[Translation] Threat detection and response in the cloud

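Contents

  • Uncharted territory: Detecting threats in the cloud
  • Attack lifecycle in the cloud
  • Top cloud security threats
  • Analysis of a real cloud attack
  • The Cloud Hopper attack lifecycle
  • Shared responsibility model
  • Key takeaways
  • Managing access
  • Detect and respond
  • Security operations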

Uncharted territory: Detecting threats in the cloud

Cloud environments change fundamental assumptions in how to perform threat detection and response.

The highly dynamic inventory of cloud workloads means systems come and go in seconds. A heavy focus on automation amplifies the potential for human error in system configurations. Shared responsibility with the cloud service provider (CSP) creates potential threat detection gaps in the attack lifecycle.

Everything in the cloud is moving to an API data access method, and traditional approaches to monitoring traffic flow no longer apply.

In addition to challenges in threat detection and response, the pace of innovation in the cloud leaves businesses constantly behind. Increasing business competition means organizations focus more on shipping features first and outsourcing non-core business capabilities, often at the expense of information security.

An explosion of cloud services means the concept of a perimeter is gone and using perimeter controls becomes futile. Growth in new infrastructure and deployment tooling results in new environments with new security models and attack surfaces. And finally, the existing shortage of security expertise is amplified by all the newly released features and services.

Most critically, the introduction of multiple access and management capabilities creates variability that adds significant risk to cloud deployments. It is difficult to manage, track, and audit administrative actions when administrative users can access cloud resources from inside or outside the corporate environment.

Traditionally, accessing a server required authentication to the organization perimeter and monitoring could be implemented inside the private network to track and monitor administrative access.

Attack lifecycle in the cloud

Attackers have two avenues of attack to compromise cloud resources. The first is through traditional means, which involves accessing systems inside the enterprise network perimeter, followed by reconnaissance and privilege escalation to an administrative account that has access to cloud resources.

The second involves bypassing all the above by simply compromising credentials from an administrator account that has remote administrative capabilities or has CSP administrative access.

This variability in administrative access models means the attack surface changes, with new security threats arising from unregulated access to endpoints used for managing cloud services. Unmanaged devices used for developing and managing infrastructure expose organizations to threat vectors like web browsing and email.

When the main administrative account is compromised, the attacker does not need to escalate privileges or maintain access to the enterprise network because the main administrative account can do all that and more. How does the organization ensure proper monitoring of misuse of CSP administrative privileges?

Organizations need to review how the system administration and ownership of the cloud account are handled:

  1. How many people are managing the main account?

  2. How are passwords and authentication performed?

  3. Who is reviewing the security of this important account?

Who is at fault if there is a security problem? The CSP or the cloud tenant organization? Initially it seems to be dependent on the problem, but some CSPs want to push that responsibility to the tenant organization.

Most importantly, how does an organization monitor for the existence and misuse of administrative credentials? A lack of visibility into back-end CSP management infrastructure means cloud tenant organizations need to identify misuse of CSP access within their own environments when that access is used as a means of intrusion.
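
The review questions above can be partly answered from the tenant's own audit logs. The following is an added example, not part of the original article: the event fields, the account name root-admin and the corporate address range are assumptions, and the log records are constructed. It lists the distinct sources using the main account (a proxy for how many people manage it) and flags its use from outside the corporate network or without multifactor authentication.

```python
import ipaddress

# Assumptions for illustration only: hypothetical account name, corporate
# CIDR and record layout. Real CSP audit logs use provider-specific fields.
MAIN_ACCOUNT = "root-admin"
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample audit events (not real log data).
EVENTS = [
    {"time": "2020-04-01T09:00:00", "account": "root-admin",
     "src_ip": "10.20.4.7", "mfa": True, "action": "ListUsers"},
    {"time": "2020-04-01T09:05:00", "account": "root-admin",
     "src_ip": "10.20.9.31", "mfa": True, "action": "CreateAccessKey"},
    {"time": "2020-04-01T10:00:00", "account": "dev-alice",
     "src_ip": "198.51.100.9", "mfa": True, "action": "DescribeInstances"},
    {"time": "2020-04-01T23:40:00", "account": "root-admin",
     "src_ip": "203.0.113.50", "mfa": False, "action": "CreateUser"},
    {"time": "2020-04-01T23:42:00", "account": "root-admin",
     "src_ip": "203.0.113.50", "mfa": False, "action": "AttachAdminPolicy"},
]


def is_corporate(src_ip):
    """True when the source address falls inside a known corporate range."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in CORPORATE_NETS)


def review_admin_use(events, account=MAIN_ACCOUNT):
    """Summarise how one privileged account is used.

    Returns the distinct source addresses seen for the account and a list
    of findings, one per event that came from outside the corporate
    network or was authenticated without MFA.
    """
    sources = set()
    findings = []
    for event in events:
        if event["account"] != account:
            continue
        sources.add(event["src_ip"])
        reasons = []
        if not is_corporate(event["src_ip"]):
            reasons.append("outside corporate network")
        if not event["mfa"]:
            reasons.append("no MFA")
        if reasons:
            findings.append(
                (event["time"], event["src_ip"], event["action"], reasons)
            )
    return {"distinct_sources": sorted(sources), "findings": findings}


if __name__ == "__main__":
    report = review_admin_use(EVENTS)
    print("sources using", MAIN_ACCOUNT, ":", report["distinct_sources"])
    for time, src_ip, action, reasons in report["findings"]:
        print(time, src_ip, action, "->", ", ".join(reasons))
```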

Top cloud security threats

In 2017, the Cloud Security Alliance (CSA) conducted a survey to compile professional opinions about what it believed at the time to be the most pressing security issues in cloud computing.

Of the 12 identified concerns, five were related to managing credentials and methods of compromising those credentials to gain access to cloud environments with malicious intent. Those five, in order of severity per survey results, are:

  1. Insufficient identity, credential and access management – Lack of scalable identity access management systems, failure to use multifactor authentication, weak passwords, and a lack of ongoing automated rotation of cryptographic keys, passwords and certificates.

  2. Insecure interfaces and APIs – From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy.

  3. Account hijacking – Attackers can eavesdrop on user activities and transactions, manipulate data, return falsified information and redirect your clients to illegitimate sites.

  4. Malicious insiders – A current or former employee, contractor or other business partner who has or had authorized access to an organization’s network, systems or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity or availability of the organization’s information or information systems.

  5. Insufficient due diligence – Not performing due diligence exposes a company to a myriad of commercial, financial, technical, legal and compliance risks that jeopardize its success.

Analysis of a real cloud attack

The APT10 group has been credited with a tactical campaign known as Operation Cloud Hopper, a global series of sustained attacks against CSPs and their customers. These attacks aimed to gain access to sensitive intellectual property and customer data.

US-CERT noted that a defining characteristic of Operation Cloud Hopper was that upon gaining access to a CSP, the attackers used the cloud infrastructure to hop from one cloud tenant to another, gaining access to sensitive data in a wide range of government and industrial entities in healthcare, manufacturing, finance and biotech in at least a dozen countries.

The Cloud Hopper attack lifecycle

In Operation Cloud Hopper, attackers initially used phishing emails to compromise accounts with access to CSP administrative credentials. This is the most common method of infection for any attack and is still the easiest way of getting initial access to a network. The attacker would leverage malware designed to collect the necessary credentials to pivot directly into the CSP and client managed infrastructure.

Once access is attained on the management infrastructure, PowerShell could be used inside client managed infrastructure for command-line scripting to perform reconnaissance and gather information used for lateral movement to get access to additional systems.

The attackers continued to leverage compromised credentials to cross security boundaries, effectively using cloud service providers as a step to gain access to corporate data of multiple organizations.

To ensure persistent connectivity to the cloud infrastructure in the event an administrative account no longer worked, the attackers installed remote access trojans for command and control to sites spoofing legitimate domains.

These were open source, off-the-shelf malware families used in many attacks, such as Poison Ivy and PlugX. Many of the systems compromised with remote access were not mission-critical and could be used to continue lateral movement and avoid detection by system administrators.

The final stage of Operation Cloud Hopper was data exfiltration of intellectual property. Data was collated, compressed and exfiltrated from the CSP infrastructure to the infrastructure controlled by the attackers.

As CSPs take on responsibilities from tenants in the managed infrastructures, the amount of control and visibility those cloud tenants maintain diminishes. APT10 took advantage of this diminished visibility and leveraged credentials and systems that had access to both CSP and enterprise infrastructures.

Because cloud tenants do not have visibility or control in the CSP infrastructure itself, it is a formidable challenge to monitor and detect attackers who access one system then quickly pivot within the CSP infrastructure to access another system.

It is important to note that the complexity of hybrid environments that involve CSPs and on-premise systems makes it difficult to adequately address problems like stolen credentials or lateral movement by attackers from a cloud tenant to a CSP and then to a second cloud tenant. One careless and inattentive cloud tenant can increase the risk for other cloud tenants who exercise greater diligence.

Shared responsibility model

Ensuring threat detection and response capabilities in cloud environments starts with a basic understanding of the shared responsibility model and the impact that model has on security management and monitoring capabilities.

The security of cloud services is a partnership and a shared responsibility between cloud tenants and the CSP. The CSP is responsible for the cloud platform and the physical security of its data centers.

Tenants own their cloud data and identities, the responsibility for protecting them, the security of on-premises resources, and the security of cloud components over which they have control. CSPs deliver security controls and capabilities to help protect data and applications, and the degree of tenant responsibility for security is based on the type of cloud service.

The level and balance of control by CSPs and cloud tenants depends on the computing model used. The model below provided by Microsoft for Azure illustrates the level of shared responsibility based on a cloud platform.

On-premises deployments involve data centers that leverage a virtualized infrastructure owned by the enterprise. In this model, an enterprise is responsible for the entire security stack, from physical devices to data.

An infrastructure-as-a-service (IaaS) virtual data center model replicates existing internal data centers. In this instance, physical segregation of hardware is not possible, so hypervisor-level capabilities are required to create security zones and for remote access.

When choosing between managing the infrastructure in a private or public cloud, most organizations find themselves with a hybrid cloud, a combination of the private and public cloud with shared resources and distribution components. Usually, the critical back-end infrastructure is private and the access and distribution is public.

Security and compliance concerns are first-order priorities for virtualized data center and cloud deployments. Security requirements for virtualized data centers and clouds include the ability to monitor virtualized environments while maintaining the highest levels of VM host capacity and performance. Techniques include hypervisor-based stateful firewall, network detection and virtualization-specific endpoint protection.

In a platform-as-a-service (PaaS) model, applications are installed and managed on existing outsourced platforms. A server can be provided for exclusive access or shared between multiple applications.

Confidential information can be exposed to other users or to the service provider because no control is provided over existing hardware. Controls must be applied to the data within the applications and databases using encryption and external key management designed for virtual environments.

With software-as-a-service (SaaS), third-party applications like Salesforce are utilized to provide a specific service. Data is stored on the application providers’ back-end using access controls they provide.

Enterprise applications now support integration with Active Directory using ADFS and SAML for communication. Controls must be provided for authentication and access management as well as monitoring to ensure the enterprise retains control over how these applications are used.

Key takeaways

In the APT10 Operation Cloud Hopper attack, the method of initial intrusion was cloud specific, but the attack behaviors within those cloud environments were the same behaviors found in private cloud and physical data centers.

This is because all attacks must follow a certain attack lifecycle to succeed, especially when the goal is data exfiltration. Preventing a compromise is increasingly difficult, but detecting the behaviors that occur, from command and control to data exfiltration, is not. More importantly, when an attack is carried out in hours rather than days, the time to detect becomes even more critical.

A key takeaway from the shared responsibility model is that regardless of the data center model deployed – infrastructure, platform or software as a service – the enterprise organization is always responsible for data, endpoints, accounts, and access management.

Managing access

While CSPs need to ensure their own access management and controls that limit access to cloud tenant environments, tenants themselves must assume this can be compromised and focus on learning the who, what, when and where of access management.

Properly assigning user access rights helps by reducing instances of shared credentials so cloud tenants can focus on how those credentials are used. Resource access policies can also reduce opportunities for movement between the CSP infrastructure and cloud tenants.

Detect and respond

When it comes to cloud and on-premises monitoring, it is necessary to monitor both as well as determine how to correlate data and context from both into actionable information for security analysts.

Monitoring cloud-deployed resources by cloud tenants is essential to increase the ability to detect lateral movement from the CSP infrastructure to tenant environments and vice versa.

Coordinating with the CSP – as well as CSP coordination with cloud tenants – can provide a powerful combination of information that can increase the likelihood of detecting the post-compromise activities.

More importantly, visibility into attacker behaviors is dependent on the implementation of proper tools that can leverage cloud-specific data.

Security operations

Knowing and managing the infrastructure as a part of due diligence should help to identify systems and operations that are compromised by malware implants like those used in Operation Cloud Hopper.

Changes to production systems can be difficult to detect. But when visibility is available in the cloud infrastructure, it is much easier to detect attacker behaviors in compromised systems and services that are clearly operating outside of expected specifications.

Ideally, security operations teams will have solid information about expectations for that infrastructure, so deviations from normal activity are more likely to identify malware and its activity.

Reposted from blog.csdn.net/weixin_46222091/article/details/105500776