Going ahead, the Threat Stack Security Operations Center (SOC) will be publishing a quarterly report summarizing lessons we’ve learned, trends we’ve identified, and recommendations you can follow to strengthen your cloud security observability and overall security maturity.
While the Threat Stack SOC encounters everything from exotic malware campaigns to issues we’ve seen a thousand times before, at this time, we recommend that you focus on problems that will make an immediate difference to your security posture instead of chasing things that have a low likelihood of affecting your organization.
Our reasoning? Malicious actors realize that attacking a fully hardened system is extremely difficult, and therefore, the majority have shifted to constantly scanning public cloud accounts, looking for the slightest mistake they can use as a foothold into the system.
With that in mind, the report discusses three of the most common shortcomings we observed among users in Q3 2019. Highlights are provided in the remainder of this blog post.
For complete details on findings of the Threat Stack SOC in Q3, download the Threat Stack SOC Report – Q3 2019.
Overview of Threat Stack SOC Findings for Q3, 2019
The Threat Stack Agent is installed on more than 150,000 machines, and hundreds of AWS accounts feed data to our backend. This gives the Threat Stack SOC a vast amount of data that provides insights into how modern companies are deploying in the cloud along with insights into some of the common pitfalls that can affect their operations and security.
In Q3 2019, our focus was on the most common patterns of risky behavior that customers are exhibiting as well as steps they can take to reduce risk, remediate issues, and strengthen their fundamental security posture. The main concerns we want to comment on center on issues created by:
- Over-permissioned service users
- Incorrect use of root
- Misuse of the tmp directory
1. Over Permissioned Service Users
Incorrectly assigned user permissions, or user permissions that are too broad, create significant risk, and therefore Threat Stack always reminds users to follow best practices for managing users, roles, and permissions.
The recent Capital One breach dramatically underscores the importance of permissions — and in particular, the importance of applying the Principle of Least Privilege (limiting access rights for users to the bare minimum permissions they need in order to perform their work). One of the components of that breach was server-side request forgery (SSRF), where an attacker could give an application instructions to read or even execute files. When correct settings are used, this type of attack can be prevented at the application level, and if that application does get compromised, the attack can be detected at the infrastructure level.
2. AWS Root Usage
AWS strongly recommends that users avoid using root for everyday tasks, but that recommendation is not always followed. In the Q3 SOC Report, we discuss some of the more common misuses of root, including:
- Root with access keys
- Root without having MFA enabled
- Root usage without requiring root level privileges
We also include tips on how to use root securely.
3. Activity Out of /tmp
We have seen a number of pieces of malware at Threat Stack over the years, and all of them used /tmp or /dev/shm as part of the original infection/setup step. Because /tmp is universally available, many other systems leverage it as a place to store build files, which can lead to difficulty identifying malicious /tmp activity. In the Q3 SOC Report, we discuss ways to monitor and manage the /tmp directory so it doesn’t become a point of compromise.
Applying the Lessons Learned
While our job in the Threat Stack SOC is to detect, analyze, and recommend appropriate responses to threats of all kinds, our Q3 SOC Report centers on the abuse of identify access and the exploitation of short-term mistakes, and recommends that you concentrate on the basics — things that will make an immediate difference to your security posture.
Doing this in the context of an iterative security strategy that builds observability throughout your stack and covers the SDLC from end to end, will put you firmly on the path to having a comprehensive approach to cloud security that proactively identifies risk and addresses threats in real time. If you’d like to read the entire Threat Stack SOC Report – Q3 2019, download it here, and if you’re interested in learning more about how we can help to address your organization’s security issues, please feel free to contact us for a demo of the Threat Stack Cloud Security Platform®.
Threat Stack SOC Report – Q3 2019
Read the report for full details, including an update on Shellbot.