Why Breach and Attack Simulations Are the Keys to a Secure Cloud


Many of today’s businesses are compelled to migrate to the cloud on an accelerated timeline. Unfortunately, this business mandate often forces teams to push forward without fully working through the security considerations.

For a prominent example of this phenomenon, look no further than Amazon Web Services (AWS). When firms begin building their infrastructure in AWS, there is a multitude of potential misconfigurations: security policies, security roles, virtual machines, and databases can each be set up wrongly, and the amount of data sitting in S3 buckets can be voluminous.

Capital One learned this lesson the hard way, exposing more than 100 million customer accounts after a simple AWS misconfiguration. That incident highlighted the risks of taking a relaxed approach to security in this context; one slip in AWS and your organization’s most sensitive data can be made public to the entire world.

The same holds true for organizations that press their teams forward without allowing them to grasp the security implications, or who fail to consider the interplay of cloud and on-prem security considerations.

How XM Cyber Helps Mitigate Risk: Anticipation, APIs and Attack Paths

Existing security solutions are now doing a better job of helping users understand misconfiguration risks and other potential cloud security issues. However, they lack a key element: an understanding of the attacker’s perspective. Without this, you can’t effectively anticipate attacks, and you’re forced into a weaker, reactive posture.

XM Cyber also focuses on an area of critical importance that is often overlooked: API security. While APIs are the fuel of modern software, they can also present security risks. If an attacker has the proper authentication or permissions to make an API request, all sorts of negative outcomes are possible. XM Cyber is designed to help companies understand the risks that AWS APIs present to their AWS infrastructure.

XM Cyber also helps users gain deeper visibility into attack paths. Given the amount of data involved, it’s often a challenge to understand how a laptop sitting in a branch office can result in a compromised S3 bucket. XM Cyber creates a complete picture that helps users visualize the full breadth of the security environment: laptops, desktops, on-prem servers, AWS APIs, etc.

Let’s walk through an example of how a laptop breach can lead to full AWS access.

  • Attackers target developers or IT admins managing AWS infrastructure with phishing emails.
  • The phishing email is clicked, allowing the attacker to look for certain files within the system, or run malware that recons the system for stored Chrome passwords, private keys or even AWS tokens.
  • The attacker takes AWS tokens harvested from the developer’s computer; he can now communicate with AWS and initiate a connection. Even if IP blocks are in place, the attacker is on the developer’s computer behind the firewall.
  • The attacker now can create accounts and add an IP address exclusion, allowing him to communicate at will. Even if the attacker loses access to the breached computer, he still has an account of which the targeted company may not be aware.
  • Finally, the attacker can begin scanning to uncover valuable information: What’s in this AWS? How many permissions do I have? What can I access? The potential for damage can be relatively minimal…or absolutely devastating.

XM Cyber’s breach and attack simulations mimic such scenarios and allow organizations to understand the layout of their AWS infrastructure, how on-prem and cloud security considerations interact, and which vulnerabilities already exist.

The Challenge of Complexity

Between devices, user roles, data types, permissions, etc., there are millions of possible interconnections. Given this complexity, it’s impossible for the human mind to maintain full visibility; only a machine is up to this task.

It’s also important to consider the unique security circumstances of the cloud. If an employee:

  • accidentally makes internal data publicly accessible on AWS, or
  • switches IP addresses when working remotely and forgets to remove the temporary IP exception afterwards,

the result can be massive exposure. One seemingly small error can be magnified exponentially in the public cloud. To minimize the risk of this occurring, it’s important to have a machine-driven solution such as XM Cyber that offers continuous vigilance.

Other Key XM Cyber Features

XM Cyber helps users better understand the challenges they face by providing visualization of AWS assets and a variety of classification mechanisms that make it easy to create scenarios. Users can incorporate cloud elements (Lambda functions, S3 buckets, identity and access management roles, etc.) into these scenarios.

One example: if a user has SQL databases or file servers holding PCI data, and is continuously assessing how an attacker could reach them, they can easily add an asset hosted in AWS to the existing scenario. Users simply add an S3 bucket to the scenario.

XM Cyber also shows users the full AWS environment and offers a window into the connection between cloud and on prem. If an attacker moves between offices in multiple countries, compromising an S3 bucket in a user’s cloud infrastructure, XM Cyber will display the full chain of attack between on prem and cloud. Ultimately, it doesn’t matter where data sits — organizations need to understand how attackers can access it.

XM Cyber also provides remediation guidance within AWS. This includes:

  • Identifying which accounts are too permissive
  • Showing organizations which permissions to set
  • Showing how to bar certain accounts from reading S3 buckets
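As an added illustration of the remediation points above (example code, not XM Cyber’s own), the following Python flags the two policy mistakes the post describes, an anonymous-principal Allow on an S3 bucket and a wildcard Allow on every resource, and builds the explicit Deny statement that bars one principal from reading a bucket. The sample policy documents, bucket name and principal ARN are constructed for the example.

```python
import json

# Constructed sample policy documents (not taken from the post): a bucket policy
# granting anonymous read, and an identity policy granting every action on every
# resource. Both are the kind of slip the post warns about.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AnonRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})
ADMIN_STYLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllTheThings", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
})

def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def find_risky_statements(policy_json):
    """Return (Sid, reason) pairs for Allow statements a reviewer should flag."""
    findings = []
    for st in _as_list(json.loads(policy_json).get("Statement")):
        if st.get("Effect") != "Allow":
            continue  # explicit Deny statements only narrow access
        sid = st.get("Sid", "<no Sid>")
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        resources = _as_list(st.get("Resource"))
        # Anonymous principal with no Condition: readable by anyone on the internet.
        if st.get("Principal") in ("*", {"AWS": "*"}) and "Condition" not in st:
            findings.append((sid, "public: anonymous principal, no conditions"))
        # Wildcard action on every resource: effectively an administrator.
        if any(a in ("*", "s3:*") for a in actions) and "*" in resources:
            findings.append((sid, "too permissive: wildcard action on all resources"))
    return findings

def deny_read_policy(bucket, principal_arn):
    """Bucket-policy statement barring one principal from reading the bucket.
    An explicit Deny wins over any Allow in AWS policy evaluation."""
    return {"Sid": "DenyRead", "Effect": "Deny",
            "Principal": {"AWS": principal_arn},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}
```

The checker deliberately ignores Deny statements and anonymous principals that carry a Condition, so it reports only unconditional exposure; a real review would also inspect conditions such as source-IP allow lists for stale entries.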

Why XM Cyber Breach and Attack Simulation is a Unique Solution

Here’s the bottom line: If you don’t have visibility, you can’t evaluate your risk. You also can’t evaluate your on-prem and cloud risks in isolation, as they are too interconnected.

XM Cyber is the first company to incorporate hybrid environment risk, deploying our attack simulation to show how a single office laptop can expose critical AWS assets.

We do this with three simple clicks. After setting up a cloud-hosted environment, we create an AWS user account in that environment, then assign it the AWS security monitoring role. We then automatically start reading the information, allowing users to create attack simulations to understand potential attack paths to the S3 bucket. All of this can be set up in under an hour.

No hardware is necessary — it’s all cloud-based. We also encourage organizations to begin using our breach and attack simulations while migrating. This helps prevent having to rebuild a year later when security flaws are uncovered.

For organizations seeking to balance security vigilance with the need for fast cloud migration or adaptation, XM Cyber presents the market’s first solution to fully account for hybrid environment risk, and the first breach and attack simulation for the cloud.
