BSides Berlin Keynote 2023

This presentation was created for BSides Berlin 2023. A massive thanks to the organizers for the opportunity and for organizing such a great community event in Berlin!

If you are interested in a similar topic, please see the bottom of the page.

Images are largely purchased stock photos.

In 2025, it is estimated that the world will store 200 zettabytes of data.

From medical and genetic data to credit card information.

Corporate data makes up at least 60% of this in 2022, up from 15% in 2015.

Data has created a treasure trove for cybercriminals.

And we are the superheroes - the defenders, red teamers, even the suits - tasked with protecting it.

The threat landscape is the entirety of potential and identified cyberthreats affecting a particular sector, group of users, time period, and so forth. The threat landscape is usually thought of as including the vulnerabilities, malware, and specific groups of attackers and their techniques that represent a danger in a given context.

Let’s take a look at it from a few different sectors.

Threat Landscape of…

Software

Use of “shadow SaaS” services with little oversight of their security, as well as the evolving landscape of SaaS-based attacks. Reliance on being able to process data from different sources.

Aviation/Airline industry

In a bid to be more innovative, the airline industry is opening up to innovative service providers. In addition to the existing large attack surface, attackers opt to target the data side - for example loyalty programs.

Telecommunications

Digital transformation initiatives are increasing the threat surface. This comes on top of the traditional threats and vulnerabilities of established technologies that already exist. Regulations are imposed - in some ways this is seen as a threat (against innovation), in other ways it curbs threats and forces innovation.

SaaS Attack Techniques

SaaS is a relatively new attack surface

Existing models are being upgraded or tweaked to take into account SaaS based attacks

Push Security SaaS attacks Github repository https://github.com/pushsecurity/saas-attacks and blog https://pushsecurity.com/blog/saas-attack-techniques/

MITRE ATT&CK SaaS Matrix

https://attack.mitre.org/matrices/enterprise/cloud/saas/

In the name of “digital transformation”, cloud models rise in complexity, and with them come new SaaS attack models.

Due to business and technical processes, there is now an explosion of services, applications and business models all involved in the sharing, processing and analysis of data.

Examples: Okta, Cloudflare, 1Password, 23andMe

Data processing encryption is being overlooked

We know about attacks targeting confidentiality requirements (addressed via encryption-at-rest and encryption-in-transit). But what about encryption-in-use?

Lack of data sovereignty

Key management - who holds the encryption keys? This applies to all states (encryption-in-transit, encryption-in-use, encryption-at-rest). Enforcing a customer-owned KMS is being researched as a requirement.

Attacks in processing:

Data processing between two parties using confidential or regulated data: you have a SaaS provider that needs to process regulated data, and for this regulated data the confidentiality must be maintained.

Unclear shared responsibilities

Action point: Take a look at your current SaaS / cloud situation and consider which security requirements are unclear.

According to the CCC (Confidential Computing Consortium), confidential computing protects data in use through a minimum of three properties:[10]

  • Data confidentiality: "Unauthorized entities cannot view data while it is in use within the TEE".

  • Data integrity: "Unauthorized entities cannot add, remove, or alter data while it is in use within the TEE".

  • Code integrity: "Unauthorized entities cannot add, remove, or alter code executing in the TEE".

Main point:

Confidential computing tackles the problem of attacks targeting data in process; however, there are still gaps in play, and these gaps usually require some research on the cloud provider in use.

The impact, the likelihood, risk appetite, threat landscape all differ.

What remains constant is data. Data is key to business success - whether it is credit card or biomedical data. We need to be able to classify this data and, with that, enforce its protection requirements.

And once we have classified this data, we need to be able to treat it in a way that suits its classification.

Enforce:

Enforce that data sovereignty, key management and key ownership requirements are not dependent on the CSP or SaaS provider; work on strengthening security requirements by working with risk and compliance teams.

Section 01:

Pentest reports should be written so that they are useful for risk management and analysis. The point here is to be able to move a penetration test report forward to the project teams or the contract owner beyond only stating the CVSS score.

When defining the scope with a pentester:

  • The scope should indicate what CSP is in use and what configurations are used, e.g. CIS level 4 hardening.

  • Otherwise the results of the assessment might not be a true reflection of the security posture.

  • Masking or anonymizing data to remove any sensitive data while ensuring the data’s structure remains the same.

Complexity of the attack

  • How complex is it for the attacker to execute the attack (for example, they can only execute it after credential access)?

Section 02:

Incorporate from MITRE SaaS Framework

  • Red team attack techniques based on the MITRE SaaS framework provide the opportunity to contextualize the attack.

Main point: Managing SaaS / cloud risks and vulnerabilities from a management perspective

How can you use audit and compliance reports to manage cloud risks?

Risk management approaches have to change - SaaS poses unique challenges to risk management approaches like…

Cloud assessments are brushed off. Normal “bread and butter” assessments like security of the DC or business continuity of data get handed over to the CSP. There are false “logic” chains being made such as “AWS does this, we don’t do it” → “AWS is a secure company” → “Our software is therefore very secure (!)”

Things like secure administration and operation of the cloud environment (e.g. hybrid) are not kept track of or are hard to enforce.

What are the trends in standards?

There are either established standards, or the more widely adopted standards now have SaaS-related risks in place:

Compliance and audit reports are used to map out requirements that should be suitable for the solution.

Dedicated standards in the ISO 27000 series, like:

  • Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services.

  • ISO upgrade to 27001:2022 includes controls related to SaaS / cloud. These reflect the growing business requirements:

  • ISO standards (see slide)

SOC 2 reports, e.g. with additions like the BSI C5 controls catalogue, which is specific to German requirements. C5 makes a distinction between basic requirements and additional requirements, and data centre attestations are only available for certain locations, depending on the CSP.

There are also other third-party reports, e.g. the NCC Group third-party attestation report on the AWS Nitro API key handling.

Security Culture eats strategy for breakfast

There can only be an abundance of data in the future.

This is in line with many of the incoming trends - automation, AI, and so on.

With the abundance of data we see the attack surface further changing and growing.

The landscape in cyber security for this means…

  • In compliance and data protection: pick up ISO 27001:2022 new controls related to cloud services, adjust risk management process for SaaS/cloud security…

  • In red team/professional hacking: learn the new attack techniques on SaaS.

  • Blue team: confidential computing; learn about attack techniques on SaaS to go purple.

Information security does not play a main role in decisions by the IT Decision Makers. The only way to move forwards is to work together - red, blue, compliance.

Interested in a similar presentation for your event?

This can be adapted based on factors like:

  • Other talks in the agenda - the live talk made references to other talks in the conference to tie them in. For example, the conference had talks on confidential computing, the SOC 2 Type 2 report of a presenter’s company, and stolen API keys, and the keynote was adjusted accordingly.

  • Audience - technical, information security, industry specific such as airline, location specific such as Asia or Germany, etc.

  • Topical news items - news from the last 1-2 months will be referenced. For example, the live talk referred to the latest confidential computing news released by Azure in mid-November 2023.

If you are interested in seeing how this presentation can be adapted for your conference, webinar, panel, etc, please get in touch!
