Breach Prevention in the Cloud – A Security Case Study

0 1

By Jeremy Axmacher Cloud Insight Blog Security March 17, 2020

At the end of July 2019, news broke of yet another data breach. Data, including Social Security numbers and personally-identifiable-information (PII), had allegedly been stolen from Capital One.

The news was particularly notable for two reasons. First, the initial details of the breach came to light through a complaint filed by the FBI in Federal court. The complaint contained both a named defendant, a timeline of events and enough breach details to infer how the attack was carried out. Second, the IT infrastructure that was breached had been hosted on Amazon Web Services (AWS). Because Capital One has been a long-time user and vocal supporter of cloud computing, the story of the breach raises a serious question for companies moving full speed ahead with their respective cloud strategies– if Capital One (a company that clearly spent significant time and money moving to the cloud) can get it wrong, how can we get security in the cloud right and prevent breaches?

What Happened?
Several pieces have been written analyzing how the attack was carried out, detected and remediated. To summarize, this was not an insider attack and was the result of a multi-layered misconfiguration which allowed the attacker to escalate privilege and exfiltrate data without being noticed by Capital One. Publicly posted data owned by Capital One was identified three months after the breach by a security researcher who then notified Capital One. Once they were aware of the issue, Capital One was able to quickly repair the issue that had allowed the breach.

Security of the Cloud
As we consider threat vectors in the cloud and how to get cloud security right, knowing this was not an insider attack is an important first step. Despite the defendant being a prior employee of Amazon, inside information was not used. Cloud providers have the benefit of scale when it comes to investing in the security of their infrastructure and services. AWS has easily accessible compliance reports of its systems and operations from third-party auditors for ISO, PCI, SOC, and other regulatory standards. In short, they already do security “of” the cloud better than practically any other company can secure its on-premises data centers.

Configuration is King
The underlying issue was a multi-layered misconfiguration of Capital One’s AWS resources. Capital One was using a Web Application Firewall (WAF) from the AWS Marketplace to secure an application. At a basic level, a WAF guards web applications by filtering out traffic that is suspected to be malicious. The WAF used by Capital One was not the AWS WAF service, so did not have the benefits of AWS’ security apparatus. AWS Marketplace appliances can be significant productivity boosters because they come preconfigured for a specific purpose and allow AWS users to leverage the expertise of other companies and products with minimal effort. However, the WAF used by Capital One had a misconfiguration which allowed the attacker to steal temporary security credentials from the server running the WAF. Further, the identity policies applied to that server were also misconfigured. This misconfiguration gave those stolen security credentials broad access to data stored by Capital One. It was a one-two punch of misconfiguration.

Security in the Cloud
Protect and Detect are two of the five security functions defined in the NIST Cybersecurity Framework. As we examine this breach, we find deficiencies in both of these areas. Proper configuration is a key element of protection. So, how do we ensure proper configuration? In short, continuously. Cloud security will never be set it and forget it. The landscape of tools, features and vulnerabilities is constantly evolving. Processes that continuously audit configuration compliance and perform vulnerability scanning using the latest Application Security Testing (S/D/IAST) are essential. Configuration compliance rules themselves need continuous improvement to cover the growing body of best practices and expanding cloud features. Identity policies need continuous review and monitoring to ensure they conform to the principle of least privilege- this is critical for limiting the blast radius in breach situations. We have no hope of responding and recovering without detection of breaches. In this case study, we see three possible detection mechanisms that would have identified this breach sooner:
• Simple monitoring – know when attempts are made to use valid security credentials for actions they are not permitted.Your applications using the credentials will not do this, but an attacker trying to discover the limits of those credentials might trip this wire.
• Honeypot detection – enable access by security credentials to an enticing target which is never touched by normal credential use and monitor if that use occurs to detect a malicious user.
• Anomaly detection – detect spikes in usage or usage patterns that are atypical.

Finally, choosing AWS managed services over 3rd party or marketplace solutions allows one to take full advantage of the secure framework all their services are built on. Security is “job zero” at AWS, a philosophy that is embraced across their entire organization and technology stack.

A Trusted Partner
The rate of change in the cloud can be difficult for organizations to keep up with when their primary objective is to deliver value, not stay current with the cloud. However, being able to defend against security threats and getting security right in the cloud require keeping up. For example, AWS recently released an updated Instance Metadata service that closes off the most significant part of the attack vector used in the Capital One breach. Keeping up is so important that it’s included in the best practices of AWS’ Well-Architected Framework. A trusted partner like Presidio can help you improve your security posture in the cloud, continuously evolve it and enable you to focus on growing your business. Contact us to learn more.

Jeremy Axmacher

+ posts

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other".
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_111355416_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	This cookie is used to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_hjid	1 year	This is a Hotjar cookie that is set when the customer first lands on a page using the Hotjar script.
_hjIncludedInPageviewSample	2 minutes	This cookie is set to let Hotjar know whether the user is included in the data sampling defined by site's pageview limit.
_hjIncludedInSessionSample	2 minutes	This cookie is set to let Hotjar know whether the user is included in the data sampling defined by site's daily session limit.
_hjTLDTest	session	Hotjar test cookie to check the most generic cookie path it should use, instead of the page hostname. This is done so that cookies can be shared across subdomains (where applicable). To determine this, we store the _hjTLDTest cookie for different URL substring alternatives until it fails. After this check, the cookie is removed.
oktgid	1 year	This cookie is used for storing the visitor ID of the user who clicked on an okt.to link.
oktsid	session	This cookie is used for storing the session ID of the user who clicked on an okt.to link.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by YouTube and is used to track the views of embedded videos on YouTube pages.

Cookie	Duration	Description
__gwtCookieCheck	session	This cookie is used to check if the visitors' browser supports cookies.
AnalyticsSyncHistory	1 month	These cookies are used to deliver advertisements more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They remember that you have visited a website and this information is shared with other organizations such as advertisers.
li_gc	2 years	These cookies are used to deliver advertisements more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They remember that you have visited a website and this information is shared with other organizations such as advertisers.
UserMatchHistory	1 month	LinkedIn - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

Breach Prevention in the Cloud – A Security Case Study

Jeremy Axmacher

Leave a comment Cancel reply

Dan O’Brien

Please select your venue city and
complete registration form below.

Please complete registration
form below.

MANNY KORAKIS

Dave Hart

CHRIS BARNEY

JOHN HANLON

Greg Hedrick

BARBARA ROBIDOUX

ROBERT KIM

Courtney Washington

CHRISTINE KOMOLA

VINU THOMAS

JENNIFER JACKSON

ELLIOT BRECHER

MICHAEL KELLY

VINCENT TRAMA

KEVIN WATKINS

WAHEED CHOUDHRY

CHRIS CAGNAZZI

JULIETTE AUSTIN

STEVEN PALMESE