Rethink Security

On Cloud


While flying through some clouds on my way to enjoy some holidays on the other side of the globe, the thought about the current status of cloud environments is keeping me awake. “It feels like cloud security is still in its infancy!?”, “How long did it actually take to get to the current status of on-premise AD security?”, “What’s the current status of cloud environments?”, “How long did it take to get to this state?”.

Attacks and tools for On-Prem

Let’s look at some interesting dates:

  • 1993: Kerberos v5 (RFC 1510)
  • 2000: First release of Active Directory (Win2K Server)
  • 2011: First release of Mimikatz by Benjamin Delpy (gentilkiwi)
  • 2014: Kerberoasting disclosure by Tim Medin
  • 2016: BloodHound 1.0.0

So, just to highlight the slowness: it took us 14 years to get to the state of Kerberoasting.

The current journey on Azure

Let’s compare the timeline for Azure:

  • 2010: First release of Microsoft Azure (with Azure AD)
  • 2018: MicroBurst
  • 2020: ROADtools

Another 8-10 years until we got some nice tooling, and if you search for attack techniques, they are still scarce.

A note on hybrid infrastructures

Until now we only took the point of view of heterogeneous infrastructures. But the real world is actually not so easy to categorize, even if we sometimes wish it was. Oftentimes companies build hybrid structures to move On-Prem parts piece by piece. Sometimes hybrid structures are the only way to handle environments, because regulations and laws regarding privacy are of concern.

Moving forward

So, in the end it still feels like an ocean of possibilities, not only because companies migrate their infrastructures slowly, but also because every cloud provider offers dozens of services that basically beg to be investigated.

The future looks bright, especially from a hacker’s point of view :)
