ORLANDO, Fla. -- Aggressive nation-states see the cloud as a juicy target and, according to one expert, security automation represents the best tactic enterprises have to defend cloud implementations against attackers possessing nearly unlimited resources.
Speaking Thursday at the 2013 Cloud Security Alliance Congress, Philip Lieberman, founder and president of Lieberman Software Inc., discussed the types of attacks on cloud computing his company has observed as a provider of cloud IT administration and privileged identity management tools.
Unlike smash-and-grab-style attackers who are out for a quick profit through theft of personally identifiable information (PII), payment card data or intellectual property, nation-state attackers prefer a "low and slow" approach, Lieberman said, using painstaking care to infiltrate cloud environments without detection and aiming to quietly monitor the target's cloud activity for months or years.
Because advanced adversaries have teams of hundreds, if not thousands, of people at their disposal, Lieberman said, they can automate attacks on a previously unthinkable scale. Those attacks commonly include pointing tools such as Metasploit and various other toolkits toward a target organization's infrastructure to find known vulnerabilities, as well as the tried-and-true method of spearphishing, among other attacks.
Not surprisingly, amid growing enterprise use of cloud computing, Lieberman said nation-states are increasingly focusing their efforts on exploiting cloud infrastructure. They commonly start by seeking an entry point into the target organization, often through a vulnerable client or tricking a user. Then they aggressively scan for cloud access credentials that are often embedded in other systems that interact with the cloud, such as databases and middleware.
Commonly, he added, attackers find those credentials in clear text files that are totally undefended.
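The credential hunt described above is mechanical, which is why it automates well for attackers and, by the same token, for defenders auditing their own middleware and database hosts. The following is an added example (not code from the talk or from Lieberman Software) that scans a handful of constructed configuration files for the shapes of secrets an attacker would look for: an AWS access key ID, an AWS secret key assignment, a plain `password=` setting, and a connection string with an embedded password. The file contents, paths and all patterns other than the documented AWS access key ID format are illustrative assumptions; the AWS values are the placeholder keys from AWS documentation, not live credentials.

```python
import re
from typing import Dict, List, Tuple

# Heuristic patterns for credentials that end up in config files. The AWS
# access key ID shape (AKIA/ASIA + 16 upper-case alphanumerics) is the
# documented format; the remaining patterns are illustrative assumptions.
PATTERNS: Dict[str, re.Pattern] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]+)"),
    "connection_string": re.compile(
        r"(?i)\b[a-z]+://[^/\s:]+:[^@\s]+@[^\s'\"]+"),
}

# Constructed sample files (not from any real system). The AWS values are
# the placeholder keys used in AWS documentation, not live credentials.
SAMPLE_FILES: Dict[str, str] = {
    "app/config/database.yml": (
        "production:\n"
        "  adapter: postgresql\n"
        "  username: app\n"
        "  password: Pr0d-Db-Secret!\n"
    ),
    "middleware/.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
        "LOG_LEVEL=info\n"
    ),
    "etc/app.properties": (
        "jdbc.url=jdbc:postgresql://svc_report:Rep0rt!@db.internal:5432/reports\n"
        "threads=8\n"
    ),
}

Finding = Tuple[str, int, str, str]  # (path, line number, kind, redacted secret)


def redact(secret: str) -> str:
    """Keep enough to locate the secret in the file without logging it whole."""
    return secret[:4] + "***" + f"({len(secret)} chars)"


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every pattern over every line; report the captured secret, redacted."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Patterns with a capture group isolate the secret; otherwise the
                # whole match (e.g. the access key ID itself) is the secret.
                secret = m.group(m.lastindex) if m.lastindex else m.group(0)
                findings.append((path, lineno, kind, redact(secret)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a path -> contents mapping in a stable (sorted) order."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


if __name__ == "__main__":
    for path, lineno, kind, shown in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind}: {shown}")
```

Run against a real tree, the same `scan_text` would be fed file contents from disk; the redaction matters because a scanner that logs the secrets it finds just creates another clear text file of the kind the article warns about.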
He also said attackers look not only for passwords but also for password hashes, the one-way cryptographic representations of passwords that systems store and compare against. In a "pass the hash" attack, an attacker who has obtained a hash, typically from the memory or local credential store of a compromised machine, presents it directly to authenticate to a target system remotely, without ever recovering the plaintext password; by this route, Lieberman said, attackers gain near-unlimited access.
"Once I have the [password] hash, if I'm running NT LAN Manager [NTLM] or another common protocol, it gives me what I need to operate as an administrator in the entire environment" for as long as the hash's associated password remains unchanged, Lieberman said.
Many organizations change their passwords, including those of admin accounts, only every 90 days, but Lieberman said that in light of these attacks it's time to rethink that policy in favor of an automation-driven approach in which credentials are changed automatically on a much more frequent basis.
"One of our customers changes passwords that have privileged access every 24 hours, everywhere in the world," Lieberman said. Another of his customers, one for which money is no object, changes its privileged account passwords globally every eight hours.
Because even this type of attack is becoming automated, Lieberman advocated for the use of automated password management for access to cloud systems, noting that the technology exists to enable an organization to log in to an account management portal, obtain privileged account credentials for a single shift, and when the user logs out, the credentials expire automatically.
Questioning cloud provider hypervisor security
Lieberman said nation-state adversaries are constantly researching ways to penetrate cloud providers' hypervisors to move up the software stack and into customers' platforms and applications.
Lieberman noted that cloud providers have had to find creative ways to successfully scale and manage their massive infrastructures. Because off-the-shelf software was inadequate, cloud providers such as Amazon Web Services have had to build their own software to run their clouds, including the hypervisors.
That approach to hypervisors comes with pluses and minuses. While they may scale, they may not have all the features necessary to protect them, and providers understandably aren't eager to share much in the way of hypervisor security techniques. Using the example of a Las Vegas casino, he said enterprises should be aware that what goes on behind the scenes of cloud provider hypervisor security may not be as pretty as the part customers normally see.
"To build something for this size, you have to make it simple, because that's the only way it'll scale," Lieberman said. "But you may end up with problems that criminals and nation-states are looking for, such as credentials that aren't managed on a real-time basis."
To counter the risks that nation-states pose to cloud security, Lieberman encouraged enterprises to push their providers to implement better behavior analysis capabilities. He said his company is working with some of its customers to aggregate and analyze cloud identity management and authentication data to quickly and automatically discover anomalies that may be indicators of attempted compromise.
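The behavior analysis Lieberman describes starts from a simple idea: learn what each privileged account normally does, then flag authentication events that depart from it. The following is an added example (not code from the talk or from Lieberman Software's customer work) that builds a per-account profile from a constructed baseline of authentication events and then scores a constructed evaluation day for three deviations: a never-before-seen source address, a logon hour outside the account's history, and fan-out to many distinct targets inside a short window, the pattern an automated tool produces when it sweeps an environment with a stolen credential. Account names, addresses, hosts, timestamps and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Dict[str, str]
Alert = Tuple[str, str, str]  # (timestamp, account, reason)


def _ts(e: Event) -> datetime:
    return datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%S")


def _ev(ts: str, account: str, source: str, target: str) -> Event:
    return {"ts": ts, "account": account, "source": source, "target": target}


# Constructed baseline (not real logs): one privileged service account that
# authenticates from a single jump host, Dec 2-6, once an hour 09:00-17:00 UTC.
BASELINE: List[Event] = [
    _ev(f"2013-12-{day:02d}T{hour:02d}:30:00", "svc-deploy", "10.0.5.21", f"web-{hour % 3}")
    for day in range(2, 7) for hour in range(9, 18)
]

# Constructed evaluation events: one normal logon, then the same account used
# at 03:12 from an unfamiliar address and fanned out across many hosts.
EVAL: List[Event] = (
    [_ev("2013-12-09T10:15:00", "svc-deploy", "10.0.5.21", "web-1"),
     _ev("2013-12-10T03:12:00", "svc-deploy", "203.0.113.44", "db-1")]
    + [_ev(f"2013-12-10T03:13:{10 * i:02d}", "svc-deploy", "203.0.113.44", f"host-{i:02d}")
       for i in range(6)]
)


def build_profile(events: List[Event]) -> Dict[str, Dict[str, set]]:
    """Per account: the set of source addresses and logon hours seen in the baseline."""
    profile: Dict[str, Dict[str, set]] = defaultdict(lambda: {"sources": set(), "hours": set()})
    for e in events:
        profile[e["account"]]["sources"].add(e["source"])
        profile[e["account"]]["hours"].add(_ts(e).hour)
    return profile


def detect(profile: Dict[str, Dict[str, set]], events: List[Event],
           window: timedelta = timedelta(minutes=5), fanout: int = 5) -> List[Alert]:
    """Flag new sources, off-hours logons and fan-out bursts; each reason fires once."""
    alerts: List[Alert] = []
    seen_sources, seen_hours = set(), set()
    recent: Dict[str, List[Event]] = defaultdict(list)  # sliding window per account
    for e in sorted(events, key=_ts):
        acct = e["account"]
        prof = profile.get(acct)
        if prof is None:
            alerts.append((e["ts"], acct, "unknown_account"))
            continue
        if e["source"] not in prof["sources"] and (acct, e["source"]) not in seen_sources:
            seen_sources.add((acct, e["source"]))
            alerts.append((e["ts"], acct, "new_source:" + e["source"]))
        hour = _ts(e).hour
        if hour not in prof["hours"] and (acct, hour) not in seen_hours:
            seen_hours.add((acct, hour))
            alerts.append((e["ts"], acct, f"off_hours:{hour:02d}"))
        # Fan-out: distinct targets touched inside the window; alert on crossing.
        bucket = recent[acct]
        cutoff = _ts(e) - window
        while bucket and _ts(bucket[0]) < cutoff:
            bucket.pop(0)
        before = {r["target"] for r in bucket}
        bucket.append(e)
        after = {r["target"] for r in bucket}
        if len(after) >= fanout > len(before):
            minutes = int(window.total_seconds() // 60)
            alerts.append((e["ts"], acct, f"fanout:{len(after)}_targets_in_{minutes}m"))
    return alerts


if __name__ == "__main__":
    for ts, acct, reason in detect(build_profile(BASELINE), EVAL):
        print(ts, acct, reason)
```

The baseline produces no alerts against itself, which is the minimum bar for any such rule before it is pointed at production identity data; real deployments would replace the hour set with something tolerant of holidays and on-call work, but the structure (profile, then score deviations, then dedupe so one incident is one alert) is the part that carries over.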
Because of the rapid increase in the number and severity of risks posed by nation-state attackers, Lieberman said enterprises must assume that their cloud environments could be compromised using legitimate credentials at any moment.
"The assumption should be that all accounts could or will go bad," Lieberman said. "It's a change in thinking, but every account and machine is suspect."