A recent data breach of a high-profile financial services company exposed the personal information of over 100 million clients, including hundreds of thousands of Social Security numbers and linked bank account numbers.
After carefully examining the complaint filed by the FBI, we would like to share our findings on how the attack took place, and more importantly, how enterprises can proactively protect their data against such attacks.
The Attacker’s Modus Operandi
Based on the details in the complaint, the hacker likely took the following steps.
- Exploited a Server-Side Request Forgery (SSRF) vulnerability in software deployed on the company's AWS infrastructure to relay requests to the EC2 instance metadata service.
- Obtained from the metadata service the credentials of the IAM role attached to the compromised instance. The metadata service hands these temporary keys and tokens to the instance in clear text by design; the real weakness was that the role was excessively permissive, so the credentials gave broad access to the company's AWS resources.
- Used those credentials, connecting through Tor or other anonymizing nodes on the Internet, to invoke a custom script that copied data from the company's S3 buckets to an S3 bucket outside the company's AWS account (S3 is an account-level service and does not sit inside a VPC), exfiltrating the sensitive data.
Details are described in Exhibit 1.
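The relay in step 1, as an added example that is not part of the original post: a "fetch this URL for me" feature in its vulnerable form beside a hardened one that allow-lists the scheme, resolves the host and rejects anything that is not a public address (including the decimal, hex and IPv4-mapped-IPv6 spellings of the metadata address), and refuses redirects. The code is hypothetical and is not from any product the page names; the resolver table and URLs are constructed for the example.

```python
# Added example: SSRF-prone URL fetch beside a hardened variant.
# Hypothetical code; not from the page or from any product it names.
import ipaddress
import socket
import urllib.request
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit

# Link-local address of the EC2 instance metadata service (AWS documentation).
IMDS_ADDRESS = ipaddress.ip_address("169.254.169.254")

Resolver = Callable[[str], Iterable[str]]


def fetch_unsafe(url: str) -> bytes:
    """Vulnerable pattern: forwards any caller-supplied URL. Pointed at
    http://169.254.169.254/latest/meta-data/ it relays the instance's own
    metadata, including the attached role's temporary credentials."""
    return urllib.request.urlopen(url, timeout=5).read()


def system_resolver(host: str) -> list[str]:
    """Every A/AAAA record for host (needs network; swapped out in tests)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS table so the example runs offline.
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "rebound.example": ["93.184.216.34", "169.254.169.254"],  # mixed answers
}


def constructed_resolver(host: str) -> list[str]:
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host!r}")
    return CONSTRUCTED_DNS[host]


def host_to_addresses(host: str, resolver: Resolver) -> list:
    """Concrete addresses for a URL host, covering the usual bypass spellings:
    plain IPs, bracketed IPv6, and decimal/hex integers such as 2852039166
    or 0xA9FEA9FE (both 169.254.169.254)."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    try:
        return [ipaddress.ip_address(int(host, 0))]
    except ValueError:
        pass
    return [ipaddress.ip_address(a) for a in resolver(host)]


def is_internal(addr) -> bool:
    """True for anything that is not a public unicast address, after
    unwrapping IPv4-mapped IPv6 (::ffff:169.254.169.254)."""
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return (addr == IMDS_ADDRESS or addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_multicast or addr.is_reserved
            or addr.is_unspecified)


def check_outbound_url(url: str, resolver: Resolver = system_resolver) -> Optional[str]:
    """None if url may be fetched, otherwise the reason it was rejected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return "no host in URL"
    try:
        addresses = host_to_addresses(parts.hostname, resolver)
    except (ValueError, OSError) as exc:
        return f"cannot resolve host: {exc}"
    for addr in addresses:
        if is_internal(addr):
            return f"{addr} is not a public address"
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: a public host could otherwise 302 to the metadata service."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_hardened(url: str, resolver: Resolver = system_resolver) -> bytes:
    """Hardened variant. DNS is still resolved twice (here and inside urlopen),
    so a rebinding name can slip through; the complete fix pins the connection
    to the validated address or routes egress through a proxy enforcing this policy."""
    reason = check_outbound_url(url, resolver)
    if reason is not None:
        raise PermissionError(reason)
    return urllib.request.build_opener(_NoRedirect()).open(url, timeout=5).read()
```

Blocking the metadata address at the application layer is only one layer: the same request can also be stopped at the instance by requiring IMDSv2 session tokens, which a GET-only SSRF cannot obtain.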
MVISION Cloud can Detect and Remediate similar Threats and Data Breaches
MVISION Cloud Threat Protection, Security Configuration Audit, and Data Loss Prevention (DLP) capabilities can detect signals and remediate potential threats at each of the above-mentioned steps.
- User and Entity Behavior Analytics (UEBA)-based Threat Protection will identify the hacker’s access location as anomalous.
- Security Configuration Audit will flag the excessive permissions of the IAM role whose credentials the metadata service exposes, as well as weak S3 bucket settings, by running checks against industry compliance benchmarks, and can automatically remove access to the S3 bucket if such a response action is defined in the policy.
- Near real-time Configuration Drift Detection identifies any change to an existing configuration as it occurs, so it would capture the policy change on the S3 bucket.
- DLP scan, which can be scheduled or be automatically run as a response action upon identification of unsecured resources by Security Configuration Audit, will identify and secure sensitive data in the S3 bucket.
- UEBA-based threat detection will detect abnormal data transfer activity that originates from a trusted network but deviates from the normal behavior for the resource, whether the data is moved within the VPC or exfiltrated out of it.
Details are described in Exhibit 2.
Taking a step back, these weaknesses could have been addressed had the AWS resources been deployed with appropriate security configurations in the first place. With Security Audit integrated into the Continuous Integration/Continuous Delivery (CI/CD) pipeline, misconfigurations can be caught before new resources are spun up.
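What such an audit and CI/CD gate check, as an added example that is not MVISION Cloud's implementation: the over-permissive role policy behind step 2, the metadata-service setting behind step 1, and a statement-level diff of the kind Drift Detection would raise. Input shapes follow EC2 DescribeInstances output and IAM policy JSON; the sample instances and policies are constructed.

```python
# Added example: stand-alone configuration checks, hypothetical code
# (not MVISION Cloud's). Sample data is constructed.
import json

# Actions that, combined with a wildcard resource, let one leaked role
# credential read every bucket in the account.
S3_WILDCARD_ACTIONS = {"*", "s3:*", "s3:get*", "s3:list*"}
WILDCARD_RESOURCES = {"*", "arn:aws:s3:::*"}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def overbroad_s3_statements(policy: dict) -> list[str]:
    """Sid (or index) of each Allow statement granting wildcard S3 access
    across all buckets: the 'excessive permission' of step 2."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = set(_as_list(stmt.get("Resource")))
        if actions & S3_WILDCARD_ACTIONS and resources & WILDCARD_RESOURCES:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def instances_allowing_imdsv1(describe_instances: dict) -> list[str]:
    """Instance ids whose metadata endpoint still answers unauthenticated
    (IMDSv1) GET requests, which is all a typical SSRF relay can send.
    IMDSv2 (HttpTokens=required) demands a session token obtained with a
    PUT request first, which closes the path used in step 1."""
    flagged = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") != "enabled":
                continue  # endpoint disabled: nothing to relay to
            if opts.get("HttpTokens", "optional") != "required":
                flagged.append(inst["InstanceId"])
    return flagged


def _statement_key(stmt: dict) -> str:
    return json.dumps(stmt, sort_keys=True)


def policy_drift(before: dict, after: dict) -> dict:
    """Statement-level diff between two snapshots of a policy: the signal
    Drift Detection raises when a bucket or role policy is loosened."""
    old = {_statement_key(s) for s in _as_list(before.get("Statement"))}
    new = {_statement_key(s) for s in _as_list(after.get("Statement"))}
    return {"added": sorted(new - old), "removed": sorted(old - new)}


def audit(describe_instances: dict, role_policy: dict) -> list[tuple]:
    """CI/CD gate: returns findings; an empty list means the build may proceed."""
    findings = [("imdsv1-allowed", i) for i in instances_allowing_imdsv1(describe_instances)]
    findings += [("s3-wildcard-allow", s) for s in overbroad_s3_statements(role_policy)]
    return findings


# Constructed sample data in the shape of DescribeInstances and IAM policy JSON.
SAMPLE_DESCRIBE_INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0123456789abcdef0",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0fedcba9876543210",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-00000000000000abc",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]}]}

SAMPLE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppLogs", "Effect": "Allow", "Action": ["s3:PutObject"],
     "Resource": "arn:aws:s3:::app-logs-bucket/*"},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
]}

HARDENED_ROLE_POLICY = {"Version": "2012-10-17",
                        "Statement": [SAMPLE_ROLE_POLICY["Statement"][0]]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_DESCRIBE_INSTANCES, SAMPLE_ROLE_POLICY):
        print(*finding)
    print(policy_drift(HARDENED_ROLE_POLICY, SAMPLE_ROLE_POLICY))
```

In a pipeline the same functions run over live `aws ec2 describe-instances` and `aws iam get-role-policy` output and fail the build on any finding. A flagged instance is fixed with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`; requiring tokens is defense in depth, not a substitute for fixing the SSRF, and the hop limit of 1 keeps the token response from crossing into containers or other network hops on the instance.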
A Deeper Dive into UEBA based Threat Protection
MVISION Cloud leverages machine learning to detect signals of a threat based on behavioral analytics.
- Account Compromise Threat: an account compromise can be signaled by a change in user behavior, where behavior is defined as a composite of one or more of activity counts, activity types, volume of data downloaded or uploaded, number of times a service is accessed, rate of access, time of access, etc. A combination of unsupervised and supervised learning is used to detect changes in these behaviors, based on all of the user's activities supplemented with metadata about both the user and the action.
- Insider Threat and Privileged Access Misuse: a user exfiltrating sensitive data over a period of time can be signaled by various indicators, such as the volume of data transferred in the time window, the length of the window, deviation from past behavior, the user's risk score, the intrinsic risk of the cloud service involved, etc. A combination of unsupervised and supervised learning is used to capture these indicators and thereby call out potential exfiltration.
It is reasonable to expect that an individual's cloud service usage differs at different times of the day, week, and month. Usage also changes with the phase of the project a person is working on. In short, a user's usage pattern evolves over time, so the baseline it is compared against must be learned and continually updated. Static rule-based detection therefore does not scale, which is why MVISION Cloud relies on UEBA-based detection.
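A stripped-down per-user baseline in the spirit of the signals above, as an added example that is not MVISION Cloud's model: it learns each user's typical transfer volume, access hours and source locations from a sliding window of history, then scores a new event on volume deviation, new location and unusual hour. Plain statistics stand in for the supervised/unsupervised learning the text describes, and the log records are constructed.

```python
# Added example: simplified UEBA-style baselining. Hypothetical code using
# plain statistics, not MVISION Cloud's model; the history is constructed.
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    action: str
    bytes_out: int
    location: str  # coarse source label, e.g. "corp-vpn" or an exit-node country


def constructed_history(user: str = "analyst1", days: int = 14) -> list[Event]:
    """Constructed, deterministic history: office-hours S3 reads of a few MB."""
    start = datetime(2019, 7, 1)
    return [
        Event(user, start + timedelta(days=d, hours=h), "s3:GetObject",
              2_000_000 + 150_000 * ((d * 7 + h) % 9), "corp-vpn")
        for d in range(days) for h in (9, 11, 14, 16)
    ]


@dataclass(frozen=True)
class Baseline:
    mean_bytes: float
    stdev_bytes: float
    hours: frozenset
    locations: frozenset
    count: int


def build_baselines(events, since: Optional[datetime] = None) -> dict:
    """One baseline per user from recent history. `since` gives a sliding
    window so the baseline follows a user's evolving routine instead of
    freezing into a static rule."""
    by_user = defaultdict(list)
    for e in events:
        if since is None or e.ts >= since:
            by_user[e.user].append(e)
    baselines = {}
    for user, evs in by_user.items():
        sizes = [e.bytes_out for e in evs]
        baselines[user] = Baseline(
            mean_bytes=statistics.fmean(sizes),
            stdev_bytes=statistics.pstdev(sizes),
            hours=frozenset(e.ts.hour for e in evs),
            locations=frozenset(e.location for e in evs),
            count=len(evs),
        )
    return baselines


def score_event(event: Event, baselines: dict, z_threshold: float = 3.0):
    """Score one new event against its user's baseline. Returns (score, reasons);
    the three signals mirror the text: volume, location and time of access."""
    b = baselines.get(event.user)
    if b is None:
        return 5, ["no baseline for user"]
    score, reasons = 0, []
    # Floor the spread so a very regular user does not divide by ~0.
    spread = max(b.stdev_bytes, 0.05 * b.mean_bytes)
    z = (event.bytes_out - b.mean_bytes) / spread
    if z > z_threshold:
        score += 3
        reasons.append(f"volume z-score {z:.1f} against {b.count} prior events")
    if event.location not in b.locations:
        score += 2
        reasons.append(f"never seen from {event.location}")
    if event.ts.hour not in b.hours:
        score += 1
        reasons.append(f"unusual hour {event.ts.hour:02d}:00")
    return score, reasons


if __name__ == "__main__":
    base = build_baselines(constructed_history())
    burst = Event("analyst1", datetime(2019, 7, 15, 3), "s3:GetObject",
                  30_000_000_000, "tor-exit")
    print(score_event(burst, base))
```

The same three checks expressed as fixed thresholds ("more than 1 GB", "outside 08:00-18:00") are what break as usage shifts between projects and time zones; learning them per user and re-learning them over a window is the part that scales.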
Categories: Cloud Security