View Show Notes and Transcript

Episode Description

What We Discuss with Brad Richardson:

  • 00:00 Introduction
  • 10:40 Red Teaming OnPrem vs GCP
  • 15:25 How misconfigs + vulnerabilities differ in cloud?
  • 17:15 How to establish initial foothold of your GCP environment
  • 27:03 Does the red team get caught by blue team?
  • 30:49 What to look for after gaining access
  • 39:13 Complexities in GCP Structure
  • 41:50 Entry points into GCP
  • 45:11 Best Practices GCP Security
  • 49:35 Leveraging GCP Provided Security Services
  • 52:36 External tools to consider when securing GCP environment
  • 57:09 How to become a Red Teamer in Cloud
  • 1:03:18 What do companies learn from Red Teams?

THANKS, Brad Richardson!

If you enjoyed this session with Brad Richardson, let him know by clicking on the link below and sending him a quick shout out at Twitter:

Click here to thank Brad Richardson at Twitter!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

  • Tools & services, discussed during the Interview

Ashish Rajan: hey, 


Brad Richardson: I’m doing good. How 


Ashish Rajan: are you? Good. Thanks for coming in. And I really appreciate you kind of sharing the stage and basically helping us break into the cloud. Or some, maybe some people might call it even that team in Cloud . 


So, maybe a great base to start is what’s your path into cyber security? So few folks have a bit more idea about yourself. 


Brad Richardson: Yeah. So where I would say I got my start or maybe my interest was back in the days of bulletin board services. 


PBS’s and I was a teenager. Yeah. I love the fact that you could chat with people. You could play online games, you’re basically connected, right? You could download files to share information that networking, that connectedness, I just love it. So I ran a BBS for a couple years and a few years later, post teenager, I was actually , getting my first tech jobs. 


I ended up working at internet server service providers ISP for a couple of years, and it was kind of a continuation. So, , helping people get dialed up maintaining that type of equipment servers, [00:01:00] file servers, email, web servers e-commerce was a natural transition from the BVS world. 


And so that’s kind of where I got my texts. And then for cyber security, few years later, I was working as Unix, admin and Linux admin. It’s working in a federal agency at their national computer center and great job loved it. During that time I wrote some scripts that would help, automate and baseline the security, basically the baseline, the standard configuration, for those Linux and Unix systems, the security manager working there. 


I was not on his team, but this was kind of a, for CIS benchmarks had automated to the well they had, and these were very custom and he paid me back in 2005, by having me join his team, there was an opening that opening was in vulnerability management. So a lot of scanning and. From, , taking that and helping his team, he sort of paid it forward. 


I got my start. I was assessing servers and doing those assessments and [00:02:00] working with teams to remediate security weaknesses, there was a lot of continuous monitoring in that day and over time that would two pen tests and eventually red teaming. And so, , I got to do all those secondary jobs that were security related. 


So, , I was at one point reviewing firewall rules. So getting a really good understanding of TCP, UDP, , interactive log in SSA RDP, 84 43, what was secure, insecure, Telnet even back in those days. 


Ashish Rajan: Well, that’s pretty cool now. 


Brad Richardson: Oh, yeah. Yeah. And , there were all those debates at that time about why an open port is good or why it’s bad, what’s behind it. 


Why is telling that bad? We need encryption. And so that natural evolution, I just kind of road. And over that time, I’ve worked with people that they decided for whatever reason they wanted to go into risk assessment, or maybe , they wanted to be on the defensive side, working in incident response, or maybe they just, , decided they want to be an it and say enough with security. 


For me, I always enjoyed looking behind what [00:03:00] was, , around the corner or behind the door. And what really drove me more and more and deeper and , deeper in why I’m in red teaming today is in those early days I saw. Attackers were successful, right? No matter how much, companies and the government they were spending, attackers were successful. 


And, , you had baselines, you had all these very refined, configurations it hardened networks and hardened systems. And, , so it didn’t seem to be a money issue and it didn’t seem to necessarily be a resourcing issue. And maturity was there and you had things like continuous monitoring and you had new standards and there were, are all these hardening guides by national security agency, et cetera, and attackers feel successful. 


So I really wanted to understand where those gaps were and see why it is. That breaches were still happening, dwell time, , still in hundreds of days. And that’s really what has driven me ever since. And I’m still on that journey trying to figure out how [00:04:00] do we help companies and how do we help the good guys, get more value out of , that tool that they just paid a million dollars for or whatever it might be and have more effective security and drive down that dwell time and make it much more costly or for attackers 


Ashish Rajan: thats pretty cool man, I think. 


And the fact that you’ve come from such a interesting background into red teaming as well. It’s pretty awesome as well because its probably the best segway into my next question, it’s going to be the topic today is red team in Google cloud. And I’m just curious about how the red teaming say on a traditional on-premise environment, is that quite different than what you would do in Google cloud? 


Brad Richardson: Hmm. So that’s a great question. , I would say when you compare traditional on premise versus cloud, they’re quite similar in my opinion. And others could potentially disagree. Everything I share is really just my opinion from what I’ve seen here. Companies may disagree. 


Certainly people in my own company could disagree. These are just my personal views. But I think it is very similar. I think some things have [00:05:00] changed but most of what is out there, still applies. So red teaming, right? The red team is still playing the opposing force and that hasn’t changed. 


Red team is still playing the devil’s advocate to the attacker. We’re still testing prevention. We’re still testing detective. And we’re still testing response and all of those security controls that the organization has put time and money into, putting in place. But again, what hasn’t changed is attackers are still going to take their best practices, whether it’s on cloud or on-premise and attackers, they’re still going to do initial access, right? 


They’re still going to do reconnaissance persistence, probably establishing C2, even if it’s a, , a cloud network versus an on-prem network data, exfiltration still is probably gonna happen. Whatever industry they’re targeting, it could be health records, , it could be financial, it could be intellectual property that doesn’t really change either. 


The attack phases, still apply. So, , attacker going to go through OSN without the organization. I would say that things have potentially [00:06:00] become. As companies have moved towards cloud and SAS what used to be buried behind castle walls is now more public. And I would probably go even as far to say that when you think about in terms of public, a little bread is in here is it’s probably easier as an attacker to target that company. 


That’s using a SAAS software or cloud networks, than it even is for other types of public data. So your voter registration information, right. That’s kind of public data. If you want to, you can fill out some forms, paste them up. And a few weeks later counties in most states will know you that voter registration information that’s considered public. 


Right. But an attacker can now go out and they can go to LinkedIn because part of the phone company or phone records, or, or what used to be in the gal, is now, , partially out in the cloud, right. Requires paying nothing, filling out no forms, your identity service providers in most cases, not mentioning names, but it puts that company [00:07:00] name in front of that identity management portal. 


And you can very quickly as a, the red team or the attacker determine what that company is using. You don’t need to fill out any forms, pay any money to request any data. Those things, , have made it a lot easier. It used to be with on-premise networks to do a password spray. You might look at the email portal, that’s exposed from the DNC, right, right. 


You might hit that company’s VPN, to do a password spray after you did like some reconnaissance from doing a DNS transfer. If that was a possible zone transfer vulnerability, or if you there are different ways you could do it, but today you can go out to DNS dumpster, you can go out to show down, you can quickly learn, , where those networks are. 


Sjodin has done the port scans for you, and because it’s in public cloud you can quickly as a red team or as an attacker, understand where the footprint has moved to and then, , go on to that next attack phase. So I think the best practice is still there. The doors have moved around a little bit. 


The locks moved around a little bit. [00:08:00] But it’s still very similar, in my. 


Ashish Rajan: Awesome. Great answer as well. So I’ve got a question here from Adrian on our YouTube stream. Do the misconfigs or vulnerability that gets you into a private data center differ from those that you get in the cloud environment 


Brad Richardson: a little bit different, I would say. 


But exactly the same in terms of misconfiguration misconfiguration in implementation, tends to be my bread and butter, , getting that initial foothold you still have to do. And , it could have been like in a private data center, maybe what got exposed was an FTP server, an exchange server, maybe it was even like IP telephony. 


And that was, , your initial foothold, something obscure or could have been a public facing web server with cloud that attack surface moves around the world. But what? You seem like a, I think in the capital one attack happened a couple of years ago. You had still a web server. 


I think it was an SSRF vulnerability. The back end changed a little bit, but that vulnerability and the nature of it didn’t the web server, even though it was in cloud [00:09:00] didn’t I think that was occurred in AWS. And the attacker was able to read information out of buckets , that server, , have permissions to obviously, there’s still a lot of overlap in similarity. 


Ashish Rajan: Yep. Perfect. I love the question from Adrian also, because this is a good segway into my next question, which is the initial foot hold that you were talking about in the Google cloud space from a red teaming perspective. 


You mentioned misconfigure is your bread and butter as well. So I’m curious, what are some of the common, low hanging fruits or common techniques that you see for people to get an initial foothold into the Google cloud environment? 


Brad Richardson: So on a pen test, I think that you’re probably focusing, especially on misconfigured or the exploitable web application. 


Maybe you again, find that SSRF vulnerability That can be used to perform a curl against the metadata server, potentially dump environment variables that still works, whether it’s cloud or on-premise web server as well. Maybe you want to read from the GCs buckets maybe you have access to write code to storage and do something like a code [00:10:00] injection attack. 


I’m definitely going to be scanning those public areas, whether it’s pen test or red team, I’m going to look in other repos like Github, looking for keys, , it happens more times than not that accidentally developers will post code to. Public health forums. And the key is in there, right? 


That, that still happens. I will look for, for those things other secrets that may get put in there, even if they go back and delete that later, somebody finds, it says, Hey, you left your, AWS or a service account. Key out there could be any cloud. I’ll go back and look at the commit history. 


If that’s not deleted again, attacker can also use that potentially to, leverage that as initial foothold and would it being cloud, remember again, the firewalls , get a bad reputation as being like a, a legacy type technology. But the cloud makes it much easier. Once you get, , a long live, account token or a service account, you have. 


, a long, lift persistence and access, whatever I am permissions that a [00:11:00] service account has, the attacker, , gets to enjoy. But shifting gears a little bit towards red teaming, , where it’s not just focused on a very specific piece of technology, but you’ve also got in red teaming, , I’m looking to assess people process and the technology of it. 


So just like with on-premise in traditional types of assessments and you’re going to hear me kind of go back and forth to that over and over, because I really believe, things haven’t changed that much. Password sprays are still beautiful. Once you find those. , web portals, those web science, the sign into your cloud environment, your Google sign in, that’s publicly exposed from anywhere in the world and like password sprays are really effective. 


So for anyone that may not be familiar with password sprays, works just like with on-prem. You’re going to take a list that you’ve gathered during reconnaissance and that open-source intelligence gathering, put that list together, and you’re going to take the same password, whether it be like , company name or season or [00:12:00] year bang 1, 2, 3, and you’re gonna just use there are a lot of tools out there that will help automate this. 


And it’s just going to play that credential and go to the next name, same password. Go to the next name and iterate over all. Employees or accounts that you have, and it’s only doing one password per account. So the chance that you’re going to lock anything out or raise awareness to, your defenders is very low, that anybody’s going to notice this, so cloud or on premise, this is very effective. 


, it used to happen a lot against active directory. Now that’s shifted where you store files. Doesn’t even have to be like GCP. But I think that’s very effective. Phishing is still very effective. So, phishing attacks, are they still work and using tools like evil gen X, is one way like, , if a company’s using a SAAS based identity, provider, then you can set up a man in the middle attack, send a convincing phishing email to. 


Your target list. Maybe you want to, [00:13:00] because you’re trying to get into cloud, make it so that you focus more on developers or cloud admins, whoever you think that based on their title, is more likely to have that access to, GCP or the cloud environment. And evil gen X is a really super cool tool. 


Open-source out on the internet for red teamers, pen testers in a sense of a middle man in the middle attack, it supports multiple identity providers. And essentially what it will do is it helps the attacker hijack that identity session. Potentially bypass MFA if that’s enabled and gain access to the cloud console or, behind that identity that you providers, , page with all the other applications. 


A lot of them, , these days are SAAS , so it’s not just getting access to the cloud. But there’s other ways of doing additional reconnaissance for the applications you get access to it’s really enables the attacker in some way. 


Ashish Rajan: Yeah. its actually interesting cause. I’m glad you mentioned those as well, especially because of, I guess coming, asking a question, like, what are some of the initial foothold way or ways of [00:14:00] getting initial foothold in a Google Cloud environment? 


It’s easy for everyone to kind of keep focusing on the things that may be exposed from the cloud provider, but as users, we really haven’t evolved. We’re still the same users that we used to. We still probably use I guess sales, same password everywhere, phishing , a too common. I wonder being in the Google cloud. 


I remember these phishing attacks that used to almost take over people’s Gmail accounts and because Gmail, Google workspace, or if they want to use our workspace is almost linked with Google cloud. If I can access to someone’s Gmail or which would be a work team because they have a business service, as well as just Google workspace. 


If I get access to someone’s Google workspace, does that automatically give me access to like their cloud as well as a basic user? Maybe not as a service account user, is that happening as well? 


Brad Richardson: It doesn’t necessarily give you access. But again overly permissive rights convenience I often say is the enemy of security. 


And so it, it shouldn’t by default. But it certainly can. And [00:15:00] depending on the account you get, again, if you get into the email of say a cloud admin or an organizational admin in GCP, even just a project owner, then it’s very likely that you did get access to both email and GCP. It really depends on the user that you compromise, but , if you gave me a choice and you said, on a red team operation, you can have access to their email to start with, or you can have access to their. 


I might take email because that is just such a juicy, valuable target, people store everything. And again, back to SAAS if I’ve got access to Gmail, I probably got access to Google drive and who knows what Prudential’s service account keys, how to do this, how to do that, how this operates. It saves me a lot of time as , as a simulated attack or, 


Ashish Rajan: yeah, I mean, I guess so I guess so the reason I asked that question as well in the traditional private data center or on-premise environment, the, I guess the quote unquote, Hey, you [00:16:00] got pawned. 


We used to be, you’ve got access to someone’s domain. So I’m assuming email these days is that domain admin in a cloud space as well, sometimes where you show your point, you get access to so many other things, but also it’s not just an email. What’s it equal. And then the Google cloud space, I guess, for something like that, when you lo oh, I have control, I guess for what’s that moment of Iowa. 


This is point, 


Brad Richardson: I would say organizational admin, organizational IAM admin the workspace itself in the designated admins, is definitely nice to have, depending on the objectives of the simulation, the red team simulation, It could be more valuable, but in terms of GCP and the cloud, and just accomplishing the objectives in the cloud for your test, organizational IAM admin is pretty much like domain admin or enterprise admin in the world. 


Ashish Rajan: Actually. That’s interesting. So ive got a question here from Adrian as well how often do you get caught by blue team? Is it possible to be super noisy or end go unnoticed [00:17:00] or a blue team are getting better at detecting attacks, especially in public cloud. 


And there’s a follow-up question to that. Do you ever get busted by honey tokens , like fake cloud keys designed to sound an alarm if used? 


Brad Richardson: Well, I really liked that, so Hmm. Probably detection got really good. With companies and on-premise networks, definitely the tools evolved and just as they got, a lot of content built in out of the box that helped catch attackers. 


And I think that companies started to get a hold on that, everything started shifting to the cloud and it was, , a potentially as a setback. And that’s where red team, , really helps inform the defenders to the point of the question is it just depends. You have to look at, who you think as a company will target you. 


Red team really helps with playing out those, tactics, techniques and procedures used commonly by those, attackers. And you have to help the defendant. Learn what those attacks look like, so they can build [00:18:00] better defenses for detecting red team. Generally speaking, I think it’s an evolution for every company, the tools help. 


But a lot of it requires custom, detections to be built and focused because it takes time. This is really where red team is valuable. But where do you get caught somethings you still get caught immediately. Other things is very hard for the blue team, to detect it, even if it’s noisy, because for example, GCP has great logging, but if those logs aren’t being ingested, into your Sim where it would like in traditional on-premise network, you might have the logs, but you don’t really have the visibility and you don’t have the detection. 


So you can be about as noisy as you want as an attacker. And unless you cause an outage somehow, you’re probably going to be unnoticed it’s just a general statement of where I think cloud environments have to defenders just have to, catch up, beyond that, it really depends on the [00:19:00] TTP being used, the tools being used by the attacker. 


Ashish Rajan: Awesome, great answer. And hopefully the answer, your question as well, but I’m curious now, so. It definitely feels like similar opportunities in the private data center exists in the Google cloud space. 


I guess we never really evolved as humans. , we may have better technology, but to your point about the initial foothold, what are some of the things that you look for, I guess maybe to assist or lateral movement, or I guess maybe one of the things I’ve, I’ve actually probably worthwhile calling out because a lot of the folks who are listening in may be new to red teaming, but may also be people who may have done the thing for a while. 


So kind of finding a balance between them, where once you’re in, what’s your next thinking there and where do you take it from there? I guess you can take it from a methodology perspective or you can take it however you feel would be understandable by people, I guess who maybe on that balance of done some red teaming, but don’t know where I am. 


So what’s your thinking around that? Once you’re in a Google. 


Brad Richardson: So once I get in it’s similar to, if he landed [00:20:00] on a, user workstation in traditional network, I still need to get situational awareness. So I want to understand, what’s the maybe perhaps the compute instance that I have access to, where it is in terms of what project am I am. 


What role do I have would that initial foothold, in cases where, , you want to quickly answer that question, you can query the metadata server. This is not GCP specific, but it’s certainly there, it’s just a feature and a function that Salud operates. And that will come back with like the project name, , potentially where you’re coming from, depending on how you got access. 


It’ll tell you, computers since information. Similar to what you see with dumping out environment variables and any like Linux resource. So that gives me a little bit of basis of where I am to orient me to the cloud. From there I’m going to use something like a G cloud, which is going to be built into all your computers since is going to be installed. 


This is like think PowerShell in terms of very [00:21:00] powerful CLI resource. It’s going to be installed. It’s going to be available. And from there you can begin querying to see what permissions you have, what access you obviously have, what’s around you and where you want to go next. So for me, I want to understand what permissions I have do I need to look at how to escalate those privileges immediately. 


Maybe that can wait, but that always comes in, Once I understand my permissions, I can kind of tally that up. See what I have, see what I don’t have. I have an idea of what I’m going to need to begin lateral movement, more times than not, I probably have the permissions I want. So I’m going to look at how to establish some persistence, things happen if I were to get kicked out. 


Can I come back? When you work at those permissions, for example, if you’re on a compute instance, do I have access to look at the, the compute instance metadata? I should probably be able to, persistence. One of the things that I like to do is kind of living off the land, but in the cloud, living off the cloud, I will take those G-Cloud CLR [00:22:00] commands, just like, , you become familiar with PowerShell, dos and Linux. 


One of my favorite things. If I have the permissions, I will try to install my SSH key, a public key in the compute instance, metadata, to escalate my privilege level and also persistence if I can. And again, all I need is G cloud, which is built in and the right permissions. I can put my key there, if I can do it at the project level. 


And, if you’re not familiar in basically in GCP, in terms of hierarchy, you have all your compute resources. So you think about your GCs buckets, your compute instances, which are really just virtual machines, , whatever it is your cloud functions, your cloud build all those resources tie into a project from there. 


It ties up into. Could be they’re known as folders are kind of like many organizations. And then at the top level you have the organization and you may be wanting to persist and laterally move. But again, if I can install my key on a project level, metadata, or put my keys in there, then I not only have access [00:23:00] to the instance. 


But I have access to every instance in that project at that point. And I have access SSH access to every new resource that gets built out for compute instance. So it’s not only persistence that I like out of that, but it’s also lateral movement in terms of tools. These days I had the privilege to work on a tool called GCP hound which was the brain child of a good friend of mine, a fantastic OPSEC researcher by the name of Moto bot. 


He was the the originator at GCP hound. I got to work on the persistence in some other modules. And so these are, these are things that I just enjoy living off the cloud with. Now, if it’s a windows resource, , may have to do something slightly different than put my SSH keys in the commute and since meditator or the project level metadata. 


But again, G cloud is your friend, and using that CLI there is a there’s a documented, admin function. So if you’re in an environment where there are windows instances, you can use a do cloud command that will reset the windows password. [00:24:00] Assuming you have the rightIAM permissions. It will not only give you the password or reset the password. 


If that account doesn’t exist, it’ll create it for you. And back to the question about stealth with, with your defenders, this is kind of back point like functionality. So it’s a compute instance, but where you think about traditional on-prem kind of attacks where I might use a net user. I had command to add and , an account for persistence on a host, not so easy to detect in this case. 


So I can use that G-Cloud command reset that password. If the account doesn’t exist, Google will go ahead and create that account for me and give me the password. And one of the great thing is it drops it in the local administrators group on that compute instance. So I got admin over there. It doesn’t have to always be about linux, even though it tends to be, a lot of Linux in the, in the cloud. 


So there’s some very initial, early onsets methodology that I will do to live off the cloud. You’re not [00:25:00] really, , abusing some vulnerability per se, but you’re looking at those IAM permissions that might be overly permissive. Default permissions, that will get you in. Those are the things in your assessment that you want to call out. 


Ashish Rajan: I love the fact that it’s really creative in those possible for you. If you’re, if you don’t, it’s like, boy, I mean, this is kind of where , the feature is your probably your backdoor into the system as well. And I appreciate you sharing the different, I, by the way, I definitely recommend people check out GSP hound tool by month. 


I think it’s pretty good. Do you guys did a presentation on this as well on LinkedIn, in the show notes when we’re done as well? So to your point then, if there are so many ways to kind of. Persists ourselves in Google cloud. If, if I just take a step back and some people who may be listening to this from an AWS context and going, I don’t know what these words are. 


Some of them may sense. Some of them didn’t make sense. You spoke about project is focused organization. So in terms of I guess people who may be from a traditional networking background who would see a network you’re going for a domain [00:26:00] controller. So I’m but these are, I imagine these are like different layers of domain controller in a Google cloud space where you have, you may be slightly stuck on here, but you may service somewhere else as well. 


So what are some of the complex scenarios that you had to kind of have you may have seen in the GCP space, out of curiosity where the whole project organization, and maybe if you can start with what these are a quick, like a one-liner if you want, and then keen to know what kind of structures you’ve seen. 


And if yeah, I’ll start with that. 


Brad Richardson: Yeah. So the organization down to the project down to the compute resources or storage buckets, , server was code that kind of thing. That hierarchy you’re basically compromising in working upward. Once you compromise that compute instance with that initial foothold or whatever it might be, get that that server was code to give you a service account key or, or some kind of token that will get you to the next step. 


You want to compromise the project, that will basically give you the domain in the active directory world, at least all the resources , in that project. [00:27:00] So now, , you can use those cloud resources, Pillage them, do additional reconnaissance dump out OSTP environment variables, look at service account keys that, admins have, , accidentally left on hosts, and just continue to snowball your access. 


But that’s kind of the hierarchy you’re working from whatever compute resources up to compromising the project and then moving laterally potentially to other projects. And usually when you get high enough up in the IAM permissions chain in GCP hound will help you enumerate those IAM permissions in the groups and the members of those groups, kind of like when you think of active directory and what bloodhound does for you, GCP hound will also help you in the GCP world to make sense in dry out that path. 


And save that time and move fast as the attacker so that you move project to project up all the way, even potentially to, again, org I am admin role. She 


Ashish Rajan: has interesting. So to your point lateral movement could be between different projects, different [00:28:00] folders, different organizations, as well from an environment perspective where there are services, which are provided by GCP. 


We can’t touch on the whole Google workspace and all the other services that may exist within the Google Cloud directly do you find sometimes they are entry points as well? Like we spoke about compute here, which is kind of like your virtual server. Are there other non-computer kind of entry points as well, or persistence points as well that you’ve seen as you’ve been able to use in the past? 


Or are they Vulnerable? I have maybe a question. 


Brad Richardson: So there are definitely other entry points into the various GCP resources. They tend to be from what I’ve seen, implementation or misconfigurations that attack surface still gets exposed. Just like if it were a, an on-prem service, it could be microservices. 


So example , if you’re setting up your own Kubernetes clusters, you’re running containers, you can do all of that in GCP. Just like any other provider or, , private data center. It’s [00:29:00] not really a vulnerability per se in Google. But for example, if you leave the Kubernetes dashboard, expose. 


That is an entry point into that entire environment. If you expose a vulnerable, a microservice, a container running, not Google’s fault, but it is an entry point. If your code, , and if you’re not familiar with like the four CS of native cloud security, here’s where it plays out. You have to for example, take into account the code. 


So if everything else is perfectly secure and logged down, but , you go back to the code code that has a vulnerable. Yeah, that is leveraged to the attacker, if it’s expensive. Yes, absolutely. It’s not just compute instances, although I love, the privilege, escalation, the foothold and exploitation, that compute instances, all of those services, are potentially entry points in Google, has so much documentation out there is so feature rich. 


There’s a lot of places where accidents and misconfigurations can [00:30:00] happen. And in your assessments, you want to be working through that as much as you can finding those gaps in shoring them up as defenders. 


Ashish Rajan: Okay. If, once you have the entry point and there may be misconfiguration on managed services as well, so if misconfiguration seems to be a common theme , and then it seems like it’s straightforward, kind of has some kind of, some form of persistence as well. What do you kind of, if you’re going to flip the script a bit and for people who may be on the blue team, listening to this as well, going okay. 


What do you recommend for some of the common best practices that people could use to, say not have the low hanging fruit expose? Cause I think the whole kubernetes thing reminded me of the Tesla hack that an appetite for data breach that happened as well. Kubernetes platform was the management platform there from the internet again, GKE. 


So it does happen. So I’m curious, what can people do to maybe prevent this from happening? And I I’m sure anyone who’s trying to be a red team. I would appreciate that they can share the good things as well, or to stop, red teams from getting in. So what are some of [00:31:00] the things we can look up. 


Brad Richardson: So probably first and foremost, that I would say is if you don’t have some type of two factor authentication turned on for your cloud console also for, , your CLI access, that would be number one. 


Any control can eventually be bypassed, but MFA has so much value in slowing down the attacker. , I mentioned password sprays are one of my favorite, adding that second factor increases a difficulty so much. So having MFA enabled enable it everywhere you can. Google supports Two factor authentication or multi-factor authentication on your compute instances? 


There’s not that much, really has to be enabled to very straightforward applying it. They’re applying as the console, making sure the CLI requires it as well. That is one thing, from also , your key management. So we talked about some, , what are some other places to secure other services in the cloud? 


Looking at your key management again, GCP is very feature rich. You have key management, [00:32:00] everything is on the back end, typically encrypted by default, but how are you managing those keys who has access to those keys? What roles and permissions, is that locked down because if it’s encrypted, but the attacker finds a service account, it can read storage and they can read keys. 


And , in Google if you can get access to KMS, you can get, what’s known as the, the ke ke, which will decrypt the decrypting key, which will decrypt the data in red team operations. It’s usually about getting the data, getting the data out, not that hard to get the data out, usually, for companies , facing an attacker attackers. 


Typically when. But, defending that area, knowing your environment, knowing who has access to the keys, the keys are there, how often are they rotated? Are you backing those up? Just basically really understanding how you’re storing the keys because the keys unlock the data. So I think that’s very important. 


And then again, back to logging, logging and GCP is [00:33:00] really, really good, but are you getting the logs? Is your SIM or whatever your solution is it at your company? Ingesting those logs so that defenders can, use that out of the box content, build custom detection content, and also be able to respond effectively if all those other things are in place. 


So I think those are three big things. Certainly. You want to go through all your IAM permissions because tools like GCP hound will, and you want to understand who has the power? Do they have too much power really like that down then? Of course, the last thing I would say is also do that due diligence, looking your, your firewall. 


They can be, overly open exposing things you don’t expect to be open. And just because it’s cloud, don’t assume that everything is being taken care of by the cloud provider. It’s not necessarily a fault. But things turned on when you set up your projects may provide more access than you really want out there. 


That’s another good defense and protection that should be in place. 


Ashish Rajan: And that’s through a lot. We really good [00:34:00] gems as well, but I’m curious are these things that can, cause I imagine being a Google cloud kind of environment or a cloud environment, general people may start small, but ultimately become really big organizations. 


Right. Are there kind of similar to AWS or some of the other cloud providers? Tools provided by Google Cloud for security, which people can leverage, like listening to what, on Twitter space and YouTube and everywhere else, we’re listening into this. Where can they I guess, would they be able to use some of the Google provided services for this? 


Brad Richardson: Yeah, yeah, absolutely. Yeah. I would highly encourage, security teams to, look at what’s available. There’s no shortage of tools that will help , defenders do things like you traditionally would say, you want to see like, network connections, right. And where things talking, you want to be able to see like , exploits potentially being leveraged against your network malware, could be ransomware even trying to laterally move. 


Different devices or across different networks, because of the hierarchy and the segmentation, generally, , that, to me, wouldn’t be [00:35:00] as much of concern say for ransomware, but , if the attacker is creative, they have GCs permissions to put anything malicious or ransomware into one of those buckets, everything consuming it from humans down to compute instances could potentially, ingest that code and it could be a price to pay there. 


But yeah, there are third-party. For GCP and GCP also has for example, beyond Corp, I would definitely recommend it may not be for, , all teams and all companies, but look into what that provides because that kind of takes, , your, your firewall and, puts it on steroids. 


It’s not really like a firewall, but if if you’re definitely looking into the benefits of like zero trust, checkout beyond Corp, it’s still an evolving product and offering from Google. But definitely something that every defender should be aware of. And in architects, working in GCP, 


Ashish Rajan: it’s funny, you’re the fourth person that’s told me about BeyondCorp in this month. 


Cause we’ve been running the Google cloud month, this entire month. And everyone that I’ve spoken to about Google cloud [00:36:00] security. And he’s, every time I spoke with the blue side, they all mentioned beyond Corp. And I’m like, what is this thing? So I definitely feel, I need to bring someone. Just you’re going to distill that, but your point is an evolving part as well, but, there are already a lot of tools that can be used within the GCP space. 


That, that makes me happy to know this. Now, to your point with detection, we obviously had a lot of people talk about detection questions being asked our detection as well. , what sort of external tools do you feel work in this kind of space from a red teaming perspective? Like, I think I we’re looking at data like a data leakage prevention or like, what are some of the tools that people should be looking out for in their environment to pick up on some of these behaviors that you kind of mentioned where, Hey I just created like a windows account because it’s a feature in, in GCP that if you don’t have an account, I just create the account for you. 


I’m assuming, because these are two layer. I mean, a few layers deep. I don’t know what tools are Amador without acquire the CSO to secure a Google. 


Brad Richardson: So I, , as a red team or I’m biased there my , what I [00:37:00] truly believe, works is, don’t be afraid to hire that third party red team operation or company, or of course, if you have the resources in your security org staff, internal red team, and simulate those TTPs that you see, for example, in MITRE attack, you can determine in your organization where you want to start from the security perspective in terms of, where do I want to prioritize the TTPs that I want to be able to detect. 


Some of that detection may come out of. Software tools that you purchase, cots tools and implement. But ultimately, , from my perspective, I’m going to say if you want it to be able to detect and track and respond to a real attacker, simulate and emulate real threat actors, walking through those TTPs, both teams building on their best practices and putting, that activity in the logs as it’s really going to look, and you can iterate over this. 


If the first time you don’t detect [00:38:00] it, look at the activity that was left in those cloud logs, where they in the SIM, where they not get it, get it in the CIN, build that detection for. Adding account into a windows compute instance. You can detect it on premise. You should be able to detect it in the cloud environment. 


If you can’t, that’s a finding and you want to be able to detect that. So when that compute instance gets, , that new account rate in the local administrators group, about it. And so it’s kind of the same best practice there. But again, back to the red team, play out that activity, simulate that adversary simulate those attacker, tactics and make sure that you had the visibility that you have to detection and how to respond quickly, if all that plays out and the tools that might help you do that, I’m kind of agnostic. 


I’m a big fan of custom tools, shaped for what works for the team involved in the security, Oregon in the company. 


Ashish Rajan: Yep. Great answers as well. I think it’s really interesting to hear the custom tool, the option, because I always end up finding that when you’re going to go down the incident response plan [00:39:00] exercise, it is so individual to the company is this like, , you can look at the internet, come up with all the most generic scenarios possible, but out of that, maybe two or three, maybe apical for you, but the rest seems to be like so special to the company. 


Would you agree? 


Brad Richardson: Totally, totally. I would totally agree. The time that you can invest in learning what those attacker tactics look like when has played out on the network, when is put into the logs , in your SIM, the time invested in learning your environment and one attacker in your environment looks like versus. 


, going through procurement processes and doing POC. I mean, I don’t want to put it down, , or carte blanche that tools are bad or commercial tools are bad. I really don’t think that way, but I just think of so much I think so highly at the time that all your talent, putting it into learning the environment, being able to recognize that activity and respond effectively. 


It’s just so valuable. 


Ashish Rajan: I think I’ve got a question from here on the YouTube stream, which is basically to get into cloud security. Maybe if you can[00:40:00] put onto the whole red team flavor as well, which is probably a great way to kind of put this forward for people who may be listening to this and going, , Brad has inspired me. 


I’m going to try and be a red teamer in cloud as a suspect in Google cloud. What are some of the certs or education people can find online to become a red team with themselves and maybe even cloud security specifically. 


Brad Richardson: Yeah. So, , kind of back to my own personal view, I know that there are wars started over, , what certifications are best? 


Do you need any certifications at all? From my perspective, I love to see certifications at least to the level that it shows me that, , people are committed, they love this job. They love, , the learning about security and they’re going to stick around and be devoted, which certifications, I don’t know that I have a favorite one, what I would say , as a red team or you need to understand the target environment as a defender, , it’s the same way, right? 


It doesn’t matter whether it’s on premise, whether it is traditional databases for cloud database, it doesn’t matter what it’s applications network. I don’t think really any of that [00:41:00] changes as in cloud, to me, the starting points or being familiar with G cloud, the Google cloud console, or it could be any cloud console, but knowing your environment, Google has a free cloud, program and trial. 


I would recommend jumping into, , that trial, if you can do it , and using that free tier, Coursera, I think it , has multiple courses on GCP. Those, , from fundamental to more advanced services and configurations, again, back to knowing your environment, whether you’re going to be attacking it or defending it, I was probably going to be. 


As valuable as any certification. And there’s certifications that go along with a lot of those courses. And I don’t think that there’s anything wrong with that at all, but getting familiar with Google COI or, or G cloud STK GSU using the cloud console, I think that’s really invaluable. Google makes available a cheat sheet, , knowing that like, , dos or Linux commands is super powerful, no matter which side you’re on red or blue it’s it’s the basis of a lot of automation if you’re doing, sack ops [00:42:00] or dev ops, and as a red teamer, it’s living, , it’s the starting point of living off the cloud, if you’re using GCP hound, and other tools too, a lot of them like GCP hound rely on G-Cloud commands, understanding those API APIs, and it helps automate, , your cognizance, your lateral move. 


And things like decrypting buckets. So that information is really critical. So I think education along with some certifications, super powerful, it shows your devotion in it. And I think if you’re starting out, it really helps you get a foothold into the offset or even the blue side that you got to know your environment, regardless of what route you take. 


Ashish Rajan: Awesome. Yeah. And really good points over there as well, understanding your environment and send you CP if that’s where you’re trying to get in. And I love the fact that you kind of have a sort of broader perspective to this. I think that that’s pretty much what you’re, what you’re after, because I think sometimes when you are very prescriptive with, Hey, do these three things and you’ll probably get into Cloud , you can point out a, as I’m sitting up at that point in time. 


So, I’m glad you mentioned it. And I think to what you were adding [00:43:00] on with the Google certification, or just to cloud certification in generalist, Is there a with a red teaming specifically, are there specific training for red team? Like, I mean, I don’t know any specific Institute or whatever, but because I, I think it’s a different way of thinking as well. 


Like they were just beyond certification. So are there I guess there’s like this offensive security has the OSCP thing that they have, are those like more for pen testing or are they more for like what’s it called? There are red team in the other, 


Brad Richardson: Right. I’m not super familiar with the current content of OSCP , I would say that it is more pen test focused. 


A lot of those best practices there’s going to be overlap, but it’s very, , it’s obviously technology networks. Focused, whereas red team, , again, it doesn’t just focus on the technology, but also the people and the processes and how you can look for gaps in between courses that I would recommend. 


And, I think, we’ll teach you for example, how to do it in the cloud, how to do red team operations, or maybe even pen testing in the [00:44:00] cloud, as well. , whether it’s the planning or the actual execution SANS teaches a red team operations course. I think they also have. Some emulation related, , like how to plan for doing an emulation versus a simulation and red teaming. 


Just to Dell teach you that difference. The difference being, an emulation, you’re looking at the TTPs for a very specific threat actor gathered through threat intelligence, whereas a simulation, , it’s more broad in terms of T TTPs, black Hills InfoSec teaches a good or great course in how to do these, activities that we’ve talked about in the cloud, as well. 


So definitely highly recommend black Hills emphasis. Their course, it is focused completely on cloud operations and of course, SANS for, , best practices, how to do an operation, how to do an engagement that is focused very specifically on, on red team as well. So can’t say enough good things about either of those and there are others I’m sure out there. 


Oh yeah, 


Ashish Rajan: I’m sure it’s about so one last question before we kind of wrap it up from Vishwas. Hey, hello. Hey, which [00:45:00] was, so it’s asking, where does companies learn from red team engineers or some values that they would add? 


Brad Richardson: I think that , one of the top things that you get out of red team in your environment is you test assumptions. 


So, you’ve covered all the best practices. You’ve done all the things, that the handbook says that you should do to secure your environment, but how do you really know? So red team informs, how it really exists. So what, , you will find is all over the world, companies implement security controls, but , there’s this segment and they didn’t implement MFA or, , password, , those are all default, dev systems. 


Well, it’s accurate, doesn’t really care what you call it. The D they don’t care that, , a domain admin is logging into a dev system. They only care that you can dump that domain admins hash from LSS, and now use it in the production environment. So I think it informs, , your prevention, your detection response in ways that probably no other assessment can and has also really shows. 


What you can do to slow down or [00:46:00] stop the attacker if, if possible, and make the attacker pay in terms of time. So we all have to pay in time. Automation doesn’t necessarily solve that problem. So it informs you about how well your security controls are really implemented. And it also shows you how to slow down the attacker, make them pay and how to respond. 


If that attacker really finds a way into your network, don’t assume that, , your company is immune to Phishing, or a lot of other common attacks red team can test those assumptions so that you have a much clearer picture just where you see. 


Ashish Rajan: Awesome. A third grade reader kind of close that as well. 


I just, quickly on that third certification for cloud security is realize the guests that we have coming next week. He is based he’s basically got a Google Cloud security engineer, a certification course as well. So folks who may be interested in that kind of space should definitely check out the next weekend livestream and twitter space as well. 


But this has been pretty awesome then I think I I’ve taken more time than you had where can people find you Brad for follow up questions on red team and in [00:47:00] cloud, and maybe connect with you? 


Brad Richardson: So you can follow me on Twitter. My handle is Richard JB and also I blog at medium. 


So check me out there as well. I love to post things that I think will just be helpful to security researchers, offsec defensive people, in the industry. I love to just share my own information so you can find me there too. I post occasionally, tools that I will write again, back to custom tools to, GitHub 


so keep an eye out there, but we’d love to chat with anybody. Anytime. Just love to share information. 


Ashish Rajan: Awesome. And I’ll definitely put them in the show notes of the podcast as well. So when people check them out on the podcast, they can click on that link and get to connect with you as well. But again, I’m looking forward to having more Google cloud security conversation next week on Twitter space, as well as on the social medias of cloud security podcast. 


Thank you so much. But for everyone else, thank you for your time with us. And we will see you on the next episode, on the next weekend, talking more about Google cloud security, but more from certification. And what do you do to get in? [00:48:00] So thanks everyone. 


We’ll see you next weekend. Peer piece.