09/26/2024 | News release | Distributed by Public on 09/26/2024 06:10
The simplicity of this attack isn't what makes it shocking. It's not even the speed with which the attacker seized control of an entire cloud environment. The alarming part is that it didn't take advanced techniques to break in. The mistakes that allowed this to happen? Well, they happen. All. The. Time.
So what should we have done to prevent the attack? Let's first look at how it unfolded.
The Attack Breakdown
Launching a brute-force attack on a user account with weak credentials, the attacker gains access to the system. Once inside, they locate a JSON file on the disk that contains an access key. They copy this key to their system, and using the stolen key, they successfully authenticate.
In the environment, the attacker discovers that the compromised service account has overly permissive access, including owner permissions. Owner-level access should never be granted to a service account (a machine identity), so this one grant alone exposes the entire environment.
Seizing the opportunity, the attacker writes a script designed to download all the data available in cloud storage. They begin enumerating serverless function environment variables, as these often contain sensitive information that could advance the attack.
Having uncovered valuable details - access tokens or configuration data - the attacker uses the owner's permissions to move laterally through the system, targeting virtual machines. Along the way, they find a shared jumpbox used by multiple users, which contains cloud credentials for various users, significantly widening the attack surface.
At this point, the attacker spots their target - an account with owner permissions to critical areas. It's linked to human resources, sales and IT projects. They seize control of the account and with a few swift commands, the entire cloud environment falls under their control.
Breaking Up This Attack Path
Many interconnected risks, rather than one, led to the success - and magnitude - of this attack. Let's take a look at the various components and what security measures and best practices could have prevented or limited the damage.
IAM and the Principle of Least Privilege
According to a recent Microsoft report, more than 50% of identities are super admins - users or workloads that have access to all permissions and resources. Nothing signals a more urgent need to reassess access management policies, and to protect sensitive data and infrastructure, than the absence of foundational IAM best practices.
In the attack breakdown, the attacker leverages a compromised service account with overly permissive access. This highlights a critical flaw in identity and access management (IAM) - ignoring the principle of least privilege. The least privilege principle dictates that each user or service should only have the minimum permissions necessary to perform their role. Excessive permissions, like the owner permissions granted to the service account, create an attack surface inviting exploitation.
To prevent attacks like this, security teams must enforce least privilege policies across all accounts, especially service accounts (machine users), which are often overlooked and pose a significant risk when granted broad permissions. In this attack, the service account could perform actions far beyond its scope, such as accessing sensitive data, which in turn let the attacker move laterally within the environment.
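The two IAM failures described above (a basic role such as owner on a service account, and a single identity holding owner across many projects) are both visible from the IAM policy alone. The following audit script is an added example, not code from the article or from Prisma Cloud; it assumes a GCP-style policy document (a list of {"role", "members"} bindings per project), and the projects, members and roles it runs over are constructed sample data.

```python
"""Least-privilege audit of cloud project IAM policies.

Added example, not code from the article or from Prisma Cloud. It assumes a
GCP-style policy document (a list of {"role", "members"} bindings per
project); the projects, members and roles below are constructed sample data.
"""
from collections import defaultdict

# Basic roles grant broad, project-wide permissions; none of them belongs on a
# service account (machine identity) under the principle of least privilege.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

ETL_SA = "serviceAccount:etl-runner@prj-hr-data.iam.gserviceaccount.com"

# Constructed sample: two projects, each with its own IAM policy.
SAMPLE_POLICIES = {
    "prj-hr-data": {"bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com", ETL_SA]},
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:reporting@prj-hr-data.iam.gserviceaccount.com"]},
    ]},
    "prj-sales": {"bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor", "members": [ETL_SA]},
    ]},
}


def member_type(member):
    """'serviceAccount:x@...' -> 'serviceAccount'; 'user:a@b' -> 'user'."""
    return member.split(":", 1)[0]


def audit_policies(policies):
    """Return a list of findings (dicts) describing least-privilege violations."""
    findings = []
    owner_scope = defaultdict(set)  # member -> projects where it holds roles/owner
    for project, policy in policies.items():
        for binding in policy.get("bindings", []):
            role = binding["role"]
            for member in binding.get("members", []):
                if member_type(member) == "serviceAccount" and role in BASIC_ROLES:
                    findings.append({
                        "severity": "medium" if role == "roles/viewer" else "high",
                        "project": project, "member": member, "role": role,
                        "issue": "basic role granted to a service account",
                    })
                if role == "roles/owner":
                    owner_scope[member].add(project)
    # An identity that is owner on several projects is a "super admin": one
    # stolen credential hands over every project it touches.
    for member, projects in owner_scope.items():
        if len(projects) > 1:
            findings.append({
                "severity": "high", "project": ",".join(sorted(projects)),
                "member": member, "role": "roles/owner",
                "issue": "owner on multiple projects (super admin)",
            })
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = audit_policies(SAMPLE_POLICIES)
    for f in results:
        print(f"[{f['severity']}] {f['project']}: {f['member']} has {f['role']} - {f['issue']}")
    print(summarize(results))
```

On the sample data the script reports three high findings: the ETL service account holding owner on one project and editor on another, and alice holding owner on both. The service-account check is the one that would have blocked this attack path; the multi-project owner check is what turns a "super admin" statistic into a concrete list of identities to trim.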
Actionable IAM Guidelines
Least-privileged access could have prevented the attack from escalating. Even if the initial brute-force attack succeeded, limited permissions would have stopped the attacker from downloading sensitive data or moving laterally across the environment.
Multifactor Authentication (MFA)
The attack began with a brute-force attack on a weak user password, exposing a vulnerability that could have been neutralized by multifactor authentication (MFA). Had MFA been enforced, the attacker would have needed a second form of authentication to access the environment, making a successful brute-force attempt less likely.
MFA could have minimized damage at several key stages of the attack:
Actionable MFA Guidelines
By enforcing MFA, the attacker's ability to gain access to the environment and escalate privileges would have been significantly hindered, likely stopping the attack before it began.
Data Security Posture Management (DSPM)
Once inside the system, the attacker wrote a script to download data from cloud storage, exploiting the absence of data security controls. This is exactly the gap that data security posture management (DSPM) technology and strategy is meant to close.
In this attack, cloud storage permissions were left wide open, and sensitive data was easily accessible once the attacker gained the required permissions. DSPM tools continuously monitor and assess data storage systems to ensure that sensitive data is protected, access is limited, and anomalies are quickly identified.
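As an added example of the kind of posture check a DSPM tool performs (not code from the article or from Prisma Cloud), the script below walks a simplified bucket inventory and ranks buckets by how sensitive their data is and how exposed it is. The inventory shape (a classification label, GCP-style bindings, uniform-access and access-logging flags), the role sets and the weights are assumptions; all bucket data is constructed.

```python
"""Data security posture check over cloud storage buckets.

Added example, not the article's or Prisma Cloud's code. It assumes a
simplified bucket inventory: each bucket carries a data classification label,
an IAM policy with GCP-style bindings, and flags for uniform bucket-level
access and access logging. All sample data is constructed.
"""

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Roles that allow reading object contents (not just listing bucket metadata).
READ_ROLES = {"roles/storage.objectViewer", "roles/storage.objectAdmin",
              "roles/storage.admin", "roles/owner", "roles/editor"}
# Weight of a finding by how sensitive the bucket's data is.
CLASS_WEIGHT = {"public": 0, "internal": 1, "confidential": 3, "restricted": 5}

SAMPLE_BUCKETS = [
    {"name": "hr-payroll-exports", "classification": "restricted",
     "uniform_access": False, "access_logging": False,
     "bindings": [
         {"role": "roles/storage.objectViewer", "members": ["domain:example.com"]},
         {"role": "roles/storage.objectAdmin",
          "members": ["serviceAccount:etl-runner@prj-hr-data.iam.gserviceaccount.com"]},
     ]},
    {"name": "marketing-site-assets", "classification": "public",
     "uniform_access": True, "access_logging": True,
     "bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
    {"name": "sales-crm-backups", "classification": "confidential",
     "uniform_access": True, "access_logging": False,
     "bindings": [{"role": "roles/storage.objectViewer",
                   "members": ["allAuthenticatedUsers"]}]},
]


def readers(bucket):
    """Set of principals that can read object contents in the bucket."""
    out = set()
    for b in bucket["bindings"]:
        if b["role"] in READ_ROLES:
            out.update(b["members"])
    return out


def assess_bucket(bucket):
    """Return (risk_score, [issues]) for one bucket; public data scores zero."""
    weight = CLASS_WEIGHT[bucket["classification"]]
    issues = []
    who = readers(bucket)
    exposed = who & PUBLIC_PRINCIPALS
    if exposed and weight > 0:
        issues.append("non-public data readable by " + ", ".join(sorted(exposed)))
    if any(m.startswith("domain:") for m in who) and weight >= CLASS_WEIGHT["confidential"]:
        issues.append("sensitive data readable by an entire domain")
    if not bucket["uniform_access"] and weight > 0:
        issues.append("legacy per-object ACLs enabled (permissions hard to reason about)")
    if not bucket["access_logging"] and weight > 0:
        issues.append("no access logging (bulk downloads would go unnoticed)")
    return weight * len(issues), issues


def prioritize(buckets):
    """Buckets with issues, sorted by risk score (highest first)."""
    scored = []
    for b in buckets:
        score, issues = assess_bucket(b)
        if issues:
            scored.append((score, b["name"], issues))
    return sorted(scored, key=lambda t: (-t[0], t[1]))


if __name__ == "__main__":
    for score, name, issues in prioritize(SAMPLE_BUCKETS):
        print(f"{name} (risk {score})")
        for issue in issues:
            print(f"  - {issue}")
```

The public marketing bucket is intentionally readable by everyone and produces no finding; the restricted payroll bucket ranks first because a domain-wide read grant, per-object ACLs and missing access logs together mean a scripted download would be both possible and invisible.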
Actionable DSPM Guidelines
A proactive DSPM strategy would have raised red flags the moment the attacker began accessing cloud storage, allowing the security team to respond before the data could be fully compromised.
Detect Malicious Activity and Respond
One of the most critical failures in the attack was the lack of monitoring for anomalous behavior. Threat detection leveraging user and entity behavior analytics (UEBA) could have detected several suspicious actions early in the attack, long before the attacker took control of the cloud environment.
UEBA works by establishing a baseline of normal user and system behavior, then flagging any deviations from this baseline as potential threats. In this attack, several activities would have triggered alerts:
Actionable Guidelines for Anomaly Detection
UEBA could have stopped the attack early by detecting the brute-force attempt or unusual data access patterns. Implementing UEBA as part of a broader monitoring strategy ensures that even when an attacker slips past traditional defenses, their actions will not go unnoticed.
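To make the baseline-and-deviation idea concrete, here is an added example (not code from the article or from Prisma Cloud) that replays the attack stages over a constructed audit log and raises the three alerts the text says UEBA would have produced: a burst of failed logins from one source, a known identity authenticating from an address outside its baseline, and one identity reading an unusual volume of storage objects. The event format, the thresholds and the per-identity baseline table are assumptions.

```python
"""Baseline-and-deviation detection (UEBA style) over a cloud audit log.

Added example, not code from the article or from Prisma Cloud. The event
format, thresholds and the per-identity baseline are assumptions, and the log
lines are constructed to replay the stages of the attack described above.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SA = "serviceAccount:etl-runner@prj-hr-data.iam.gserviceaccount.com"
BOB = "user:bob@example.com"

# Baseline: source addresses each identity normally authenticates from. A
# real deployment learns this over time; it is hard-coded here.
BASELINE_SOURCES = {BOB: {"203.0.113.10"}, SA: {"10.0.4.7"}}

FAILED_LOGIN_THRESHOLD = 5                   # failures per source address ...
FAILED_LOGIN_WINDOW = timedelta(seconds=60)  # ... within this window
BULK_READ_THRESHOLD = 50                     # object reads per identity ...
BULK_READ_WINDOW = timedelta(minutes=5)      # ... within this window

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _constructed_log():
    """Build sample lines: 'timestamp principal source_ip method status'."""
    t0 = datetime(2024, 9, 26, 10, 0, 0)
    ev = lambda dt, who, ip, m, st: f"{dt.strftime(TS_FMT)} {who} {ip} {m} {st}"
    lines = [ev(t0 - timedelta(minutes=10), BOB, "203.0.113.10", "login", "OK")]
    lines += [ev(t0 - timedelta(minutes=8) + timedelta(seconds=i), SA, "10.0.4.7",
                 "storage.objects.get", "OK") for i in range(3)]   # normal ETL reads
    # Password guessing against bob: six failures, then a success, one address.
    lines += [ev(t0 + timedelta(seconds=5 * i), BOB, "198.51.100.77", "login", "FAILED")
              for i in range(6)]
    lines.append(ev(t0 + timedelta(seconds=30), BOB, "198.51.100.77", "login", "OK"))
    # The service account key found on disk is now used from the same address,
    # followed by a scripted sweep of storage objects.
    lines.append(ev(t0 + timedelta(seconds=60), SA, "198.51.100.77",
                    "storage.buckets.list", "OK"))
    lines += [ev(t0 + timedelta(seconds=61 + i), SA, "198.51.100.77",
                 "storage.objects.get", "OK") for i in range(60)]
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, principal, ip, method, status = line.split()
    return {"ts": datetime.strptime(ts, TS_FMT), "principal": principal,
            "ip": ip, "method": method, "status": status}


def _slide(window, ts, limit):
    """Append ts to a deque, drop entries older than limit, return its size."""
    window.append(ts)
    while ts - window[0] > limit:
        window.popleft()
    return len(window)


def detect(lines):
    """Return (alert_type, subject, first_seen) tuples, one per distinct alert."""
    alerts, seen = [], set()
    failed_by_ip = defaultdict(deque)
    reads_by_principal = defaultdict(deque)
    for e in map(parse_line, lines):
        keys = []
        if e["method"] == "login" and e["status"] == "FAILED":
            n = _slide(failed_by_ip[e["ip"]], e["ts"], FAILED_LOGIN_WINDOW)
            if n >= FAILED_LOGIN_THRESHOLD:
                keys.append(("brute_force", e["ip"]))
        elif e["status"] == "OK":
            known = BASELINE_SOURCES.get(e["principal"])
            if known is not None and e["ip"] not in known:
                keys.append(("new_source_ip", e["principal"]))
            if e["method"] == "storage.objects.get":
                n = _slide(reads_by_principal[e["principal"]], e["ts"], BULK_READ_WINDOW)
                if n >= BULK_READ_THRESHOLD:
                    keys.append(("bulk_download", e["principal"]))
        for key in keys:
            if key not in seen:            # report each distinct alert once
                seen.add(key)
                alerts.append(key + (e["ts"],))
    return alerts


if __name__ == "__main__":
    for kind, subject, ts in detect(SAMPLE_LOG):
        print(f"{ts.strftime(TS_FMT)} {kind:15} {subject}")
```

Run against the constructed log, the first alert fires on the fifth failed login, before the attacker's guess succeeds; the second fires the moment the compromised user authenticates from an address outside its baseline; the third fires when the stolen service-account key is used from that same address, well before the bulk-download alert at the fiftieth object read. Each of these is an opportunity to respond that the text says went unused.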
Cloud Security Platform Reduces Risk and Eliminates Breaches
The highlighted attack underscores the persistent and evolving threats in cloud environments, as well as the importance of rigorous and proactive security.
Prisma Cloud empowers organizations to get ahead of threat actors and effectively reduce security incidents, including data breaches. By integrating comprehensive security measures across the application lifecycle, the Code to Cloud™ platform enables teams to ship secure code from the outset, fortify application infrastructure, and stop sophisticated attacks in real time. Leveraging Precision AI™, Prisma Cloud proactively identifies vulnerabilities - enforcing best practices - and ensures continuous compliance.
Learn More
For more IAM best practices, check out our infographic CIEM: Identity Is the New Perimeter. And if you haven't tried Prisma Cloud and wonder how our Code to Cloud™ platform could have helped you prevent this attack, consider booking a personalized demo or registering for a free 30-day Prisma Cloud trial.