01:04.980
mapping, and cataloging all cloud services in use

22
00:01:04.980 --> 00:01:07.710
to identify potential vulnerabilities

23
00:01:07.710 --> 00:01:11.280
or misconfigurations that could be exploited.

24
00:01:11.280 --> 00:01:15.150
Finally, services and daemons are background processes

25
00:01:15.150 --> 00:01:17.760
and programs that run continuously

26
00:01:17.760 --> 00:01:21.090
in the background to manage system functions.

27
00:01:21.090 --> 00:01:23.070
Malicious services and daemons

28
00:01:23.070 --> 00:01:25.560
can lead to unauthorized access,

29
00:01:25.560 --> 00:01:30.210
persistent backdoors, or the execution of harmful actions

30
00:01:30.210 --> 00:01:34.560
within the system, allowing attackers to maintain control

31
00:01:34.560 --> 00:01:38.250
or disrupt operations without detection.

32
00:01:38.250 --> 00:01:40.560
Let's learn more about the enumeration

33
00:01:40.560 --> 00:01:44.280
and discovery of internally facing assets,

34
00:01:44.280 --> 00:01:48.420
the enumeration and discovery of externally facing assets,

35
00:01:48.420 --> 00:01:50.370
cloud services discovery,

36
00:01:50.370 --> 00:01:53.970
and malicious cloud services and daemons.

37
00:01:53.970 --> 00:01:57.630
The enumeration and discovery of internally facing assets

38
00:01:57.630 --> 00:02:01.003
involves identifying cloud-based resources

39
00:02:01.003 --> 00:02:03.120
that are accessible only

40
00:02:03.120 --> 00:02:07.020
within an organization's network, such as databases,

41
00:02:07.020 --> 00:02:11.700
virtual machines, application servers, storage systems,

42
00:02:11.700 --> 00:02:16.700
and internal application programming interfaces, or APIs.

43
00:02:16.740 --> 00:02:19.680
These assets contain sensitive data

44
00:02:19.680 --> 00:02:22.440
and support essential business functions,

45
00:02:22.440 --> 00:02:25.920
generally remaining hidden from public access.

46
00:02:25.920 --> 00:02:28.710
However, if misconfigured,

47
00:02:28.710 --> 00:02:30.660
these internal resources

48
00:02:30.660 --> 00:02:33.480
can unintentionally become accessible,

49
00:02:33.480 --> 00:02:36.390
presenting a serious security risk

50
00:02:36.390 --> 00:02:38.970
within the cloud environment.

51
00:02:38.970 --> 00:02:43.851
A prime example of this risk is seen in the 2023 U.S.

52
00:02:44.940 --> 00:02:49.650
No-Fly List leak, where an internal server belonging

53
00:02:49.650 --> 00:02:53.820
to the airline CommuteAir was allegedly left unprotected

54
00:02:53.820 --> 00:02:56.250
and accessible to the public.

55
00:02:56.250 --> 00:03:00.870
This alleged misconfigured server contained sensitive data,

56
00:03:00.870 --> 00:03:04.470
including a version of the U.S. No-Fly List,

57
00:03:04.470 --> 00:03:07.560
which was never meant to be accessible outside

58
00:03:07.560 --> 00:03:09.780
of authorized personnel.

59
00:03:09.780 --> 00:03:13.050
The lack of access restrictions allowed anyone

60
00:03:13.050 --> 00:03:15.810
with the server's IP address to access

61
00:03:15.810 --> 00:03:18.330
and download the information,

62
00:03:18.330 --> 00:03:22.920
underscoring the risks of misconfigured internal assets.

63
00:03:22.920 --> 00:03:25.560
So, to prevent such exposures,

64
00:03:25.560 --> 00:03:28.183
organizations can use cloud management tools

65
00:03:28.183 --> 00:03:30.762
like AWS Config

66
00:03:30.762 --> 00:03:35.160
or Azure Policy to enforce configuration compliance

67
00:03:35.160 --> 00:03:38.280
and quickly detect potential exposure.

68
00:03:38.280 --> 00:03:41.190
Additionally, regular security assessments

69
00:03:41.190 --> 00:03:43.440
and internal audits ensure

70
00:03:43.440 --> 00:03:48.270
that only authorized users can access these assets,

71
00:03:48.270 --> 00:03:50.520
strengthening security and reducing

72
00:03:50.520 --> 00:03:53.640
the risk of accidental exposure.

73
00:03:53.640 --> 00:03:55.680
Second, we have the enumeration

74
00:03:55.680 --> 00:03:59.310
and discovery of externally facing assets.

75
00:03:59.310 --> 00:04:03.240
Externally facing assets refer to cloud resources

76
00:04:03.240 --> 00:04:05.340
that are accessible to the public,

77
00:04:05.340 --> 00:04:08.970
such as web applications, APIs,

78
00:04:08.970 --> 00:04:12.150
public storage buckets, DNS servers,

79
00:04:12.150 --> 00:04:15.960
and content delivery networks, or CDNs.

80
00:04:15.960 --> 00:04:19.290
These assets are a prime target for attackers,

81
00:04:19.290 --> 00:04:22.380
since they can be and are meant to be accessed

82
00:04:22.380 --> 00:04:25.560
without internal network restrictions.

83
00:04:25.560 --> 00:04:29.940
Identifying and securing these publicly accessible assets

84
00:04:29.940 --> 00:04:32.580
reduces the cloud attack surface,

85
00:04:32.580 --> 00:04:34.350
as any vulnerability

86
00:04:34.350 --> 00:04:38.970
in these resources could be exploited by external threats.

87
00:04:38.970 --> 00:04:42.420
Externally facing assets are especially important

88
00:04:42.420 --> 00:04:43.920
for enterprise networks

89
00:04:43.920 --> 00:04:47.340
because they directly handle user interactions

90
00:04:47.340 --> 00:04:49.290
and data exchange.

91
00:04:49.290 --> 00:04:53.430
For instance, a company might have a public API

92
00:04:53.430 --> 00:04:57.390
that allows customers to access certain services.

93
00:04:57.390 --> 00:05:02.390
If this API is misconfigured or has weak authentication,

94
00:05:02.610 --> 00:05:06.690
it could expose sensitive internal customer information

95
00:05:06.690 --> 00:05:08.430
to attackers.

96
00:05:08.430 --> 00:05:11.910
Organizations can mitigate risk to these assets

97
00:05:11.910 --> 00:05:14.670
by using tools like Shodan, Censys,

98
00:05:14.670 --> 00:05:16.950
or even native cloud solutions

99
00:05:16.950 --> 00:05:21.660
such as AWS Inspector and Google Cloud Security Scanner

100
00:05:21.660 --> 00:05:26.340
to regularly scan and monitor their public cloud resources.

101
00:05:26.340 --> 00:05:29.400
Also, implementing strict access controls,

102
00:05:29.400 --> 00:05:34.400
such as OAuth for APIs and public cloud resources,

103
00:05:34.440 --> 00:05:36.360
and regularly applying updates

104
00:05:36.360 --> 00:05:39.750
and patches help safeguard these assets.

105
00:05:39.750 --> 00:05:43.290
Third, we have cloud services discovery.

106
00:05:43.290 --> 00:05:45.570
Cloud services discovery involves

107
00:05:45.570 --> 00:05:48.270
cataloging all cloud services

108
00:05:48.270 --> 00:05:50.040
an organization uses

109
00:05:50.040 --> 00:05:53.283
to identify potential security vulnerabilities

110
00:05:53.283 --> 00:05:55.950
or misconfigurations.

111
00:05:55.950 --> 00:06:00.930
This process includes tracking storage, compute, networking,

112
00:06:00.930 --> 00:06:04.830
and software services in multi-cloud environments,

113
00:06:04.830 --> 00:06:09.270
which helps maintain visibility into every active service

114
00:06:09.270 --> 00:06:12.510
and its associated security posture.

115
00:06:12.510 --> 00:06:15.990
Properly identifying these services is essential

116
00:06:15.990 --> 00:06:19.860
because undiscovered or misconfigured services

117
00:06:19.860 --> 00:06:23.400
can unintentionally expose sensitive data

118
00:06:23.400 --> 00:06:27.030
or critical functions to potential attackers.

119
00:06:27.030 --> 00:06:30.540
For enterprises, cloud services discovery

120
00:06:30.540 --> 00:06:34.770
ensures comprehensive oversight of cloud resources,

121
00:06:34.770 --> 00:06:37.620
especially as many organizations

122
00:06:37.620 --> 00:06:39.720
use multiple cloud providers

123
00:06:39.720 --> 00:06:41.520
for various functions.

124
00:06:41.520 --> 00:06:45.240
For example, an organization may unknowingly have

125
00:06:45.240 --> 00:06:48.840
misconfigured a database in their cloud environment due

126
00:06:48.840 --> 00:06:51.300
to overlooking permissions,

127
00:06:51.300 --> 00:06:53.250
potentially exposing sensitive

128
00:06:53.250 --> 00:06:56.580
information to unintended users.

129
00:06:56.580 --> 00:07:01.290
So, mitigating risks in cloud services discovery involves

130
00:07:01.290 --> 00:07:03.210
using cloud security posture

131
00:07:03.210 --> 00:07:06.240
management tools like Prisma Cloud,

132
00:07:06.240 --> 00:07:11.240
Lacework, or native services like AWS CloudTrail.

133
00:07:11.460 --> 00:07:14.190
These tools, and those like them,

134
00:07:14.190 --> 00:07:17.100
automate cloud service inventory management

135
00:07:17.100 --> 00:07:21.210
and monitor configurations for potential vulnerabilities,

136
00:07:21.210 --> 00:07:25.740
helping organizations maintain a secure cloud environment

137
00:07:25.740 --> 00:07:28.830
by providing alerts on suspicious changes

138
00:07:28.830 --> 00:07:31.170
and misconfigurations.

139
00:07:31.170 --> 00:07:35.190
Fourth and last, we have malicious cloud services

140
00:07:35.190 --> 00:07:36.540
and daemons.

141
00:07:36.540 --> 00:07:40.380
Malicious cloud services and daemons are unauthorized,

142
00:07:40.380 --> 00:07:42.960
or harmful background processes

143
00:07:42.960 --> 00:07:45.720
that can lead to unauthorized access,

144
00:07:45.720 --> 00:07:47.580
persistent backdoors,

145
00:07:47.580 --> 00:07:52.580
or the execution of malicious actions within a cloud system.

146
00:07:52.830 --> 00:07:56.790
These services may appear as legitimate processes

147
00:07:56.790 --> 00:07:59.940
but can allow attackers to maintain control

148
00:07:59.940 --> 00:08:01.590
of cloud resources,

149
00:08:01.590 --> 00:08:06.590
exfiltrate data, or disrupt operations without detection.

150
00:08:06.930 --> 00:08:08.790
Identifying and managing

151
00:08:08.790 --> 00:08:11.880
these malicious services prevents compromise

152
00:08:11.880 --> 00:08:14.130
to critical cloud infrastructure,

153
00:08:14.130 --> 00:08:17.730
which could lead to long-term security issues.

154
00:08:17.730 --> 00:08:19.080
For an enterprise,

155
00:08:19.080 --> 00:08:22.350
malicious daemons are particularly harmful,

156
00:08:22.350 --> 00:08:25.590
as they may evade standard monitoring tools

157
00:08:25.590 --> 00:08:27.750
and persist undetected.

158
00:08:27.750 --> 00:08:31.830
For instance, an attacker might install a malicious daemon

159
00:08:31.830 --> 00:08:34.770
within a compromised virtual machine,

160
00:08:34.770 --> 00:08:37.590
which periodically sends sensitive data

161
00:08:37.590 --> 00:08:39.180
to an external server

162
00:08:39.180 --> 00:08:43.080
without alerting the standard monitoring solutions.

163
00:08:43.080 --> 00:08:45.600
So, to mitigate these risks,

164
00:08:45.600 --> 00:08:47.910
organizations can use advanced threat

165
00:08:47.910 --> 00:08:50.067
detection tools like CrowdStrike,

166
00:08:50.067 --> 00:08:54.600
AWS GuardDuty, or Azure Security Center,

167
00:08:54.600 --> 00:08:59.040
which continuously monitor for unusual process behavior

168
00:08:59.040 --> 00:09:02.280
and network traffic in cloud environments.

169
00:09:02.280 --> 00:09:06.720
Additionally, regularly conducting forensic investigations

170
00:09:06.720 --> 00:09:08.820
and implementing endpoint detection

171
00:09:08.820 --> 00:09:11.640
and response solutions can help detect

172
00:09:11.640 --> 00:09:14.250
and remove malicious services

173
00:09:14.250 --> 00:09:16.380
before they cause harm.

174
00:09:16.380 --> 00:09:20.070
So, remember, the cloud attack surface

175
00:09:20.070 --> 00:09:23.520
includes all vulnerabilities and access points

176
00:09:23.520 --> 00:09:26.760
within an organization's cloud infrastructure,

177
00:09:26.760 --> 00:09:29.760
both internal and external.

178
00:09:29.760 --> 00:09:31.200
It involves discovering

179
00:09:31.200 --> 00:09:34.320
and securing internally facing assets,

180
00:09:34.320 --> 00:09:37.200
which are accessible only within the network,

181
00:09:37.200 --> 00:09:39.690
and externally facing assets,

182
00:09:39.690 --> 00:09:43.740
which are publicly available and more vulnerable to attack.

183
00:09:43.740 --> 00:09:47.670
Additionally, cloud services discovery entails cataloging

184
00:09:47.670 --> 00:09:52.670
all cloud services in use to identify any misconfigurations,

185
00:09:53.250 --> 00:09:57.540
or unmonitored services that could lead to exposure.

186
00:09:57.540 --> 00:10:01.170
Finally, malicious cloud services and daemons,

187
00:10:01.170 --> 00:10:03.840
or harmful background processes,

188
00:10:03.840 --> 00:10:06.060
pose another significant threat

189
00:10:06.060 --> 00:10:09.300
as they can operate undetected and disrupt

190
00:10:09.300 --> 00:10:11.670
or compromise cloud operations

191
00:10:11.670 --> 00:10:13.560
without being noticed.

192
00:10:13.560 --> 00:10:17.730
So, each component of the cloud attack surface requires

193
00:10:17.730 --> 00:10:22.380
consistent monitoring to detect and secure any weaknesses.

194
00:10:22.380 --> 00:10:26.490
And, by using specialized tools and regular audits,

195
00:10:26.490 --> 00:10:29.430
organizations can maintain a more secure

196
00:10:29.430 --> 00:10:31.770
and resilient cloud environment,

197
00:10:31.770 --> 00:10:34.593
reducing their exposure to threats.

