
Define & Implement Engodo use cases #1

Open
4 of 12 tasks
luisrx7 opened this issue Aug 7, 2024 · 0 comments
Labels
help wanted Extra attention is needed kind/roadmap Categorizes issue or PR as related to NOS planned cloud roadmap.

Comments

@luisrx7
Copy link
Contributor

luisrx7 commented Aug 7, 2024

Description

We need to define which use cases will be covered by Engodo and how they will be implemented, following the reference provided in the AWS blog post on detecting suspicious activity.

Each of us will be responsible for implementing each use case on the cloud provider they are most familiar with. (of course, we can help each other)

@falmeida93 AWS
@luisrx7 GCP
@jpantao Azure

@pfilourenco will review the implementation of each use case and provide feedback on how to improve it.

Use Cases

| Use Case | Resource Type | Description |
|---|---|---|
| 1. Unauthorized Bucket Access | S3 (AWS), Cloud Storage (GCP), Blob Storage (Azure) | Detect when someone attempts to access a bucket they shouldn't have access to. |
| 2. Malicious Assume Role | IAM | Identify and detect who's trying to assume a role/Service account that doesn't need to be assumed |
| 3. Unauthorized Secret Store Access | Secrets Manager (AWS), Secret Manager (GCP), Key Vault (Azure) | Flag attempts to access dummy secrets that should never be accessed. |

Implementation

Use Case 1: Unauthorized Bucket Access

AWS

needs review from @falmeida93 and @pfilourenco

  1. create a private bucket with a decoy file in it that can be accessed by anyone in the Organization
  2. Use EventBridge to monitor the bucket access and trigger a Lambda function that will create a Security Hub finding "Possible Storage Enumeration Attempt" if someone accesses the bucket/file.

GCP

  1. create a private bucket with a few decoy files in it that can be accessed by anyone in the Organization
  2. Use a logs sink filter to monitor the bucket access and push the logs to a Pub/Sub topic

Azure

needs review from @jpantao and @pfilourenco

  1. create a private container with a decoy file in it that can be accessed by anyone in the Organization
  2. Use Azure Monitor to monitor the container access and trigger an Azure Function that will create a Security Center finding "Possible Storage Enumeration Attempt" if the container/file is accessed by someone.

Use Case 2: Malicious Assume a Service Account

AWS

needs review from @falmeida93 and @pfilourenco

  1. Create a role that anyone in the Organization can assume
  2. Use EventBridge to monitor the role assumption and trigger a Lambda function that will create a Security Hub finding "Possible IAM Enumeration" if the role is assumed by someone.

GCP

  1. Create role with low permissions, create a service account and assign the role to the service account
  2. Use a logs sink filter to monitor the Service Account assumption and push the logs to a Pub/Sub topic

Azure

needs review from @jpantao and @pfilourenco

  1. Create a role that anyone in the Organization can assume
  2. Use Azure Monitor to monitor the role assumption and trigger an Azure Function to create a Security Center finding "Possible IAM Enumeration" if someone assumes the role.

Use Case 3: Unauthorized Secret Store Access

AWS

needs review from @falmeida93 and @pfilourenco

  1. Create a secret that anyone in the Organization can access
  2. Use EventBridge to monitor the secret access and trigger a Lambda function to create a Security Hub finding "Possible Secret Enumeration Attempt" if someone accesses the secret.

GCP

  1. Create a secret and a secret version that anyone in the Organization can access
  2. Use a logs sink filter to monitor the secret access and push the logs to a Pub/Sub topic

Azure

needs review from @jpantao and @pfilourenco

  1. Create a secret that anyone in the Organization can access
  2. Use Azure Monitor to monitor the secret access and trigger an Azure Function to create a Security Center finding "Possible Secret Enumeration Attempt" if someone accesses the secret.

DoD

Research and Development

AWS

  • [AWS] Use Case 1: Unauthorized Bucket Access
  • [AWS] Use Case 2: Malicious Assume Role
  • [AWS] Use Case 3: Unauthorized Secret Store Access

GCP

Azure

  • [Azure] Use Case 1: Unauthorized Bucket Access
  • [Azure] Use Case 2: Malicious Assume Role
  • [Azure] Use Case 3: Unauthorized Secret Store Access

Implementation
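The AWS flow described for all three use cases (EventBridge delivers a CloudTrail event, a Lambda function turns a decoy access into a Security Hub finding) as an added example; this is not Engodo's code. The decoy bucket name, role ARN, secret name and the account id are constructed placeholders, and the mapping from service to the CloudTrail request parameter that names the resource is an assumption you should check against your own events.

```python
import uuid
from datetime import datetime, timezone

# Hypothetical decoys: per service, the request parameter naming the resource and the finding title.
DECOYS = {
    "s3.amazonaws.com": ("bucketName", {
        "engodo-decoy-bucket": "Possible Storage Enumeration Attempt"}),
    "sts.amazonaws.com": ("roleArn", {
        "arn:aws:iam::111122223333:role/engodo-decoy": "Possible IAM Enumeration"}),
    "secretsmanager.amazonaws.com": ("secretId", {
        "engodo/decoy-secret": "Possible Secret Enumeration Attempt"}),
}

def match_decoy(detail):
    """Return (resource, title) if the API call hit a decoy resource, else None."""
    param, titles = DECOYS.get(detail.get("eventSource"), (None, {}))
    resource = (detail.get("requestParameters") or {}).get(param)
    title = titles.get(resource)
    return (resource, title) if title else None

def build_finding(event):
    """Build an ASFF finding dict from an EventBridge CloudTrail event, or None."""
    detail = event["detail"]
    hit = match_decoy(detail)
    if hit is None:
        return None
    resource, title = hit
    account, region = event["account"], event["region"]
    now = datetime.now(timezone.utc).isoformat()
    actor = detail.get("userIdentity", {}).get("arn", "unknown")
    return {
        "SchemaVersion": "2018-10-08",
        "Id": f"engodo/{detail.get('eventID', uuid.uuid4())}",  # CloudTrail eventID dedups retries
        "ProductArn": f"arn:aws:securityhub:{region}:{account}:product/{account}/default",
        "GeneratorId": "engodo-decoy-monitor",
        "AwsAccountId": account,
        "Types": ["TTPs/Discovery"],
        "CreatedAt": now, "UpdatedAt": now,
        "Severity": {"Label": "HIGH"},
        "Title": title,
        "Description": f"{actor} called {detail['eventName']} on decoy {resource}",
        "Resources": [{"Type": "Other", "Id": resource, "Region": region}],
    }

def lambda_handler(event, context):
    finding = build_finding(event)
    if finding:
        import boto3  # present in the Lambda runtime; not needed to run the logic offline
        boto3.client("securityhub").batch_import_findings(Findings=[finding])
    return finding
```

For S3 object reads to reach EventBridge this way, CloudTrail data events must be enabled on the decoy bucket; the `build_finding` function can be exercised locally with a hand-built event before any of that is deployed.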

@luisrx7 luisrx7 added the help wanted Extra attention is needed label Aug 7, 2024
@luisrx7 luisrx7 changed the title Define Engodo use cases Define & Implement Engodo use cases Aug 26, 2024
@jpantao jpantao added the kind/roadmap Categorizes issue or PR as related to NOS planned cloud roadmap. label Sep 4, 2024