skip to main content
x
x
We use cookies to ensure you get the best experience on our website. By continuing to use the site, you consent to our use of cookies. Read more about our use of cookies and how you can control them at www.presidio.com/cookies.
Presidio Logo
Phone Handset
search
MENU

Breach Prevention in the Cloud – A Security Case Study

by Jeremy Axmacher, Team Lead, Managed Services Cloud, Presidio, Tuesday, 17 Mar 2020
Breach Prevention in the Cloud – A Security Case Study
Breach Prevention in the Cloud – A Security Case Study

At the end of July 2019, news broke of yet another data breach. Data, including Social Security numbers and personally-identifiable-information (PII), had allegedly been stolen from Capital One. The news was particularly notable for two reasons. First, the initial details of the breach came to light through a complaint filed by the FBI in Federal court. The complaint contained both a named defendant, a timeline of events and enough breach details to infer how the attack was carried out. Second, the IT infrastructure that was breached had been hosted on Amazon Web Services (AWS). Because Capital One has been a long-time user and vocal supporter of cloud computing, the story of the breach raises a serious question for companies moving full-speed ahead with their respective cloud strategies-- if Capital One (a company who clearly spent significant time and money moving to the cloud) can get it wrong, how can we get security in the cloud right and prevent breaches?

What Happened?

Several pieces have been written analyzing how the attack was carried out, detected and remediated. To summarize, this was not an insider attack and was the result of a multi-layered misconfiguration which allowed the attacker to escalate privilege and exfiltrate data without being noticed by Capital One. Publicly posted data owned by Capital One was identified three months after the breach by a security researcher who then notified Capital One. Once they were aware of the issue, Capital One was able to quickly repair the issue that had allowed the breach.

Security of the Cloud

As we consider threat vectors in the cloud and how to get cloud security right, knowing this was not an insider attack is an important first step. Despite the defendant being a prior employee of Amazon, inside information was not used. Cloud providers have the benefit of scale when it comes to investing in the security of their infrastructure and services. AWS has easily accessible compliance reports of its systems and operations from third-party auditors for ISO, PCI, SOC, and other regulatory standards. In short, they already do security “of” the cloud better than practically any other company can secure its on-premises data centers.

Configuration is King

The underlying issue was a multi-layered misconfiguration of Capital One’s AWS resources. Capital One was using a Web Application Firewall (WAF) from the AWS Marketplace to secure an application. At a basic level, a WAF guards web applications by filtering out traffic that is suspected to be malicious. The WAF used by Capital One was not the AWS WAF service, so did not have the benefits of AWS’ security apparatus. AWS Marketplace appliances can be significant productivity boosters because they come preconfigured for a specific purpose and allow AWS users to leverage the expertise of other companies and products with minimal effort. However, the WAF used by Capital One had a misconfiguration which allowed the attacker to steal temporary security credentials from the server running the WAF. Further, the identity policies applied to that server were also misconfigured. This misconfiguration gave those stolen security credentials broad access to data stored by Capital One. It was a one-two punch of misconfiguration.

Security in the Cloud

Protect and Detect are two of the five security functions defined in the NIST Cybersecurity Framework. As we examine this breach, we find deficiencies in both of these areas. Proper configuration is a key element of protection. So, how do we ensure proper configuration? In short, continuously. Cloud security will never be set it and forget it. The landscape of tools, features and vulnerabilities is constantly evolving. Processes that continuously audit configuration compliance and perform vulnerability scanning using the latest Application Security Testing (S/D/IAST) are essential. Configuration compliance rules themselves need continuous improvement to cover the growing body of best practices and expanding cloud features. Identity policies need continuous review and monitoring to ensure they conform to the principle of least privilege- this is critical for limiting the blast radius in breach situations. We have no hope of responding and recovering without detection of breaches. In this case study, we see three possible detection mechanisms that would have identified this breach sooner:

  • Simple monitoring – know when attempts are made to use valid security credentials for actions they are not permitted.Your applications using the credentials will not do this, but an attacker trying to discover the limits of those credentials might trip this wire.
  • Honeypot detection – enable access by security credentials to an enticing target which is never touched by normal credential use and monitor if that use occurs to detect a malicious user.
  • Anomaly detection – detect spikes in usage or usage patterns that are atypical.

Finally, choosing AWS managed services over 3rd party or marketplace solutions allows one to take full advantage of the secure framework all their services are built on. Security is “job zero” at AWS, a philosophy that is embraced across their entire organization and technology stack.

A Trusted Partner

The rate of change in the cloud can be difficult for organizations to keep up with when their primary objective is to deliver value, not stay current with the cloud. However, being able to defend against security threats and getting security right in the cloud require keeping up. For example, AWS recently released an updated Instance Metadata service that closes off the most significant part of the attack vector used in the Capital One breach. Keeping up is so important that it’s included in the best practices of AWS’ Well-Architected Framework. A trusted partner like Presidio can help you improve your security posture in the cloud, continuously evolve it and enable you to focus on growing your business.




Presidio Logo
Presidio is a leading North American IT solutions provider focused on Digital Infrastructure, Business Analytics, Cloud, Security & Emerging solutions. We deliver this technology expertise through a full life cycle model of professional, managed, and support services including strategy, consulting, implementation and design. By taking the time to deeply understand how our clients define success, we help them harness technology advances, simplify IT complexity and optimize their environments today while enabling future applications, user experiences, and revenue models.
Facebook
Twitter
LinkedIn
BrightTALK
CONTACT US   |   LOCATIONS
SITEMAP
Phone Handset
Terms    |    Privacy    |    Cookies    |    Careers
© 2020 Presidio, Inc. All rights reserved.
lat6386