Last year had its shares of big data breaches with cloud services. The heavyweight in the cloud market is still Amazon Web Services (AWS) and despite offering numerous tools and guidelines for securing data stored in the AWS cloud, customers continue to make mistakes that leave their sensitive business data exposed and vulnerable. For example, in February a contractor’s AWS misconfiguration caused a massive breach of data stored by Dow Jones. Then in October, a database snapshot created at Imperva for internal testing was left unsecured and its API key was stolen, leading to a breach of customer data. And, of course, the biggest news of all is how U.S senators are calling for an investigation concerning the massive Capital One data breach that happened in July, which allegedly involved a hacker who previously worked for AWS. So, I guess we can all breathe a sigh of relief now that 2019 is over and 2020 has now begun.
Or can we? That’s the line of questioning I took recently when I talked with Menachem Shafran, VP Product at XM Cyber, a cybersecurity company founded by security executives from the elite Israeli intelligence sector and whose core team includes highly skilled and experienced veterans from Israeli intelligence with expertise in both offensive and defensive cybersecurity.
I began my discussion by mentioning how AWS has been in the news a lot recently as various companies have left their sensitive business information stored in AWS exposed and vulnerable for hackers to obtain. This raised the question in my mind whether it really is that hard to secure your data stored in AWS. “If securing data stored on public clouds were too hard, leading companies wouldn’t have adopted the cloud,” Menachem said. “While we hear in the news about different companies leaving their sensitive information exposed, we need to remember that there are many more that are doing a good job protecting their data.”
A lack of awareness
The biggest obstacle to ensuring cloud security is not the technology but the people who use the technology. “Many aspects of cloud security are due to lack of awareness and lack of proper training,” Menachem said. “If we look back 15 years ago, most web developers didn’t know what SQL injection was, for example, and today the situation is much better due to OWASP and other initiatives that raised awareness and brought tools to help lower the risk. I believe that in cloud security we are in the same place. This is a new technology for many and the awareness for security is low, also the tools to help make sure we do not make mistakes are still evolving. Just like SQL injections, the problem is not going to be solved, attackers are going to find more clever ways but it will become harder for the attackers over time.”
Many aspects of cloud security are due to lack of awareness and lack of proper training … This is a new technology for many and the awareness for security is low.
I asked him next what other kinds of breaches can happen when companies deploy their infrastructure and data in AWS. I’ve heard, for example, about such things as IAM privileges escalations, access token theft, leveraging of the Cloud Instance Metadata API to pivot across the cloud, and so on. So I wondered if he could briefly explain some of these different kinds of attacks, and Menachem replied, “While in the cloud we have much of the same attack surface we have in on-prem datacenters — stealing SSH keys, credentials, exploits and so forth — the cloud also presents new and unique attack surfaces, much of it resulting from misconfigurations which lead to IAM privileges escalations. On-prem datacenters have network configurations with firewalls and other controls, and a separate layer of credentials, which are usually managed by different groups in different ways. In the cloud, however, identity is everything, so gaining access to a strong enough identity will allow you to control everything from network access, credential management and more.
“While this flexibility is one of the keys to the agility of cloud development, it also leads to complexity, making it easy to make mistakes leading to situations where an identity might look not so powerful, but in reality, can do a few steps to become extremely powerful. For example, a developer might have very limited permissions, only allowing it to create lambda functions, and invoke them so that he could test them. To create a lambda function the user also needs to assign an IAM role to the function, which is the context in which the function will run with. Now while this looks innocent, if in the account there is a role which allows to change a user’s permission (which is a reasonable role to have) the developer can create a lambda function which will assign himself full administrative rights, set it with the role which can change a user’s permissions and then invoke it, making him an admin on the account.
“Another option is leveraging the Cloud Instance Metadata API to steal a strong access token. The Cloud Instance Metadata API is an API that is exposed only from a cloud instance, such as an EC2, which allows it to query information about itself. One such thing is asking for an access token of a role that is attached to the instance. If the instance is needed to be able to query a DBaaS, the best practice would be to assign it a role with access to the DB instead of placing access keys somewhere on the disk. If an attacker can run code on the instance he can make a query to the cloud instance metadata API and ask for the token of the role effectively gaining access to the DB.”
Breach and attack simulation
My next question was about how simulating an attack on an organization’s infrastructure can help bolster the security of that infrastructure. The reason I asked this is because Menachem’s company XM Cyber specializes in automated breach and attack simulation as a way of enabling companies and organizations to evaluate and strengthen their cybersecurity defenses. “Simulating attacks on an organization’s infrastructure is the best way to find the problems we didn’t even know we had,” Menachem said. “Only when looking at the organization from the attacker’s perspective we are able to both find the issues and also understand their impact. This is why red team exercises are considered the best way to improve security. The only problem with red team exercises is that they are a slow, manual and require expertise. For cloud infrastructure, the situation is even harder as there are very few talented red teamers with strong capabilities in cloud security.”
What about auditing AWS configurations to strengthen the security of an organization’s AWS infrastructure? “Auditing AWS configurations can help expose many of the issues leading to data being publicly exposed,” Menachem said. “In general, we cannot assume that we do not make mistakes, and in the cloud, the risk is higher and the expertise is lower, making the need to audit much greater. Auditing usually involves reviewing the configuration and trying to understand the logical issues. This is usually the easier alternative to simulating attacks, yet as such in many cases it doesn’t find the more sophisticated issues such as many of the IAM privilege escalations which we talked about.”
In general, we cannot assume that we do not make mistakes, and in the cloud, the risk is higher and the expertise is lower, making the need to audit much greater.
Wanting to dig deeper into the nitty-gritty of how XM Cyber’s HaXM platform actually audits AWS configurations, I asked Menachem to give us a glimpse of how his product works under the hood and what kinds of benefits it can provide for organizations that use AWS. Menachem explained that “HaXM is a fully automated attack simulation platform” and that “when HaXM audits your AWS configurations, it actually acts like a strong red team trying to understand what can be done assuming we compromised something in the environment. At each step of the attack simulation, the system will ask again what can be done trying to reach your critical assets in an iterative process.”
Knowing how attackers expect to breach your system is crucial to stopping them. “One needs to understand that attacks are usually just a group of small, usually legitimate actions, chained in a way we didn’t intend. So, for example, you can ask what would happen if an attacker is able to steal the credentials of someone from DevOps. The system would then understand it is able to run a command on a specific EC2 due to the user having permissions to use AWS Systems Manager. It will then ask, now that we can execute code on the instance, what can we do? And it might discover it can compromise another EC2 in the same VPC due to a vulnerability. Compromising that EC2 might lead to stealing a token of a role that can create a lambda function, and by creating the lambda function we might grant stronger permissions to our original DevOp user, allowing us to compromise the environment completely. All of this is running continuously.”
Practicing good security hygiene
Closing our discussion, Menachem ended with this final thought on the subject: “I want readers to understand that done properly the cloud can help us become even more secure. We need to raise the awareness to do things right in the cloud and keep our cloud IT hygiene in good shape.” And good hygiene is something that every business or organization that uses the cloud should practice, isn’t it? In fact, let’s make that our New Year’s resolution for 2020.
Featured image: Shutterstock