Trusting the cloud: Unencrypted data upload by government body

Max Heinemeyer, Director of Threat Hunting | Monday July 16, 2018

Managing misconceptions

As the market increasingly moves to the next wave of computing models, over 90% of organizations are expected to adopt hybrid infrastructures by 2020. This move to the cloud brings undeniable benefits for most organizations - from start-ups looking for minimal up-front costs to large organizations striving to boost efficiency, scale on demand, and benefit from constant availability of services and increased agility.

Alongside this growth, the challenge of securing critical data in the cloud has taken on a new dimension. As internal servers are so commonly affected by malware infections or insider threats, there exists a common misconception that the data stored within the cloud is somehow more secure than the data resting on company fileservers. However, this is not necessarily the case – the information stored on cloud infrastructure may be just as (un)safe as any other corporate data store.

Much of this risk comes from the misconception of the network position of cloud servers themselves. Although rented out for use by the company and used every day as part of fundamental business purposes, connections to cloud servers (if not facilitated by a VPN or other strong encrypted channels) cross the perimeter of the network and traverse the public internet. This means that data uploaded to and from the cloud is a prime target for man-in-the-middle attacks, carried out by opportunistic actors hoping to sniff usernames, passwords, and other sensitive details that they could then leverage for direct corporate data theft.

The reality is that while organizations can outsource their IT services, they cannot outsource their security function altogether. In fact, protecting the cloud comes with its own challenges, with most of the existing native security controls and third-party security solutions suffering from significant limitations.

Customer use case

A city government in the United States had outsourced the storage of SQL databases to a cloud storage provider. However, it had not interrogated the protocols that the server by default employed to upload and download information. Addresses, phone numbers, vehicle registration plate numbers: the city government was uploading it all to the external database via unencrypted connections. This highly sensitive data was intended for limited access by select employees within the city government, but the security oversight had made the data available to any attacker clued-up enough to park themselves on the perimeter of the network and collect the data-rich MySQL packets that came their way.

Sample of the plain text containing sensitive data.

Darktrace Cloud detected an unusual SQL connection to a rare external IP from a desktop device within the company. This communication was verified as being SQL-related via packet capture, which then revealed the sensitive public data.

The customer was unaware of this vulnerability, which remained under the radar of its entire security stack. An attacker could easily exploit it to gather material for spear phishing attacks or potentially even identity fraud.

Conclusion

In order to reduce risk and identify atypical or suspicious behavior, full visibility of all cloud services is critical, as hosting data on external servers can create dangerous blind spots and introduce subtle threats that circumvent traditional signature-based tools.

Already over 500 Darktrace customers use Darktrace Cloud to defend cloud environments and SaaS applications, including AWS, Microsoft Azure, Salesforce, and Google Cloud Platform. Darktrace provides businesses with fundamental visibility and real-time threat detection across their entire distributed infrastructures. Through the power of unsupervised machine learning, businesses are now able to confidently tackle the potential risks of data leakage and man-in-the-middle attacks that can affect cloud users.

Max Heinemeyer

Max is a cyber security expert with over nine years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. In this role he worked as a white hat hacker, leading penetration tests and red team engagements. He was also part of the German Chaos Computer Club when he was still living in Germany. Max holds a MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.