The rise in cloud adoption, which requires users to have more access, is fueling credential-based attacks, according to new research by Ermetic.
During a Black Hat USA 2022 session on Wednesday titled "IAM The One Who Knocks," Igal Gofman, head of research at Ermetic, and Noam Dahan, research lead at Ermetic, discussed weak spots they observed in multi-cloud infrastructure environments. The researchers broke down how AWS, Microsoft Azure and Google Cloud Platform (GCP) each implement identity and access management (IAM), the security approach each takes and the risks involved.
One of those risks is the use of nonhuman identities, like tokens, to access devices and machines. During the session, Gofman warned that if companies are not careful, nonhuman identities can expose their infrastructure to new risks.
Though Gofman told SearchSecurity it's a big trend now, the use of nonhuman identities is nothing new. AWS has had it for ages. However, it is new for some cloud providers, such as Microsoft Azure, and has been added to many new services released by the vendor.
While cloud providers are pushing users to implement nonhuman identities because they are considered more secure, Gofman told SearchSecurity there are some techniques attackers can use to compromise that access for malicious purposes.
Gofman said attackers don't care about thousands of permissions inside each of the cloud providers -- all they care about is access to servers. For that, all they need is a token or compromised credentials.
Additionally, he said it can be easier for attackers to take advantage of cloud misconfigurations than to exploit a zero day.
The problem gained momentum post-COVID-19, when Ermetic began to see an influx of companies move their infrastructure to the cloud and specifically start using multi-cloud deployments. Gofman cited several possibilities for the shift, including cost reduction.
However, he told SearchSecurity that following the principle of least privilege is much more challenging in an enterprise multi-cloud deployment, which is why Ermetic focused on IAM for the research. Multi-cloud deployment requires a company's security team to have intimate knowledge of each cloud provider's IAM service and be familiar with its internals, Gofman said. Additionally, each cloud provider has different credential privileges that allow users to add or edit users.
"Recently, we see a lot of credential attacks being used by attackers," Gofman said. "The way I see it, there is not a rise in credential-based attacks but rather now with high cloud adoptions, teams are getting more and more access to resources in the cloud. That's why credential attacks are so significant these days, and of course, attackers are leveraging those."
One example he cited during the session was the SolarWinds attack in 2021, where one of the methods attackers used was credential theft.
Another problem Gofman highlighted during the session was that IAM mistakes are not the cloud providers' responsibility. That falls on the enterprises. Even for Fortune 500 companies with dedicated security teams for each cloud vendor, he said things can become too complex. One aspect that complicates multi-cloud deployment is that each vendor has its own implementation for nonhuman identities.
Another top takeaway from the session focused on the varying IAM default approaches among cloud vendors. While AWS allows inherently broad permissions, Azure sets custom role limits, and GCP implements strong and broad permissions for basic roles like viewer.
Dahan described Azure's approach as a prefabricated construct where users select the right one and use it for their identities, as opposed to AWS, which starts broad and tapers down to achieve least privilege access.
"Whether you take the first approach or the second approach, IAM defaults being vulnerable in their inherent property is very, very common, which makes for a dangerous cocktail," Dahan said during the session.
One challenge is knowing exactly what permissions users need, and getting that wrong can leave identities overpermissioned. Dahan recommended editing the permissions for the default service account to limit mistakes.
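One way to audit for the default-service-account recommendation above, as an added example that is not from the article or from Ermetic's tooling. It assumes GCP, with policy JSON in the shape returned by `gcloud projects get-iam-policy --format=json`; the function name `audit_policy` and the sample policy are constructed for illustration.

```python
import json
import re

# GCP basic roles; the article names viewer as one of them.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Naming patterns of GCP's automatically created default service accounts
# (Compute Engine and App Engine).
DEFAULT_SA = re.compile(
    r"^(\d+-compute@developer\.gserviceaccount\.com"
    r"|[a-z0-9.-]+@appspot\.gserviceaccount\.com)$"
)

def audit_policy(policy):
    """Return findings for service accounts that hold a basic role."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BASIC_ROLES:
            continue
        for member in binding.get("members", []):
            kind, _, name = member.partition(":")
            if kind != "serviceAccount":
                continue  # human users and groups are out of scope here
            findings.append({
                "member": name,
                "role": role,
                "default_sa": bool(DEFAULT_SA.match(name)),
            })
    # Default service accounts first, then by role and name.
    return sorted(findings, key=lambda f: (not f["default_sa"], f["role"], f["member"]))

# Constructed sample policy (assumption: not taken from any real project).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/editor", "members": [
      "serviceAccount:123456789012-compute@developer.gserviceaccount.com",
      "user:alice@example.com"]},
    {"role": "roles/viewer", "members": [
      "serviceAccount:ci-reader@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer", "members": [
      "serviceAccount:example-project@appspot.gserviceaccount.com"]}
  ]
}
""")

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

Each finding is a candidate for replacement with a narrower predefined or custom role; the App Engine default account in the sample is not flagged because it holds a scoped role rather than a basic one.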
"IAM systems in all three cloud providers we discussed are complex," Dahan said during the session. "We find that organizations will make mistakes. One of the most important things you can do is stick to one AWS account or GCP project per workload."
In March, Ermetic launched a new tool called AWS Access Undenied to address the problems discussed during the session.