Full Report
This blog post will discuss lateral movement risks from on-prem to the cloud. We will explain attacker TTPs, and outline best practices for cloud builders and defenders to help secure their cloud environments and mitigate risk.
Analysis Summary
# Best Practices: Preventing Lateral Movement from On-Premises to Cloud Environments
## Overview
These practices address critical security risks associated with lateral movement from an organization's on-premises network infrastructure into cloud environments (AWS, Azure, GCP). The primary focus is on securing long-term, cleartext credentials, cached tokens, and secrets stored on compromised on-prem devices that attackers can leverage for unauthorized cloud access and persistence.
## Key Recommendations
### Immediate Actions
1. **Inventory and Audit Cleartext Cloud Keys:** Immediately identify and inventory all systems hosting long-term, cleartext AWS Access Key IDs and Secret Access Keys (often found in `~/.aws/credentials` on Linux/macOS or in Windows equivalents).
2. **Secure Azure Token Cache Discovery:** Locate and review the contents of the cleartext token cache file (`~/.azure/msal_token_cache.json` on Linux/macOS) and the DPAPI-protected cache (`C:\Users\<user>\.azure\msal_token_cache.bin` on Windows) on devices used by personnel accessing Azure CLI/APIs.
3. **Restrict SSH Key Exposure:** Audit systems storing private SSH keys intended for cloud compute instances (EC2/VMs) and ensure these keys are never stored in cleartext on shared or standard user machines.
### Short-term Improvements (1-3 months)
1. **Implement Short-Lived Credentials (AWS):** Mandate the use of temporary credentials (e.g., IAM Roles via STS) for all programmatic access, eliminating the reliance on long-term AWS user access keys whenever possible.
2. **Enforce Token Lifetime Policies (Azure):** Implement Azure AD Conditional Access or Token Lifetime Policies to drastically reduce the default 90-day refresh token lifetime and the 60-90 minute access token lifetime.
3. **Decommission Manual Key Downloads:** Implement processes to stop users from manually downloading and storing long-term cloud keys (especially AWS access keys) on their local machines for programmatic interaction.
4. **Harden Managed Devices:** Increase security monitoring and control on all on-prem devices that are AAD-joined, registered, or hybrid-joined, as these are key targets for techniques like Pass-the-PRT and Pass-the-Cookie.
### Long-term Strategy (3+ months)
1. **Adopt Instance Identity Roles:** Transition authentication for cloud compute instances (AWS EC2s, GCP VMs) away from SSH/RDP and permanent credentials towards unified, centralized services like **AWS Systems Manager (SSM)** or **GCP Identity-Aware Proxy (IAP)**, leveraging IAM for access control.
2. **Eliminate Cached/Stale Tokens:** Develop a strategy or workflow that removes the need for user interaction with CLIs that cache persistent tokens, favoring ephemeral environments or managed identity solutions.
3. **Adopt Cloud Shell Equivalents:** For development or administrative tasks that require interactive CLI access to cloud resources, strongly encourage the use of provider-specific managed shells (like **GCP Cloud Shell**), which eliminate local credential caching risks.
4. **Implement Strong Authentication for Hybrid Access:** Review and strengthen multi-factor authentication (MFA) and device compliance checks for the initial connection points between on-prem systems and AAD to mitigate Pass-the-PRT/Cookie attacks.
## Implementation Guidance
### For Small Organizations
- Focus on **educating users** about the danger of storing cleartext credentials (especially AWS keys) and mandate the use of credential managers or environment variables instead of static configuration files.
- Implement **strong MFA** enforcement immediately upon initial cloud account setup.
- If using AWS CLI heavily, ensure users leverage **IAM roles** assigned to specific machines rather than individual user keys.
### For Medium Organizations
- Formalize a **Shadow IT/Cloud Tooling Policy** forbidding the manual download and local storage of fresh, long-term cloud secrets.
- Deploy **endpoint detection and response (EDR)** tools to actively monitor for known cloud credential file locations (`.aws/credentials`, token cache paths) and alert on access or exfiltration attempts.
- Begin a phased migration of interactive SSH/RDP access to instances toward **AWS SSM Session Manager or GCP IAP**.
### For Large Enterprises
- Implement **Automated Credential Scanning** across endpoints and code repositories to detect and automatically rotate exposed long-term secrets before they are leveraged.
- Enforce **Certificate-Based Authentication or Managed Identities** across all service communications to isolate critical assets from user-based token exposure.
- Mandate the configuration of **Azure AD Conditional Access policies** that restrict token issuance based on device health and location to counter device compromise risks (Pass-the-PRT/Cookie).
## Configuration Examples
| Cloud Provider | Credential/Token Type | Recommended Secure Alternative | Implementation Point |
| :--- | :--- | :--- | :--- |
| **AWS** | User Access Keys (Static, long-term) | IAM Roles assigned via STS (Temporary Credentials) | Use `aws sts assume-role` or configure EC2 Instance Profiles. |
| **Azure AD** | Cached Refresh Tokens (90-day life) | Short-lived Access Tokens enforced by CA Policy | Configure Token Lifetime Policies in Azure AD. |
| **AWS/GCP** | Direct SSH/RDP Access | Cloud Instance Management Services | Configure Security Groups/Firewalls to block direct TCP 22/3389; allow SSM/IAP agents only. |
## Compliance Alignment
- **NIST SP 800-53 (AC-2, IA-5, SC-12):** Focuses on account management, authentication factorization, cryptographic protection, and integrity of communication channels.
- **CIS Critical Security Controls (CSC v8 - Control 1, 4, 5):** Directly addresses inventory of hardware/software, secure configuration, and access control management.
- **ISO/IEC 27001/27017:** Requires the establishment of controls to manage access rights to information assets and protect cloud services from unauthorized access.
## Common Pitfalls to Avoid
- **Assuming DPAPI Protection is Sufficient:** While Windows caches Azure tokens using DPAPI, a compromised user can often access keys in their own context. Treat these caches as sensitive.
- **Ignoring Native CLI Default Behavior:** Failing to disable or reconfigure CLIs (like AWS CLI or Azure CLI) that aggressively cache credentials locally for convenience.
- **"Once in the Cloud, Always in the Cloud" Mindset:** Neglecting the security of the on-premises endpoints that bridge the gap; these devices remain a prime vector for initial cloud credential theft.
- **Over-reliance on MFA for Initial Access Context:** MFA stops credential stuffing but often fails to prevent token theft or abuse if the session is already established on a compromised device (affecting Pass-the-Cookie).
## Resources
- Microsoft Security Blog on MERCURY Attack (Consult for detailed TTP analysis).
- Microsoft Security Blog on LAPSUS$ Attack (Consult for detailed TTP analysis).
- Official Microsoft Documentation on Configurable Token Lifetimes (For Azure token configuration management).
- AWS EC2 Instance Profile Documentation (For migrating from static keys to instance roles).