Protecting Your Cloud Infrastructure
Companies are moving their infrastructure to the cloud. Typically, the cloud is defined as being hosted or provided by one of the big three: Microsoft, Google or Amazon. As organizations make the move, there is a tendency to also rely on that same provider for their organization's security and auditing. Auditing must begin with the cloud provider, but it shouldn't end with it. Stopping there puts all of an organization's 'eggs' in one basket, as the saying goes.
As an example, we will discuss an incident at an organization that used Microsoft 365, previously known as Office 365, for its infrastructure needs.
An adversary, having gained access to an administrator account belonging to one of the organization's C-level executives, attempted to subvert the very system the organization relied on to protect it. The adversary knew the workings of MS365 well enough to hide their activities from the organization, but did not count on an off-site third-party security solution, in this case Fluency Security. In an attempt to empty the organization's bank accounts, the adversary set out to suppress the indicators they expected would otherwise be visible, such as:
Creating email inbox rules to automatically delete, or mark as read, anything from either Microsoft (such as an alert) or the company's financial institution, which the attacker was attempting to contact.
Granting 'SendAs' and 'SendOnBehalf' permissions in order to be able to send emails as the appropriate executives.
Creating a new user account for backdoor access at a later time.
Creating an Exchange-wide transport rule to hide all emails from Microsoft, in case other users were on the alert list. As email is Microsoft's primary means of alerting the user, this stops Microsoft warnings from being seen.
Using the file preview feature instead of downloading files in order to view the organization's financial data, since previews leave fewer obvious traces than downloads.
These actions are designed to:
Remove alerts being sent by Microsoft.
Hide compromised activity from the user’s own interaction with their email account.
Provide a means to reconnect if discovered and removed.
How to Address Such an Attack
Unfortunately, the attack described above is commonplace. For organizations that rely on the cloud, care must be taken to ensure that events are logged and recorded outside of the cloud, so that the record survives should an adversary gain access to that infrastructure.
Some of the recommended alerts and actions below provide critical alerting to complement protection when protection fails. Fluency Security alerts occur when:
A user logs in from a new internet address, geolocation, or provider, depending upon the frequency of change and the noisiness of that user. This is a machine learning capability built into Fluency Security.
A new user is created whose name falls outside of normal naming conventions: for example, an organization whose accounts follow firstname.lastname@example.org suddenly gains an account of the form email@example.com.
A user creates inbox rules for multiple mailboxes.
A user creates a new Exchange-wide transport rule.
A user grants 'SendAs' or 'SendOnBehalfOf' permissions to another user (this can be validated against the assistants who legitimately use this feature).
A user's file previews (as opposed to file downloads) are unusual, such as a large number of previews in a short time (detected by machine learning or by patterns).
A new inbox rule is created that automatically deletes, or marks as read, emails containing certain keywords or coming from certain addresses (such as Microsoft or a financial institution).
An API key for the third-party security provider or auditing solution is revoked.
Multiple users are using the same internet addresses while working off-site (this can be verified against known business trips).
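A few of the rule-based alerts above, written out as an added Python example that is not Fluency Security's code: it runs over constructed records shaped like Microsoft 365 Unified Audit Log entries (the operation and parameter names are the real Exchange Online ones; every address, mailbox, rule name and watched term is an assumption) and flags inbox rules that hide mail from watched senders, new transport rules, SendAs grants, and one actor creating inbox rules across several mailboxes.

```python
from collections import defaultdict
# Constructed records shaped like Microsoft 365 Unified Audit Log entries (only the fields the checks need); all values are made up.
SAMPLE_LOG = [
    {"Operation": "New-InboxRule", "UserId": "cfo@example.org", "ObjectId": "cfo@example.org",
     "Parameters": [{"Name": "From", "Value": "alerts@microsoft.com;payments@examplebank.com"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "cfo@example.org", "ObjectId": "ceo@example.org",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "wire transfer"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-TransportRule", "UserId": "cfo@example.org", "ObjectId": "Quiet",
     "Parameters": [{"Name": "FromAddressContainsWords", "Value": "microsoft.com"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Add-RecipientPermission", "UserId": "cfo@example.org", "ObjectId": "ceo@example.org",
     "Parameters": [{"Name": "AccessRights", "Value": "SendAs"},
                    {"Name": "Trustee", "Value": "svc-backup@example.org"}]},
    {"Operation": "New-InboxRule", "UserId": "assistant@example.org", "ObjectId": "assistant@example.org",
     "Parameters": [{"Name": "From", "Value": "news@example.net"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]
# Senders/keywords whose suppression matters: the provider's alert domain and the company's bank (assumed values).
WATCHED_TERMS = ("microsoft.com", "examplebank.com", "wire transfer")

def check_record(rec):
    """Per-record rules; returns the alert names triggered (empty when benign)."""
    p = {x["Name"]: x["Value"] for x in rec.get("Parameters", [])}  # flatten Name/Value pairs
    alerts = []
    if rec["Operation"] in ("New-InboxRule", "Set-InboxRule"):
        hides = p.get("DeleteMessage") == "True" or p.get("MarkAsRead") == "True"
        scope = (p.get("From", "") + " " + p.get("SubjectContainsWords", "")).lower()
        if hides and any(term in scope for term in WATCHED_TERMS):
            alerts.append("inbox-rule-hides-watched-sender")
    if rec["Operation"] == "New-TransportRule":  # any new org-wide rule deserves review
        alerts.append("new-transport-rule")
    if rec["Operation"] == "Add-RecipientPermission" and "SendAs" in p.get("AccessRights", ""):
        alerts.append("sendas-granted")  # validate against known assistant/executive pairs
    return alerts

def check_log(records):
    """Per-record rules plus the cross-record rule (one actor creating inbox rules
    in more than one mailbox). Returns (actor, alert, target) tuples."""
    findings, mailboxes_by_actor = [], defaultdict(set)
    for rec in records:
        findings += [(rec["UserId"], a, rec["ObjectId"]) for a in check_record(rec)]
        if rec["Operation"] == "New-InboxRule":
            mailboxes_by_actor[rec["UserId"]].add(rec["ObjectId"].lower())
    for actor, boxes in mailboxes_by_actor.items():
        if len(boxes) > 1:
            findings.append((actor, "inbox-rules-in-multiple-mailboxes", ";".join(sorted(boxes))))
    return findings
```

On the sample records, check_log reports five findings, all attributable to the compromised cfo account, while the assistant's ordinary filing rule produces none.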
If you are concerned that adversaries may use these tactics against you, speak with your security provider(s) to ensure they have implemented the behavioral alerting rules mentioned above. One additional consideration for your security provider is whether they are able to interrogate the audit data as it streams in, or whether it has to land in a data lake first and then be searched.
If you do not have a third-party security provider (or your current one does not have these capabilities), then you should speak with Fluency Security about options. Whatever you do, whether it's with Fluency or another provider, do not rely solely on your cloud provider for your security. When one provider supplies both your infrastructure and your security in a one-stop shop, the same mechanisms can easily be turned against you.