Thinking Like a Cloud Hacker: Part 1
Originally Published September 30, 2020 on Fugue’s website
In writing this, my objective is to examine some real-world, published cloud exploits, looking at both the motivations and techniques of the hackers responsible for them, so that you can understand who you are up against, how and why they act, and how to better protect your cloud infrastructure.
Cloud Infrastructure Misconfiguration is the Attack Surface
For most of these, the dominant attack surface is the misconfiguration of the target's cloud infrastructure. Hackers also exploit traditional TCP/IP and workload/OS vulnerabilities, but in the era of cloud, these are means to an end rather than the primary approach or goal.
For example, in the case of the Capital One hack, the attacker leveraged a misconfigured workload (a WAF) to gain access to the Amazon Web Services (AWS) infrastructure environment, but the real damage came from gaining infrastructure credentials to AWS IAM and Amazon S3 resources, which were used both to run crypto mining on Capital One’s AWS bill and to steal data.
Hackers know that the blast radius of damage they can achieve with cloud misconfiguration exploitation is greater than they can with traditional OS or workload exploits.
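The misconfiguration that turns a foothold into a breach is usually a permission grant that is wider than the workload needs: a role that can call any S3 or IAM action on any resource, or a bucket policy open to any principal. The following is an added example, not Fugue's code or anything from the incidents above, of a small least-privilege linter for IAM policy documents. The three policies are constructed samples; the set of "sensitive services" (s3, iam, sts) is this example's own assumption, chosen to match the services the post names.

```python
"""Added example: least-privilege linter for AWS IAM policy documents.

Not Fugue's code; the policies below are constructed samples.
"""
import json

# Services the post singles out as where the real damage happens (IAM, S3),
# plus STS because role assumption is how stolen credentials get extended.
# This grouping is an assumption of the example, not an AWS-defined list.
SENSITIVE_SERVICES = {"s3", "iam", "sts"}


def _as_list(value):
    """IAM JSON allows either a single string or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def lint_policy(policy: dict) -> list:
    """Return one finding per statement/problem; an empty list means nothing was flagged."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; they never widen it
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        sid = stmt.get("Sid", f"statement[{idx}]")
        for action in actions:
            service, _, verb = action.partition(":")
            # "*" or "s3:*" grants every verb of a service, far beyond what a WAF or app needs
            if action == "*" or verb == "*":
                findings.append({"sid": sid, "action": action, "issue": "wildcard action"})
            # Even a narrow verb on Resource "*" lets a compromised role reach every bucket/user
            if "*" in resources and (action == "*" or service in SENSITIVE_SERVICES):
                findings.append({"sid": sid, "action": action, "issue": "unscoped resource"})
        # Bucket policies carry a Principal; "*" makes the bucket world-readable/writable
        if _is_public_principal(stmt.get("Principal")):
            findings.append({"sid": sid, "action": ",".join(actions), "issue": "public principal"})
    return findings


# Constructed sample: the kind of role policy that lets one foothold reach all of S3.
ROLE_POLICY_WEAK = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAnyBucket", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "NoBucketDelete", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# Constructed sample: the same need, scoped to one bucket (hypothetical bucket name).
ROLE_POLICY_SCOPED = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadAppBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-app-bucket", "arn:aws:s3:::example-app-bucket/*"],
        }
    ],
}

# Constructed sample: a bucket policy that exposes objects to anyone on the internet.
BUCKET_POLICY_PUBLIC = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-app-bucket/*",
        }
    ],
}

if __name__ == "__main__":
    for name, policy in [("weak role", ROLE_POLICY_WEAK),
                         ("scoped role", ROLE_POLICY_SCOPED),
                         ("public bucket", BUCKET_POLICY_PUBLIC)]:
        print(name, json.dumps(lint_policy(policy), indent=2))
```

Running it reports two findings for the weak role policy (the `s3:*` verb and the unscoped resource), none for the scoped policy, and a public-principal finding for the bucket policy. The Deny statement is skipped on purpose: denies narrow access, so a linter looking for over-grants only needs to read the Allows.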
To think like a hacker, we have to understand at least three things: why they are hacking, what resources they have at their disposal, and how they are accomplishing it. Motivations among hackers are many, but largely can be described as:
- Political or Ideological Agenda
It’s important to note that these motivations are often combined for an individual hacking event. For example, many semi-state actors are hacking with a political agenda but are also self-funded and therefore hacking for personal financial gain.
Resources - Human and Otherwise
The resources a hacker has at their disposal can be largely defined by the number, skills, and financial means of the hacker(s).
Individuals: In many cases, a skilled individual can be highly effective at performing significant breaches, as we’ll see in the examples we use. Individual hackers usually lack deep financial resources, but often make up for that with skills and knowledge. Some of the most damaging hacks have been carried out by individuals with expertise.
Hacking groups: There are criminal organizations of hackers and politically motivated “hacktivist” groups, though often these are loosely organized collections of individuals. Hacking collectives will often collaborate over the internet to build shared botnets or other resources that can then be used, or leased to other hackers, to carry out attacks such as DDoS that are more challenging for individuals.
State actors and organized crime: As we all know from the news, there are state actors and organized crime groups engaged in hacking. When you read about truly large and aggressive hacks, such as Stuxnet or the attacks that shut down Estonian networks, they are the result of well-financed actors.
While these latter groups are probably the most capable and organized, never underestimate the potential blast radius of the efforts of an individual.
Insiders: Another category of resource that can act independently or be used by any of the above is the insider. Oftentimes, a disgruntled or feckless employee can be leveraged by sophisticated hackers to gain the insider’s information and access levels. Of course, insiders can also act maliciously on their own. Phishing and spear-phishing attacks are usually used to accomplish this, though bribes or other incentives can serve as well.
When hackers look to carry out their work, they use many techniques, but most can be described in the following ways:
- Discovery: Hackers need to learn about your organization and security posture to carry out attacks. Often, this is initially done using automated discovery programs that are searching for vulnerabilities in your cloud configurations that they can later exploit to gain purchase in your environment. Once inside, additional discovery will be done to find data, keys, and other useful resources.
- Insertion: Hackers need to get into your environments and resources. They will leverage various kinds of exploits they’ve discovered to gain purchase from which to operate. They will work hard to remain hidden upon insertion to buy time for additional discovery and exploitation.
- Exploitation: Once inserted, hackers will generally be attempting some combination of data theft, compute hijacking, or modification of your system’s behavior.
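The discovery phase is the one defenders see first, if they are looking: once an attacker has credentials, the next step is a burst of "what can I reach?" calls (who am I, which buckets exist, which users and roles are there) from one identity in a short window. The block below is an added example, not Fugue's code or a reconstruction of any incident's logs, of detection logic over constructed log lines shaped like AWS CloudTrail events. The set of enumeration calls, the five-minute window and the threshold of three distinct calls are this example's assumptions; tune them to your own baseline.

```python
"""Added example: flag credential-driven discovery in CloudTrail-style events.

Not Fugue's code; the log lines below are constructed to resemble CloudTrail
records (eventTime, eventName, userIdentity.arn, sourceIPAddress) and are not
from any real account.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Read-only "look around" API calls an attacker makes right after landing.
# Chosen for this example; extend with whatever your environment considers enumeration.
ENUMERATION_CALLS = {
    "GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles",
    "ListAccessKeys", "DescribeInstances",
}
WINDOW = timedelta(minutes=5)   # assumed: how close together the calls must be
THRESHOLD = 3                   # assumed: distinct enumeration calls needed to alert

# Constructed sample log: a role credential doing rapid enumeration (alert),
# and a deployment user whose occasional ListBuckets is normal (no alert).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2020-09-30T14:00:05Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/example-edge-role/i-0example"},
     "sourceIPAddress": "198.51.100.23"},
    {"eventTime": "2020-09-30T14:00:41Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/example-edge-role/i-0example"},
     "sourceIPAddress": "198.51.100.23"},
    {"eventTime": "2020-09-30T14:01:12Z", "eventSource": "iam.amazonaws.com", "eventName": "ListUsers",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/example-edge-role/i-0example"},
     "sourceIPAddress": "198.51.100.23"},
    {"eventTime": "2020-09-30T14:01:30Z", "eventSource": "iam.amazonaws.com", "eventName": "ListRoles",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/example-edge-role/i-0example"},
     "sourceIPAddress": "198.51.100.23"},
    {"eventTime": "2020-09-30T09:15:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-deployer"},
     "sourceIPAddress": "203.0.113.8"},
    {"eventTime": "2020-09-30T10:20:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-deployer"},
     "sourceIPAddress": "203.0.113.8"},
    {"eventTime": "2020-09-30T11:05:00Z", "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/example-deployer"},
     "sourceIPAddress": "203.0.113.8"},
])


def parse_events(text: str) -> list:
    """Parse newline-delimited JSON events into the few fields the detector needs."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        raw = json.loads(line)
        events.append({
            "time": datetime.strptime(raw["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "name": raw["eventName"],
            "actor": raw["userIdentity"]["arn"],
            "ip": raw["sourceIPAddress"],
        })
    return events


def detect_enumeration(events: list) -> list:
    """One alert per actor that makes THRESHOLD distinct enumeration calls inside WINDOW."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["name"] in ENUMERATION_CALLS:
            by_actor[ev["actor"]].append(ev)
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            # Sliding window anchored on each event; stop at the first hit for this actor
            window = [e for e in evs[i:] if e["time"] - start["time"] <= WINDOW]
            names = {e["name"] for e in window}
            if len(names) >= THRESHOLD:
                alerts.append({
                    "actor": actor,
                    "start": start["time"].isoformat(),
                    "calls": sorted(names),
                    "source_ips": sorted({e["ip"] for e in window}),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

On the sample log the detector raises exactly one alert, for the assumed-role credential that ran four enumeration calls in under two minutes; the deployment user's spread-out calls never cross the threshold. Keying the alert on the credential rather than the IP is deliberate, because a stolen role credential can be used from anywhere, and the source IP on the alert is there to help triage, not to decide it.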
In the next post, we’ll demonstrate how these motivations, resources and techniques were used in four real-world hacks, in as much detail as is available to us. Three of these hacks are cloud-native, and we’ll point out how to deny the vectors the hackers used against the cloud infrastructure they attacked.
Please keep in mind that these are all attacks against sophisticated and capable defenders, who largely did an excellent job of securing their clouds. None of these cases can be chalked up to negligence on the part of the cloud customer. The use of real-world hacks is intended to provide real information to help you understand how they worked so you can better secure your cloud resources. The purpose is not to denigrate any of these organizations.
This is part one of a two-part series on thinking like a hacker. In the next installment, we’ll examine four real-world hacks in detail, looking at the motivations, resources, and techniques used in each of them. For more information on cloud security and compliance, please go to https://fugue.co.