Cloud Security Threat Briefing

Issue link: https://resources.threatstack.com/i/1018481

Anatomy of a Sophisticated Cloud Attack

The visibility provided by the Threat Stack Cloud Security Platform® gives the Threat Stack Security team the unique ability to observe user, system, and file behavior across cloud infrastructure, to see how bad actors are attempting to exploit it. Over the past two years, the Threat Stack Security team has observed strong evidence of actors using increasingly sophisticated techniques on the public cloud, leveraging the unique characteristics of cloud services and deployment models to launch or hide their breaches.

Unlike simpler attacks, where bad actors typically steal access keys and look for a direct path to sensitive data or valuable resources (such as an open S3 bucket or the ability to launch a new EC2 instance to mine cryptocurrency), these attacks incorporate multiple steps and a higher level of creativity and thoughtfulness. They also traverse the target's infrastructure, moving back and forth from the cloud infrastructure control plane to the host.

Because of the amount of time and complexity associated with these attacks, it appears that these actors are primarily targeting specific organizations. The team has not observed their use in the mass scan-and-exploit activities normally associated with commercial botnets and activities such as cryptomining.

The following diagram describes a series of steps, based on real attack patterns observed across Threat Stack's customers.

[Diagram: each step is drawn across two lanes, Infrastructure Control Plane and Host-Level, with a Threat Stack Alert callout beside each step.]

Step 1: Gain Access via Access Keys and Persist Permissions

In attacks of this nature, ranging from rudimentary to sophisticated, the actor's first step is to gain access using stolen API keys. Common methods attackers use include stealing from employee laptops via malware or farming from open-source code websites like GitHub, where employees accidentally upload their Access Keys. Once the actor confirms that the Access Key works, they want to ensure that they can regain access even if someone in Security or Ops terminates their stolen Access Key. To do so, they create new keys, assume a role, or use another method to create a way to regain access.

Threat Stack Alert: By ingesting CloudTrail data, Threat Stack is able to alert on specific API calls associated with Access Key management, such as creating, disabling, deleting, or listing Access Keys, retrieving the last-used access key, creating users, or listing roles.

Step 2: Check Permissions and Persist

Once the actor successfully enters the environment via infrastructure APIs, they look to see whether they have direct access to the resources they need, such as an RDS database or S3 bucket. When they discover they do not, they move on to an alternative route. In this case, the actor launches EC2 instances inside the environment, which are as trusted as any other legitimate host on their network (a downside of assuming that any network connection coming through a firewall or on a subnet is to be trusted). The actor has now established a beachhead in the environment's network, allowing them to recon and scan the LAN that they have breached.

Threat Stack Alert: Threat Stack can alert on API calls including DescribeKeyPairs, DescribeNetworkAcls, DescribeRouteTables, and RunInstances. If the attacker wanted to stop CloudTrail logging or delete current Trails, they could use CloudTrail API calls such as DeleteTrail, StopLogging, or UpdateTrail, all of which Threat Stack would detect. Also, once the attacker launches the EC2 instance, they can access the metadata associated with the instance with a curl/wget call, which would trigger an alert.
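As an added illustration of the CloudTrail-based alerting described in the two steps above (example code, not Threat Stack's own), the following Python triage reads constructed CloudTrail records, tags the watched API calls by stage, and flags any access key whose calls span more than one stage, which is the control-plane traversal the briefing describes. The event names are the AWS API calls named above; the stage labels, field choices and sample records are this example's own assumptions.

```python
import json
from collections import defaultdict

# CloudTrail eventName values the briefing lists per step (real AWS API names; stage labels are mine).
STAGES = {
    "key-persistence": {"CreateAccessKey", "UpdateAccessKey", "DeleteAccessKey", "ListAccessKeys",
                        "GetAccessKeyLastUsed", "CreateUser", "ListRoles"},
    "trail-tampering": {"DeleteTrail", "StopLogging", "UpdateTrail"},
    "ec2-recon-launch": {"DescribeKeyPairs", "DescribeNetworkAcls", "DescribeRouteTables", "RunInstances"},
}

def stage_of(event_name):
    """Stage label for a CloudTrail eventName, or None if it is not a watched call."""
    return next((s for s, names in STAGES.items() if event_name in names), None)

def correlate(records):
    """Group watched events by the access key that issued them, in time order.
    A key seen in two or more stages matches the multi-step pattern described above."""
    by_key = defaultdict(lambda: {"stages": [], "events": []})
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        stage = stage_of(rec.get("eventName"))
        if stage is None:
            continue  # routine call, not one of the watched API names
        entry = by_key[rec.get("userIdentity", {}).get("accessKeyId", "<no-key>")]
        entry["events"].append((rec["eventTime"], rec["eventName"], rec.get("sourceIPAddress")))
        if stage not in entry["stages"]:
            entry["stages"].append(stage)
    return dict(by_key)

def suspicious_keys(records, min_stages=2):
    """Access key IDs whose watched calls span at least min_stages distinct stages."""
    return sorted(k for k, v in correlate(records).items() if len(v["stages"]) >= min_stages)

def load_records(text):
    """Parse newline-delimited CloudTrail records (one JSON object per line)."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

# Constructed sample records (not real data); only the fields this example reads are present.
SAMPLE_LOG = """
{"eventTime":"2020-01-01T10:00:00Z","eventName":"ListAccessKeys","userIdentity":{"accessKeyId":"AKIAEXAMPLE0001"},"sourceIPAddress":"203.0.113.5"}
{"eventTime":"2020-01-01T10:00:30Z","eventName":"CreateAccessKey","userIdentity":{"accessKeyId":"AKIAEXAMPLE0001"},"sourceIPAddress":"203.0.113.5"}
{"eventTime":"2020-01-01T10:05:00Z","eventName":"DescribeRouteTables","userIdentity":{"accessKeyId":"AKIAEXAMPLE0001"},"sourceIPAddress":"203.0.113.5"}
{"eventTime":"2020-01-01T10:06:00Z","eventName":"RunInstances","userIdentity":{"accessKeyId":"AKIAEXAMPLE0001"},"sourceIPAddress":"203.0.113.5"}
{"eventTime":"2020-01-01T11:00:00Z","eventName":"DescribeInstances","userIdentity":{"accessKeyId":"AKIAEXAMPLE0002"},"sourceIPAddress":"198.51.100.7"}
{"eventTime":"2020-01-01T11:10:00Z","eventName":"ListRoles","userIdentity":{"accessKeyId":"AKIAEXAMPLE0002"},"sourceIPAddress":"198.51.100.7"}
"""

if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print({k: v["stages"] for k, v in correlate(recs).items()}, suspicious_keys(recs))
```

A single watched call such as ListRoles from one key is worth an alert on its own, as the briefing says; the per-key grouping is what surfaces the key that moved from key management to launching EC2 instances.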
