Most of us have read about the recent Capital One breach, which exposed more than 100 million customer accounts. Yet far fewer people are familiar with the broader security conditions that led to that breach. That fact that the cloud is accessible through public APIs introduces a huge attack vector for exploitation.
The urgent challenge of public cloud infrastructure management
Misunderstanding the public cloud comes with grave risks attached, often in the form of misconfiguration errors. Security professionals struggle to follow the best practices guide due to lack of resources or time, or because of the large and complex infrastructure to deal with.
Here's what we mean: When researching common cloud-based threats, we at XM Cyber discovered that most cloud security solutions are narrowly focused on hygiene, compliance, and prevention. These approaches suffer from a fundamental flaw: They are purely defensive, rather than predictive.
Why public APIs represent the newest security battleground
While APIs help power the modern Web, they have also created a tempting new avenue of attack for enterprising cybercriminals. Those challenges and conventions that used to work on prem previously don’t apply to cloud infrastructure anymore.
Responsibility for managing these networks falls to DevOps and IT teams, who usually rely on command line tools and development kits. Yet even experienced and skilled people can be victimised by credential theft -- one of the reasons why it's such an effective technique and so popular with hackers. Once team members have their accounts compromised, it takes only a single API call to jeopardise critical kind of assets. This is a nightmare scenario, as it makes the most painful kind of breaches trivially easy.
Many cloud provider tools save credential information within files stored in the user directory in some prefixes. This, once again, makes a breach almost trivially easy to execute and puts an organisation's most critical assets needlessly at risk.
Here's the bottom line: Traditional defensive tools are largely focused on protecting networks, applications and operating systems. Public APIs present a new attack surface -- one that is beyond the ability of traditional defence mechanisms to effectively protect.
Developing an alternative approach
In an upcoming talk for Black Hat Europe 2019 ("Inside Out: The Cloud Has Never Been So Close"), XM Cyber senior security researchers will outline a new approach to attacking cloud infrastructure. This technique illustrates the relationships between various identities, resources and policies, in the process identifying vulnerable choke points that require immediate remediation.
By creating this relationship graph, researchers Igal Gofman and Yaron Shani have allowed for deeper insight into permission relationships within cloud environments. By mapping these relationships, it can be clearly illustrated how attackers can exploit features to escalate privileges and access a company's most critical assets.
Most cloud providers publicly document security features in detail, something that can serve the interests of attackers and defenders. For a skilled person, it won’t be hard to understand all the minor stuff and use it for privilege escalation.
We believe that continuous monitoring of all potential attack paths to critical assets is the best thing an organisation can currently do to fend off attacks of this nature. Ultimately, however, stronger tools will be needed, and we hope today's organisations will build on our research to create their own tools for security and risk assessment.
Why offense is the best defence
We believe that defenders must go on the offensive.
Developing an offensive tool incorporating our research is far easier than constructing a defensive system around it. Yet currently there is no open source offensive tool that automates the entire stack of Gofman and Shani's research.
So what should organisations do to prepare for the likelihood of such attacks? A critical first step is to closely follow best practices from cloud providers. As organisations grow larger and more complex, it becomes increasingly difficult to maintain clear and comprehensive visibility into large cloud infrastructure permissions. Properly assessing risk factors likewise grows more challenging.
Vigilance, adherence to best practices and the right software tool -- that's the ideal combination for protection of your most critical resources within a public cloud infrastructure. With all three elements in place, organisations will be in the best possible position to safeguard their highest value assets.
Gus Evangelakos, Director of North American Field Engineering, XM Cyber