XM Cyber at Black Hat Europe 2019: New Approach to Attacking Cloud Infrastructure
Public cloud infrastructure presents security teams with a new, invisible management layer, creating security challenges that demand better understanding. Failure to grapple with the challenges created by this hidden layer of cloud identity and access management creates profound risk for today’s organizations.
In a talk for Black Hat Europe 2019 (“Inside Out: The Cloud Has Never Been So Close”) on December 5 in London, XM Cyber’s head of security research Igal Gofman and senior security researcher Yaron Shani outlined a new approach to attacking cloud infrastructure. They used graphs to build and illustrate the relationships between different resources, identities, and policies. After mapping all the relationships, they showed how adversaries can easily abuse existing features to escalate privileges and get to high-value resources.
“At XM Cyber, we believe that defenders must go on the offensive. Developing an offensive tool incorporating our research is far easier than constructing a defensive system around it,” said Gofman.
“So what should organizations do to prepare for the likelihood of such attacks? A critical first step is to closely follow best practices from cloud providers. We also believe that vigilant monitoring of all potential attack paths to critical assets is the best thing an organization can currently do to fend off attacks of this nature. Ultimately, however, stronger tools will be needed, and we hope today’s organizations will build on our research to create their own tools for security and risk assessment. That’s the ideal combination for protection of your most critical resources within a public cloud infrastructure. With all three elements in place, organizations will be in the best possible position to safeguard their highest value assets,” he summarized.
Public cloud infrastructure adds a new management layer and new security challenges that need to be well understood and secured. The fact that cloud provider application programming interfaces (APIs) are reachable over the internet has opened a new window for adversaries to gain highly privileged access to critical cloud assets. Traditional defense mechanisms focus mostly on network, application and operating system defense. The use of public APIs introduces a new attack surface, one that traditional defenses cannot protect. Credential theft is a well-known attack vector used by many adversaries. It is so successful because organizations struggle to follow the principle of least privilege. The people in charge of cloud resources are usually the DevOps, development and IT teams who need to manage those resources, and they access the APIs through various software development kits (SDKs) and dedicated command-line tools. Once those accounts are compromised, gaining access to high-value resources is one API call away.
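To make the graph-based mapping of identities, policies and resources concrete, and the "monitor all potential attack paths to critical assets" advice actionable, here is an added example (not code from XM Cyber or the talk) that models a small, constructed set of permissions as a directed graph and enumerates every path from a principal to a high-value resource. The policy format, the identity and resource names, and the "assume"/"read"/"write" actions are simplified stand-ins invented for the example, not any provider's actual IAM schema.

```python
"""Graph model of cloud identities, policies and resources, plus a search for
paths from a principal to high-value assets. Constructed example: the policy
records below are a simplified stand-in, not a real provider's IAM format."""
from collections import deque

# Constructed sample: which principal may assume which role, and which
# identity may act on which resource. A single low-privilege user account
# ends up with a two-hop path to the critical backup bucket.
POLICIES = [
    {"principal": "user:dev-alice", "action": "assume", "target": "role:ci-deploy"},
    {"principal": "role:ci-deploy", "action": "assume", "target": "role:storage-admin"},
    {"principal": "role:storage-admin", "action": "read", "target": "bucket:customer-db-backups"},
    {"principal": "user:dev-bob", "action": "read", "target": "bucket:static-assets"},
    {"principal": "role:ci-deploy", "action": "write", "target": "bucket:static-assets"},
]
HIGH_VALUE = {"bucket:customer-db-backups"}  # the assets defenders want to watch

def build_graph(policies):
    """Directed graph: node -> list of (neighbor, action). An 'assume' edge lets
    the principal act as the target identity; other actions lead to a resource."""
    graph = {}
    for p in policies:
        graph.setdefault(p["principal"], []).append((p["target"], p["action"]))
        graph.setdefault(p["target"], [])
    return graph

def attack_paths(graph, start, high_value):
    """Breadth-first search from a (possibly compromised) principal. Returns each
    path, as alternating node and '-action->' hop labels, that reaches a
    high-value resource. Only identity nodes (reached via 'assume') are
    traversed further; resource nodes are leaves."""
    found = []
    queue = deque([(start, [start])])
    seen = {start}  # guards against role-assumption cycles
    while queue:
        node, path = queue.popleft()
        for nxt, action in graph.get(node, []):
            new_path = path + [f"-{action}->", nxt]
            if nxt in high_value:
                found.append(new_path)
            elif action == "assume" and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, new_path))
    return found

def exposed_principals(policies, high_value):
    """Every principal from which at least one path to a high-value resource exists;
    these are the accounts whose compromise puts the critical asset in reach."""
    graph = build_graph(policies)
    principals = {p["principal"] for p in policies}
    return sorted(p for p in principals if attack_paths(graph, p, high_value))

if __name__ == "__main__":
    g = build_graph(POLICIES)
    for path in attack_paths(g, "user:dev-alice", HIGH_VALUE):
        print(" ".join(path))
    print("principals with a path to a critical asset:", exposed_principals(POLICIES, HIGH_VALUE))
```

Run against a real inventory, the `exposed_principals` list is the set of accounts whose credentials should be treated as critical-asset credentials, and each returned path is an edge (a role-assumption or a direct grant) that least-privilege review can cut.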