3
1 ANATOMY OF A CLOUD-NATIVE DATA BREACH 1 The information presented in this document is based on the breach disclosure details provided by the company on its website. The accompanying screenshots are for illustration only and are not screenshots of the actual incident. Migrating computing resources to cloud environments opens up new attack surfaces previously unknown in the world of premise-based data centers. As a result, cloud-native data breaches frequently have different characteristics and follow a different progression than physical data breaches. Here is a real-life example of a cloud-native data breach, how it evolved and how it possibly could have been avoided. TARGET PROFILE: A SOCIAL MEDIA/MOBILE APP COMPANY The company is a photo-sharing social media application, with over 20 million users. It stores over 1PB of user data within Amazon Web Services (AWS), and in 2018, it was the victim of a massive data breach that exposed nearly 20 million user records. This is how it happened. ANATOMY OF A CLOUD-NATIVE DATA BREACH DISSECTING A REAL-WORLD CLOUD DATA BREACH AND HOW IT COULD HAVE BEEN AVOIDED COMPROMISING A LEGITIMATE USER 1 Frequently, the first step in a data breach is that an attacker compromises the credentials of a legitimate user. In this incident, an attacker used a spear-phishing attack to obtain an administrative user’s credentials to the company’s environment. FORTIFYING ACCESS After compromising a legitimate user, a hacker frequently takes steps to fortify access to the environment, independent of the compromised user. In this case, the attacker connected to the company’s cloud environment through an IP address registered in a foreign country and created API access keys with full administrative access. 2 1 STEP STEP

ANATOMY OF A CLOUD-NATIVE DATA BREACH

  • Upload
    others

  • View
    2

  • Download
    0

Embed Size (px)

Citation preview

Page 1: ANATOMY OF A CLOUD-NATIVE DATA BREACH

1ANATOMY OF A CLOUD-NATIVE DATA BREACH

1 The information presented in this document is based on the breach disclosure details provided by the company on its website. The accompanying screenshots are for illustration only and are not screenshots of the actual incident.

Migrating computing resources to cloud environments opens up new attack surfaces previously unknown in the world of premise-based data centers. As a result, cloud-native data breaches frequently have different characteristics and follow a different progression than physical data breaches. Here is a real-life example of a cloud-native data breach, how it evolved and how it possibly could have been avoided.

TARGET PROFILE: A SOCIAL MEDIA/MOBILE APP COMPANYThe company is a photo-sharing social media application, with over 20 million users. It stores over 1PB of user data within Amazon Web Services (AWS), and in 2018, it was the victim of a massive data breach that exposed nearly 20 million user records. This is how it happened.

ANATOMY OF A CLOUD-NATIVE DATA BREACH DISSECTING A REAL-WORLD CLOUD DATA BREACH AND HOW IT COULD HAVE BEEN AVOIDED

COMPROMISING A LEGITIMATE USER1 Frequently, the first step in a data breach is that an attacker compromises the credentials of a legitimate user. In this incident, an attacker used a spear-phishing attack to obtain an administrative user’s credentials to the company’s environment.

FORTIFYING ACCESSAfter compromising a legitimate user, a hacker frequently takes steps to fortify access to the environment, independent of the compromised user. In this case, the attacker connected to the company’s cloud environment through an IP address registered in a foreign country and created API access keys with full administrative access.

2

1

STEP

STEP

Page 2: ANATOMY OF A CLOUD-NATIVE DATA BREACH

2ANATOMY OF A CLOUD-NATIVE DATA BREACH

RECONNAISSANCE Once inside, an attacker then needs to map out what permissions are granted and what actions this role allows.

EXPLOITATIONOnce the available permissions in the account have been determined, the attacker can proceed to exploit them. Among other activities, the attacker duplicated the master user database and exposed it to the outside world with public permissions.

EXFILTRATIONFinally, with customer information at hand, the attacker copied the data outside of the network, gaining access to over 20 million user records that contained personal user information.

4

5

3

STEP

STEP

STEP

LESSONS LEARNEDÐ Your Permissions Equal Your Threat Surface: Leveraging public cloud environments means that resources that used to be hosted inside your organization’s perimeter are now outside where they are no longer under the control of system administrators and can be accessed from anywhere in the world. Workload security, therefore, is defined by the people who can access those workloads and the permissions they have. In effect, your permissions equal your attack surface.

Ð Excessive Permissions Are the No. 1 Threat: Cloud environments make it very easy to spin up new resources and grant wide-ranging permissions but very difficult to keep track of who has them. Such excessive permissions are frequently mischaracterized as misconfigurations but are actually the result of permission misuse or abuse. Therefore, protecting against those excessive permissions becomes the No. 1 priority for securing publicly hosted cloud workloads.

Page 3: ANATOMY OF A CLOUD-NATIVE DATA BREACH

3ANATOMY OF A CLOUD-NATIVE DATA BREACH

© 2020 Radware Ltd. All rights reserved. The Radware products and solutions mentioned in this document are protected by trademarks, patents and pending patent applications of Radware in the U.S. and other countries. For more details, please see: https://www.radware.com/LegalNotice/. All other trademarks and names are property of their respective owners.

Ð Cloud Attacks Follow Typical Progression: Although each data breach incident may develop differently, a cloud-native attack breach frequently follows a typical progression of a legitimate user account compromise, account reconnaissance, privilege escalation, resource exploitation and data exfiltration.

WHAT COULD HAVE BEEN DONE DIFFERENTLYÐ Protect Your Access Credentials: Your next data breach is a password away. Securing your cloud account credentials — as much as possible — is critical to ensuring that they don’t fall into the wrong hands.

Ð Limit Permissions: Frequently, cloud user accounts are granted many permissions that they don’t need or never use. Exploiting the gap between granted permissions and used permissions is a common move by hackers. In the aforementioned example, the attacker used the accounts’ permissions to create new administrative-access API keys, spin up new databases, reset the database master password and expose it to the outside world. Limiting permissions to only what the user needs helps ensure that, even if the account is compromised, the damage an attacker can do is limited.

Ð Alert of Suspicious Activities: Since cloud-native data breaches frequently have a common progression, there are certain account activities — such as port scanning, invoking previously used APIs and granting public permissions — which can be identified. Alerting against such malicious behavior indicators (MBIs) can help prevent a data breach before it occurs.

Ð Automate Response Procedures: Finally, once malicious activity has been identified, fast response is paramount. Automating response mechanisms can help block malicious activity the moment it is detected and stop the breach from reaching its end goal.

HOW RADWARE CAN HELP YOURadware’s Cloud Native Protector provides an agentless cloud-native solution for comprehensive protection of AWS assets. It uniquely protects both the overall security posture of the cloud environment and individual cloud workloads, and protects against cloud-native attack vectors.

Radware analyzes the gap between defined permissions and permissions that are actually being used. This helps detect excessive permissions that might leave you exposed and provides smart hardening recommendations based on the principle of least privilege.

To protect against data breaches, Radware uses machine learning algorithms to detect malicious behavior in your account and places events in contextual attack storylines to detect potential attacks and block them as they evolve. Finally, Radware’s solution includes automated response mechanisms, so you block data theft activities as soon as they are detected and ensure that your data isn’t compromised.

CONTACT US TO LEARN HOW RADWARE’S CLOUD NATIVE PROTECTOR CAN HELP PROTECT YOU!

https://www.radware.com/LegalNotice/
https://www.radware.com/contactus/
https://www.radware.com/products/cloud-native-protector/

BREACH FORMATION: Laboratory and Numerical Modelling of Breach Formation · Laboratory and Numerical Modelling of Breach Formation ... of the field modelling and breach uncertainty

BREACH FORMATION: Laboratory and Numerical Modelling of Breach Formation · Laboratory and Numerical Modelling of Breach Formation ... of the field modelling and breach uncertainty

Documents
The Target Breach: Anatomy of an Attack

The Target Breach: Anatomy of an Attack

Technology
ACL RECONSTRUCTION INDIVIDUALISED, …arthroscopic ACL reconstruction surgery, where the basis of treatment is centred on each patient’s individual native anatomy. ANATOMY OF THE

ACL RECONSTRUCTION INDIVIDUALISED, …arthroscopic ACL reconstruction surgery, where the basis of treatment is centred on each patient’s individual native anatomy. ANATOMY OF THE

Documents
Breach, breach, breach…

Breach, breach, breach…

Documents
Morpho-anatomy and chemical profile of native species used as

Morpho-anatomy and chemical profile of native species used as

Documents
The Anatomy of a Major University Data Breach Dan … Anatomy of a Major University Data Breach Dan Sarazen, CISA, CISSP 2016 Annual Conference - Miami, Florida Please Ask Questions

The Anatomy of a Major University Data Breach Dan … Anatomy of a Major University Data Breach Dan Sarazen, CISA, CISSP 2016 Annual Conference - Miami, Florida Please Ask Questions

Documents
The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow

The Anatomy of a Breach - NCHICAnchica.org/wp-content/uploads/2015/05/Sparrow.pdf · Anatomy of a Breach: A case study in how to protect your organization Presented By Greg Sparrow

Documents
Anatomy of a Breach - info.microsoft.com

Anatomy of a Breach - info.microsoft.com

Documents
The Anatomy of a Data Breach

The Anatomy of a Data Breach

Technology
The Anatomy of a Breach - Digital Forensics Training · The Anatomy of a Breach- Agenda ... •Digital Dining •Granbury/Firefly • By default, ... a Protected Computer, and

The Anatomy of a Breach - Digital Forensics Training · The Anatomy of a Breach- Agenda ... •Digital Dining •Granbury/Firefly • By default, ... a Protected Computer, and

Documents
How do Hackers Breach ATMs and Cash Registers?vox.veritas.com/legacyfs/online/veritasdata/9am... · 2 Anatomy of an ATM malware attack 3 ATM breach demonstration ... How do Hackers

How do Hackers Breach ATMs and Cash Registers?vox.veritas.com/legacyfs/online/veritasdata/9am... · 2 Anatomy of an ATM malware attack 3 ATM breach demonstration ... How do Hackers

Documents
DISCHARGE OF CONTRACTS FOR BREACH · DISCHARGE OF CONTRACTS FOR BREACH ... analysis of the situation following on breach of contract ... consequence of the breach

DISCHARGE OF CONTRACTS FOR BREACH · DISCHARGE OF CONTRACTS FOR BREACH ... analysis of the situation following on breach of contract ... consequence of the breach

Documents
Anatomy of a Data Breach - IAPP · PDF fileAnatomy of a Data Breach ... •Blacklist onion routing applications 19 . ... •Start investigating technology solutions

Anatomy of a Data Breach - IAPP · PDF fileAnatomy of a Data Breach ... •Blacklist onion routing applications 19 . ... •Start investigating technology solutions

Documents
Chapter 2: The Anatomy of Cloud Native Systems · (CQRS) Backend For Frontend Cloud Native Databases Per Component Event Sourcing Stream Circuit Breaker Event Streaming Data Lake

Chapter 2: The Anatomy of Cloud Native Systems · (CQRS) Backend For Frontend Cloud Native Databases Per Component Event Sourcing Stream Circuit Breaker Event Streaming Data Lake

Documents
Anatomy Of A Breach: The Good, The Bad & The Ugly

Anatomy Of A Breach: The Good, The Bad & The Ugly

Business
Anatomy of a Data Breach - Symanteceval.symantec.com/mktginfo/enterprise/...anatomy_of_a_data_breach...breaches, representing 35 percent of organizations polled.8 In a typical large

Anatomy of a Data Breach - Symanteceval.symantec.com/mktginfo/enterprise/...anatomy_of_a_data_breach...breaches, representing 35 percent of organizations polled.8 In a typical large

Documents
Breach Prevention: The Root Cause of the Data Breach Epidemic€¦ · Breach Prevention: The Root Cause of the Data Breach Epidemic According to the 2012 Verizon Data Breach Investigations

Breach Prevention: The Root Cause of the Data Breach Epidemic€¦ · Breach Prevention: The Root Cause of the Data Breach Epidemic According to the 2012 Verizon Data Breach Investigations

Documents
Cybersecurity Risk: How a Data Breach Can Impact a Transaction€¦ · Cybersecurity Risk: How a Data Breach Can Impact a Transaction John Williamson, CPA, ... • Anatomy of a Breach

Cybersecurity Risk: How a Data Breach Can Impact a Transaction€¦ · Cybersecurity Risk: How a Data Breach Can Impact a Transaction John Williamson, CPA, ... • Anatomy of a Breach

Documents
Anatomy of a breach - The Legal 500...data breach over the summer. Banks are known to be among the most cyber and data secure institutions in the world, but even JPMorgan’s high-level

Anatomy of a breach - The Legal 500...data breach over the summer. Banks are known to be among the most cyber and data secure institutions in the world, but even JPMorgan’s high-level

Documents
Anatomy of a data breach - RSPA · Anatomy of a A ccording to the Identity Theft Resource Center (ITRC), in 2016, the number of U.S. ... it’s essential that you understand the basic

Anatomy of a data breach - RSPA · Anatomy of a A ccording to the Identity Theft Resource Center (ITRC), in 2016, the number of U.S. ... it’s essential that you understand the basic

Documents
Anatomy of an Attack - AFP Online€¦ · Anatomy of an Attack Lessons Learned From the RSA Breach Kevin Flanagan, CISSP, CISA Director, North American Technical Consulting RSA, The

Anatomy of an Attack - AFP Online€¦ · Anatomy of an Attack Lessons Learned From the RSA Breach Kevin Flanagan, CISSP, CISA Director, North American Technical Consulting RSA, The

Documents
THE ANATOMY OF A CYBER POLICY - imc-seminars.com of... · • Breach response costs comprising: Forensic costs (i.e. identifying there has been a breach, the source of the breach,

THE ANATOMY OF A CYBER POLICY - imc-seminars.com of... · • Breach response costs comprising: Forensic costs (i.e. identifying there has been a breach, the source of the breach,

Documents
The Anatomy of a Cloud Data Breach

The Anatomy of a Cloud Data Breach

Technology
CSCSS Case Study - Peoples Republic of China- Anatomy of a Breach

CSCSS Case Study - Peoples Republic of China- Anatomy of a Breach

Technology
ing, according to the 2019 Anatomy of a - CYREN · Verizon Data Breach Investigations Report. 32% The Anatomy of a Phishing Attack While most folks know what phishing is, few realize

ing, according to the 2019 Anatomy of a - CYREN · Verizon Data Breach Investigations Report. 32% The Anatomy of a Phishing Attack While most folks know what phishing is, few realize

Documents
Anatomy of a Sernior Living Cyber Breach Final 10-20-17€¦ · Anatomy of a Senior Living Cyber Breach Managing Cyber Security in Senior Living October 25, 2017 ... in cybersecurity

Anatomy of a Sernior Living Cyber Breach Final 10-20-17€¦ · Anatomy of a Senior Living Cyber Breach Managing Cyber Security in Senior Living October 25, 2017 ... in cybersecurity

Documents
The Human Firewall is on fire – Anatomy of an email-based · 2020. 6. 10. · 1 Verizon Data Breach Report 2016 | 2 Wired 2015 | 3 Verizon Data Breach Report 2017 | 4 FBI, Public

The Human Firewall is on fire – Anatomy of an email-based · 2020. 6. 10. · 1 Verizon Data Breach Report 2016 | 2 Wired 2015 | 3 Verizon Data Breach Report 2017 | 4 FBI, Public

Documents
Anatomy of a CVAS-City of Thousand Oaks Native Plant Park ...ca.audubon.org/sites/g/files/amh421/f/ccc_cvas_heritage_park.pdf · Anatomy of a CVAS-City of Thousand Oaks Native Plant

Anatomy of a CVAS-City of Thousand Oaks Native Plant Park ...ca.audubon.org/sites/g/files/amh421/f/ccc_cvas_heritage_park.pdf · Anatomy of a CVAS-City of Thousand Oaks Native Plant

Documents
Morpho-anatomy and chemical profi le of Brazilian Journal ... · Morpho-anatomy and chemical profi le of Brazilian Journal of Pharmacognosy native species used as substitutes of quina

Morpho-anatomy and chemical profi le of Brazilian Journal ... · Morpho-anatomy and chemical profi le of Brazilian Journal of Pharmacognosy native species used as substitutes of quina

Documents
Anatomy of a Data Breach - TXC – Intranet...Anatomy of a Data Breach Juan Gonzalez, CIO Emergence Health Network. DISCLAIMER: EDUCATIONAL ONLY THIS TRAINING IS PROVIDED FOR GENERAL

Anatomy of a Data Breach - TXC – Intranet...Anatomy of a Data Breach Juan Gonzalez, CIO Emergence Health Network. DISCLAIMER: EDUCATIONAL ONLY THIS TRAINING IS PROVIDED FOR GENERAL

Documents