How to build a secure AWS infrastructure

 

Every day more businesses migrate from their traditional IT infrastructure, while the pandemic has only accelerated the adoption of cloud technologies among remote workforces. Cloud services such as Amazon Web Services (AWS) have been widely accepted as a channel for cloud computing and delivering software and applications to a global marketplace, cost effectively and securely. However, cloud consumers tend to wash their hands of the responsibility towards securing their cloud infrastructure. 

Cloud service providers and consumers share the responsibility of ensuring a safe and secure experience on the cloud. While service providers are liable for the underlying infrastructure that enables cloud, users are responsible for the data that goes on the cloud and who has access to it. 

AWS cloud service

The AWS Well-Architected Framework is a guide/ whitepaper issued by Amazon on AWS key concepts, design principles, and architectural best practices. Security is one of the five pillars that this Framework is based on, upholding the fact that protecting your data and improving security is crucial for AWS users. This blog intends to summarize the whitepaper on the security pillar and discuss:

  • Design principles for AWS
  • Few use case scenarios, and 
  • Recommend ways to implement a securely designed AWS infrastructure. 

 

AWS provides a variety of cloud services, for computation, storage, database management, etc. A good architecture commonly focuses on the efficient methods for reaching peak performance, scalable design, and cost saving techniques. But other cloud infrastructure design aspects are given more importance, quite often, compared to the security dimension.

The security of the cloud infrastructure can be divided into five phases:

  1. Identity verification and access management with respect to AWS resources.
  2. Attack detection, identification of potential threats and misconfigurations.
  3. Controlling access via defining trust boundaries, applying best practices in operation.
  4. Classifying all data, protecting data at all states: rest and transit.
  5. Incident response: Pre-defined mechanisms to respond and mitigate any surfacing security incident.

 

The Shared Responsibility Model

As I mentioned earlier, it is the collective responsibility of the user and the AWS service provider to secure the cloud infrastructure. It is important to keep this in mind while we explore the different implementation details and design principles. 

AWS provides plenty of monitoring, protection and threat identification tools to reduce the operational burden of its users, and it is very important to understand and choose an appropriate service to achieve a well secured environment.

AWS offers multiple services of different nature and use cases such as EC2 and Lambda. Each of these cloud services have varying levels of abstraction that enable users to focus on the problem to be solved instead of its operation. The share of each party’s responsibilities similarly vary based on the level of abstraction. With higher levels of abstraction, the share of responsibility to provide security in the cloud shifts further to the service providers (with some exceptions).

AWS - Shared Responsibility Model
AWS – Shared Responsibility Model

 

Management and Separation of User Accounts to Organise Workload

Based on the nature of processes that are run on AWS, and the sensitivity of the data that is processed, workloads can change. They must be separated by a logical boundary and organised into multiple user accounts to make sure that different environments are isolated. For instance, the production environment commonly has stricter policies, more compliance requirements, and must be isolated for the development and test environments.

It is important to note that the AWS root user account must not be used for common operations. And using AWS Organizations one could simplify things and create multiple users under the same organisation, with different access policies and roles. Also, it is ideal to enable Multi-Factor Authentication, especially on the root account.

 

Managing Identity and Permissions

AWS Resources can be accessed by humans (such as developers or app users) or machines (such as EC2 instance or Lambda functions). Setting up and managing an access control mechanism based on the identity of the requester is very important, as these individuals seeking access could be an external or internal part of the organization. 

Each account should be granted access to different resources and actions using IAM (Identity and Access Management) roles, with policies defining the access control rules. Based on the identity of the user account and the IAM attached, certain critical functionalities can be disabled. For example, denying certain changes from all the user accounts, with exceptions for the Admin. Or preventing all users from deleting Amazon VPC flow logs.

For each identity added on AWS Organisation, they should be given access to only a set of functions that are necessary to fulfil the required tasks. This will limit unintended access to functionalities. And unexpected behaviours arising from any identity will only have a small impact. 

 

Leveraging AWS Services to Monitor and Detect for Security Issues

Regular collection and analysis of logs generated from each workload component is very important to detect any unexpected behaviour, misconfiguration or a potential threat. However, collection and analysis of logs is not quite enough. The volume of incoming logs can be huge, and an alerting and reporting flow should be set up along with an integrated ticketing system. AWS provides services such as these to ensure automated and easy processes:

  • CloudTrail: Provides the event history of the AWS account activity which includes all AWS services, Management console, SDKs, CLIs, etc.
  • Config: Enables automated assessment, auditing, and evaluation of the configuration of each AWS resource.
  • GuardDuty: Continuous security monitoring service that flags malicious activity surfacing within AWS environments by analysing log data and searching for patterns that may indicate any sort of privilege escalation, exposed credentials, established connections to malicious IPs, or domains.
  • Security Hub: Presents a comprehensive view of the security status of AWS infrastructure by enabling aggregation, prioritization, deduplication of security alerts from multiple AWS services and even third party products.

 

Protecting the Infrastructure: Networks and Compute

Obsolete software programmes and outdated dependencies are not unusual and it is essential to patch all systems in the infrastructure. This can be done manually by system administrators, but it is better to use the AWS Systems Manager Patch Manager which basically automates the process of applying patches to the OS, applications and code dependencies.

It is crucial to set up AWS security groups in the right way, mainly during the phase when the infrastructure is growing at a fast rate. Things often go wrong when unorganized, messy security groups are added to the infrastructure. Creation of security groups and assignment of them should be dealt with caution, as even a slight overlook can result in the exposure of critical assets and data stores, on the internet. Security groups should clearly define ingress and egress traffic rules, which can be set under the Outbound traffic settings. 

If some assets are required to be exposed on the internet, make sure your network is protected against DDoS attacks. AWS services such as Cloudfront, WAF, and Shield help to enable DDoS protection at multiple layers. 

 

Protecting the Data

The classification of all data stored at multiple locations inside the infrastructure is essential. Unless it is clear which data is most critical and which ones can be directly exposed on the internet, setting up protection mechanisms can be a bit of a task. Data resting inside all the different data stores must be classified in terms of sensitivity and criticality. If the data is sensitive enough to prevent direct access from users, policies and mechanisms for ‘action at a distance’ shall be put in place. 

AWS provides multiple data storage services, the most common ones being S3 and EBS disks. Application data can usually be found lying around inside data stores self hosted on EBS volumes. Also, all sensitive data that goes into S3 buckets should be properly encrypted prior to that. In fact, it would be better to enable encryption by default on these.

Protecting in transit data is also equally important, and to do that, secure connections are required, which can be obtained using TLS encryptions. Making sure that data is transferred over secure channels should be enough. AWS Certificate Manager is a good tool to manage SSL/ TLS certificates.

 

Preparing and Responding to Security Incidents the Right Way

Once all the automation has been set up, and security controls are put in place, designing incident response plans and playbooks becomes easier. A good plan must cover the response, communication, and recovery steps following any security incident. This is where the logs, snapshots and backups, GuardDuty findings play a critical role. They make the task relatively more efficient. Overall, the aim should be to prepare for an incident before it happens and to iterate and train the entire team to thoroughly follow the incident response plan.

data breach impact

How much does a data breach cost you?

 

The increase in cyber-attacks during the Coronavirus pandemic has highlighted the gaps in traditional cybersecurity programs. With the large-scale shift to teleworking, companies have been forced to take their operations online. And this has proved to be a breeding ground for threat actors. From the increase in ransomware attacks and phishing campaigns to bitcoin scams and data leaks, we have witnessed increasingly sophisticated threats across the internet.

There is no denying that cyber threats have far-reaching real-world impact. From stock price to reputation, organizations cannot escape the consequences of a cyber-attack. For example: Twitter’s shares went down by 3% following the recent hack that targeted several profile twitter accounts.

The annual Cost of Data Breach report by the Ponemon Institute has been quantifying this impact for the last 15 years. The Cost of a Data Breach Report 2020 (published by IBM) has found a 1.5% decrease in the average cost from $3.92 million in 2019 to $3.86 million in 2020. However, for organizations that have mandated remote work, the average cost of a data breach is $137,000 more, making the global annual cost almost $4 million.

In this article we explore ways to incorporate the findings from this report to strengthen an organization’s cyber security posture.

 

Key takeaways from the report’s findings:

 

Identify stolen or leaked credentials

Stolen credentials, which are the costliest and most frequent threat vectors, are the root cause for 19% of malicious breaches. Despite this, organizations are slow to identify and neutralize leaked credentials. The longer the credentials are exposed the higher the chance that threat actors will exploit them to orchestrate large-scale intrusive attacks.

Which is why it is important to incorporate processes and tools that ensure data leaks related to your organization are monitored continuously. This includes real-time monitoring of the surface web, deep web, and dark web using a comprehensive threat monitoring tool such as CloudSEK’s XVigil.

 

Monitor for cloud misconfigurations

Cloud misconfigurations are exploited in 19% of malicious breaches. And the cost of these breaches, at $4.41 million, is 14% higher than the average. While the move to cloud-based services and databases are convenient, they come with a unique set of security requirements.

The bedrock of cloud security is a combination of Identify Access Management (IAM), permission controls, and continuous misconfiguration monitoring. XVigil’s Infrastructure Monitor offers solutions to scan for misconfigured cloud storage, web applications, and ports. This allows you to identify and mitigate the risks before they can be exploited by threat actors.

 

Leverage Artificial Intelligence (AI) to identify and mitigate threats

Automation separates the winners from the losers. The cost of breaches for organizations that have not leveraged end-to-end AI based security solutions was $6.03 million, which is more than double the cost of breaches seen by organizations that have deployed automated security solutions. With a difference of $3.58 million between companies that have deployed automated solutions and those that have not, automation is no longer a bonus, but the very core of effective cybersecurity.

 

Secure your customers’ PII

80% of data breaches include customers’ Personally Identifiable Information (PII). And each lost or stolen record costs an organization an average of $175, which is 17% higher than the average cost of a stolen record. Since customer PII is the most coveted type of data, it is important to ensure that it is anonymized and backed-up regularly. And as a rule of thumb, enforce strong password policies, encryption standards, and multi-factor authentication.

 

The healthcare industry needs to up its cybersecurity quotient

It takes the healthcare industry 329 days to identify and contain a breach, which is 49 days more than the average 280 days, and a whopping 96 days more than the financial sector. The faster a breach is identified, the lower the cost incurred. So, it doesn’t come as a surprise that the healthcare sector, for the 10th year in a row, clocked the highest average cost of a breach at $7.13 million, which is a 10.5% increase from 2019.

Timely identification only comes with continuous real time monitoring of internal and external threats. And this cannot be done manually, which is why automation and AI-driven security tools need to be deployed across organizations.

 

Proactively mitigate remote work related data breaches

With more organizations adopting remote work, there has been a surge in cyber-attacks, globally. Relaxed security controls to support remote work, unsecured home Wi-Fi networks, dependence on conferencing platforms, and the deluge of COVID-related scams have made it easier for threat actors to target organizations.

It is incumbent on organizations to reassess their cybersecurity programs to account for new threat vectors. So much so that 76% of respondents believe that despite their current cybersecurity measures, remote work will increase the time it takes to detect and contain a breach. But by deploying solutions that can address the WFH-related threat vectors, organizations can gain a significant advantage over threat actors.

 

Given that a data breach can have severe short-term and long-term impacts on an organization, taking preventive measures is a must. And with more and more companies adopting teleworking, the need for continuous monitoring of the internet, for threats related to your organization, is at an all time high.

Here’s where XVigil can help you strengthen your security posture. XVigil’s AI-driven engine scours the internet for threats and data leaks related to your organization, prioritizes it by severity, and provides real time alerts. Thus, giving you enough time to mitigate the threats before it can have adverse impacts on your business.

Market plummets

Want to deter threat actors? Start by nullifying your data leaks.

 

70% of successful breaches are perpetrated by external actors whose attacks originate on the internet. Since these actors don’t have access to your organization’s internal assets or networks, they rely on data available on the internet. With 8.5 billion records compromised, in 2019 alone, adversaries can find an employee’s credentials, or your organization’s API keys, within a few hours. Allowing them to infiltrate your organization, spread malware and ransomware, or steal intellectual property and sensitive documents. 

Apart from the direct operational impacts, cyber-attacks affect an organization’s hard-earned reputation and revenue as well. Snapchat shares dropped by 3.4% the day after their source code leak was made public. And in addition to the immediate backlash, companies that have experienced a breach, underperform the market by > 15%, even 3 years later. 

Considering the stakes, it is important to take a closer look at the types of leaked data that threat actors seek out, and ways to effectively prevent them from getting their hands on it. 

 

What types of data do threat actors look for?

 

1. Credentials

 

27% of successful breaches involve stolen credentials

In almost all cyber-attacks affecting an organisation, credentials are involved either as a target of theft or as a means to furthering access in a network. This includes email credentials and hardcoded access credentials that can be used to access confidential emails, systems, and documents. 

 

Target was breached using stolen credentials

In one of the first major breaches, threats actors uploaded BlackPOS to Target’s point-of-sale (PoS) network, allowing them to steal customers’ credit card information and other personal details. It was later found that threat actors were able to compromise Target servers using credentials stolen from Fazio Mechanical Services. Fazio, Target’s HVAC vendor, had access to Target servers. And since the network was not properly segmented, threat actors were able to compromise Target’s PoS network.

 

2. Source codes

 

100,000 + GitHub code repos contain secret keys that can give attackers privileged access

While source code can be exposed on purpose, by malicious insiders, most often it is exposed by developers being careless while pushing code from their machines to GitHub. Leaked source code could potentially expose SSH keys – digital certificates that unlock online resources, Application Programming Interface (API) keys, and other sensitive tokens. Using the source code, threat actors can find vulnerabilities that can be exploited, to launch cyber-attacks on the company.

 

Mercedes-Benz “smart car” components’ source code leak

After discovering one of Daimler AG’s Git web portals, a researcher registered an account on Daimler’s code-hosting portal and downloaded 580 Git repositories from the company’s server. The repositories contained the source code of onboard logic units (OLUs) used in Mercedes vans, which provide live vehicle data. The researcher then uploaded the files to file-hosting service MEGA, the Internet Archive, and on his own GitLab server, thus making it public. 

 

3. Sensitive data

 

Over 23 million stolen credit cards are being traded on the Dark Web

Sensitive data such as credit card details, healthcare information, customer PII, etc. often end up on the dark web after being exposed on unsecured databases or cloud storage. This information could be used to launch phishing attacks. It could also lead to your intellectual property being exposed to the public. 

 

540 million Facebook users’ records were exposed on unsecured S3 buckets

Mexico based digital media company Cultura Colectiva exposed 146 GB of Facebook user data, including comments, likes, account names, reactions, and Facebook IDs, on an unsecured Amazon S3 bucket. Another S3 bucket, belonging to Facebook integrated app At The Pool, exposed 22,000 Facebook users’ friend lists, interests, photos, group memberships, and check-ins.

 

How to eliminate these low hanging fruits that expedite attacks?

As seen from the above examples, despite their best efforts, Target, Mercedes, and Facebook were not able to prevent their data from leaking. This can be attributed to the highly distributed, interconnected, and globalized nature of modern businesses. This means, there aren’t enough resources to monitor every employee, vendor, and vendor’s vendor. But the good news is, if you can detect data leaks in time, and have them taken down, their impact will be greatly reduced. 

Usually, a data breach lifecycle is 279 days, 206 days to identify a breach, and 73 days to contain it. Instead of 206 days, if a data leak can be identified within a few hours, its presence across the surface web and dark web can be contained. However, this cannot be done manually. The only way to effectively identify and curb data leaks is to adopt AI-driven real-time monitoring.  

 

Continuous monitoring for leaked or exposed data

Incorporate processes and tools that ensure data leaks related to your organization are monitored continuously. This includes real-time monitoring of the surface web, deep web, and dark web, for credentials, source code, and sensitive information. Deploy a comprehensive threat monitoring tool such as CloudSEK’s XVigil, whose AI-driven engine scours the internet for threats and data leaks related to your organization, prioritizes them by severity, and provides real-time alerts. Thus, giving you enough time to neutralize the data leaks before it can have adverse impacts on your business.

Threat actors’ next big target: VIPs, Executives, and Board members

A recently uncovered spear phishing campaign, orchestrated by the PerSwaysion group, targeting 150+ executives across the globe, is a prime example of the growing trend of concerted cyber attacks on CXOs and VIPs. This process of targeted attacks on VIPs is commonly known as Whaling. Whaling tactics are similar to general spear-phishing. But they differ in the fact that it specifically targets high-level and important individuals within an organization. 

Threat actors are slowly moving from large-scale, low-value attacks, which target a general population, to small-scale, high-value attacks, which target the key personnel of an organization. Furthermore, the Verizon 2019 Data Breach Report found that senior executives are 12 times more likely to be targets of social incidents, and 9 times more likely to be targets of social breaches. This is because high-profile personnel have exclusive clearances, privileges, and access to:

  • Confidential and sensitive information including financials, trade secrets etc. 
  • Authorize or order other employees in the organization to carry out certain tasks.
  • Valuable assets including networks, devices, and facilities. 

How do threat actors target C-level executives?

Research and reconnaissance

  • To orchestrate a typical attack, threat actors perform extensive reconnaissance and research, to understand an organization’s structure and functions.
  • Using this information, they narrow down the list of potential targets and their associates.
  • They then collect personal information about the shortlisted VIPs. Most companies publish their executives’ details on social media, news media, and their own websites. Thus, a simple Google search will give the threat actor access to this information. Moreover, the executives themselves have personal accounts on platforms such as Facebook and LinkedIn. And often, the privacy settings on these accounts are lax. 
  • They further search for exposed account credentials from previous data leaks. Given that most of us, executives being no exception, use the same password for multiple accounts, the exposed credentials can be used to gain access to the executive’s official email account.

Data theft attacks

  • Once hackers have obtained access to C-suite executives accounts, through brute-force attacks or other means, they steal valuable information. This may include client lists, customer data, financial data, internal processes, business strategy and plan, and more. 

Impersonation attacks

  • Threat actors could hijack executives’ social media accounts and post harmful messages. And, this could tarnish the reputation of the executive and their organization.  
  • Using the email access, threat actors decipher the communication frequencies and styles within the organization. For example: If there is a trail of audit related emails, threat actors can send requests for audit related details in continuation to the ongoing communication. 
  • If threats actors cannot get access to an executives’ credentials, they create fake email IDs. These email IDs closely resemble one of the executives’ email IDs or that of the HR department or Accounting department. From the fake ID they send an urgent, actionable, and believable email to a C-level executive. 

Extended attacks

  • Threat actors bank on executives having limited time, or relying on assistants, to read and respond to emails. They also ensure the emails are believable. For this, they add references to the executive’s interests and hobbies, which are gleaned from their social media profiles. The emails usually request the email recipient, who is also an executive or VIP, for sensitive information, wire transfers, or to download an attachment. 
  • If the recipient falls for the trap, they will end up revealing sensitive information or authorizing someone else to do so. They could also authorize transfers to the fake account details shared by the threat actor. A malicious attachment could drop a malware or ransomware payload in their systems. The recent PerSwaysion campaign used a fake Microsoft Outlook login page, from where they were able to collect 150+ executives’ login credentials. The credentials can be used to orchestrate other attacks or could be sold on the Dark Web, to the highest bidder.  

How to protect C-level executives from these attacks?

Given the heightened risk to VIPs, here are a few measures to combat and mitigate threats:

Continuous monitoring

Deploy a real-time monitoring tool that will scour the internet – surface web, deep web, and dark web – for potential threats.  A comprehensive SaaS platform such as CloudSEK’s XVigil tracks VIP’s personal email IDs for their presence in past security breaches. Organizations are alerted to such threats immediately, along with other significant details pertaining to the risk.

Review social media presence

Ensure the executives’ social media accounts have the highest level of privacy. Report duplicate accounts and delete dormant accounts on a regular basis. 

Multi-layered protection

Enable Multi Factor Authentication (MFA) for all their accounts, including email, company assets and network. 

Regular cybersecurity refreshers

Since threat actors are constantly changing and upgrading their whaling tactics and ruses, periodic training will help executives spot and avoid such traps. 

 

An attack on a VIP doesn’t just affect them personally, it also affects their organizations revenue and brand image. Threat actors could gain access to the company’s central database, and steal employee and customer details, and leak them or even sell them. It takes years of painstaking effort to build a company’s brand image, and any damage to this intangible asset can have very serious and far-reaching consequences. Hence it is important to enable processes, and tools such as XVigil, to continuously monitor and protect VIPs and their organizations.