The SolarWinds hack was a body blow to the cybersecurity industry. The incident brought a number of legacy shortcomings into focus and drew attention to the potential for others to inflict harm if left unchecked. One of these, according to CloudKnox’s Mike Raggo, is the pervasive trend of granting excessive permissions to users of cloud-based environments.
The Orion supply chain attack was shocking in terms of its scale, the sophistication of the tradecraft employed in its execution, and the kinds of groups that were impacted. It resulted in potential compromises to an estimated 1800 organisations. Private companies affected included giants such as Microsoft, Intel, and Cisco; while several US government agencies were also impacted, from the Treasury Department to the Pentagon.
“It was definitely novel and innovative in terms of how it was able to leverage the software and exploit it to allow a malicious update to be pushed out automatically,” explains Mike Raggo, who is a security researcher and cloud security engineer.
The initial path of the attack provided infiltration and a beachhead inside each impacted SolarWinds customer. This, in turn, allowed further infestation, Raggo notes — “Whether that was with global on-premises Windows servers or going as far as pivoting to the cloud.”
It is there, in the cloud, that Raggo and his team concentrate their research. One of their observations was something the security community has been preaching about for at least 20 years: the necessity of signing code, and validating the signature used to sign that code, before it is sent to customers. Otherwise, code is just assumed to be okay and provided by the authentic vendor of that software. This exposes anyone downstream of a vendor who has been compromised.
An excess of privilege
Another crucial focus of Raggo’s research was on how, once a cloud environment has been breached, attackers make use of over-privileged identities to move laterally, elevate privileges, and exfiltrate data from across the network.
In fact, CloudKnox’s true focus lies here, in the permissions space. Sometimes referred to as rights and privileges, permissions are access settings assigned to users of an environment that determine what they can and cannot access, and what they can do with files once accessed. Unnecessary, overlooked permissions are used by hackers to find cracks in the system and bypass security features.
Many areas of a company’s storage should only be retrieved by recognised network admins; other users have no business being there. As such, most do not need permissions for accessing this data — and this privilege will usually be denied as part of a coherent security policy.
The problem is that as organisations deploy single-cloud, multi-cloud, and hybrid-cloud environments, the quantity of permissions across the organisation begins to surge; things can get very complicated, Raggo notes. Simply keeping track of permissions can become a herculean task.
“We hear about least privileges in zero-trust, and in the context of the cloud that means looking at what permissions are given out, and finding a better way of doing that,” Raggo explains.
How do you know, of those assigned, who is getting admin permissions? And crucially, how do you avoid giving people far too many permissions?
What Raggo and his colleagues have learned is that every organisation has this systemic problem of over-permissioned access. “The average user is using 5% of the permissions provided. With so many — 95% of permissions – sitting out there unused, there is a lot of avoidable risk?” he says.
Trust in real behaviours
CloudKnox provides cloud infrastructure permissions management, taking a behavioural approach and combining this with analytics and automation. What the company has found is that the behaviours of a genuine user are far different from the permissions that are typically being set for their functions. The gap can be enormous.
“We look at the activity of what permissions people are using over a long period of time — it’s very calculated,” Raggo explains. This is based on data analysis that is formed into a new, better least-privilege policy, Raggo says.
CloudKnox uses patented activity-based monitoring to remove the permissions that have never been used by an account before, while leaving the permissions that are used intact. By reducing over-permissioned access, the company’s solution minimises the attack surface left available to would-be threat actors, keeping businesses more secure.
Tidying industry practices in this area could be a crucial step in bringing around the next generation of cloud infrastructure. Time will tell if organisations are willing to tighten up their practices.
