Edoardo Rosa edited this page Sep 11, 2022 · 2 revisions

nuvola aims to close the gap between the open-source tooling available for on-premise security analysis (Windows, clients, networks) and the tooling available for cloud environments.

The approach is an open-source, community-driven tool that gives users a global overview of a cloud ecosystem, with the option of drilling down, automatically or manually, into specific security aspects such as privilege escalation and service misconfigurations.

This tool is aimed not only at information security teams but also at DevOps teams. Organisations that achieve alignment among their departments on security policies and enforcement strategies, and that are moving toward a DevSecOps approach, are better equipped to deal with configuration errors.

Such organisations are more likely to detect and remediate a misconfiguration in far less time (1 day on average; source: The State of Cloud Security Risk, Compliance and Misconfigurations, Cloud Security Alliance, 2021) than organisations where that alignment is partial or absent.

Existing Alternatives

Blog posts, courses and articles focus only on the exploitation or remediation side: they give the analyst tools and an attack methodology for simple, if effective, use cases, but do not prepare security professionals to operate in very large and complex cloud ecosystems.

In large and complex cloud ecosystems, reviewing such permissions can be quite difficult, and IAM policy validation is only a small step in validating the security posture of the whole ecosystem.

The comparison with a classic red teaming operation still holds: a junior red teamer can't handle a very large environment or multiple extensive subnets during an engagement, and even more senior figures can struggle to manage such wide scopes.

To help security professionals, and real attackers too, a variety of automated tools has been developed, such as BloodHound, CrackMapExec, Responder, etc.

For cloud ecosystems the community has started to release some broad-vision tools, such as (the list is not exhaustive and only collects the main features used):

The exceptional tools above are the ones that helped us perform assessments and experiment with permission combinations in our internal security laboratory, but we ran into limits in functionality, scalability, completeness and usability.

While some of the tools that support AWS are very useful and well developed, many of them lack a global overview or certain features, and their results must be manually reviewed, aggregated and ingested into other tools or custom scripts.

Generally speaking, in our experience with very extensive AWS ecosystems these tools do not provide the level of abstraction and information needed to really help and to automate tasks.

At Prima Assicurazioni there are thousands of roles, hundreds of EC2 instances and buckets and dozens of Lambda functions; these numbers result from business and security requirements and from heavy use of a microservice architecture.

Managing such numbers from a security and DevOps perspective is very difficult, and a tool that provides both general and detailed information could be very helpful, especially for the management of IAM permissions.

In addition, AWS IAM can grant or deny permissions on specific objects only, either through conditions or through resource-based policies instead of IAM (identity-based) policies. For each role or user, the effective permissions must be validated by evaluating every policy applied from the different sources (attached policies, inline policies, group policies, service control policies (SCPs), permission boundaries, etc.) together with their conditions.
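As an added illustration of that evaluation (example code written for this page, not part of nuvola), here is a simplified model of the AWS decision logic for a same-account request: an explicit Deny in any layer wins, and otherwise the identity-based policies, the SCPs and the permission boundary must each grant the action. Resource-based policies, session policies and every condition operator other than StringEquals are left out, and the policies are constructed sample data.

```python
import fnmatch

def _as_list(value):
    # IAM lets Action, Resource and condition values be a string or a list.
    return [value] if isinstance(value, str) else list(value or [])

def _matches(stmt, action, resource, context):
    # Actions are case-insensitive, ARNs are not; '*' and '?' are IAM wildcards.
    # Only the StringEquals condition operator is modelled (an assumption here).
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action"))):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource"))):
        return False
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True

def _decision(policies, action, resource, context):
    # One layer: a matching Deny wins, else "Allow" if any statement allows,
    # else None (implicit deny).
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else None

def is_allowed(action, resource, identity_policies, scps=None, boundary=None, context=None):
    # Same-account request, no resource-based policy: every applicable layer must
    # say "Allow"; an explicit or implicit deny in any layer blocks the request.
    layers = [identity_policies] + ([scps] if scps else []) + ([[boundary]] if boundary else [])
    return all(_decision(layer, action, resource, context or {}) == "Allow" for layer in layers)

# Constructed sample: a role with attached, inline and group policies, a
# permission boundary and an organisation SCP.
IDENTITY = [
    {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    {"Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::prod-*"}]},
    {"Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
                    "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}}]},
]
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"}]}
SCPS = [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                       {"Effect": "Deny", "Action": "s3:PutBucketPolicy", "Resource": "*"}]}]
def check(action, resource, context=None):
    return is_allowed(action, resource, IDENTITY, SCPS, BOUNDARY, context)
```

Running `check` against the sample shows why a single policy source is never enough: the inline Deny blocks `s3:DeleteBucket` on `prod-*` buckets, the SCP blocks `s3:PutBucketPolicy` everywhere, and `iam:PassRole` is only allowed when the region condition is met and the boundary also grants it.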

Acknowledgement

A Cloud Security Alliance report (Technology and Cloud Security Maturity, 2022) states that 84% of organisations report having no automation; since Identity and Access Management is a key factor in securing companies, automating the detection of possible attack paths may reduce the attack surface and prevent potential data breaches.

Beyond the technological aspects, another Cloud Security Alliance compendium (The State of Cloud Security Risk, Compliance, and Misconfigurations, 2022) states that lack of knowledge and expertise is a well-known issue within the information security industry.

It is no surprise, then, that lack of knowledge and expertise was consistently identified as:

  • the primary barrier to general cloud security (59%)
  • the primary cause of misconfigurations (62%)
  • a barrier to proactively preventing or fixing misconfigurations (59%)
  • the primary barrier to implementing auto-remediation (56%)

Also, from the same report, the primary reason organisations give for having had a security incident due to misconfigurations is lack of visibility (68%). It is equally important for organisations to prioritise tooling that provides three primary aspects:

  • improved visibility
  • effective risk governance
  • automation