How a Global Engineering Firm Protects its Private Cloud

Part 4 of the Security in the Cloud Series

Global engineering firms typically provide technical, professional, construction, and information services to governments, businesses, and communities throughout the world. They depend on their cloud infrastructure and services, which have a wide-range of information security needs.

In this blog we will be reviewing the cloud security strategies of a global engineering firm that employs tens of thousands of people. Reliable data security is not only critical to their business, it is also a primary component of the solutions they provide to their customers. Specifically, it’s essential that this firm protects their network of virtual machines (VMs) in their private cloud.

We will be examining a security incident that involved a malware infection—an event that could have caused critical customer data to be compromised.

Be aware that the problems we’ve highlighted also apply to public cloud environments. If you work with Amazon Web Services, Google Cloud, or Microsoft Azure, you could face similar exposures as organizations that are using a private cloud architecture.

The cloud platform

Included in many of their offerings, this engineering firm uses and also provides its customers with a hybrid cloud identity and access management (IAM) solution. It safeguards sensitive data that is stored and transmitted within a private cloud, while protecting services that are running on an array of virtual machines. In environments like this, it’s fairly common for privileged users to spin up additional VMs on an as-needed basis.

A malware infection: Pass the hash, please

The firm experienced a malware infection on a physical machine on its network that allowed an attacker access to their private cloud resources through the use of a pass-the-hash exploit.

A pass-the-hash exploit allows a malicious user to gain access to a device or service by using an encrypted version (hash) of a user’s password in place of a normal plain text version. To carry it out, the attacker needs a list of hashes, but they don’t need to decrypt them to plain text. There are several ways to harvest hashes from a machine, but in this case the malware performed that function.

The anatomy of the attack

At some point, perhaps when the infected machine was being accessed through Remote Desktop Protocol (RDP)—a VM access method—the hacker obtained the credentials of a user with elevated privileges. Although such credentials aren’t typically stored locally on a computer, they can be read from memory during a remote session.

Armed with the stolen credentials, the attacker moved laterally through the network, eventually learning how to create VM instances in the private cloud. One can assume the goal was to exfiltrate data from the system by way of the illicit machine connection. But the attacker didn’t get that far.

Discovering the breach

Fortunately the company had deployed Exabeam Advanced Analytics with user entity behavior analytics (UEBA) prior to the attack. Exabeam had created normal baseline behaviors for all their users and devices, the average number of VMs being created, the identity of those creating them, and the company-standard machine naming patterns. Behavior baselining was automatic using Exabeam; no behaviors needed to be manually programmed into the system.

Advanced Analytics was actively and automatically monitoring the company’s network logs. All the while it was continuously analyzing user and entity behaviors across all the user sessions within the IAM solution.

Advanced Analytics then identified several suspicious behaviors and alerted the security operations center (SOC) team. Among the behaviors, there were several anomalies:

• An unusually large number of VMs were being created.
• Their naming convention didn’t follow the normal pattern.

Mitigating the attack

Early in the attack chain, Advanced Analytics created an Exabeam Smart Timeline™, which is a session timeline that captured the behaviors, along with other notable events. Each anomalous event added to the incremental risk score, with the total number ultimately exceeding the predetermined threshold. Analysts were immediately notified about the compromised machine and its user was flagged. It was then a simple matter for the security team to examine the details, quarantine the infected computer, and take additional measures to thwart the attack—long before the attacker had any chance of exfiltrating company data.

Had the company relied on the traditional method of manually collecting log files, assembling disparate bits of data, then painstakingly examining what it had gathered, it’s highly unlikely this malware attack would have been detected in time to prevent a data breach.

In fact, it’s quite likely the incident would never have been discovered at all, given all of the steps involved with legacy approaches to threat detection.

With bad actors continually looking to infiltrate each and every system they can, securing your private and public clouds, and the entire cloud networking environment of your users, devices, machines is mission critical.

For more strategies on securing the cloud, see:

• Part 1 blog: The Challenges of Cloud Security
• Part 2 blog:  Improving Cloud Security Through Monitoring and Analytics
• Part 3 blog: How a Global Apparel Company Prevents Source Code Theft in the Cloud
• Exabeam webinar: Cloud Security Monitoring and Analytics
• SANS Institute: Pass-the-hash attacks: Tools and Mitigation

Tags: cloud security,