On Cloud
While flying through some clouds and on my way to enjoy some holidays on the other side of the globe, the thought about the current status of cloud environments is keeping me awake. “It feels like cloud security is still in its infancy!?”, “How long did it actually take to get to the current status of On-Prem AD security?”, “What’s the current status on cloud environments?”, “How long did it take to get to this state?”.
Attacks and tools for On-Prem
Let’s look at some interesting dates:
- 1993: Kerberos v5 (RFC 1510)
- 2000: First release of Active Directory (Win2K Server)
- 2011: First release of Mimikatz by Benjamin Delpy (gentilkiwi)
- 2014: Kerberoasting disclosure by Tim Medin
- 2016: Bloodhound 1.0.0
So, just to highlight the slowness: it took us 14 years to get to the state of Kerberoasting.
The current journey on Azure
Let’s compare the timeline for Azure:
Another 8-10 years until we got some nice tooling, and if you search for attack techniques, they are still scarce.
A note on hybrid infrastructures
Until now we only took the point of view of homogeneous infrastructures. But the real world is actually not so easy to categorize, even if we sometimes wish it was. Oftentimes companies build hybrid structures to move On-Prem parts piece by piece. Sometimes hybrid structures are the only way to handle environments, because regulations and laws regarding privacy are of concern.
So, in the end it still feels like an ocean of possibilities, not only because the infrastructures of companies migrate slowly, but also because every cloud provider offers dozens of services that basically beg to be investigated.
The future looks bright, especially from a hacker's point of view :)