Cloud computing account compromises, resulting from stolen access keys and credentials, happen more often than we know. We are all familiar with notable, newsworthy reports of account compromises. But for every report of a massive breach (think DXC or OneLogin), there are numerous other examples that go unreported by the mainstream media.
Take, for instance, the case of security researcher @xKushagra, who recently found a "gold mine" of open credentials and API keys at Trello. He promptly tweeted about his find and retweeted one of his followers who confirmed the event.
Of course, last year we did see headline-worthy incidents such as the Uber breach. Hackers had accessed one of Uber's private GitHub repositories, where they discovered login credentials to Uber's AWS account. They used these credentials to log in to the AWS account and exfiltrate sensitive data on 57 million people.
Uber is by no means alone as far as compromised credentials go; the RedLock CSI team discovered an unprotected Kubernetes console that belonged to Tesla. Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment. An examination of the environment revealed it contained an Amazon S3 bucket that had sensitive vehicle telemetry data. These organizations clearly didn’t follow AWS security best practices.
Such incidents prompted the RedLock CSI team to analyze trends around access hygiene. The findings indicate that we can expect this type of attack to increase in frequency in 2018.
The most alarming statistic was that 73% of organizations are allowing the root user account to perform routine activities. This goes against security best practices, and Amazon has strongly warned against it: administrators are advised to lock away root user access keys and create individual IAM users instead.
When the team examined organizations' hygiene around access keys, they discovered that 40% of them had not been rotated in over 90 days. This is concerning because keys often carry more permissive access than the role requires, which creates greater exposure. In the event of an account compromise, rotating access keys ensures that the window of opportunity available to hackers is finite.
Further investigation by the RedLock CSI team determined that 16% of organizations have users whose accounts have potentially been compromised. In addition to closely managing access, organizations must also be vigilant about monitoring user activities within their public cloud environments to detect insider threats or account compromises.
5 Tips to Defend Against Account Compromises
To minimize the probability of an account compromise within your organization, the RedLock CSI recommends the following five security best practices:
- Eliminate the use of root accounts for day-to-day operations: Root accounts should be limited to those who require true administrative access, and administrators should continuously assess who has root access, how and when it is being used, and whether those privileges should be extended or revoked.
- Enforce multi-factor authentication on all privileged user accounts: Implementing MFA on privileged accounts is a consistent cloud security best practice.
- Implement a policy to automatically force periodic rotation of access keys: Generally, a 90-day rotation is considered best practice, with some organizations rotating keys every 30 or 60 days.
- Automatically disable unused accounts and access keys: Organizations frequently use contractors and third parties to help develop and support public cloud environments. Additionally, with employee turnover, it is critical to ensure strong governance controls exist to detect and disable accounts unused for over 90 days.
- Implement user and entity behavior analytics: In addition to the preventative controls outlined above, apply Machine Learning (ML) to establish user and access key behavior baselines, and monitor for deviations to detect account takeovers or malicious insider activity.
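The first four tips can be checked mechanically against an IAM credential report. The following Python is an added example, not code from RedLock or AWS: it parses a constructed report in the column format that `aws iam get-credential-report` returns (after base64 decoding) and flags active root access keys, console users without MFA, keys not rotated in 90 days, and passwords or keys unused for 90 days. The account ID, user names and dates are constructed, and since the report does not show permissions, the MFA check is applied to every console user rather than only privileged ones.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed IAM credential report (same columns as `aws iam get-credential-report`).
# "N/A", "not_supported" and "no_information" appear in real reports where a field does not apply.
REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2016-01-10T09:00:00+00:00,not_supported,2018-03-01T11:20:00+00:00,not_supported,not_supported,false,true,2016-01-10T09:05:00+00:00,2018-02-28T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2017-06-01T00:00:00+00:00,true,2018-03-02T10:00:00+00:00,2018-01-15T00:00:00+00:00,N/A,true,true,2018-01-15T00:00:00+00:00,2018-03-02T09:30:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
contractor,arn:aws:iam::111122223333:user/contractor,2017-02-01T00:00:00+00:00,true,2017-10-01T00:00:00+00:00,2017-02-01T00:00:00+00:00,N/A,false,true,2017-02-01T00:00:00+00:00,2017-11-20T00:00:00+00:00,eu-west-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2018, 3, 5, tzinfo=timezone.utc)  # fixed "now" so the example is reproducible
MAX_AGE = timedelta(days=90)                     # the 90-day threshold used in the post

def parse_ts(value):
    """Return an aware datetime, or None for N/A / not_supported / no_information."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None

def audit(report_csv, now=NOW, max_age=MAX_AGE):
    """Return a sorted list of (user, finding) tuples for the hygiene checks."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Tip 1: root should have no access keys at all, regardless of age.
            if any(row[f"access_key_{i}_active"] == "true" for i in (1, 2)):
                findings.append((user, "root access key active; delete it and use IAM users"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))          # tip 2
        pw_used = parse_ts(row["password_last_used"])
        if row["password_enabled"] == "true" and pw_used and now - pw_used > max_age:
            findings.append((user, "password unused for >90 days; disable account"))  # tip 4
        for i in (1, 2):
            if row[f"access_key_{i}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{i}_last_rotated"])
            used = parse_ts(row[f"access_key_{i}_last_used_date"])
            if rotated and now - rotated > max_age:
                findings.append((user, f"access key {i} not rotated for >90 days"))   # tip 3
            if used and now - used > max_age:
                findings.append((user, f"access key {i} unused for >90 days; deactivate"))  # tip 4
    return sorted(findings)
```

Run against a real report, `audit` gives the list to act on: the root key finding and the stale contractor key above are exactly the exposures the 73% and 40% figures describe.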
Want to Learn More?
Defending Against Account Compromise
We discussed the impact of compromised accounts (data theft, cryptojacking, ransomware attacks) and methods that attackers are using to compromise account credentials, as well as a demonstration of how the RedLock Cloud 360 platform can help secure your cloud environment.