Years ago, a breach that compromised the data of a few million people would have been few and far between. Unfortunately, recently our newsfeeds have been littered with data breach headlines, the recent Optus data breach being a prime example.
This blog explores how to use the MITRE attack knowledge base to help detect attackers operating in cloud environments.
Cloud is a data gold mine
eBay reported that an attack exposed its entire account list of 145 million users. Information includes names, addresses, dates of birth and encrypted passwords. The online auction giant said hackers used the credentials of three corporate employees to access its network and had complete access for 229 days — more than enough time to compromise the user database.
A data breach is almost inevitable these days
Breaches affecting hundreds of millions of people are far too common.
The Yahoo data breach resulted in approximately 3 million encrypted client payment card records being compromised, in addition to the login information for an unknown number of user accounts.
The Facebook data leak resulting in data from 533 million people in 106 countries was published on a hacking forum earlier this month. The company now faces a probe from the Irish data commissioner about whether it broke GDPR rules and mass legal action from affected EU citizens, who had a range of personal data leaked, including phone numbers.
It’s a common refrain that suffering a data breach is almost inevitable, so the best way to keep costs low is to prepare for every eventuality.
Companies with an incident response (IR) team that tested an IR plan using tabletop exercises or simulations saw savings of $2 million compared to those with no such measures in place.
Protect your storage, save your business
Adversaries may access data objects from improperly secured cloud storage.
Many cloud service providers, such as Amazon S3, Azure Storage, and Google Cloud Storage offer solutions for online data storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) because there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider’s APIs. Solution providers typically offer security guides to help end users configure systems.
Misconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured, typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users. These mistakes can enable open access to credit cards, personally identifiable information, medical records, and other sensitive information. Adversaries may also obtain leaked credentials in source repositories, logs, or other means, to gain access to cloud storage objects with access permission controls.
Mitigate with MITRE
MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. It is a curated knowledge base and model for cyber adversary behaviour, reflecting the various phases of an adversary’s attack lifecycle and the platforms they are known to target.
The behavioural model presented by ATT&CK contains the following core components:
- Tactics denoting short-term, tactical adversary goals during an attack (the columns);
- Techniques describing the means by which adversaries achieve tactical goals (the individual cells); and
- Documented adversary usage of techniques and other metadata (linked to techniques).
Learn more about how you can leverage the MITRE framework to combat cyber threats in our previous blog.
Detecting attackers operating in cloud environments
The Elastic Security Intelligence & Analytics Team conducts significant research into adversary tradecraft. This research is used to develop new detection features, like rules, machine learning jobs and capabilities that enable small security teams to have an outsized impact. Security features like these increase the cost of an attack for adversaries.
Elastic Security users can expect to see a continued focus on increasing the cost of cloud attacks.
While monitoring the usage of the previously mentioned APIs, it can be difficult to distinguish benign activity from suspicious behaviour, such as an attacker enumerating an environment. In production environments, monitoring for calls to these APIs can be noisy, as the behaviour is quite common. Elastic developed a set of rules based on the MITRE attack framework to overcome this.
Conclusion
Migrating to the cloud can benefit an organisation, but it comes with security risks, especially when storing sensitive data.
Implementing a proper response plan guided by modern security frameworks, such as MITRE ATTACK can help identify adversaries quickly and save you tons of money.
Author: Jose Mari Ponce
References:
https://www.9news.com.au/national/optus-data-breach-cyber-security-expert-says-more-could-have-been-done-to-protect-information/89f12f22-d7d1-43c5-b040-89f9b9f2f638
https://www.nytimes.com/2017/10/03/technology/yahoo-hack-3-billion-users.html
https://www.elastic.co/blog/author/elastic-security-intelligence-&-analytics-team
About Skillfield
Skillfield is an Australian based IT services consultancy company empowering businesses to excel in the digital era. Across our two main practices of Cyber Security & Data Services, our talented and committed professionals provide smart and simplified solutions to complex cyber security and big data challenges.