Back to square one: The Capital One breach proved we must rethink cloud security

Justin Fier, Director of Cyber Intelligence & Analytics | Monday August 5, 2019

By all accounts, Capital One defended its customers’ data with the imposing array of cyber security tools that you’d expect from one of the largest banks in the United States. And yet a lone hacker managed to bypass those tools and obtain the sensitive personal information of more than one hundred million people, a breach that will likely cost the bank well over a hundred million dollars when all is said and done.

The hacker — a former employee of Amazon Web Services, which hosted the compromised database — gained access to the sensitive data by exploiting a misconfiguration in one of Capital One’s application firewalls. Such misconfigurations along the customer’s interface with the cloud have become a favorite target for cyber-criminals. In fact, according to Gartner, 99% of cloud security failures will be the customer's responsibility through 2023.

The fundamental flaw

At a time when virtually all enterprises have adopted cloud infrastructures that expand and evolve as needed, configuring firewalls and other endpoint protections to remain properly positioned can be a daunting challenge. These conventional security tools are designed to defend the digital perimeter — an antiquated strategy given today’s borderless networks. Moreover, modern developers now have the ability to spin up a cloud instance in minutes, often without having to consult their firm’s security team. As a consequence, the overwhelming majority of organizations lack visibility over their own cloud environments.

While nearly half of organizations don’t even bother looking for malware on the cloud, Capital One had a relatively mature cloud security posture — at least by traditional standards. It is therefore all the more alarming that the bank didn’t become aware of the breach until more than three months after the fact, when it received a tip from an outsider who’d stumbled upon the stolen data. That a major financial institution was blind to this level of compromise further demonstrates the urgency of rethinking cloud security.

Of course, there is no silver bullet when it comes to cyber defense — and that goes double for the cloud. Motivated attackers will inevitably find a way inside the nebulous perimeters of IaaS and SaaS environments, whether via insider knowledge, critical misconfigurations, personalized phishing emails, or mechanisms that have yet to be seen. The path forward, then, is to use artificial intelligence to understand how users behave within those perimeter walls, an understanding that shines a light on the subtle behavioral shifts indicative of a threat.

Demystifying the cloud

The latest cyber AI security tools aim to do just that: observing traffic activity on AWS and other CSPs to learn an evolving sense of ‘self’ for each unique cloud environment they protect. Indeed, this ability to distinguish between normal and abnormal behavior proved decisive when a financial services company faced an attack strikingly similar to the Capital One breach. The firm was hosting a number of critical servers on virtual machines — some of which were meant to be public-facing, some of which were not. When configuring its native cloud controls, however, the firm mistakenly left one of its private servers exposed to the internet, rather than isolated behind a firewall.

The exposed server was eventually discovered and targeted by cyber-criminals who were scanning the internet via Shodan, a search engine that locates internet-connected assets. Within seconds, Darktrace’s AI detected that the device was receiving an unusual number of incoming connection attempts from a wide range of rare external sources and alerted the security team — which had been unaware of the misconfiguration. This “unusual” volume of “rare” connections might well have been normal for a different company or a different server, but the AI’s knowledge of ‘self’ revealed the activity to be anomalous in this exact case.
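As an added illustration of the per-server baseline described above (example code written for this page, not Darktrace's product code), the snippet below learns, for each server, how many never-before-seen sources normally connect per hour and flags only a server whose count departs from its own history. The flow records, server names, 3-sigma threshold and minimum-history value are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (server, hour, source_ip); not real traffic.
# "public-web" is meant to be public-facing and sees ~30 brand-new sources every
# hour. "private-db" is meant to be internal and only ever hears from two hosts,
# until hour 6, when 25 never-before-seen external addresses start connecting.
SAMPLE_FLOWS = (
    [("public-web", h, f"203.0.113.{30 * h + n}") for h in range(7) for n in range(1, 31)]
    + [("private-db", h, ip) for h in range(7) for ip in ("10.0.1.5", "10.0.1.6")]
    + [("private-db", 6, f"198.51.100.{n}") for n in range(1, 26)]
)


def rare_source_counts(flows):
    """For each server and hour, count sources that server had never seen before."""
    by_hour = defaultdict(lambda: defaultdict(set))  # server -> hour -> {src}
    for server, hour, src in flows:
        by_hour[server][hour].add(src)
    counts = {}
    for server, hours in by_hour.items():
        seen, counts[server] = set(), {}
        for hour in sorted(hours):
            counts[server][hour] = len(hours[hour] - seen)
            seen |= hours[hour]
    return counts


def anomalous_servers(flows, current_hour, threshold=3.0, min_history=3):
    """Flag servers whose rare-source count in current_hour lies more than
    `threshold` standard deviations above that server's own earlier hours.
    The sigma floor of 1.0 and the 3-sigma threshold are assumptions."""
    alerts = {}
    for server, per_hour in rare_source_counts(flows).items():
        history = [c for h, c in per_hour.items() if h < current_hour]
        if len(history) < min_history:
            continue  # not enough history yet to have learned a 'self'
        mu, sigma = mean(history), max(pstdev(history), 1.0)
        z = (per_hour.get(current_hour, 0) - mu) / sigma
        if z > threshold:
            alerts[server] = round(z, 1)
    return alerts


if __name__ == "__main__":
    # Roughly 25-30 new sources in one hour is routine for public-web but
    # anomalous for private-db, so only private-db is reported.
    print(anomalous_servers(SAMPLE_FLOWS, current_hour=6))
```

The same raw volume that is ignored for the public server raises an alert for the private one, which is the "knowledge of self" distinction the text describes.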

By employing such AI systems, we can gain the necessary knowledge of complex cloud environments to catch threats in their nascent stages — before they escalate into crises. Ultimately, the cloud promises to unlock new heights of efficiency and novel forms of collaboration, so long as we’re willing to adopt equally innovative security tools. Because while there may never be a silver bullet for safeguarding cloud services, AI does offer hope for a silver lining.

To learn more about how cyber AI security tools detect advanced attacks on the cloud, check out our Cloud Threat Report 2019.

Justin Fier

Justin is one of the US’s leading cyber intelligence experts, and holds the position of Director for Cyber Intelligence & Analytics at Darktrace. His insights on cyber security and artificial intelligence have been widely reported in leading media outlets, including the Wall Street Journal, CNN, The Washington Post, and VICELAND. With over 10 years of experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly-skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.