Reducing Your Attack Surface and Your Role in Cloud Workload Protection
1. Reducing Your Attack Surface
Ryan Holland – Sr. Director of Cloud Arch., Alert Logic
2. Summary
• Understanding your attack surface is critical to deploying the right security controls
• Attack surface in cloud environments is significantly different than on-premises
• Dominant cloud exposures are often misunderstood
3. #1 Sands Casino Breach
1st attack: Account Brute Force. Result: Detected by the SIEM. Blocked.
2nd attack: HVAC vendor application. Vector: SQL Injection. Result: Successful. Never detected.
(Diagram sites: Las Vegas, Bethlehem)
4. Sands Casino Breach (continued)
• Compromised admin credentials
• Moved laterally through Windows AD
• Used malware to destroy all hosts on the network
5. Security risk is shifting to unprotected web applications
Chart: Percentage of Breaches by incident pattern (x-axis 10% 20% 30% 40%), with counts shown lowest to highest:
  Denial of Service          1
  Crimeware                 49
  Physical Theft / Loss     56
  Payment Card Skimmers     86
  Everything Else          125
  Cyber-espionage          155
  Privilege Misuse         172
  Miscellaneous Errors     197
  POS Intrusions           525
  Web App Attacks          908
• Web app attacks are now the #1 source of data breaches
• But less than 5% of data center security budgets are spent on app security
Callouts: UP 500% SINCE 2014; $23 to $1
Sources: Verizon; Gartner
6. Security risk is shifting to unprotected web applications (continued)
Web App Attacks: Underreported. Misunderstood.
7. What Drives This Awareness Disconnect?
• Breach disclosure in a number of states is mandatory, but technical details are not in disclosure scope
• News media naturally gravitates towards human interest security stories
  - Mobile phones
  - Endpoint malware
  - Email theft
Chart labels: Ransomware; Malware; All other terms: SQL injection, web application attack, Wordpress vulnerability, PHP vulnerability, Apache Struts vulnerability
8. Our Perspective on Cloud Attack Surface
• 4,000+ customers
• 80% of deployments in data centers
• 50% of deployments in public and hybrid cloud
• Dominant workload: business critical web applications
10. #2 Yahoo
Impact: Number of exposed accounts increased from 1B to 3B.
How it happened: Exploited a WordPress/PHP vulnerability in 2013
Where are they now? Sold to Verizon. Valuation revised by $350M
11. Meet “M4g” AKA Alexsey Belan
• One of the most prolific hackers between 2013 - 2015
• Estimated to have compromised 1.2 billion user accounts
• Prime suspect in numerous breaches
12. Alexsey Belan’s Techniques
1. Identified peripheral sites and key people via Google and LinkedIn
2. Initial compromise via CVE-2011-4106 WordPress vulnerability. Modified authentication mechanisms to capture credentials
3. Used NMAP & internal Wiki to learn the environment and move laterally
4. Reused cookies from development staging systems, client certificates from emails and trouble tickets
5. Used developer credentials to introduce backdoors into code
Source: https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551
13. Why WordPress?
Used in 28% of all web sites on the internet
• WP CVE-2011-4106 vulnerability resulted in 1.2 million compromised sites
• 53 similar vulnerabilities in last 10 years (CVSS 6+)
14. #3 RNC breach
Impact: 200M voter records exposed
How it happened: Misconfiguration in Amazon Web Services S3 service
Where are they now? Survived the breach. Operational impact unclear.
16. Most common AWS Misconfigurations
1. Misconfigured EC2 instance single-point-of-failure and/or auto scaling issue
2. S3 logging not enabled
3. S3 object versioning is not enabled
4. User not configured to use MFA
5. User access key not configured with rotation
6. IAM policies are attached directly to user
7. Dangerous user privileged access to S3
8. ELB security group allows insecure access to ports or protocols
9. IAM access keys unused for 90 days
10. Dangerous user privileged access to RDS
Across 31,235 EC2 instances / workloads and 155,911 vulnerabilities and exposures sampled, on 381 VPCs in Dec 2017
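Most of the items on this list (2, 3, 4, 5, 6, 8 and 9) are mechanical checks over account inventory. The following is an added example, not Alert Logic's tooling or anything from the deck: it evaluates a hand-constructed inventory against those rules. The inventory shape, the 90-day thresholds used for rotation and unused keys, the use of key age as a proxy for "not configured with rotation", and the set of ports treated as insecure when open to 0.0.0.0/0 are all assumptions; a real run would fill the inventory from the AWS APIs.

```python
"""Added example (not Alert Logic's code): checks a constructed AWS inventory
against several of the misconfigurations listed on the slide."""
from datetime import datetime, timedelta, timezone

# Constructed "as of" date for the sample inventory.
NOW = datetime(2017, 12, 15, tzinfo=timezone.utc)

# Assumption: ports that should never be reachable from 0.0.0.0/0.
INSECURE_PORTS = {21: "ftp", 23: "telnet", 3306: "mysql", 3389: "rdp"}

# Constructed sample inventory, shaped loosely like boto3 describe/list output.
INVENTORY = {
    "buckets": [
        {"name": "app-logs", "logging_enabled": True, "versioning": "Enabled"},
        {"name": "voter-data", "logging_enabled": False, "versioning": "Suspended"},
    ],
    "users": [
        {"name": "alice", "mfa_enabled": True, "attached_policies": [],
         "access_keys": [{"id": "KEY-PLACEHOLDER-1",
                          "created": NOW - timedelta(days=30),
                          "last_used": NOW - timedelta(days=1)}]},
        {"name": "bob", "mfa_enabled": False, "attached_policies": ["AdministratorAccess"],
         "access_keys": [{"id": "KEY-PLACEHOLDER-2",
                          "created": NOW - timedelta(days=200),
                          "last_used": NOW - timedelta(days=120)}]},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "ingress": [{"port": 3306, "cidr": "0.0.0.0/0"},
                                    {"port": 22, "cidr": "10.0.0.0/8"}]},
    ],
}


def check_buckets(buckets):
    """Slide items 2 and 3: S3 access logging and object versioning."""
    findings = []
    for b in buckets:
        if not b["logging_enabled"]:
            findings.append(("S3 logging not enabled", b["name"]))
        if b["versioning"] != "Enabled":
            findings.append(("S3 object versioning not enabled", b["name"]))
    return findings


def check_users(users, now=NOW, rotate_days=90, unused_days=90):
    """Slide items 4, 5, 6 and 9: MFA, key rotation, direct policies, stale keys.
    Key age is used as a proxy for 'not configured with rotation' (assumption)."""
    findings = []
    for u in users:
        if not u["mfa_enabled"]:
            findings.append(("User not configured to use MFA", u["name"]))
        if u["attached_policies"]:
            findings.append(("IAM policy attached directly to user", u["name"]))
        for k in u["access_keys"]:
            if now - k["created"] > timedelta(days=rotate_days):
                findings.append(("Access key older than rotation window", k["id"]))
            if now - k["last_used"] > timedelta(days=unused_days):
                findings.append(("Access key unused for 90 days", k["id"]))
    return findings


def check_security_groups(groups):
    """Slide item 8: a security group exposing an insecure port to the world."""
    findings = []
    for g in groups:
        for rule in g["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in INSECURE_PORTS:
                findings.append(("Security group allows insecure access from anywhere",
                                 f"{g['id']}:{rule['port']}/{INSECURE_PORTS[rule['port']]}"))
    return findings


def audit(inventory, now=NOW):
    """Run every check and return a list of (rule, resource) pairs."""
    return (check_buckets(inventory["buckets"])
            + check_users(inventory["users"], now)
            + check_security_groups(inventory["security_groups"]))


if __name__ == "__main__":
    for rule, resource in audit(INVENTORY):
        print(f"{rule}: {resource}")
```

Run as a script it prints seven findings for the sample data, all against the `voter-data` bucket, the `bob` user and the `sg-db` group; the well-configured `alice` user and the HTTPS-only `sg-web` group produce none. Items 1, 7 and 10 (instance resilience and "dangerous" privileged access to S3 and RDS) need policy evaluation against the account's actual IAM documents and are deliberately not modelled here.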
18. #3 Equifax
Impact: 143M Social Security numbers, names, addresses
How it happened: Exploited flaw in Apache Struts
Where are they now? CEO, CIO, CISO fired. $3B erased from market capitalization
19. Apache Struts
2013: CVE-2013-2115, CVE-2013-2134, CVE-2013-2135, CVE-2013-1965, CVE-2013-1966
March 6, 2017: New Apache Struts vulnerabilities released. Alert Logic coverage update for CVE-2017-5638 released within 36 hours.
May 13, 2017: Equifax breached through CVE-2017-5638. Hackers install 30+ webshells.
July 2017: Equifax discovers the breach
  July 29 – network team detects abnormal activity
  July 30 – Vulnerable Struts application taken offline
  Aug 2 – Mandiant is contracted for incident response
September 2017: Equifax publicly discloses the breach to customers
Elapsed intervals marked on the timeline: 67 days; 108 days
21. Cloud Attack Surface
Attack categories: Web App Attacks (OWASP top 10); Platform / library attacks; App / System misconfig attacks
The Application Stack: Web Apps, Server-side Apps, App Frameworks, Dev Platforms, Server OS, Hypervisor, Hardware, Databases
Attackers are moving up the stack
1. Wide range of attacks at every layer of the stack
2. Rapidly changing codebase can introduce unknown vulnerabilities
3. Long tail of exposures inherited from 3rd party development tools
4. Extreme shortage of cloud and application security expertise
22. Attack Surface Factors
Factor | Impact | Technology Triggers
Custom built complex web code | Broad attack surface and numerous opportunities for hidden vulnerabilities. |
Open or commercial development frameworks | Vulnerabilities inherited from open source community or software vendors. |
3-tier architecture with relational databases | Increased risk of SQL injection - #1 web attack method in volume and impact |
Open and Interconnected | Easily accessible from outside world by valid users and attackers alike |