How Attackers Target Your AWS Cloud

March 24, 2022
Aakash Gupta
Product Manager, Detection & Response for Public Cloud
How Attackers Target Your AWS Cloud

The cloud is complex. AWS alone has over 200 services, and this number is steadily growing. Configuring security across even a small set of these services to operate at the scale of modern organizations creates various challenges. Infrastructures can encompass hundreds of services in constant flux making it difficult to achieve a state of good cyber hygiene. In fact, it is hardly a stretch to say deploying a cloud application securely today is, well, impossible. As cloud footprints continue to grow exponentially, attackers only need a single opening to exploit entire environments. And as overall speed and agility increase, so does the risk of poor cyber hygiene, which may eventually introduce all sorts of security issues.

What’s more – auditing the cloud isn’t straightforward. There are multiple data sources to be monitored for vulnerabilities, such as network packet data and log data. Actions that show up in one data source may not be present in the other source, posing a unique challenge to covering all corners. As organizations look to establish and maintain secure cloud deployments, they must adopt solutions that provide extensive coverage across these threat surfaces.

The Cloud Isn’t Just One Threat Surface...

And, of course, not all cloud attacks are created equal. Attacks manifest differently depending on the threat surface being targeted.

 

Vectra for the AWS Control Plane

Let’s use the AWS Control Plane as an example. In recent years, many-flavored attacks have been uncovered involving the control plane, where an attacker maliciously gains access to an organization’s AWS footprint (say, utilizing stolen credentials from a spear-phishing campaign). Once inside the environment, the attacker wanders through the system like a regular user, assuming different roles, escalating privileges, and accessing high-value resources like cryptographic keys, S3 data stores, and data lakes that house confidential information. This is exactly what happened in the popular Capital One attack, where the data of over 100 million customers was compromised. These attacks are nearly impossible to detect since the actions taken by the attacker appear to originate from a regular user account. Attacks of this nature are increasingly becoming common and have been observed numerous times in organizations with mature cloud deployments. The only means to identify these attacks is through behavioral analysis of principals across AWS services and regions. What’s more, these behavioral patterns present themselves only through log data and do not appear in other data sources (e.g., network packet data).  

This is where Vectra’s coverage for the AWS Control Plane comes in. Within the cloud footprint, the Vectra platform continuously monitors accounts and services (e.g., EC2, S3, IAM, KMS, Config, Organizations, etc.) across all regions to promptly identify malicious attacker behavior at a granular level through the different stages of the cloud kill chain (discovery, lateral movement, exfiltration). Since its launch, Vectra’s coverage for the AWS Control Plane has helped numerous organization secure their cloud deployments by identifying and stopping attacker behavior. In early 2022, the Vectra platform identified an attacker exploiting stolen credentials to extract cryptographic secrets from a Fortune 500 company’s AWS environment. The platform’s efficient prioritization of this malicious entity, true source attribution through the labyrinth of assumed roles and its feature to promptly investigate findings allowed the SecOps team to rapidly identify the source of the attack and respond before it could have a serious impact on their organization.

Figure: Coverage provided by Vectra for AWS Control Plane

Vectra for the AWS Network

Orthogonal to the control plane in AWS lies the network (albeit just as important). Attacks on this surface are commonly observed in lift-n-shift environments. As more organizations repurpose their current deployments for the cloud, they inevitably leave gaps and introduce vulnerabilities that attackers love to exploit.

A popular example of such an attack manifesting in network packet data is the Cloud Hopper attack, where, in 2019, attackers used network vulnerabilities to penetrate the systems of companies managing applications for customers via the cloud. They gained access using stolen credentials and installed malware on cloud hosts, which then allowed them to seamlessly jump between hosts to avoid detection. The hackers used their access to facilitate what has become one of the largest corporate espionage efforts in history.

The only means to discover this attack would have been through prudent monitoring of network traffic – which is precisely what Vectra for the AWS Network was designed to accomplish. For those familiar with the on-premise network threat detection and response solution by Vectra, coverage for the AWS Network represents an extension of the same solution in the AWS public cloud. The platform monitors malicious actions against hosts that are commonly seen in lift-n-shift deployments. Coverage for this threat vector continues to be a major concern for organizations deploying in the cloud. Within the AWS Network, the Vectra platform monitors EC2 virtual machine network traffic using traffic mirroring. Learn more about this solution here.

Figure: Coverage provided by Vectra for AWS Network

How does coverage for the AWS Control Plane differ from coverage for the AWS Network?


The primary difference between the two lies in the threat surfaces covered. While Vectra’s coverage for the AWS Network secures the network component of cloud deployments by monitoring packet data, its coverage for the AWS Control Plane provides fortification for the control plane by analyzing AWS log data. Together, they provide exhaustive coverage across two major threat surfaces in the cloud.

Outside threat surfaces, there are some key differences between the two, primarily around how they are delivered. These are outlined in the table below:

 

Which One is Right for my Organization?

A common question we get revolves around which solution—Vectra for the AWS Control Plane or Vectra for the AWS Network is the right fit for an organization deploying in the cloud. As discussed previously, both cover separate threat surfaces and complement each other.

For organizations with cloud native deployments, we recommend deploying Vectra for the AWS Control Plane first to quickly get a jump on any attacker behavior. The Vectra platform provides control plane threat monitoring across enterprise-scale AWS footprints in a matter of minutes. On the other hand, if an organization is migrating to the cloud in a lift-n-shift fashion, we recommend starting with Vectra for the AWS Control Plane for immediate coverage of the control plane and then enabling coverage for the AWS Network in enclaves of high value to monitor sensitive network traffic. This ensures holistic coverage of threat surfaces as the organization ventures into the cloud. In short, both, Vectra’s coverage for the Control Plane and its coverage for the AWS Network work in conjunction with each other to provide comprehensive coverage for an organization’s AWS footprint. Both are invaluable to bolster a SOC’s arsenal against existing and emerging threats in the cloud. Sounds interesting? Learn more and sign up for a free trial!

FAQs