Full Report
In this first blog post, we will introduce lateral movement as it pertains to the VPC. We will discuss attacker TTPs, and outline best practices for security practitioners and cloud builders to help secure their cloud environment and reduce risk.
Analysis Summary
# Best Practices: Cloud VPC Lateral Movement Prevention
## Overview
These practices focus on securing the Virtual Private Cloud (VPC) network layer in cloud environments to mitigate the attacker tactics, techniques, and procedures (TTPs) used for lateral movement, whose goal is to expand network access, compromise valuable assets, or obtain administrative identities.
## Key Recommendations
### Immediate Actions
1. **Remediate Publicly Exposed Workloads with Stored Keys:** Immediately identify and remediate any cloud workload that is publicly exposed and stores cleartext long-term cloud access keys. The source article singles this out as a critical risk factor.
2. **Scan for Exploitable Remote Services:** Conduct an immediate scan within your VPCs for running services accessible via protocols like SSH and RDP, prioritizing assets storing credentials, as these are direct vectors for remote access-based lateral movement.
3. **Audit Security Group Rules for Unrestricted Access:** Review and restrict overly permissive (unrestricted) Security Group rules, particularly those allowing broad ingress/egress across internal VPC resources, which facilitate worm propagation.
### Short-term Improvements (1-3 months)
1. **Implement Strong Authentication and Credential Management:** Enforce strict authentication methods for all remote services (SSH/RDP). Stop storing cleartext cloud keys and credentials on workloads, so that a compromised workload does not yield them, by adopting a secrets management solution.
2. **Harden Workloads Against Worm Tactics:** Implement vulnerability and misconfiguration scanning across all VPC workloads. Prioritize patching systems identified as easy targets (e.g., due to weak authentication or open network connections) to prevent worm propagation.
3. **Audit and Restrict IAM Permissions:** Review all existing IAM identities—especially compromised or potentially compromised ones—to determine their effective permissions. Immediately revoke or restrict permissions that allow for escalation or lateral access to high-value resources outside the identity's intended scope.
### Long-term Strategy (3+ months)
1. **Adopt Network Isolation via VPC Segmentation:** Strategically redesign the environment by splitting resources into separate VPCs based on function (e.g., Production, Staging) or organizational grouping (e.g., Finance). This minimizes the blast radius during a breach.
2. **Migrate from VPC Peering to Private Link:** Systematically replace broad, bidirectional VPC peering connections with more granular, unidirectional Private Link (or equivalent CSP services like AWS PrivateLink, GCP Private Service Connect, Azure Private Link) to precisely control cross-VPC resource exposure.
3. **Establish a Cloud Visibility and Threat Analysis Program (Abuse Prevention):** Implement continuous monitoring using CSP-provided APIs to map resource connections, analyze effective permissions across the complex architecture, and actively monitor for API command abuse by compromised identities.
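The monitoring item above is the one a practitioner most wants to see concretely. This is an added example, not code from the original article: detection logic run over constructed CloudTrail-style events, looking for a workload credential used from outside the VPC's known egress and for one access key active from two source addresses inside a short window. `KNOWN_EGRESS`, `REUSE_WINDOW`, the key id and the account id are assumptions.

```python
# Detection logic for API-command abuse by a compromised workload identity, run
# over constructed CloudTrail-style events (not real log data). Two signals: a
# credential used from outside the VPC's known egress, and one access key active
# from more than one source address inside a short window.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions: the VPC CIDR plus its NAT gateway address (documentation range).
KNOWN_EGRESS = [ip_network(c) for c in ("10.0.0.0/16", "203.0.113.10/32")]
REUSE_WINDOW = timedelta(minutes=30)

def from_known_egress(source):
    """True for calls made from the VPC or its NAT; service principals pass through."""
    try:
        addr = ip_address(source)
    except ValueError:  # e.g. "ec2.amazonaws.com": an AWS service, not a client host
        return True
    return any(addr in net for net in KNOWN_EGRESS)

def detect_identity_abuse(events):
    """Return (identity_arn, reason) alerts from CloudTrail-style event dicts."""
    alerts, seen, alerted = [], defaultdict(list), set()  # seen: key -> [(time, ip)]
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        who, src, call = ev["userIdentity"]["arn"], ev["sourceIPAddress"], ev["eventName"]
        key = ev["userIdentity"].get("accessKeyId")
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if not from_known_egress(src):
            alerts.append((who, f"{call} from {src}, outside VPC egress"))
        if key:
            other = [ip for t, ip in seen[key] if ip != src and when - t <= REUSE_WINDOW]
            if other and (key, src) not in alerted:  # alert once per key/source pair
                alerted.add((key, src))
                alerts.append((who, f"key {key} used from {src} and {other[0]} "
                                    f"within {REUSE_WINDOW.seconds // 60} min"))
            seen[key].append((when, src))
    return alerts

def _ev(t, name, src, key=None, arn="arn:aws:sts::123456789012:assumed-role/app-worker/i-0abc"):
    ident = {"arn": arn, **({"accessKeyId": key} if key else {})}
    return {"eventTime": t, "eventName": name, "sourceIPAddress": src, "userIdentity": ident}

SAMPLE_EVENTS = [  # constructed events; key id and account id are placeholders
    _ev("2024-05-01T10:00:00Z", "DescribeInstances", "10.0.3.7", "ASIAEXAMPLE0001"),
    _ev("2024-05-01T10:05:00Z", "GetSecretValue", "198.51.100.23", "ASIAEXAMPLE0001"),
    _ev("2024-05-01T10:06:00Z", "AssumeRole", "198.51.100.23", "ASIAEXAMPLE0001"),
    _ev("2024-05-01T10:07:00Z", "RunInstances", "ec2.amazonaws.com",
        arn="arn:aws:iam::123456789012:role/autoscale"),
]
```

Calls through VPC endpoints appear with the instance's private address, which is why the VPC CIDR itself is part of the known-egress list.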
## Implementation Guidance
### For Small Organizations
- Focus efforts on **Immediate Actions** concerning cleartext keys and public exposure.
- Apply native CSP security group controls consistently to manually restrict ingress/egress traffic between workloads within the single VPC.
- Rely heavily on CSP visibility tools to map initial network connections, as complex architecture mapping can be challenging without dedicated tooling.
### For Medium Organizations
- Begin the **Short-term Improvement** work on credential management and vulnerability scanning across defined environments.
- Pilot **VPC Segmentation** by isolating critical workloads (e.g., database servers, central identity stores) into separate, restricted VPCs or subnets.
- Begin evaluating and planning the transition from VPC peering to **Private Link** for necessary inter-VPC communication paths.
### For Large Enterprises
- Mandate and automate **VPC Segmentation** across the entire organization structure based on security tiers or compliance boundaries.
- Fully implement **Private Link** architecture to manage all service-to-service and cross-environment communications, treating VPC peering as legacy or strictly limited to non-sensitive zones.
- Develop **Automated IAM Posture Management** to continuously assess effective permissions and detect/alert on identities that possess capabilities for lateral movement (e.g., ability to assume high-privilege roles or access crown-jewel resources).
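The effective-permissions review in the short-term list and the automated IAM posture check above both come down to asking which statements let an identity pivot. As an added example (not the article's or any vendor's code), this scans a policy document for such grants; `PIVOT_ACTIONS`, the sample policy and its account id are assumptions, and explicit Denies are deliberately left to a full evaluator.

```python
# Flag IAM policy statements that give an identity lateral-movement reach:
# assuming other roles, passing roles to services, reading stored secrets, running
# commands on instances. Policies are plain dicts as returned by boto3's
# iam.get_policy_version(); the sample at the bottom is constructed.
from fnmatch import fnmatchcase

# Assumption: the actions worth flagging; extend the table for your environment.
PIVOT_ACTIONS = {
    "sts:AssumeRole": "assume another role",
    "iam:PassRole": "attach a role to a service the identity controls",
    "iam:CreateAccessKey": "mint long-term keys for a user",
    "secretsmanager:GetSecretValue": "read stored credentials",
    "ssm:SendCommand": "run commands on instances",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def action_matches(pattern, action):
    """IAM action names are case-insensitive and patterns may use '*' and '?'."""
    return fnmatchcase(action.lower(), pattern.lower())

def statement_grants(stmt, action):
    """Allow + NotAction grants everything except the listed actions."""
    if "NotAction" in stmt:
        return not any(action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(action_matches(p, action) for p in _as_list(stmt.get("Action", [])))

def find_pivot_grants(policy):
    """Return one finding per Allow statement, pivot action and resource it grants."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # assumption: explicit Denies are left to a full policy evaluator
        for action, why in PIVOT_ACTIONS.items():
            if not statement_grants(stmt, action):
                continue
            for res in _as_list(stmt.get("Resource", "*")):
                hits.append({"sid": stmt.get("Sid", "<no Sid>"), "action": action, "why": why,
                             "resource": res, "broad": "*" in res})  # broad: not pinned to one ARN
    return hits

SAMPLE_POLICY = {  # constructed policy for a hypothetical app-worker role; account id is a placeholder
    "Statement": [
        {"Sid": "AssumeAnything", "Effect": "Allow", "Action": "sts:*", "Resource": "*"},
        {"Sid": "PassScopedRole", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/app-task"},
        {"Sid": "NoSecrets", "Effect": "Deny", "Action": "secretsmanager:GetSecretValue",
         "Resource": "*"},
    ],
}
```

A `broad` finding is the one to revoke or scope first: it is the statement that lets the identity reach roles or assets outside its intended scope.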
## Configuration Examples
*Note: Specific configuration examples were not detailed in the provided text, but the guidance points to utilizing native controls.*
**General Implementation Guidance based on text:**
* **Remote Access:** Move away from direct RDP/SSH access where possible, favoring bastion hosts or session managers configured within hardened, restricted Security Groups.
* **Cross-VPC Connectivity:** Replace VPC Peering configurations that grant wide access with **Private Link endpoints/services** to ensure only necessary service interfaces are exposed unidirectionally.
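Since the article gives no configuration examples, here is an added one (not from the original page) for the Security Group audit in the Immediate Actions and the restricted-SG remote-access guidance above: it walks the `SecurityGroups` structure that `describe_security_groups` returns and flags internet-reachable SSH/RDP, all-traffic rules from broad internal ranges, and flat self-referencing rules. The sample groups and the `/16` "broad" threshold are assumptions.

```python
# Flag Security Group ingress rules that widen east-west reach inside a VPC.
# Input mirrors ec2.describe_security_groups()["SecurityGroups"] from boto3;
# the sample at the bottom is constructed so the check runs offline.
from ipaddress import ip_network

REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP"}
RFC1918 = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROAD_PREFIX_LEN = 16  # assumption: an internal source range of /16 or wider is "broad"

def is_internal(net):  # True if the CIDR lies entirely inside an RFC 1918 range
    return any(net.version == p.version and net.subnet_of(p) for p in RFC1918)

def covers_port(perm, port):
    """True if the permission's protocol and port span include this TCP port."""
    if perm.get("IpProtocol") == "-1":  # "-1" means every protocol and port
        return True
    if perm.get("IpProtocol") not in ("tcp", "6"):
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]

def audit_security_groups(groups):
    """Return (group_id, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):
            all_traffic = perm.get("IpProtocol") == "-1"
            for rng in perm.get("IpRanges", []):
                net = ip_network(rng["CidrIp"], strict=False)
                if not is_internal(net):  # remote access reachable from the internet
                    for port, name in REMOTE_ACCESS_PORTS.items():
                        if covers_port(perm, port):
                            findings.append((gid, f"{name} ingress open to {net}"))
                elif all_traffic and net.prefixlen <= BROAD_PREFIX_LEN:
                    findings.append((gid, f"all traffic from broad internal range {net}"))
            for ref in perm.get("UserIdGroupPairs", []):
                if all_traffic and ref.get("GroupId") == gid:  # flat self-referencing rule
                    findings.append((gid, "all traffic from its own group"))
    return findings

SAMPLE_GROUPS = [  # constructed sample, not real account data
    {"GroupId": "sg-bastion", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.20.5.0/24"}], "UserIdGroupPairs": []}]},
]
```

The bastion finding is the expected one for a session-manager or bastion pattern; the two `sg-app` findings are the flat east-west rules that let a worm or a pivoting attacker reach every workload in the VPC.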
## Compliance Alignment
While the article does not explicitly cite frameworks, preventing lateral movement directly correlates with securing network architecture and managing identity access:
- **NIST Cybersecurity Framework (CSF):** Aligns with **Protect (PR)**—specifically PR.AC (Access Control) and PR.PT (Protective Technology).
- **ISO/IEC 27001:** Aligns with Annex A controls related to **Network Security** and **Access Control**.
- **CIS Benchmarks:** Specifically addresses the hardening of infrastructure components and network segmentation controls common in cloud environments.
## Common Pitfalls to Avoid
- **Over-reliance on Network Segmentation Alone:** Assuming that separating environments into different VPCs is sufficient if weak IAM permissions or exposed credentials still exist within those segregated environments.
- **Ignoring Existing Peerings:** Failing to audit pre-existing, broad VPC peering connections when introducing new security boundaries; peering inherently grants broad access that undermines segmentation.
- **Treating Cloud Configuration Speed as Security:** Configuring network components quickly without rigorous security review, which leads to misconfigurations that adversaries can easily exploit for lateral movement.
- **Ignoring Identity Abuse:** Focusing solely on network paths while neglecting the primary cloud lateral movement vector: abusing compromised IAM identities and cloud API commands.
## Resources
- MITRE ATT&CK for Cloud - Tactics: Lateral Movement (TA0008)
- Documentation for specific cloud provider private connection services:
  - AWS PrivateLink
  - GCP Private Service Connect
  - Azure Private Link