Many public cloud infrastructures suffer from a serious security loophole

Working with public cloud infrastructure without the right understanding of risks and security challenges may prove to be a risky bet today. One of the most critical spots where attackers look for vulnerabilities is the cloud Identity and Access Management (IAM) layer, which many companies often fail to secure. A lack of effective identity and access management poses significant risks not only to compliance, but also to overall security. The Capital One breach is one such recent example.

Research conducted by XM Cyber's Igal Gofman, Head of Security Research, and Yaron Shani, Senior Security Researcher, suggests a new attack vector in cloud providers' APIs can be exploited by adversaries to gain highly privileged access to critical assets in the cloud.


What was found in the research?


Researchers found that cloud APIs' accessibility over the Internet opens new possibilities for adversaries to plan their attack. The researchers note that current security practices and controls are not sufficient to mitigate the risk posed by the misconfiguration of the public cloud.


  • Getting API access can be easy if the account credentials of those who manage cloud resources (typically the members of the DevOps, development, and IT teams) are compromised.
  • Obtaining credentials won’t be a highly challenging task since members also use different software development kits and dedicated command-line tools to get access to APIs.
  • Even if an organization’s private subnet is not open to the Internet, according to the researchers, cloud APIs can still be accessed from the Internet with the right API key.
  • Cloud provider tools, for example the command-line interface (CLI) tools, save the user credentials inside a file, which is typically stored locally on the individual's workstation.
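
The locally stored credentials file mentioned in the last point can be audited on each workstation. The sketch below is an added example, not code from the XM Cyber research: it assumes the AWS CLI's INI-style shared credentials layout, and the sample profiles and key values are constructed placeholders. It flags a file readable beyond its owner and profiles holding a long-lived static key (an `AKIA` key ID with no session token).

```python
import configparser
import os
import stat
import tempfile

# Constructed sample in the AWS CLI shared-credentials layout (assumption);
# every key value below is a constructed placeholder, not a real secret.
SAMPLE = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-placeholder-secret

[ci-session]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = constructed-placeholder-secret
aws_session_token = constructed-placeholder-token
"""


def audit_credentials_file(path):
    """Return a list of findings for one CLI credentials file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other permission bit is set
        findings.append(f"file mode {mode:03o} lets group/other access the file")
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    for profile in parser.sections():
        key_id = parser.get(profile, "aws_access_key_id", fallback="")
        has_token = parser.has_option(profile, "aws_session_token")
        # AKIA = long-term IAM user key; ASIA keys are temporary and carry a token.
        if key_id.startswith("AKIA") and not has_token:
            findings.append(f"[{profile}] long-lived static access key on disk")
    return findings


def demo():
    """Write the constructed sample with loose permissions and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)  # deliberately too permissive for the demo
        return audit_credentials_file(path)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```
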

The weak link


Traditional protections primarily focus on network, application, and operating system defense.


  • Protection and mitigation techniques of companies are, in essence, reactive and not predictive.
  • Many popular defense techniques focus on specific attack vectors, such as brute force protection for cloud apps against password spray tools or AWS reconnaissance tools.
  • Post-breach defense is usually based on different user activities and machine learning algorithms.

Organizations can protect themselves from such attacks by following best practice guides from cloud providers. Large and complex organizations need to constantly monitor attack paths since they often have trouble tracking and monitoring permissions in large cloud infrastructures. Analyzing attack paths would also help in identifying high-value cloud resources, which can then be evaluated for risk factors.