Inside an AWS Breach: Intel From Multi-Step Breaches

Inside an AWS Breach Investigation

What: An upcoming webinar with Threat Stack CSO Sam Bisbee who will walk through the steps of a recent AWS breach while discussing trends in the rising sophistication of AWS actors and how to monitor your own infrastructure for these threats.

When: August 23, 11:00 A.M. ET


As security solutions become more robust and SecOps professionals become more savvy, it’s becoming more difficult than ever for bad actors to breach your servers. But as a result, the bad guys are becoming more and more sophisticated — and so are their attacks.

Using the visibility provided by the Threat Stack Cloud Security Platform®, the Threat Stack Security team has the unique ability to observe user, system, and file trends across cloud infrastructure, to see how bad actors are attempting to exploit it.

Over the past year, the team has observed strong evidence of increasingly sophisticated AWS attacks. Although simpler methods, like exploiting S3 buckets or leveraging mass botnet activity, are as popular as ever, attackers are increasingly using multi-step attacks to traverse infrastructure in search of sensitive customer information and company crown jewels.

Below, we’ll walk through the steps of a typical AWS breach, while discussing trends in the rising sophistication of AWS actors and how to monitor your own infrastructure for these threats.

The Current State of AWS Breaches

There’s no doubt about it — AWS actors have become more sophisticated. They’re able to use AWS functionality to their advantage and are executing attacks in ways that are smarter and harder to catch.

The level of maturity and understanding among SecOps teams is growing as well. Many teams remain green around AWS security, but are constantly gaining expertise and insights into how to best protect their organizations.

Even so, most organizations are not aware of what the increasing sophistication of AWS actors means for their own companies. They focus primarily on security configurations (e.g., S3 buckets and security groups) and new vulnerabilities (e.g., Spectre and Meltdown), missing whole vectors of attack risks.

The most common AWS attack starts with stolen AWS keys and an EC2 instance launch, and stops there (the instance is used for DDoS attacks or Bitcoin mining). Sophisticated actors go further: they move laterally across the environment to gain access to RDS, where the crown jewels live.

There are two main types of breaches:

  1. Opportunistic: Attackers scan the infrastructure of any organization with generic objectives. These types of breaches happen constantly and make up the vast majority of malicious traffic online.
  2. Persistent: Attackers attempt to gain particular objectives in targeted organizations. They want something specifically and are willing to increase investment, using manual tactics, to get what they desire.

An Example Kill Chain, Assembled From Multiple AWS Breaches

From 2016 to the present, the level of sophistication in AWS attacks has grown. Threat Stack has observed a number of breaches, and our platform has allowed us to analyze data across all of our customers to identify patterns.

Here’s what an example kill chain might look like, based on data from multiple AWS breaches. This example uses some of the sophisticated techniques that we’ve seen as well as more traditional network attacks.

Step 1. Credential theft from laptop, git, etc.

Just as in a traditional model, an attacker gains access to credentials from a laptop, git, or another host. GitHub has begun proactively scanning repositories and alerting customers about potential vulnerabilities. Even so, this method remains a viable way for attackers to obtain credentials. Another common way to gain credentials is for attackers to deploy malware in a corporate environment.

Step 2. AWS persistence

Regardless of where the credentials come from, the next step is AWS persistence. At this point, the attacker analyzes what is available to them. They check whether they can move laterally within AWS IAM to persist and entangle themselves in the system. Even if the team detects that one exposed key and rotates it, the attacker can retain access to the system.

Step 3. Launch malicious EC2 host

Whether the attack is sophisticated or not, the attacker probably has the ability to launch a malicious EC2 instance. From that instance, the attacker can install malware, distribute botnets, and generally move across the environment.

Step 4. Lateral network movement

Now, attackers can move across the network environment, looking for available exploits. At every network hop they perform, they are looking for the IAM permissions they need to achieve their objectives. Rather than looking for data on the host itself, the attackers may be after the IAM permissions the instance carries.

Objective achieved: RDS root access

At this point, the attacker can leverage the IAM configuration and gain access directly to the RDS instance. This step can be done by copying and pasting credentials.
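To show how the stages of this kill chain surface in CloudTrail, and how to keep the chain attributed to one origin even after the first stolen key is rotated (the persistence problem noted in Step 2), here is an added example; it is not code from Threat Stack or from the original post. It is a small Python correlator over constructed CloudTrail records. The event names are real IAM, EC2 and RDS API names, but the account id, user names, IP addresses and timestamps are constructed, and the mapping from event names to kill-chain stages is an assumption made for this example.

```python
"""Correlate constructed CloudTrail events into the kill-chain stages described above.

Added example (not Threat Stack's code). The stage mapping below is an assumption;
a real deployment would tune it to its own environment.
"""
from collections import defaultdict

# CloudTrail eventName -> kill-chain stage (assumed subset; not exhaustive)
STAGE_OF_EVENT = {
    "CreateUser": "persistence",
    "CreateAccessKey": "persistence",
    "AttachUserPolicy": "persistence",
    "PutUserPolicy": "persistence",
    "CreateLoginProfile": "persistence",
    "RunInstances": "launch_host",
    "DescribeDBInstances": "rds_recon",
    "ModifyDBInstance": "rds_access",
}


def principal_of(event):
    """ARN of the acting principal; assumed-role sessions roll up to the issuing role."""
    ident = event["userIdentity"]
    if ident.get("type") == "AssumedRole":
        return ident["sessionContext"]["sessionIssuer"]["arn"]
    return ident["arn"]


def correlate(events):
    """Group events into chains keyed by the origin principal.

    When a principal creates a user (CreateUser) or mints a key for one
    (CreateAccessKey), that user is attributed to the creator's origin, so activity
    under attacker-minted credentials rolls up to the stolen key that started it.
    """
    parent = {}  # user arn -> arn of the principal that created it or its key

    def origin(arn):
        while arn in parent:
            arn = parent[arn]
        return arn

    chains = defaultdict(lambda: {"stages": set(), "identities": set(), "ips": set(), "events": []})
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # ISO-8601 sorts lexically
        actor = principal_of(ev)
        chain = chains[origin(actor)]
        chain["identities"].add(actor)
        chain["ips"].add(ev.get("sourceIPAddress", "?"))
        stage = STAGE_OF_EVENT.get(ev["eventName"])
        if stage:
            chain["stages"].add(stage)
            chain["events"].append((ev["eventTime"], actor, ev["eventName"]))
        # Record lineage so later activity by the new identity joins this chain.
        created = None
        if ev["eventName"] == "CreateUser" and "responseElements" in ev:
            created = ev["responseElements"]["user"]["arn"]
        elif ev["eventName"] == "CreateAccessKey" and "requestParameters" in ev:
            account = ev["userIdentity"]["accountId"]
            created = f"arn:aws:iam::{account}:user/{ev['requestParameters']['userName']}"
        if created and created != actor:  # guard against self-loops (key for own user)
            parent.setdefault(created, actor)
    return dict(chains)


def alerts(chains):
    """HIGH when persistence and RDS access occur in one chain; MEDIUM for persistence + EC2 launch."""
    out = []
    for root, c in chains.items():
        if "persistence" in c["stages"] and "rds_access" in c["stages"]:
            out.append(("HIGH", root, f"full kill chain across {len(c['identities'])} identities"))
        elif "persistence" in c["stages"] and "launch_host" in c["stages"]:
            out.append(("MEDIUM", root, "new identity followed by EC2 launch"))
    return out


# Constructed sample: a stolen laptop key mints a new user, the original key is then
# rotated by the team, and the attacker continues under the minted user.
ACCOUNT = "111122223333"  # constructed account id
STOLEN = f"arn:aws:iam::{ACCOUNT}:user/dev-laptop"
MINTED = f"arn:aws:iam::{ACCOUNT}:user/svc-backup"


def _ev(time, name, arn, ip, **extra):
    e = {"eventTime": time, "eventName": name, "sourceIPAddress": ip,
         "userIdentity": {"type": "IAMUser", "arn": arn, "accountId": ACCOUNT}}
    e.update(extra)
    return e


SAMPLE_EVENTS = [
    _ev("2018-08-01T02:10:00Z", "GetCallerIdentity", STOLEN, "203.0.113.7"),
    _ev("2018-08-01T02:11:00Z", "CreateUser", STOLEN, "203.0.113.7",
        responseElements={"user": {"userName": "svc-backup", "arn": MINTED}}),
    _ev("2018-08-01T02:11:30Z", "CreateAccessKey", STOLEN, "203.0.113.7",
        requestParameters={"userName": "svc-backup"}),
    _ev("2018-08-01T02:12:00Z", "AttachUserPolicy", STOLEN, "203.0.113.7",
        requestParameters={"userName": "svc-backup",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _ev("2018-08-02T09:00:00Z", "RunInstances", MINTED, "198.51.100.9"),
    _ev("2018-08-02T09:40:00Z", "DescribeDBInstances", MINTED, "198.51.100.9"),
    _ev("2018-08-02T09:41:00Z", "ModifyDBInstance", MINTED, "198.51.100.9",
        requestParameters={"dBInstanceIdentifier": "prod-customers"}),
    # Benign deploy activity from an unrelated principal, for contrast.
    _ev("2018-08-02T10:00:00Z", "RunInstances", f"arn:aws:iam::{ACCOUNT}:user/ci-deployer", "192.0.2.4"),
]

if __name__ == "__main__":
    for sev, root, why in alerts(correlate(SAMPLE_EVENTS)):
        print(sev, root, why)
```

The point of the lineage map is the Step 2 problem: rotating `dev-laptop`'s key does not end the chain, because `svc-backup` was minted by it and every later event under `svc-backup` still rolls up to the same origin. In production the same logic runs over CloudTrail delivered to S3 or CloudWatch Logs, and the stage table is extended with whatever APIs matter to your environment.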

Key Takeaways to Combat Sophisticated Breaches

Sophisticated breaches are serious. It’s essential that your SecOps team be prepared. Based on actual AWS attacks we’ve observed, here are some key takeaways to consider as you look to harden your security:

  • Attackers aren’t always persisting to dive deeper into the host. Although traditional attackers may be going deep into the host to try to extract information, some may be just skimming the surface of your infrastructure with a specific objective.
  • Monitor your entire infrastructure, not just your important data. It’s not enough to monitor important data. You must also monitor credentials, AWS keys, and automation to ensure that you’re not open to vulnerabilities. Data can be exfiltrated directly through AWS APIs, not just through your LAN and hosts, so your strategy must cover both.
  • Attackers aren’t always looking for large amounts of data. Sometimes, attackers want access to a small amount of data that can serve them. This means their persistence can be more difficult to detect.
  • Use security solutions with the right capabilities. Solutions like Threat Stack make it easier to have a comprehensive look at potential vulnerabilities, ensuring that you’re protected.

Ultimately, if your team is carefully considering AWS attack trends, using the right software solutions, and monitoring your entire infrastructure, you will be protected against sophisticated attacks.

To learn more about how Threat Stack can help, register for the webinar on August 23 at 11 A.M. ET, download the Cloud Security Threat Briefing: Anatomy of a Sophisticated AWS Attack, and sign up for a demo of our Cloud Security Platform®.

*** This is a Security Bloggers Network syndicated blog from Blog – Threat Stack authored by Sarah Wills. Read the original post at:
