Fifty-seven percent of organizations believe the cloud offers better security, according to the Cisco 2018 Annual Cyber Security Report. If the continuing number of exposed AWS S3 buckets is any indicator, this belief may be misplaced. Infrastructure as a Service (IaaS) and Software as a Service (SaaS) solutions are only as secure as the authentication controls to access those cloud services and are vulnerable to brute force attacks that may go unnoticed. Organizations can take simple steps to secure their cloud services and begin to detect and isolate threats.
Two popular attacks against cloud services are credential stuffing and password spraying. Although these attacks are very different, the solution to defend against these in an IaaS, SaaS, or even on-premises configuration are identical.
In a credential stuffing attack, the threat actor buys a list of usernames and passwords from another breach. These data sets are for sale on the dark web, and available through pastebin and similar dumps. A credential stuffing attack assumes that people re-use passwords; for example, a systems administrator may re-use her Yahoo! password for her Office365 email and for access to the AWS Management Console. The threat actor will rent a botnet and attempt to use the stolen usernames and passwords to access numerous cloud services. With a small password dump of 10,000 credentials, even a 1% hit rate will reveal 100 accounts that the threat actor can access. If those working credentials are not for publicly available services (such as Gmail, LinkedIn, or Yahoo!) but rather are for firstname.lastname@example.org, the threat actor may pivot and attempt to use those credentials to access cloud services in use by the victim organization, moving and increasing the amount of data they can access.
By comparison, a password spraying attack will attempt to use one or two low-quality passwords against a target organization. In this scenario, a threat actor determines the email format in use at a target organization; this is easy as there are commercially available and free websites that publish email formats for organizations. Obtaining an employee list for the target frequently involves a search of LinkedIn to create an employee directory. The threat actor then creates a file of known employee’s email addresses, adds the lower-quality passwords, and uses a rented botnet to log in to each cloud service potentially in use by the target organization. Even at a small company of 100 employees, a 1% success rate will allow the threat actor to obtain some amount of information. For example, if the threat actor is able to compromise DropBox, they will have access to company files. If they instead can log into SalesForce, they will access sales forecasts and customer lists.
First, Secure Your Users
Multi-factor authentication (MFA) that incorporates User Behavior Analytics (UBA) is the lowest-cost and easiest solution for organizations to prevent both credential stuffing and password spraying attacks. These attacks both work because the user account is typically protected with a password which may be stolen or guessed, and which may be reused at multiple websites and cloud services. MFA requires that the user provide a second form of authentication to access a cloud service, such as typing a six-digit code generated by an authenticator app, or by pressing a button in an authenticator app. This will quickly get tiresome to end users, however, if they access cloud services from the same office location at approximately the same time each working day. Modern MFA solutions incorporate UBA, which can require MFA only when the user is doing something unusual. For example, if they typically log into Salesforce at 10 a.m. each day from their office in Chicago, they should not be prompted for a second authentication factor. If they are logging in from France at 2 a.m., however, they should be prompted for the second authentication factor. This simple and elegant solution can protect both non-privileged business and privileged users, such as Azure or AWS administrators.
Organizations seeking to increase their cyber security defenses should plan on vaulting their administrative credentials in a Privileged Access Management (PAM) solution. Under normal circumstances, a systems administrator should not need to log in to the AWS Management Console or the Azure portal, and their password should differ from their day-to-day login password. In a PAM solution, the privileged credentials are held in a secured digital vault, and the solution rotates the password regularly. When an administrator needs to access a cloud service with administrative privileges, she will log in to the vault and check out the password and secret key, optionally with an approval process for her to request access to the credentials. She can then log in to the cloud service as an administrator and perform the tasks. The PAM solution will rotate the administrative password after a duration of time so she cannot access the system again, or outside the duration of an approved change window. Mature PAM solutions often include an auditing function to record the session of the administrator and may not display the password to the administrator at all. This configuration also makes it easier to answer questions from external auditors about who has privileged access to cloud-based systems.
Second, Engage The Threat Actors In A Controlled Environment
An organization can increase their cloud cyber security maturity by engaging in threat hunting with honey privileges once they have deployed MFA for non-privileged users and PAM for privileged users. Threat hunting is a way of engaging with the threat actors to observe their tactics, techniques and procedures to build better defenses against existing and emerging threats. Honey privileges are usernames and passwords that should never be used, and the use of which indicates a breach. At a high level, this involves setting goals, building a trap, setting bait, establishing monitoring procedures, and then waiting.
For example, consider a B2B company concerned about threat actors attacking key resources like a cloud-based file storage solution. A potential goal would be to determine how threat actors are attacking these resources so that those attacks can be blocked, but once MFA and PAM have been deployed, this goal is less useful. A more useful goal is to determine what attackers do after a resource has been compromised so that defenses can be improved against a breach.
To build the trap, the organization would create a new username and password on the cloud-based file storage solution—these are the honey credentials. Crucially, MFA should not be enabled for this new user account, and the password should be easily guessable. To make the trap realistic, the defenders should load several realistic-sounding files containing garbage data or false data into the trap.
The next step is to establish monitoring for the trap. This will vary based on the SaaS or IaaS solution but should include alerting on successful login at a minimum. As this is a fake account with fake data, no legitimate user should ever use the credentials, and the use of those credentials immediately indicates a breach. Additional logging should be set up to monitor what is done after the login succeeds, such as downloading data or uploading data. Any data uploaded by the threat actor should immediately be quarantined and inspected as it will provide advance insight into the tools in use by the threat actor.
Baiting the trap can be done in a variety of ways. The easiest way would be to create a fake LinkedIn account with the same username and email address for the honey credentials. An alternate and slightly more complicated strategy would be to create a Word document using the honey credentials and then intentionally publish that document where it can be indexed by search engines, revealing the honey credentials. As an organization improves at threat hunting, these techniques will change.
The last phase is to wait for the account to be compromised. This is a matter of when, not if. Once the account is compromised, the organization can use the established monitoring to monitor the threat actor’s actions. Once a sufficient level of data has been recorded, the organization should immediately disable the account and collect the available forensic evidence from the breach. This evidence can update malware signatures, block malicious domains and IP addresses, and to further harden cloud services against observed vulnerabilities.
Although organizations believe the cloud to be inherently more secure, this two-step strategy will improve the security of cloud-based solutions for each organization. When combined with a larger cyber security program, these reduce the risks of a damaging breach.
McGladrey is a national cyber security expert helping clients develop proactive IAM programs to manage cyber risk. He's the Director of Information Security Services for Integral Partners and has 20+ years of experience, including 10 years in blending information technology and management acumen to cultivate and build best practices within the Professional Services team.