GUS EVANGELAKOS is the Director of North American Field Engineering, at XM Cyber. He has extensive experience in cyber security, having managed implementations and customer success for many major global brands such as Varonis, Bromium and Comodo. Gus has spent a decade also working on the client side, supporting IT infrastructure and cybersecurity projects. He has a strong background in micro virtualization, machine learning, deep learning (AI), sandboxing, containment, HIPS, AV, behavioral analysis, IOCs, and threat intelligence.
Identity and Access Management (IAM) has become a key security battleground for attackers and defenders. Unfortunately, many defenders not only lack the expertise to fight this battle, but they are also unaware of its importance.
Here’s the reality: IAM is the new perimeter in the public cloud. By accessing identity, someone outside an organization (or even inside) can gain unfettered access to an organization’s most critical assets. So how should organizations respond to this urgent state of affairs? Let’s take a closer look.
RAISING AWARENESS, PROMOTING ANTICIPATION
In October 2019, MITRE released a key update to its ATT&CK knowledge base including 36 new or updated attack techniques that adversaries are commonly employing against cloud-based platforms. This update will help raise awareness and give defenders the actionable and up-to-date information needed to anticipate likely attacks.
Despite this, however, overall comprehension of the state of cloud security remains somewhat limited. Organizations — including some of the world’s most prominent corporations — continue to make critical configuration errors in cloud environments. As we’ve recently seen, the consequences for doing so are often severe.
In addition to spreading awareness of adversary behavior, tools in the market must focus on compliance checking and different configuration policies in order to effectively defend the IAM perimeter. It’s critical to assess risk posture and to understand how attackers are operating within the cloud context.
OVERCOMING EXISTING CHALLENGES
Efforts to defend the IAM perimeter may be stymied to some degree by the relative newness of the community. For example, organizations seeking to conduct red team penetration testing incorporating cloud infrastructure may be handicapped by a lack of expertise. Existing team members may struggle to identify the best way to conduct tests or anticipate what to look for. Red teamers might also find challenging learning how to test this hidden attack vector which will take time to understand.
The new MITRE ATT&CK update will ameliorate this, as it will help vendors and other members of the community gain a deeper understanding in terms of what’s needed from industry products while increasing knowledge of IAM security best practices. Attackers, however, will continue to move with greater velocity than defenders.
Ultimately, organizations must make raising awareness of a strategic mandate in order to counteract this imbalance. It’s not enough for the savviest vanguard of organizational security leaders to understand the scope of the challenge. This awareness must filter through red teams and the vendor community. We need more vendor offerings and greater expertise and understanding among everyday security professionals. With these conditions in place, defenders can begin to close the gap with attackers.
HOW XM CYBER IS HELPING TO DEFEND THE IAM PERIMETER
We at XM Cyber often hear the same series of concerns outlined by our clients and prospects. Most of them are worried about new attack surfaces, the problems these surfaces create and the specific challenges that arise within the cloud context. More importantly, they want to know how to confront and overcome these challenges.
We’ve heard these concerns and are responding to them. Instead of merely performing attack simulations on cloud servers, we’ve added enhanced capabilities to expose the various attack vectors that adversaries are likely to take.
Here’s an example of how this works:
• An attacker begins somewhere within an enterprise environment, accesses a computer used by a DevOps member and then gains cloud credentials that are weakly protected.
• Next, the attacker elevates permissions in the cloud after exploiting configuration errors. Once this occurs, the intruder can perform actions without his presence being detected.
• Once the cloud server is reached, the attacker can assume total control over the environment by simply impersonating roles and elevating his privileges.
XM Cyber has added the necessary capabilities to simulate how this attacker would perform all such actions. By mapping likely attacker behavior, it’s possible to gain visibility into security gaps that were previously hidden, thereby preventing a total loss of account control.
LEVERAGING MITRE ATT&CK
XM Cyber will continue to work closely with MITRE to help mature the attack techniques listed within the ATT&CK framework. We believe this work is critically important in terms of evening the playing field between attackers and defenders.
While vendors will undoubtedly continue to roll out new cloud security offerings, it’s likely that many of these will continue to be little more than an exercise in box-ticking, or an audit for an organization’s security posture. While this is better than nothing, it does little to anticipate the mindset and likely behavior of attackers.
As distinguished Microsoft security engineer John Lambert once said: “Defenders think in lists. Attackers think in graphs. As long as this occurs, attackers win.” Box ticking or list-based security protocols will always be of limited utility in a dynamic environment. When known threats mutate and new threats are continually on the horizon, anticipatory defenses are more effective.
We need awareness, visibility and a fine-tuned understanding of an attacker’s mindset and likely behavior in order to win. By leveraging MITRE ATT&CK’s new cloud-based techniques, XM Cyber is bringing us one step closer to realizing this vision.