Back to square one: The Capital One breach proved we must rethink cloud security

Justin Fier, Director of Cyber Intelligence & Analytics | Monday August 5, 2019

By all accounts, Capital One defended its customers’ data with the imposing array of cyber security tools that you’d expect from one of the largest banks in the United States. And yet a lone hacker managed to bypass those tools and obtain the sensitive personal information of more than one hundred million people, a breach that will likely cost the bank well over a hundred million dollars when all is said and done.

The hacker — a former employee of Amazon Web Services, which hosted the data that was exfiltrated — gained access to the sensitive files by exploiting a misconfiguration in one of Capital One’s application firewalls. This firewall was meant to secure a Capital One web application and when the hacker found the misconfiguration vulnerability, they were able to steal critical passwords. This initial credential compromise allowed the threat actor to escalate privileges and consequently gain access to the valuable AWS-hosted data.

Such customer-side cloud security misconfigurations have become a favorite target for cyber-criminals. In fact, Gartner predicts that 99% of cloud security failures through 2023 will have occurred in the customer’s portion of the Shared Responsibility Model.

The fundamental flaw

At a time when virtually all enterprises have adopted cloud infrastructures that expand and evolve as needed, configuring firewalls and other endpoint protections to remain properly positioned can be a daunting challenge. Moreover, modern developers now have the ability to spin up a cloud instance in minutes, often without having to consult their firm’s security team. As a consequence of the speed, scale, and complexity of development in cloud ecosystems, the overwhelming majority of organizations lack visibility over their own cloud environments.

While nearly half of organizations don’t even bother looking for malware on the cloud, Capital One had a relatively mature cloud security posture — at least by traditional standards. It is therefore all the more alarming that the bank didn’t become aware of the breach until more than three months after the fact, when it received a tip from an outsider who’d stumbled upon the stolen data. That a major financial institution was blind to this level of compromise demonstrates the urgency of rethinking cloud security.

Cloud platforms are changing the network perimeter paradigm, complexifying digital borders and creating new threat surfaces. Meanwhile, cloud security controls that offer a static, rules-based approach fail to respond to this new landscape and protect against today’s attacks.

Of course, there is no silver bullet when it comes to cyber defense — and that goes double for the cloud. Motivated attackers will inevitably find a way inside the dynamic perimeters of IaaS and SaaS environments, whether via insider knowledge, critical misconfigurations, personalized phishing emails, or mechanisms that have yet to be seen. The path forward, then, is to use artificial intelligence to understand how users behave across digital infrastructure, an understanding that shines a light on the subtle behavioral shifts indicative of a threat.

Demystifying the cloud

The latest Cyber AI security tools aim to do just that: observing traffic activity across AWS and other CSPs to learn an evolving sense how each unique company uses their cloud environment. Indeed, this ability to distinguish between normal and abnormal behavior proved decisive when a financial services company using Darktrace AI to secure their cloud ecosystem faced an attack strikingly similar to the Capital One breach. The firm was hosting a number of critical applications on virtual machines in the cloud — some of which were meant to be public-facing, some of which were not. When configuring its native cloud controls, however, the firm mistakenly left one of its private applications exposed to the Internet, rather than isolated behind a firewall.

The exposed application was eventually discovered and targeted by cyber-criminals who were scanning the Internet via Shodan, a search engine that locates Internet-connected assets. Within seconds, Darktrace’s AI detected that the application was receiving an unusual amount of incoming connection attempts from a wide range of rare external sources and alerted the security team — which had been unaware of the misconfiguration. This “unusual” volume of “rare” connections might well have been normal for a different company, application or virtual machine, but Cyber AI’s bespoke knowledge of ‘self’ for the organization revealed the activity to be anomalous in this exact case.

By employing such AI systems, we can gain the necessary knowledge of complex cloud environments to catch threats in their nascent stages — before they escalate into crises. Ultimately, the cloud promises to unlock new heights of efficiency and novel forms of collaboration, so long as we’re willing to adopt equally innovative security tools. Because while there may never be a silver bullet for safeguarding cloud services, AI does offer hope for a silver lining.

Correction: An earlier version of this blog characterized cloud infrastructure as ‘borderless’; it has since been edited with attention to the complexity of the changing network perimeter paradigm presented by cloud infrastructure.

Justin Fier

Justin is one of the US’s leading cyber intelligence experts, and holds the position of Director for Cyber Intelligence & Analytics at Darktrace. His insights on cyber security and artificial intelligence have been widely reported in leading media outlets, including the Wall Street Journal, CNN, The Washington Post, and VICELAND. With over 10 years’ experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.