Cloud Misconfig Mistakes Show Need For DevSecOps

ryan olson palo alto unit 42

Unit 42 researchers discuss public cloud misconfiguration issues that are leading to breaches of sensitive data.

Developers have become accustomed to deploying apps in data centers with what could be described as a “crunchy hard outer layer,” to keep their data center secure. But when it comes to the public cloud, “it just doesn’t exist that way,” said Ryan Olson, vice president of threat intelligence with Palo Alto Networks’ Unit 42 research team.

That change is leading to poor cloud configuration choices, which in turn are leaving sensitive data exposed. In fact, a recent Unit 42 report found that more than half (60 percent) of breaches occur in the public cloud due to misconfiguration.

Making better cloud infrastructure deployment choices upfront – and a shift from DevOps teams to DevSecOps –  will help businesses better secure information, said Olson.

Olson talks top public cloud deployment mistakes, the proliferation of the Graboid malware and more in the below video interview with Threatpost.

Below is a lightly edited transcript of the video.

Lindsey O’Donnell Welch: Hi, everyone, this is Lindsey O’Donnell Welch with Threatpost and I’m here at the RSA Conference 2020 in San Francisco, joined by Ryan Olson with Palo Alto Networks’ Unit 42 team. Ryan, thanks so much for joining us today.

Ryan Olson: Thanks for having me. It’s great to be here.

LO: Yeah. How’s your RSA going?

RO: It’s going really well. It’s been a busy few days, but RSA is always this way.

LO: It always is. Yeah. So just to start, can you tell us a little bit about yourself and your role at Unit 42?

RO: Sure. So I’m our VP of threat intelligence, I lead Unit 42. I’ve been on Palo Alto Networks for just about six years now. So unit 42’s role at Palo Alto Networks is to look at all the data we’re collecting to identify adversaries, how are they attacking our customers, and get a better understanding that we can share with other people. So I’ve been leading that team for the last few years and as we’ve been gathering, as the company has grown, we’ve got more data. We’ve been expanding new directions, writing reports about cloud vulnerabilities, cloud threats, IoT vulnerabilities and IoT threats, all sorts of stuff. Just the more data we have, the better we can identify these actors.

LO: Great. Well, I know that Unit 42 recently has released a report about cloud security. And you know, the cloud security landscape is really interesting, lots to discuss there. Can you tell me a little bit about the key takeaways of this research that you guys released?

RO: Yeah. So last month, we released our second Cloud Threat Report. In the first report, which was last summer, one of the things we were looking at was, how many breaches were occurring in the public cloud due to misconfiguration, people just making bad choices. And what we found was about 60 percent of the breaches could be attributed back to the fact that people are just making mistakes in how they configure their environment. So in this latest report, what we did was we started looking at how people were deploying that cloud infrastructure, how are they setting up databases and file systems, and were they making secure choices? And a couple of the takeaways that we found were, in one case, about 43% of the databases that people are using in the public cloud, they’re not encrypting the actual data inside the databases. When they set them up, they’re leaving that data unencrypted, which exposes them to potential risks. People might be thinking, no one’s gonna get access to the database, I don’t have to worry about it. But we’ve seen time and time again, that doesn’t turn out to be the case. And the second case, what we found was, people are not enabling logging on access to the storage that they have in the cloud. So if you can think of like Amazon s3 buckets, when someone goes and puts a file inside of that, you can turn on logging so that you can see, did someone access it and someone download it or not? And it’s sort of like building a hotel, but not having any kind of access control on whether or not people are going in and out of rooms. If you’re not monitoring that, and you do have a breach, there’s no way to say, has anyone actually seen those files? Has anyone downloaded them? Did they modify them? So just making sort of those poor configuration choices, leaves people exposed, and in some cases, it might leave them exposed to potential regulatory problems, but really, we just want to keep the data safe and making better choices up front will do that.

LO: Right. And, you know, I think that misconfigurations of S3 buckets and things like that, is such a big thing. I mean, it’s essentially, it’s almost every day that you’re seeing the headlines of this company or that company, leaking very sensitive data. And just through this run of the mill error. So, when you were looking at why this was happening, just from a business standpoint, why is that? I mean, is it kind of just a lax culture? Is it like a lack of awareness or what is the reason?

RO: Part of it is awareness, but it really comes down to developers who’ve gotten very used to deploying new applications inside data centers have always had this sort of crunchy, hard outer layer of their data center. There’s always been a firewall or something else that’s stopping things from coming in. So they get used to deploying things in a way where someone has always got their back. There’s a security team who set up that infrastructure and they’re keeping them secure. But in the public cloud, it just doesn’t exist the same way if the organization’s developers have gone around their security teams, maybe not intentionally, but they said, “Hey, we’re gonna go deploy things without including them in the process.” They don’t have someone who’s doing that, they don’t have someone who’s watching their back and making sure they’re doing things in a secure way. And that really does come down to a cultural shift that needs to happen.

When we think about the world of you know, DevOps, where people are deploying code quickly, and the infrastructure’s all effectively just code, they need to shift more toward DevSecOps where they’re working with their security team at the same time, and not so the security team can slow them down and make them less efficient, because that’s what they’re trying to avoid in the first place. But really, just so that they have access to the right people and the right tools to be able to do that in an effective way. You know, scan that code before you actually go and deploy it, make sure you’re not making these simple configuration mistakes. Do it across all the clouds you’re operating in, because you can’t just rely on one cloud for it. And there are tools available for people to do it. They just need to get to a cultural place where they’re all working together.

LO: So what are some of the other kind of biggest threats that you guys discovered in terms of cloud security?

RO: We published a report in October on what we called Graboid which was the first Docker worm that was mining cryptocurrency, and I’ll explain how it works. So Docker is a containerization system. People can deploy a Docker image, which is basically like a little version of an operating system with all the code built in. So it can go and run something, some sort of service. And what this attacker had done was, they built Docker images, and they scan the internet to find Docker hosts that were exposed. You can deploy Docker without any authentication, so someone can just go and run code on your Docker engine. And that’s what thousands of hosts have been configured and exposed to the internet. This attacker identified those, wrote a Docker image that would run on a first host and then it would start scanning the internet, finding these expose Docker engines, log into them and say, run me, basically the same way a worm would replicate. After it started spreading from host to host it would download another image and run it which mine the cryptocurrency Monero and make money for them, spreading from hundreds to thousands of different Docker engines, making good amount of money for them and really exposing the fact that you can have worms that run on top of Docker. And that’s really, again, just misconfigurations. If those hadn’t, there was no vulnerability exploited, it was just there was no login and password on those hosts. So you could run whatever you wanted to.

LO: Do you think that’s a trend that we’re gonna see continue into 2020 and increase at all in terms of targeting with cryptomining malware?

RO: I definitely think cryptomining malware is a trend we’re going to continue seeing until, or if the price of cryptocurrencies drop, anytime we see the prices go down, we tend to see other kind of cybercrime come up, sort of inverse relationship with ransomware in a lot of cases. But in the public cloud, you have all the CPU time that’s now exposed, and CPU time is all you need to mine cryptocurrency, so in those cases, it is a really lucrative opportunity for them. They make less money than you have to pay for though. You’re gonna pay more money to Amazon or whoever it might be, than the attacker is going to make in Monero, but they don’t care because they’re not paying for it.

LO: Yeah. And looking ahead to 2020 How do you see cloud security trends shifting in terms of kind of any lucrative opportunities that cybercriminals are going to be looking for – or on the defense side, kind of what we’re going to see there.

RO: So I think what we’re seeing, what we will see on the attacker side is these early attacks where we’re seeing people just taking advantage of misconfigurations opportunistically to mine cryptocurrency, let’s say, those exposed to other attackers that things are not in good shape. So that Docker engine that you might be using just to mine cryptocurrency, behind the scenes, it also has your intellectual property, it stores the code that you’re running to run your business, potentially. If an attacker who’s thinking about it realizes that and start stealing that code instead, they might have a new opportunity with it. But from a defensive perspective, there are tools that are available that make these things much more secure. But we we don’t have the same situation where we have these extremely advanced attacks that are poking through every single security control that you have in the cloud. I mean, they’re certainly possible, but we’re just seeing this low hanging fruit right now. So my hope is that more people started adopting these good security practices, and the overall security posture of the public cloud improves.

LO: Well, Ryan, thank you so much for coming on and speaking with us today, and I hope you have a great rest of your RSA.

RO: Thank you, Lindsey. It was great.

Suggested articles

Discussion

  • Stewart on

    Good information here. This is why our security teams need good visibility into their cloud environments. Every time I speak to an IT Security pro, I ask how they gain visibility into their cloud environments, and almost all of them say "its a challenge". Tools like Blackboxauditor's AWS Expert and Cloudsploit are good starts, but more needs to be done to help secure the cloud.
  • Boris Bock on

    Good talk! Fully agree to the issue of misconfiguration. A way to mitigiate them is to introduce automatic compliance checks against your IaaS. CIS recently released their benchmark for Azure. BTW can you add a download link to Palos " second Cloud Threat Report"?

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.