An Anatomy of a Public Cloud Compromise

In many ways, the public cloud is more secure than a traditional data center. And yet, assets on the public cloud are compromised all the same. To learn why, let’s dive into an example of a public cloud compromise and see how threat actors are having success. We’ll explore how the attackers get in, how they perform lateral movement in the cloud, and how they are likely to exfiltrate data.

After finishing this blog post, be sure to read our latest white paper, The FireEye Approach to Effective Cloud Security, to learn more about public cloud compromises. Additionally, you will find information on developing a comprehensive cloud security plan, and how the FireEye suite of products and services can help organizations using the public cloud.

Our Example

This example is an amalgamation of various cloud incident response investigations that we’ve conducted. It does not represent a single real-world event. Rather, it combines methodology from multiple incidents into one, primarily for brevity.

There are three overall forms that cloud hacks fall under: Hacking vulnerable web apps, exploiting improper permissions, and using external means to gain credentials. We are going to concentrate on the last form.

Phase One: Obtaining Credentials

There are several ways that attackers can acquire cloud credentials. The following are just a few examples:

  • Phishing: Using email to trick users into giving out their passwords is more prevalent than ever before, making email security and the implementation of multi-factor authentication critical for overall security, and cloud security especially.
  • Trojans: Trojans, keyloggers, and other similar types of malware are still a major threat to enterprises today. Nowadays, a new use for Trojans is to steal credentials for cloud consoles and apps. An attacker having a presence on an on-premise asset via a remote access Trojan is especially dangerous because they have the potential to bypass multi-factor authentication and firewall-based access controls. This means that endpoint security plays a significant role in your overall cloud security.
  • Accidental Publication: Unfortunately, developers and administrators sometimes accidentally leak credentials out onto the public internet or large company intranet, allowing malicious parties to spot them using smart searches.

Each of these vectors illustrates the importance that overall security plays when securing cloud assets, as it is usually easier for an attacker to compromise credentials than to hack directly into a cloud asset.

Detection in this initial phase generally consists of traditional, on-premise security actions. FireEye Endpoint Security and FireEye Email Security help protect against these advanced, targeted attacks.

Phase Two: Lateral Movement

Once an attacker has successfully authenticated into your cloud infrastructure, the malicious operative must now determine what access he or she has and map out the environment. In the cloud, these two tasks are incredibly easy. This can be accomplished in Amazon Web Services (AWS), for example, using a few simple commands:

  • aws sts get-caller-identity
  • aws iam list-user-policies
  • aws ec2 describe-instances
  • aws ec2 describe-snapshots

These commands will list the user that is logged in, the permissions attached to the given user, and every virtual machine running in the given region. There are corresponding commands for listing every storage bucket, every database, and so on.

Critically, these commands can be easily scripted, allowing an attacker to leverage previously used tools in subsequent attacks. This is a common and important theme in cloud threat modeling: Attackers move quickly because they can leverage the homogenous nature of the cloud to their advantage.

Let’s look at the power of one of those commands: “describe-snapshots.” This command will list all virtual machine snapshots that exist, which can be a way of gaining access to data even when reasonable protections have been implemented. An attacker armed with credentials that enable the creation of a running instance and mounting a given snapshot can use this to sift through snapshots and extract data. This is especially dangerous for database snapshots, which are one of the most commonly snapshotted assets. Using this mechanism, the attacker can bypass password-based authentication as well as network segmentation.

Detecting this kind of activity is incredibly difficult because it so closely resembles typical administrative actions. Security event management and security analytics are the best tools to detect misuse. Security events need to be centralized and, in addition to anomaly and rule-based detection, organizations should have a mature, active hunting program that can use a combination of machine learning and human analysts to identify suspicious behavior and quickly investigate it. This can often be something as simple as a phone call to a given user asking if strange behavior was intentional.

FireEye Threat Analytics for Helix is an ideal choice for detecting this activity because it makes centralizing critical events quick, easy, and repeatable across all environments. It provides rules and analytics for detecting known-bad and suspicious behavior, and it provides an excellent platform for event triage, context gathering, and threat hypothesis testing (hunting).

Phase Three: Exfiltration

Once an attacker has access to the data, there are many different ways that he or she can steal it. In some cases, an attacker will simply initiate a traditional file transfer to a cloud storage site, FTP server, or some other file storage mechanism. A more advanced attacker may use native cloud mechanisms for copying data, such as bucket-to-bucket replication. This ensures that any updates to the data are made known to the attacker and his or her accomplices.

Detecting the exfiltration of the data may be possible using statistical alerting for metrics such as bytes transferred. To combat unauthorized bucket replication, specific API calls must be monitored. In FireEye Threat Analytics, the AWS Rule Pack has detection for API calls that can be used for exfiltration to provide an early warning mechanism.

The FireEye Cloud Stack

The biggest takeaways in our example are that credentials need to be safeguarded and cloud behaviors need to be analyzed. Here’s a list of FireEye products that can help secure your cloud:

Threat

Solution

Phishing

FireEye Email Security

Remote Access Trojans

FireEye Endpoint Security

Cloud Security Event Analytics

FireEye Threat Analytics

Read our latest white paper, The FireEye Approach to Effective Cloud Security, to learn all about how FireEye products and services can help keep your public cloud implentations secure, and about our overall approach to effective cloud security.

Industry trends show a huge migration of workloads to the cloud. As the cloud grows, FireEye is growing with our customers to ensure that emerging technologies are not an attacker’s playground.