Capital One Breach: Is Your AWS Environment Just as Susceptible?

This blog was originally published on August 9, 2019 by JupiterOne.

The Opportunity for Security Teams

It’s been a little over a week since the coverage of the Capital One data breach. The impact of 100 million plus records that were compromised breathed gasoline onto the fiery debate as to whether the cloud is or even can be secure. Industry experts are divided as to who is to blame. News cycles drum up the age old advice for consumers to monitor or freeze their credit. Many cybersecurity companies are quick to point fingers and lay blame. It’s hyperbolic and fairly unproductive.

Even after 10 days, organizational concerns around their lack of visibility and the potential sleeping vulnerabilities that may exist in their own digital environments and infrastructure are still sky high. So how can security teams capitalize on this hyper-alertness across the organization to ensure they are minding their own risks and shining a light on their own policies for examination?

Two Things You Musn't Forget

This happens to the very best of us. People make mistakes and attacks are inevitable. The root cause was a configuration issue. Put another way, are deadbolts any less secure should you suffer a break-in after forgetting to close the door? No. Misconfiguration in any environment, including the most secure, can lead to compromises.

So the cloud isn’t any less secure, but practices can certainly be improved.

So what can we learn and how can we use that information to be better prepared?

There are a couple of good articles (here and here) with technical details of how it happened, but what it boils down to is being able to complete a comprehensive threat analysis of your AWS environments and configurations and to be able to answer these questions:

• What active EC2 instances do I have that are Internet facing/publicly accessible?
• What IAM roles can these EC2 instances use/assume?
• What policies are assigned to these IAM roles?
• What permissions are allowed by these policies?

Unfortunately, the most challenging part of this threat analysis exercise is the sheer scale. Even when you know what to look for, you may have hundreds or even thousands of instances running across multiple AWS accounts. This analysis can easily take weeks, if not longer.

Providing Visibility

We’d be naïve to think a breach as significant as Capital One won’t put pause on a number of cloud-driven digital transformations. It is probably raising alarms for a number of cloud-native organizations as well. But raising awareness around the importance of execution is good for everyone.