1 of 34

Thunder CTF: Learning Cloud Security on a Dime

Nicholas Springer, Wu-chang Feng

https://thunder-ctf.cloud

Supported by NSF award #1821841

2 of 34

Race to the cloud...

3 of 34

… going faster due to COVID

4 of 34

What are the biggest challenges for organizations engaged with public cloud?

Source: Forbes

5 of 34

Justified?

  • Take one complicated problem we're already struggling with...
    • Operating system security
    • Router and firewall configuration
    • User management and authentication
    • Access control management
    • Asset and data inventory
    • Software updates and patching
  • … and add an entirely new set of problems
    • IAM access control and policy management
    • Account access key and token management
    • Credential rotation
    • Cloud platform service configuration
    • Federated identity providers, zero-trust networks
    • Container, serverless, and API security
  • Leads to ...

6 of 34

Misconfigured storage buckets

Misconfigured snapshots

7 of 34

Misconfigured databases

Over-provisioned privileges

8 of 34

Exposed login credentials

9 of 34

Exposed API, account, OAuth, ssh keys

  • ~1793 unique keys daily
  • ~20 seconds before discovery

10 of 34

Exposed metadata

  • Via a security product!

11 of 34

All of the above?

  • Open vulnerable server (Ruby deserialization RCE via cookie)
  • Hard-coded tokens in code
  • Weak passwords ('changeme', 'password', 'instagram', <username>)
  • Database credentials stored in a file
  • AWS access keys stored in a file
  • Unprotected application backups containing key material
  • Overprovisioned key
  • Results in access to all content (source code, site assets, SSL certificates and private keys, API/OAuth keys, etc.)

12 of 34

Criminals and nation-states racing to take advantage

13 of 34

Are we prepared?

  • Oregon's CyberSeek numbers

14 of 34

CS 495: Web and Cloud Security https://codelabs.cs.pdx.edu/cs495

15 of 34

Cloud security labs available

  • Existing labs shown: three, all targeting AWS

16 of 34

Thunder CTF

  • A Cloud Security CTF for Google Cloud Platform

17 of 34

Design

  • Scenario-based to allow students to role-play actual exploits
  • Scaffolded to support differentiated instruction across novices and experienced practitioners
  • Extensible to enable developers to add, remove, and customize levels based on current vectors of exploitation
  • Frictionless setup, low cost, polymorphism for easy deployment in classrooms

18 of 34

Scenario-based

  • Informed by the MITRE ATT&CK framework
    • Comprehensive, industry-standard enumeration of attacker behavior
      • "GitHub" for adversary behaviors (a living framework!)
    • Derived from the incident response and threat intelligence communities
      • What are attackers actually using?
    • Organized by the tactics, techniques, and procedures that APTs and other hacking groups actually use
      • "TTPs"

19 of 34

TTPs

  • Tactics
    • Generalized approaches
  • Techniques
    • Specific approaches to perform a particular tactic
  • Procedures
    • Playbook of tactics and techniques used by adversaries to accomplish an objective
  • Best shown in a matrix

20 of 34

21 of 34

12 Tactics

  • Initial access
  • Execution
  • Persistence
  • Privilege escalation
  • Defense evasion
  • Credential access
  • Discovery
  • Lateral movement
  • Collection
  • Command & Control
  • Exfiltration
  • Impact

22 of 34

  • Adapted to GCP (MITRE ATT&CK framework for GCP)
  • Scenarios follow procedures used throughout entire attack lifetime (not just app exploitation)
    • Overprovisioned permissions, weak IAM policies, IAM privilege escalation
    • Keys in code, access token compromise
    • Backdoors via metadata, metadata access via SSRF, exposed container images and git information
    • Filtered log exfiltration, unsanitized error messages
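The first line of the list above (over-provisioned permissions, weak IAM policies, IAM privilege escalation) is the kind of thing a project IAM policy review should surface before a level, or a real attacker, does. The following is an added example written for this page, not Thunder CTF code: it audits a policy document in the shape that `gcloud projects get-iam-policy PROJECT --format=json` prints. The sample policy, the principal names and the severity labels are constructed for illustration; the role names are real GCP roles.

```python
"""Audit a GCP project IAM policy for the weaknesses the Thunder CTF
scenarios exercise. Added example, not part of the Thunder CTF code base."""
import json
import sys

# Principals that make a binding world- or tenant-readable.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Primitive (basic) roles: far broader than any workload needs.
PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
# Roles that let a principal act as, or mint credentials for, service accounts.
# Granted at project scope they apply to every SA in the project, which is the
# classic GCP privilege-escalation path (impersonate an SA with stronger bindings).
IMPERSONATION_ROLES = {
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
    "roles/iam.serviceAccountKeyAdmin",
}
# Roles that let a principal rewrite IAM bindings themselves.
IAM_ADMIN_ROLES = {
    "roles/iam.securityAdmin",
    "roles/resourcemanager.projectIamAdmin",
    "roles/iam.roleAdmin",
}


def audit_iam_policy(policy):
    """Return (severity, role, member, reason) findings for a project policy dict."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append(("HIGH", role, member,
                                 "public principal bound at project level"))
            if role in PRIMITIVE_ROLES:
                if member.startswith("serviceAccount:"):
                    # A key for this SA is an over-provisioned key.
                    findings.append(("HIGH", role, member,
                                     "primitive role on a service account"))
                else:
                    findings.append(("MEDIUM", role, member,
                                     "primitive role instead of a predefined/custom role"))
            if role in IMPERSONATION_ROLES:
                findings.append(("HIGH", role, member,
                                 "can impersonate every service account in the project"))
            if role in IAM_ADMIN_ROLES:
                findings.append(("HIGH", role, member, "can rewrite IAM bindings"))
    return findings


# Constructed sample policy (hypothetical project and principals).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com"]},
    {"role": "roles/editor",
     "members": ["serviceAccount:app@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:intern@example.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["allUsers"]},
    {"role": "roles/logging.viewer",
     "members": ["user:bob@example.com"]}
  ],
  "version": 1
}
""")

if __name__ == "__main__":
    # Usage: gcloud projects get-iam-policy PROJECT --format=json | python3 iam_audit.py
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_POLICY
    for sev, role, member, reason in audit_iam_policy(doc):
        print(f"{sev:6} {role:45} {member:60} {reason}")
```

The checks are deliberately coarse: a predefined role with a narrow scope can still be wrong for a given principal, and bucket-level policies (where `allUsers` usually lands in the open-bucket level) need the same pass via `gsutil iam get gs://BUCKET`. The point is that the three escalation primitives, public principals, primitive roles on service accounts and project-wide impersonation rights, are visible from the policy alone.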

23 of 34

  • Example scenario modeled after Capital One breach (a6container)
  • Obtain a compromised account key
  • List the project’s instances
  • View VM metadata to see container image being run
  • Pull container image to find code implementing a proxy
  • Perform SSRF attack
  • Obtain credentials of the VM via Metadata service
  • Use credentials to access secret file in storage bucket

24 of 34

Scaffolded

  • CTFs often evaluative, targeting experts
    • Esoteric levels that discourage novices
  • Differentiated instruction approach of Thunder CTF
    • Scenarios with gently increasing difficulties
    • Hint-system
      • Support direct instruction for novices that treats CTF as a walk-through/codelab
      • True CTF for advanced practitioners by ignoring hints
    • Balance challenge and struggle to target flow

25 of 34

26 of 34

Extensible

  • Shifting threat models/counter-measures in the cloud
    • e.g. Metadata service SSRF soon a dead bug class
    • Requires continuous change in content
  • Framework to support
    • New levels
    • New CTF sequences via namespaces (least privilege)

27 of 34

  • CTF framework
    • Levels specified via Python Cloud Deployment Manager scripts and YAML configuration files
    • HTML template file for hints

28 of 34

  • Level module development guide
  • Python CTF Framework documentation

29 of 34

Deployable

  • Requires only a Google Cloud account to play
  • Consumes minimal amount of resources
    • Serverless design
    • Resource usage within free-tier offerings
    • Levels can be played for under a dime!
  • Code freely available for use
  • Simple level launch via Cloud Shell
    • python3 thunder.py create thunder/a1openbucket
    • python3 thunder.py destroy
  • Polymorphic flags to support courses and certifications

30 of 34

Results

  • CS 495/595 Web and Cloud Security (Winter 2020)
  • CS 430P/530 Internet, Web, and Cloud Systems (Fall 2019)
  • CTF rating (1 = very unhelpful, 5 = very helpful)
    • 36 out of 48 students responding

  Question                                                                                     Average rating
  Rate the CTF exercises for understanding security issues in the cloud.                       3.94
  Rate the CTF exercises for developing skills in navigating the cloud.                        3.94
  Rate the hint system as a mechanism for providing help as needed in solving CTF exercises.   4.56

31 of 34

Demo

(spoiler alert)

32 of 34

thunder/a2finance

  1. Initial permissions
  2. Service discovery (compute/storage)
  3. Storage access
  4. Git exfiltration
  5. Exposed ssh key in repo history
  6. Compute account discovery
  7. Elevated access to logging
  8. Unsanitized error log exfiltrated
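Steps 4 and 5 of the demo, like the "keys in code" vector and the exposed-key statistics earlier in the deck, rest on the same mistake: a credential committed once stays in every clone's history after it is deleted from the working tree. The scanner below is an added example written for this page, not part of Thunder CTF. The secret patterns are the publicly known formats (PEM private-key headers, GCP service-account JSON, `AIza` API keys, `AKIA`/`ASIA` AWS key ids); the sample history is constructed, and the key-looking strings in it are fake. `scan_git_history` walks every commit with plain `git` plumbing; `scan_blobs` is the part the test exercises offline.

```python
"""Find credentials anywhere in a repository's history, not just at HEAD.
Added example for this page; not Thunder CTF code."""
import re
import subprocess

SECRET_PATTERNS = {
    "pem-private-key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    # A GCP service-account key file: both markers must appear in the same blob.
    "gcp-service-account": re.compile(r'"type"\s*:\s*"service_account"(?=[\s\S]*"private_key")'),
    "google-api-key": re.compile(r"AIza[0-9A-Za-z_-]{35}"),
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}


def scan_text(text):
    """Return (pattern_name, line_number) for every match in `text`."""
    hits = []
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((name, text.count("\n", 0, m.start()) + 1))
    return hits


def scan_blobs(blobs):
    """`blobs` yields (commit, path, text). Returns (commit, path, name, line) findings."""
    findings = []
    for commit, path, text in blobs:
        for name, line in scan_text(text):
            findings.append((commit, path, name, line))
    return findings


def _git(repo, *args):
    return subprocess.run(["git", "-C", repo, *args], check=True,
                          stdout=subprocess.PIPE).stdout


def iter_history_blobs(repo):
    """Yield every distinct blob reachable from any ref, tagged with the first
    commit it was seen in. Deleted files and rewritten history still show up
    here, which is why `git log -p` on the current branch is not enough."""
    seen = set()
    for commit in _git(repo, "rev-list", "--all").decode().split():
        listing = _git(repo, "ls-tree", "-r", "-z", commit).decode(errors="replace")
        for entry in filter(None, listing.split("\0")):
            meta, path = entry.split("\t", 1)
            _mode, kind, sha = meta.split()
            if kind != "blob" or sha in seen:
                continue
            seen.add(sha)
            yield commit[:7], path, _git(repo, "cat-file", "-p", sha).decode(errors="replace")


def scan_git_history(repo):
    return scan_blobs(iter_history_blobs(repo))


# Constructed stand-in for a repository history (fake commits and fake keys).
SAMPLE_HISTORY = [
    ("a1b2c3d", "deploy/id_rsa",
     "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n"
     "-----END OPENSSH PRIVATE KEY-----\n"),
    ("a1b2c3d", "config/sa.json",
     '{\n  "type": "service_account",\n  "project_id": "example-project",\n'
     '  "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIE\\n-----END PRIVATE KEY-----\\n"\n}\n'),
    ("f00ba77", "app/settings.py",
     'DEBUG = False\nGOOGLE_API_KEY = "AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6R"\n'),
    ("f00ba77", "README.md", "# finance app\n"),
]

if __name__ == "__main__":
    import sys
    results = scan_git_history(sys.argv[1]) if len(sys.argv) > 1 else scan_blobs(SAMPLE_HISTORY)
    for commit, path, name, line in results:
        print(f"{commit} {path}:{line} {name}")
```

Pattern hits are a starting point, not a verdict: confirm a finding by checking whether the credential still works, and treat any key that was ever pushed to a shared remote as compromised, since the earlier slide's numbers show how quickly public repositories are scraped. Remediation is rotation, not a history rewrite alone.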

33 of 34

Future work

  • Additional levels
  • Additional play modes
  • Additional CTFs
  • Continued use in courses

34 of 34

Questions?

Code walkthrough?