class: center, middle

.ncc-color[
# Scout Suite – A Multi-Cloud Security Auditing Tool
## Presented by Xavier Garceau-Aranda
### Senior Security Consultant, NCC Group
]

#### 44Con – September 2019

---

# Introduction

Scout Suite (https://github.com/nccgroup/ScoutSuite) is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.

The following cloud providers are currently supported:

- Amazon Web Services
- Microsoft Azure
- Google Cloud Platform
- Alibaba Cloud (alpha)
- Oracle Cloud Infrastructure (alpha)

???

* We've just released support for a number of new cloud providers, to further demonstrate how Scout Suite's cloud-agnostic architecture allows for great extensibility.

---

# Project Details

* Formerly known as Scout2 (https://github.com/nccgroup/Scout2).
* Most of the tool has since been refactored to handle the multi-cloud paradigm elegantly. This has in turn allowed adding support for Azure, Google Cloud Platform and any number of further cloud providers.
* Released under the GNU General Public License v2.0.
* Has received contributions from over 24 developers.
* Additional details can be found at https://github.com/nccgroup/ScoutSuite/wiki

???

* Project started in 2013, AWS-specific
* Significant contributions have been made by 7 developers, from NCC and academia

---

# The Multi-Cloud Paradigm

With the steady rise of cloud adoption, many organizations find themselves splitting their resources between multiple cloud providers. The main reasons for this are:

* Cost
* Familiarity
* Offering
* Resilience

While the readiness to deal with security in cloud native environments has been improving, the multi-cloud paradigm poses new challenges.

???
* Familiarity - e.g. different teams with diverging knowledge/experience
* Offering - especially SaaS differences
* Resilience - of a distributed environment

---

# Cloud Provider Similarities

Offering:

* Identity and Access Management
  * Users/Groups, programmatic identities (Roles/Service Principals/Service Accounts), Policies/Permissions
* Regions, Virtual Private Clouds (VPCs), Resources
* IaaS, PaaS, SaaS, FaaS services

Risks:

* Access Controls
  * Credential Leaks & Privilege Escalation
* Publicly Accessible Resources
  * Virtual Machines, Databases, Storage Buckets, etc.
* Development practices
* Incident Response & Disaster Recovery

???

* Similar offering and risks across all providers.
* Scout's architecture aims to support these similarities, and help identify risks.
* Remediation is hard as it's very case by case. A good example of this is privilege escalation (provide CloudFormation example). Scout focusses on helping identify and understand the flaw, over providing a solution.

---

# Scout Suite – Demo

.image-90[.center[![](img/scout-report.jpg)]]

---

# Scout Suite – Architecture

.image-100[.center[![](img/BH Arsenal 2019 Scout Suite.html_img1.png)]]

???

Scout provides an overarching framework tailored to cloud provider commonalities, but also allows for flexibility within the provider itself. The main components are:

* Core: contains the rule processing engine, the command line interface logic, logging methods and some utils.
* Output: contains the logic used to transform the scanned data into a web report. The web report scaffolding is located inside the output.data.inc-scoutsuite submodule.
* Providers: each module contains all the data fetching logic for a provider.

---

# Scout Suite – Provider Support

* Amazon Web Services
  * 25 services & >130 rules
* Microsoft Azure
  * 6 services & ~30 rules
* Google Cloud Platform
  * 7 services & ~30 rules
* Alibaba Cloud
  * 6 services & ~20 rules
* Oracle Cloud Infrastructure
  * 3 services & ~10 rules

???
---

# Scout Suite – Advanced Features

* Findings & Rulesets
  * https://github.com/nccgroup/ScoutSuite/wiki/HowTo:-Use-with-a-custom-ruleset
* Exceptions
  * https://github.com/nccgroup/ScoutSuite/wiki/HowTo:-Create-and-use-a-list-of-exceptions
* Exports to CSV & JSON
* Report Parsing
  * https://github.com/nccgroup/ScoutSuite/wiki/HowTo:-Exporting-and-Programmatically-Access-of-Scout-Suite-Data

???

* Report parsing can be leveraged by other tools.

---

# Scenarios

.image-100[.center[![](img/BH Arsenal 2019 Scout Suite.html_providers.jpg)]]

???

* Run Scout Suite against a number of cloud environments preconfigured with typical flaws. We will show how Scout can be used to identify and help with remediation of security misconfigurations.
* In the demo, show not only that Scout flags issues, but also how the report allows identifying more complex and cross-service issues.

---

# Scenarios – AWS: Privilege Escalation Vector

.image-100[.center[![](img/BH Arsenal 2019 Scout Suite.html_img5.png)]]

???

* An external role with no MFA / External ID requirement and access to CloudFormation, plus a CloudFormation stack with IAM privileges, is a privilege escalation vector: whoever can assume the role can update the stack, and CloudFormation then creates or modifies IAM resources with the stack's privileges.

---

# Scenarios – Azure: Exposed Virtual Machines

.image-40[.center[![](img/BH Arsenal 2019 Scout Suite.html_img6.png)]]

???

---

# Scenarios – Google Cloud Platform: Storage Buckets

.image-80[.center[![](img/BH Arsenal 2019 Scout Suite.html_img7.png)]]

???

---

# Scout – Public Cloud Account Monitoring

Scout is a user-friendly SaaS platform providing self-service compliance through persistent monitoring of your public cloud accounts, allowing you to check they’re configured in line with industry best practice.
* Persistent monitoring: so you know about changes or issues as they arise
* One tool: all configuration checks in one place for speed and simplicity
* Multi-vendor support: AWS, Azure and GCP public cloud accounts
* Agnostic platform: a trusted third-party tool

.footnote[Source: https://my.nccgroup.com/our-services/service-details/16/scout:-pscoutublic-cloud-account-monitoring]

???

---

# Going Forward

* Improve provider support
* Addition of a plugin system
  * Privilege escalation checks, identification of publicly exposed instances, etc.
* Integration with native security management solutions
  * AWS Security Hub, Azure Security Center, GCP Security Command Center

Contribute! The wiki (https://github.com/nccgroup/ScoutSuite/wiki) has everything you need to get started!

???

---

# Special Mentions

Polytechnique Montréal:

* Antoine Boisier-Michaud
* Michaël Sghaïer
* Rémi Pelletier
* Vincent Fortin
* Philippe Dugré

Matt Lewis, NCC Group

Loïc Simon, author of Scout2

---

# Q&A

.image-40[.center[![](img/question_mark.png)]]
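---

# Appendix – Parsing a Scout Suite results file

Added example for the Report Parsing feature listed under Advanced Features; this is editor-written code, not part of Scout Suite. It assumes the file layout described on the wiki page linked from that slide (a first line reading `scoutsuite_results =` followed by one JSON object, with findings under `services.<service>.findings.<rule_id>` carrying `level`, `description`, `flagged_items`, `checked_items` and `items`). The embedded sample report, its account id and its rule ids are constructed for the example, not output of a real scan.

```python
"""Parse a Scout Suite results file and list the flagged findings.

Added example, not code from the Scout Suite project. Assumes the wiki-documented
layout: the results file is JavaScript whose first line is `scoutsuite_results =`,
followed by one JSON object, and each finding sits under
services.<service>.findings.<rule_id>. SAMPLE_RESULTS_JS is constructed for this
example; its rule ids are illustrative.
"""
import csv
import io
import json

SAMPLE_RESULTS_JS = """scoutsuite_results =
{
  "provider_code": "aws",
  "account_id": "123456789012",
  "services": {
    "iam": {"findings": {
      "iam-role-external-trust-without-conditions": {
        "level": "danger", "description": "Cross-account role lacks External ID and MFA",
        "checked_items": 4, "flagged_items": 1,
        "items": ["iam.roles.PartnerDeployRole.trust_policy"]},
      "iam-password-policy-minimum-length": {
        "level": "warning", "description": "Minimum password length too short",
        "checked_items": 1, "flagged_items": 0, "items": []}}},
    "s3": {"findings": {
      "s3-bucket-world-readable": {
        "level": "danger", "description": "Bucket is world readable",
        "checked_items": 3, "flagged_items": 2,
        "items": ["s3.buckets.public-assets", "s3.buckets.old-backups"]}}}
  }
}
"""

LEVELS = {"warning": 1, "danger": 2}


def load_results(js_text):
    """Strip the `scoutsuite_results =` prefix and return the embedded JSON object."""
    prefix, sep, body = js_text.partition("=")
    if not sep or prefix.strip() != "scoutsuite_results":
        raise ValueError("not a Scout Suite results file")
    return json.loads(body)


def flagged_findings(results, min_level="warning"):
    """Findings with at least one flagged item, most severe first."""
    rows = []
    for service, svc in results.get("services", {}).items():
        for rule_id, finding in svc.get("findings", {}).items():
            level = finding.get("level", "warning")
            if finding.get("flagged_items", 0) == 0 or LEVELS.get(level, 0) < LEVELS[min_level]:
                continue
            rows.append({"service": service, "rule": rule_id, "level": level,
                         "description": finding.get("description", ""),
                         "flagged": finding["flagged_items"],
                         "checked": finding.get("checked_items", 0),
                         "items": list(finding.get("items", []))})
    rows.sort(key=lambda r: (-LEVELS[r["level"]], r["service"], r["rule"]))
    return rows


def to_csv(rows):
    """One CSV line per flagged resource path, ready for a ticketing or SIEM import."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["service", "rule", "level", "flagged", "checked", "item"])
    for r in rows:
        for item in r["items"]:
            writer.writerow([r["service"], r["rule"], r["level"], r["flagged"], r["checked"], item])
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(flagged_findings(load_results(SAMPLE_RESULTS_JS))))
```

Point `load_results` at the results `.js` file Scout Suite writes under its `scoutsuite-report` directory and feed the `to_csv` output to whatever consumes it; verify the finding keys against a report from your own version of the tool before relying on them.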
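---

# Appendix – Checking for the AWS privilege escalation vector

Added example for the AWS scenario (an externally assumable role without MFA / External ID, CloudFormation access, and a stack with IAM privileges); it is editor-written code, not a Scout Suite rule. The inputs are constructed dictionaries shaped like IAM policy JSON and the `Capabilities` / `RoleARN` fields of `DescribeStacks`; the account ids, role names and stack names are invented, and treating a stack that has a service role as privileged is an assumption made for the example.

```python
"""Correlate externally assumable IAM roles with privileged CloudFormation stacks.

Added example, not Scout Suite code. It encodes the AWS scenario slide: a role an
outside account can assume without MFA or an External ID, with rights to create or
update stacks, plus a stack that already runs with IAM privileges, lets the outside
party push a template that CloudFormation applies with those privileges. ROLES and
STACKS are constructed inputs; every account id, role and stack name is invented.
"""
import fnmatch

ACCOUNT_ID = "123456789012"   # audited account (constructed)
EXTERNAL = "999999999999"     # partner account (constructed)
IAM_CAPABILITIES = {"CAPABILITY_IAM", "CAPABILITY_NAMED_IAM"}
STACK_WRITE_ACTIONS = ("cloudformation:CreateStack", "cloudformation:UpdateStack")


def trust_for(account, condition=None):
    """Trust policy letting `account` assume the role, optionally under a Condition."""
    st = {"Effect": "Allow", "Action": "sts:AssumeRole",
          "Principal": {"AWS": f"arn:aws:iam::{account}:root"}}
    return {"Statement": [dict(st, Condition=condition) if condition else st]}


def allow_actions(actions):
    return {"Statement": [{"Effect": "Allow", "Action": actions, "Resource": "*"}]}


ROLES = {
    "PartnerDeployRole": {"trust": trust_for(EXTERNAL),
                          "policy": allow_actions(["cloudformation:UpdateStack", "cloudformation:DescribeStacks"])},
    "PartnerReadOnlyRole": {"trust": trust_for(EXTERNAL, {"StringEquals": {"sts:ExternalId": "a1b2c3"}}),
                            "policy": allow_actions("cloudformation:*")},
    "InternalOpsRole": {"trust": trust_for(ACCOUNT_ID), "policy": allow_actions("cloudformation:*")},
}
STACKS = {
    "prod-iam-baseline": {"Capabilities": ["CAPABILITY_NAMED_IAM"], "RoleARN": None},
    "web-tier": {"Capabilities": [], "RoleARN": None},
    "ci-pipeline": {"Capabilities": [], "RoleARN": f"arn:aws:iam::{ACCOUNT_ID}:role/CfnAdminRole"},
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    """IAM-style action matching: case-insensitive, * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _principal_accounts(principal):
    """Account ids named in a Principal element; service principals are ignored."""
    if principal == "*":
        return {"*"}
    entries = _as_list(principal.get("AWS", []))
    return {e if e == "*" or e.isdigit() else e.split(":")[4] for e in entries}


def external_unconditioned_principals(trust_policy, account_id):
    """Outside accounts that may assume the role with no External ID or MFA condition."""
    weak = set()
    for st in trust_policy.get("Statement", []):
        keys = {k for block in st.get("Condition", {}).values() for k in block}
        if (st.get("Effect") == "Allow" and _matches("sts:AssumeRole", st.get("Action", []))
                and not keys & {"sts:ExternalId", "aws:MultiFactorAuthPresent"}):
            weak |= _principal_accounts(st.get("Principal", {})) - {account_id}
    return weak


def allows_stack_writes(policy):
    """True if an Allow statement covers CreateStack or UpdateStack (Deny is not evaluated)."""
    return any(st.get("Effect") == "Allow" and any(_matches(a, st.get("Action", [])) for a in STACK_WRITE_ACTIONS)
               for st in policy.get("Statement", []))


def privileged_stacks(stacks):
    """Stacks that can touch IAM: an IAM capability, or a service role whose permissions
    the template inherits (assumption: any RoleARN counts as privileged until reviewed)."""
    return sorted(name for name, s in stacks.items()
                  if s.get("RoleARN") or IAM_CAPABILITIES & set(s.get("Capabilities", [])))


def find_escalation_vectors(roles, stacks, account_id):
    """(role, outside account, stack) triples that complete the scenario's escalation path."""
    targets = privileged_stacks(stacks)
    return [(name, acct, stack)
            for name, role in roles.items() if allows_stack_writes(role["policy"])
            for acct in sorted(external_unconditioned_principals(role["trust"], account_id))
            for stack in targets]


if __name__ == "__main__":
    for role, acct, stack in find_escalation_vectors(ROLES, STACKS, ACCOUNT_ID):
        print(f"{role}: assumable from {acct} without MFA/External ID; may update {stack}")
```

The matcher evaluates Allow statements only: explicit Deny statements, resource scoping, permission boundaries and SCPs are not modelled, so treat a hit as a lead to confirm against the Scout Suite report rather than a verdict. Conversely, a role that passes here may still be escalated through other paths, such as `iam:PassRole` combined with `cloudformation:CreateStack`.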