Hacked Again: Here’s How Breach and Attack Simulations Can Tackle AWS Security Incidents

April 10, 2020


It’s no secret that companies are migrating to AWS at a rapid pace. However, as these companies move to the cloud, they may not realize they are opening up a completely new attack surface. It’s important that enterprises monitor this new risk and implement proper controls to defend the network.

It’s hard to overstate the reach of Amazon Web Services (AWS), whose infrastructure now powers hundreds of thousands of businesses across the globe. Companies are migrating to AWS (and its competitors) at a rapid clip to take advantage of the scalability and reliability of the cloud.

Yet managing this transition and building a successful infrastructure requires complex coordination. It also requires dealing with multiple components: databases, virtual machines, security roles and policies, and connections to a variety of services. It’s a tall order for even experienced and skilled modern security teams.

Given the scope of the challenge involved, the risks of making a mistake, or misconfiguring accounts or even permissions, must be taken very seriously.

The urgency of accounting for such security risks is reinforced by the near-constant parade of new AWS-related security incidents reported in the media.

The Challenge of Maintaining Strong Cloud Security

One recent example of an AWS security lapse involved a global financial services company that was forced to pull its software offline following the discovery of ransomware. The company, which was running its payment platform on AWS, was unable to offer currency services to its partners for several days — something that left travelers temporarily without access to their funds.

Security researchers quoted in the media pointed to network segmentation issues as the likely culprit for the attack. One researcher claimed the company’s servers had RDP enabled and exposed to the Internet, while the platform’s network location service was disabled. The company was also running Windows Server 8, older software nearing the end of its support cycle, which left its servers susceptible to BlueKeep (CVE-2019-0708), the RDP vulnerability that allows for remote compromise with no user interaction.

These incidents are hardly unusual: Shortly before the attack referenced above, we saw a recent example of a simple AWS misconfiguration exposing the data of more than 100 million people.

While such incidents may be routine, there is a relatively new solution to the problem of AWS vulnerabilities that is drawing increasing attention: Automated breach and attack simulations (BAS).

Defining BAS — and How It Differs from Conventional Approaches

Breach and attack simulations can automatically identify vulnerabilities through a process that is similar to continuous, automated penetration testing. This approach, which was developed by military security researchers, runs simulations of likely attack paths taken by advanced persistent threats and then prioritizes remediation.

BAS platforms are especially effective at limiting one of the most serious threats faced by today’s security teams: The ability of an advanced persistent threat to penetrate a network, embed itself for weeks or months undetected, move laterally and steal an organization’s crown jewels.

Why is the BAS approach superior to conventional penetration testing or red teaming? It’s simple: Those approaches are largely manual and resource-intensive. As a result, such tests are scheduled weeks or even months apart, which leaves security professionals with very limited insight into the state of their environments during non-test periods.

For the most robust defense possible, it’s imperative to use tools that are highly automated and apply the power of continuous testing. This is especially true in the context of AWS security.

Are BAS Platforms the Key to Better AWS Security?

An advanced BAS solution can play a critical role in securing AWS environments. To maintain an effective security posture, today’s organizations must gain deeper visibility into potential attacks across AWS infrastructures.

Security teams, however, often struggle to keep up with the demands of cloud migration. As organizations rush to build their cloud infrastructures, this activity often outpaces a security team’s ability to accurately assess the risks presented by their new hybrid environment. Additionally, if you assess on-prem and cloud risks in isolation, it’s impossible to understand the risks they pose to each other.

A BAS platform can close this gap — if you choose the right one. More advanced BAS solutions can audit AWS configurations via the AWS API, using this data to generate potential attack vectors and run simulated attacks. These simulations can identify misconfigurations that can lead to access token theft, IAM privilege escalation and other serious risks.
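To make the configuration-audit step concrete, here is an added example (not from this article or from any BAS product) that checks data shaped like AWS API output for two of the problems mentioned above: RDP open to the Internet and IAM policies that permit privilege escalation. The sample security groups, the policy and the `RISKY_ACTIONS` watch list are constructed assumptions.

```python
import fnmatch

# Constructed samples shaped like EC2 DescribeSecurityGroups output and an
# IAM policy document; the IDs and statements are illustrative, not real data.
SECURITY_GROUPS = [
    {"GroupId": "sg-example-rdp", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-all", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:Attach*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": "*"},
    {"Effect": "Allow", "Action": "IAM:passrole", "Resource": "*"}]}
# Assumed watch list: IAM actions that let a principal widen its own access.
RISKY_ACTIONS = ["iam:AttachRolePolicy", "iam:AttachUserPolicy",
                 "iam:CreateAccessKey", "iam:CreatePolicyVersion",
                 "iam:PassRole", "iam:PutUserPolicy"]

def internet_exposed(groups, port=3389):
    """GroupIds with an ingress rule opening `port` to any address."""
    hits = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            covers = proto == "-1" or (proto in ("tcp", "6") and
                perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if covers and any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
                hits.append(group["GroupId"])
                break
    return hits

def escalation_actions(policy):
    """Watch-list actions granted by Allow statements; Deny, NotAction and
    Condition are not evaluated, so hits need manual review."""
    stmts = policy.get("Statement", [])
    found = set()
    for stmt in [stmts] if isinstance(stmts, dict) else stmts:
        actions = stmt.get("Action", []) if stmt.get("Effect") == "Allow" else []
        actions = [actions] if isinstance(actions, str) else actions
        # IAM action names are case-insensitive and may contain wildcards.
        found.update(r for r in RISKY_ACTIONS for a in actions
                     if fnmatch.fnmatchcase(r.lower(), a.lower()))
    return sorted(found)
```

Run on a schedule against fresh API output, checks like these give the continuous view that periodic manual tests cannot.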

By using a BAS solution to protect AWS environments, organizations can see their networks through the eyes of their attackers while running 24/7 simulations that uncover the hidden attack vectors that so often remain undiscovered by more conventional solutions.

One note: To ensure the best possible protection, it’s advisable to implement a BAS solution during cloud migrations, rather than post-migration. This not only limits the possibility of mistakes and successful attacks occurring during migration, it also helps eliminate the need for expensive and time-consuming re-architectures.

The Takeaway

Ultimately, an advanced BAS platform can offer robust protection by simulating advanced persistent threats against an organization’s most sensitive and valuable assets. AWS security gaps can be identified and addressed as needed, greatly reducing the odds of your organization being the next enterprise unfortunate enough to be in the headlines.

Chris Foster

Director of Solutions Architecture, XM Cyber

Chris Foster is the Director of Solutions Architecture at XM Cyber. He has over 17 years of security experience serving both public and private sector organizations. Chris came to XM Cyber from Flashpoint where he was the Senior Director of Professional Services and Solutions Architecture. He previously held positions with iSIGHT Partners and FireEye where he empowered clients to become intelligence-led security organizations. Additionally, Chris worked with Chevron where he led the cyber intelligence cycle project and served as Chevron's cybersecurity liaison to the U.S. Department of Homeland Security. Chris spent over a decade in the public sector at numerous organizations, including Booz Allen Hamilton and SAIC, supporting various U.S. Military and Intelligence Community operations in the cybersecurity and counterterrorism domains. Chris holds an MBA from The McCombs School of Business, University of Texas at Austin and a bachelor's degree from Vanderbilt University.