Keep a lid on your AWS cloud goodies with breach and attack simulation

Last year had its share of big data breaches involving cloud services. The heavyweight in the cloud market is still Amazon Web Services (AWS), and despite offering numerous tools and guidelines for securing data stored in the AWS cloud, customers continue to make mistakes that leave their sensitive business data exposed and vulnerable. For example, in February a contractor's AWS misconfiguration caused a large breach of data stored by Dow Jones. Then in October, a database snapshot created at Imperva for internal testing was left unsecured and its API key was stolen, leading to a breach of customer data. And, of course, the biggest news of all is how U.S. senators are calling for an investigation into the massive Capital One data breach that occurred in July, which allegedly involved a hacker who previously worked for AWS. So, I guess we can all breathe a sigh of relief now that 2019 is over and 2020 has begun.

Or can we? That's the line of questioning I took recently when I talked with Menachem Shafran, VP Product at XM Cyber, a cybersecurity company founded by security executives from the elite Israeli intelligence sector and whose core team includes highly skilled and experienced veterans of Israeli intelligence with expertise in both offensive and defensive cybersecurity.

I began my discussion by mentioning how AWS has been in the news a lot lately as various companies have left their sensitive business information stored in AWS exposed and vulnerable for hackers to obtain. This raised the question in my mind of whether it really is that hard to secure your data stored in AWS. "If securing data stored on public clouds were too hard, leading companies wouldn't have adopted the cloud," Menachem said. "While we hear in the news about different companies leaving their sensitive information exposed, we need to remember that there are many more that are doing a good job protecting their data."

A lack of awareness

The biggest obstacle to ensuring cloud security is not the technology but the people who use the technology. "Many aspects of cloud security are due to lack of awareness and lack of proper training," Menachem said. "If we look back 15 years ago, most web developers didn't know what SQL injection was, for example, and today the situation is much better due to OWASP and other initiatives that raised awareness and brought tools to help lower the risk. I believe that in cloud security we are in the same place. This is a new technology for many and the awareness for security is low; also, the tools to help make sure we do not make mistakes are still evolving. Just like with SQL injection, the problem is not going to be solved; attackers are going to find more clever ways, but it will become harder for the attackers over time."

Many aspects of cloud security are due to lack of awareness and lack of proper training … This is a new technology for many and the awareness for security is low.

I asked him next what other kinds of breaches can happen when companies deploy their infrastructure and data in AWS. I've heard, for example, about things like IAM privilege escalation, access token theft, leveraging the cloud instance metadata API to pivot across the cloud, and so on. So I wondered if he could briefly explain some of these different kinds of attacks, and Menachem replied, "While in the cloud we have much of the same attack surface we have in on-prem datacenters (stealing SSH keys, credentials, exploits and so on), the cloud also presents new and unique attack surfaces, much of it resulting from misconfigurations which lead to IAM privilege escalations. On-prem datacenters have network configurations with firewalls and other controls, and a separate layer of credentials, which are usually managed by different groups in different ways. In the cloud, however, identity is everything, so gaining access to a strong enough identity will let you control everything from network access to credential management and more.

"While this flexibility is one of the keys to the agility of cloud development, it also leads to complexity, making it easy to make mistakes that lead to situations where an identity might not look so powerful but in reality can take a few steps to become extremely powerful. For example, a developer might have very limited permissions, only allowing him to create Lambda functions and invoke them so that he can test them. To create a Lambda function the user also needs to assign an IAM role to the function, which is the context in which the function will run. Now, while this looks harmless, if in the account there is a role which allows changing a user's permissions (which is a reasonable role to have), the developer can create a Lambda function which will assign himself full administrative rights, set it with the role which can change a user's permissions and then invoke it, making him an admin on the account.
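The escalation Menachem describes is a chain of three permissions that each look harmless on their own: lambda:CreateFunction, iam:PassRole on a role that Lambda is allowed to assume, and lambda:InvokeFunction. The following is an added example (not XM Cyber's code and not from the original article) of how a practitioner can check an account for that chain offline. The policy documents, account ID, user and role names are constructed to look like real IAM JSON; the evaluator is deliberately simplified (Allow statements only, glob matching on actions and resources, no Deny, no Condition keys, no permission boundaries or SCPs), so a "no path" result from it means only that this particular check found nothing.

```python
"""Find the Lambda + iam:PassRole privilege-escalation chain in IAM policies.

Added example. All policies, ARNs and names below are constructed.
Simplified IAM semantics: Allow statements only, wildcard matching,
no Deny/Condition/boundaries. Treat "nothing found" as "this check
found nothing", not as proof the account is safe.
"""
from fnmatch import fnmatchcase

# Actions that let whoever holds them change another principal's permissions.
PRIV_CHANGING_ACTIONS = [
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "iam:AttachGroupPolicy", "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion", "iam:AddUserToGroup",
]

def _as_list(x):
    return x if isinstance(x, list) else [x]

def allows(policy, action, resource="*"):
    """True if any Allow statement matches action and resource (IAM-style globs,
    action names compared case-insensitively). Deny is deliberately ignored."""
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        acts = [a.lower() for a in _as_list(st.get("Action", []))]
        ress = _as_list(st.get("Resource", []))
        if any(fnmatchcase(action.lower(), a) for a in acts) and \
           any(fnmatchcase(resource, r) for r in ress):
            return True
    return False

def lambda_can_assume(role):
    """Does the role's trust policy let the Lambda service assume it?"""
    for st in _as_list(role["trust"]["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        services = _as_list(st.get("Principal", {}).get("Service", []))
        if "lambda.amazonaws.com" in services and \
           "sts:AssumeRole" in _as_list(st.get("Action", [])):
            return True
    return False

def find_lambda_escalations(user_policy, roles):
    """Names of roles the user could pass to a Lambda function that can then
    rewrite IAM permissions. Requires create + invoke on the user side,
    PassRole on the specific role, Lambda trust on the role, and a
    permission-changing action in the role's own policy."""
    if not (allows(user_policy, "lambda:CreateFunction")
            and allows(user_policy, "lambda:InvokeFunction")):
        return []
    hits = []
    for name, role in roles.items():
        if not allows(user_policy, "iam:PassRole", role["arn"]):
            continue
        if not lambda_can_assume(role):
            continue
        if any(allows(role["policy"], a) for a in PRIV_CHANGING_ACTIONS):
            hits.append(name)
    return hits

# ---- constructed account data -------------------------------------------
ACCOUNT = "123456789012"                       # made-up account id
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
EC2_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}

ROLES = {
    "LambdaBasicExec": {"arn": f"arn:aws:iam::{ACCOUNT}:role/LambdaBasicExec",
                        "trust": LAMBDA_TRUST,
                        "policy": {"Version": "2012-10-17", "Statement": [
                            {"Effect": "Allow", "Action": "logs:*", "Resource": "*"}]}},
    "IamAdminRole":    {"arn": f"arn:aws:iam::{ACCOUNT}:role/IamAdminRole",
                        "trust": LAMBDA_TRUST,            # the dangerous part
                        "policy": {"Version": "2012-10-17", "Statement": [
                            {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}},
    "Ec2IamAdmin":     {"arn": f"arn:aws:iam::{ACCOUNT}:role/Ec2IamAdmin",
                        "trust": EC2_TRUST,               # Lambda cannot assume it
                        "policy": {"Version": "2012-10-17", "Statement": [
                            {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}},
}

# The "limited" developer from the interview: the mistake is PassRole on "*".
DEV_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:CreateFunction", "lambda:InvokeFunction"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}

# Hardened: PassRole scoped to the one low-privilege execution role.
HARDENED_DEV_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:CreateFunction", "lambda:InvokeFunction"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLES["LambdaBasicExec"]["arn"]}]}

if __name__ == "__main__":
    print("dev policy escalations:     ", find_lambda_escalations(DEV_POLICY, ROLES))
    print("hardened policy escalations:", find_lambda_escalations(HARDENED_DEV_POLICY, ROLES))
```

The two things the check keys on are exactly the two knobs a practitioner can turn: scope iam:PassRole to the execution roles developers are meant to use, and never give a Lambda-trusted role IAM write permissions it does not need. Feeding real data in means pulling user policies and role trust/permission documents via the IAM API; the evaluator would then also need Deny statements and Condition keys (for example iam:PassedToService) before its answer could be trusted.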

"Another option is leveraging the cloud instance metadata API to steal a strong access token. The cloud instance metadata API is an API that is exposed only from a cloud instance, such as an EC2, which allows it to query information about itself. One such thing is asking for an access token of a role that is attached to the instance. If the instance needs to be able to query a DBaaS, the best practice would be to assign it a role with access to the DB instead of placing access keys somewhere on the disk. If an attacker can run code on the instance he can make a query to the cloud instance metadata API and ask for the token of the role, effectively gaining access to the DB."
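The check a practitioner wants after reading that is whether the metadata service on each instance will hand out role credentials to a plain unauthenticated GET (IMDSv1) or requires a session token obtained with a PUT first (IMDSv2, `HttpTokens` set to `required`). IMDSv2 blunts the SSRF and "any process can curl 169.254.169.254" variants of the theft; it does not stop an attacker who already has full code execution on the host, which is why the audit below also weighs whether a role is attached at all. This is an added example, not code from the article or from XM Cyber: the instance records are a constructed subset of what `ec2.describe_instances()` returns (the `MetadataOptions` and `IamInstanceProfile` fields are real, the IDs and ARNs are made up).

```python
"""Audit EC2 metadata-service settings for role-credential exposure.

Added example. INSTANCES is constructed to match the shape of
describe_instances() output; nothing here calls AWS.
"""
IMDS_CREDS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"

INSTANCES = [  # constructed sample data
    {"InstanceId": "i-0a1b2c3d4e5f67890",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/app-db-reader"},
     "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0fedcba987654321",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/batch-worker"},
     "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 2, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0123456789abcdef0",          # no role attached
     "MetadataOptions": {"State": "applied", "HttpTokens": "optional",
                         "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
    {"InstanceId": "i-0aaaaaaaaaaaaaaaa",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/web"},
     "MetadataOptions": {"State": "applied", "HttpTokens": "required",
                         "HttpPutResponseHopLimit": 1, "HttpEndpoint": "enabled"}},
]

def assess(instance):
    """Return (severity, reason) for one instance record."""
    opts = instance.get("MetadataOptions", {})
    role_arn = instance.get("IamInstanceProfile", {}).get("Arn")
    v1_allowed = opts.get("HttpTokens") != "required"
    if opts.get("HttpEndpoint") == "disabled":
        return ("ok", "metadata endpoint disabled")
    if role_arn is None:
        # Nothing to steal from the credentials path, but still fix it before a
        # role is added later.
        return ("info", "IMDSv1 allowed, no instance profile attached") if v1_allowed \
            else ("ok", "IMDSv2 enforced, no instance profile attached")
    if v1_allowed:
        return ("high", f"IMDSv1 allowed: credentials for {role_arn} readable by an "
                        f"unauthenticated GET to {IMDS_CREDS}")
    if opts.get("HttpPutResponseHopLimit", 1) > 1:
        # A hop limit above 1 lets the PUT token response cross a network hop,
        # e.g. from the host into a container or a proxy on the instance.
        return ("medium", "IMDSv2 enforced but hop limit > 1 widens who can obtain a token")
    return ("ok", "IMDSv2 enforced with hop limit 1")

def audit(instances):
    """Map InstanceId -> (severity, reason)."""
    return {i["InstanceId"]: assess(i) for i in instances}

def remediation(instance_id):
    """AWS CLI command that enforces IMDSv2 on the instance."""
    return (f"aws ec2 modify-instance-metadata-options --instance-id {instance_id} "
            f"--http-tokens required --http-endpoint enabled --http-put-response-hop-limit 1")

if __name__ == "__main__":
    for iid, (sev, why) in audit(INSTANCES).items():
        print(f"{iid}: {sev:6} {why}")
        if sev in ("high", "medium"):
            print("   fix:", remediation(iid))
```

Run against a real account this would iterate over `describe_instances()` per region; the assessment logic is the same. Pair it with least privilege on the instance role itself (the DB-reader role should be able to read the DB and nothing else), since that bounds what a stolen token is worth regardless of how it was stolen.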

Breach and attack simulation

My next question was about how simulating an attack on an organization's infrastructure can help bolster the security of that infrastructure. The reason I asked this is that Menachem's company XM Cyber focuses on automated breach and attack simulation as a way of enabling companies and organizations to evaluate and strengthen their cybersecurity defenses. "Simulating attacks on an organization's infrastructure is the best way to find the problems we didn't even know we had," Menachem said. "Only when looking at the organization from the attacker's perspective are we able to both find the issues and also understand their impact. This is why red team exercises are considered the best way to improve security. The only problem with red team exercises is that they are slow, manual and require expertise. For cloud infrastructure, the situation is even harder as there are very few talented red teamers with strong capabilities in cloud security."

What about auditing AWS configurations to strengthen the security of an organization's AWS infrastructure? "Auditing AWS configurations can help expose many of the issues leading to data being publicly exposed," Menachem said. "In general, we cannot assume that we do not make mistakes, and in the cloud, the risk is higher and the expertise is lower, making the need to audit much greater. Auditing usually involves reviewing the configuration and trying to understand the logical issues. This is usually the easier alternative to simulating attacks, yet as such in many cases it doesn't find the more sophisticated issues such as many of the IAM privilege escalations which we talked about."

In general, we cannot assume that we do not make mistakes, and in the cloud, the risk is higher and the expertise is lower, making the need to audit much greater.

Wanting to dig deeper into the nitty-gritty of how XM Cyber's HaXM platform actually audits AWS configurations, I asked Menachem to give us a glimpse of how his product works under the hood and what kinds of benefits it can provide for organizations that use AWS. Menachem explained that "HaXM is a fully automated attack simulation platform" and that "when HaXM audits your AWS configurations, it actually acts like a strong red team trying to understand what can be done assuming we compromised something in the environment. At each step of the attack simulation, the system will ask again what can be done trying to reach your critical assets in an iterative process."

Knowing how attackers expect to breach your system is key to stopping them. "One needs to understand that attacks are usually just a group of small, usually legitimate actions, chained in a way we didn't intend. So, for example, you can ask what would happen if an attacker is able to steal the credentials of someone from DevOps. The system would then understand it is able to run a command on a specific EC2 due to the user having permissions to use AWS Systems Manager. It will then ask, now that we can execute code on the instance, what can we do? And it might discover it can compromise another EC2 in the same VPC due to a vulnerability. Compromising that EC2 might lead to stealing a token of a role that can create a Lambda function, and by creating the Lambda function we might grant stronger permissions to our original DevOps user, allowing us to compromise the environment completely. All of this is running continuously."
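The "ask at each step what can be done next" loop Menachem describes is, at its core, a graph search: footholds (a credential, code execution on a host, a role's temporary token) are nodes, and each small, individually legitimate action is an edge. The following is an added illustration of that idea, not HaXM's code or data model. The environment is hand-written to mirror the chain in the quote above, with one extra route added so that the choke-point calculation has something to decide; every instance ID, role name and the "unpatched service" edge are made up, and a real tool would derive the edges from IAM policies, SSM and EC2 inventory and vulnerability scan results rather than from a literal list.

```python
"""Iterative attack-path search over a constructed cloud environment graph.

Added example. Nodes are footholds, edges are the small actions that move
between them. All identifiers below are made up.
"""
from collections import deque

# (from_node, to_node, technique, precondition that makes the step possible)
EDGES = [
    ("user:devops-alice", "exec:i-0a1b2c3d4e5f67890",
     "ssm:SendCommand", "user policy allows SSM Run Command on the instance"),
    ("exec:i-0a1b2c3d4e5f67890", "exec:i-0fedcba987654321",
     "lateral move", "unpatched service reachable inside vpc-0123abcd"),
    ("exec:i-0fedcba987654321", "role:LambdaDeployer",
     "IMDS credential read", "instance profile token via 169.254.169.254"),
    ("user:devops-alice", "role:LambdaDeployer",
     "sts:AssumeRole", "role trust policy also lists devops-alice"),   # extra route
    ("role:LambdaDeployer", "role:IamAdminRole",
     "lambda:CreateFunction + iam:PassRole + lambda:InvokeFunction",
     "IamAdminRole trusts lambda.amazonaws.com"),
    ("role:IamAdminRole", "user:devops-alice[admin]",
     "iam:AttachUserPolicy AdministratorAccess", "role policy allows iam:*"),
    ("user:devops-alice[admin]", "asset:customer-db",
     "connect to RDS with admin-granted creds", ""),
    ("user:devops-alice", "asset:ci-logs",
     "logs:GetLogEvents", "read-only, leads nowhere further"),       # dead end
]

def shortest_attack_path(edges, start, goal):
    """Breadth-first search. Returns a list of (technique, precondition, node)
    steps from start to goal, or None when goal is unreachable."""
    adj = {}
    for src, dst, tech, pre in edges:
        adj.setdefault(src, []).append((dst, tech, pre))
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        for dst, tech, pre in adj.get(node, []):      # "what can we do from here?"
            if dst not in parent:
                parent[dst] = (node, tech, pre)
                queue.append(dst)
    if goal not in parent:
        return None
    steps, cur = [], goal
    while parent[cur] is not None:
        prev, tech, pre = parent[cur]
        steps.append((tech, pre, cur))
        cur = prev
    return steps[::-1]

def choke_points(edges, start, goal):
    """Techniques whose single removal (i.e. fixing that one issue) leaves the
    goal unreachable. These are the fixes worth doing first."""
    found = []
    for i, edge in enumerate(edges):
        if shortest_attack_path(edges[:i] + edges[i + 1:], start, goal) is None:
            found.append(edge[2])
    return found

if __name__ == "__main__":
    start, goal = "user:devops-alice", "asset:customer-db"
    for n, (tech, pre, node) in enumerate(shortest_attack_path(EDGES, start, goal), 1):
        print(f"{n}. {tech:55} -> {node}   [{pre}]")
    print("choke points:", choke_points(EDGES, start, goal))
```

Two things fall out of running it. The shortest route from the DevOps credential to the database bypasses both EC2 instances entirely via the AssumeRole trust, so patching the "unpatched service" alone would not change the outcome; and only three edges are choke points, the Lambda/PassRole step among them, which is the same finding the earlier IAM policy check surfaces from the other direction. The search is deliberately generic: it does not care whether an edge came from an IAM policy, a CVE or a network rule, which is what lets a simulator keep asking the same question at every step.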

Practicing good security hygiene

Closing our discussion, Menachem ended with this final thought on the subject: "I want readers to understand that done properly the cloud can help us become even more secure. We need to raise the awareness to do things right in the cloud and keep our cloud IT hygiene in good shape." And good hygiene is something that every business or organization that uses the cloud should practice, isn't it? In fact, let's make that our New Year's resolution for 2020.

Featured image: Shutterstock
