Reducing Your Attack Surface
Misha Govshteyn, SVP Products & Marketing, Alert Logic
Summary
• Understanding your attack surface is critical to deploying the right security controls
• Attack surface in cloud environments is significantly different than on-premises
• Dominant cloud exposures are often misunderstood
#1 Sands Casino Breach
Las Vegas, Bethlehem
1st attack: Account Brute Force
Result: Detected by the SIEM. Blocked.
2nd attack: HVAC vendor application
Vector: SQL Injection
Result: Successful. Never detected.
• Compromised admin credentials
• Moved laterally through Windows AD
• Used malware to destroy all hosts on the network
Security risk is shifting to unprotected web applications
Web app attacks are now the #1 source of data breaches
Breaches by pattern (chart; x-axis: Percentage of Breaches, 10% to 40%):
Web App Attacks: 908
POS Intrusions: 525
Miscellaneous Errors: 197
Privilege Misuse: 172
Cyber-espionage: 155
Everything Else: 125
Payment Card Skimmers: 86
Physical Theft / Loss: 56
Crimeware: 49
Denial of Service: 1
Source: Verizon
But less than 5% of data center security budgets are spent on app security
Callouts: UP 500% SINCE 2014 (Source: Verizon); $23 to $1 (Source: Gartner)
Web App Attacks: Underreported. Misunderstood.
What Drives This Awareness Disconnect?
• Breach disclosure in a number of states is mandatory, but technical details are not in disclosure scope
• News media naturally gravitates towards human interest security stories
  - Mobile phones
  - Endpoint malware
  - Email theft
Chart terms: Ransomware; Malware; All other terms: SQL injection, web application attack, WordPress vulnerability, PHP vulnerability, Apache Struts vulnerability
Our Perspective on Cloud Attack Surface
• 4,000+ customers
• 80% of deployments in data centers
• 50% of deployments in public and hybrid cloud
• Dominant workload: business critical web applications
Real world view from our SOC
#2 Yahoo
Impact: Number of exposed accounts increased from 1B to 3B.
How it happened: Exploited a WordPress/PHP vulnerability in 2013
Where are they now? Sold to Verizon. Valuation revised by $350M
Meet “M4g” AKA Alexsey Belan
• One of the most prolific hackers between 2013 - 2015
• Estimated to have compromised 1.2 billion user accounts
• Prime suspect in numerous breaches
Alexsey Belan’s Techniques
1. Identified peripheral sites and key people via Google and LinkedIn
2. Initial compromise via CVE-2011-4106 WordPress vulnerability. Modified authentication mechanisms to capture credentials
3. Used NMAP & internal Wiki to learn the environment and move laterally
4. Reused cookies from development staging systems, client certificates from emails and trouble tickets
5. Used developer credentials to introduce backdoors into code
Source: https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551
Why WordPress?
Used in 28% of all web sites on the internet
• WP CVE-2011-4106 vulnerability resulted in 1.2 million compromised sites
• 53 similar vulnerabilities in last 10 years (CVSS 6+)
#3 RNC breach
Impact: 200M voter records exposed
How it happened: Misconfiguration in Amazon Web Services S3 service
Where are they now? Survived the breach. Operational impact unclear.
AWS S3 Data Leaks Due To Misconfigurations
Most common AWS Misconfigurations
1. Misconfigured EC2 instance single-point-of-failure and/or auto scaling issue
2. S3 logging not enabled
3. S3 object versioning is not enabled
4. User not configured to use MFA
5. User access key not configured with rotation
6. IAM policies are attached directly to user
7. Dangerous user privileged access to S3
8. ELB security group allows insecure access to ports or protocols
9. IAM access keys unused for 90 days
10. Dangerous user privileged access to RDS
Across 31,235 EC2 instances / workloads, 155,911 vulnerabilities and exposures sampled on 381 VPCs in Dec 2017
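Most of the items in the list above can be checked mechanically from account metadata. The added example below (not Alert Logic's Cloud Insight code) implements checks 2 through 7 and 9 as pure functions over constructed records shaped like the IAM credential report and S3 bucket logging/versioning settings; the field names, sample values and the 90-day thresholds are assumptions, and in practice the records would be pulled from the AWS APIs.

```python
from datetime import datetime, timezone
# Constructed sample data, shaped like IAM credential-report columns plus
# GetBucketLogging / GetBucketVersioning results; not real account data.
NOW = datetime(2017, 12, 15, tzinfo=timezone.utc)
IAM_USERS = [
    {"user": "deploy-bot", "mfa_active": False, "access_key_1_active": True,
     "access_key_1_last_rotated": "2017-03-01T00:00:00+00:00",
     "access_key_1_last_used_date": "2017-08-20T00:00:00+00:00",
     "attached_policies": ["AmazonS3FullAccess"]},
    {"user": "alice", "mfa_active": True, "access_key_1_active": True,
     "access_key_1_last_rotated": "2017-11-20T00:00:00+00:00",
     "access_key_1_last_used_date": "2017-12-14T00:00:00+00:00",
     "attached_policies": []},  # permissions granted via group membership
]
S3_BUCKETS = [
    {"name": "voter-data", "LoggingEnabled": None, "Versioning": "Suspended"},
    {"name": "app-logs", "LoggingEnabled": {"TargetBucket": "audit-logs"}, "Versioning": "Enabled"},
]

def _age_days(iso_ts, now):
    return (now - datetime.fromisoformat(iso_ts)).days

def audit_iam_user(u, now=NOW, max_days=90):
    """Checks 4, 5, 6, 7 and 9 from the slide for one IAM user."""
    findings = []
    if not u["mfa_active"]:
        findings.append("user not configured to use MFA")
    if u["access_key_1_active"]:
        if _age_days(u["access_key_1_last_rotated"], now) > max_days:
            findings.append(f"access key not rotated in {max_days} days")
        if _age_days(u["access_key_1_last_used_date"], now) > max_days:
            findings.append(f"access key unused for {max_days} days")
    if u["attached_policies"]:
        findings.append("IAM policies attached directly to user")
    if any("S3FullAccess" in p for p in u["attached_policies"]):
        findings.append("dangerous user privileged access to S3")
    return findings

def audit_bucket(b):
    """Checks 2 and 3 from the slide for one S3 bucket."""
    findings = []
    if not b["LoggingEnabled"]:
        findings.append("S3 logging not enabled")
    if b["Versioning"] != "Enabled":
        findings.append("S3 object versioning not enabled")
    return findings

def audit_all(users=IAM_USERS, buckets=S3_BUCKETS):
    """Map each user or bucket name to its non-empty list of findings."""
    report = {u["user"]: audit_iam_user(u) for u in users}
    report.update({b["name"]: audit_bucket(b) for b in buckets})
    return {name: f for name, f in report.items() if f}
```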
Cloud Insight Essentials check: Misconfigurations
#3 Equifax
Impact: 143M Social Security numbers, names, addresses
How it happened: Exploited flaw in Apache Struts
Where are they now? CEO, CIO, CISO fired. $3B erased from market capitalization
Apache Struts
2013: CVE-2013-2115, CVE-2013-2134, CVE-2013-2135, CVE-2013-1965, CVE-2013-1966
2017:
March 6: New Apache Struts vulnerabilities released. Alert Logic coverage update for CVE-2017-5638 released within 36 hours
May 13: Equifax breached through CVE-2017-5638. Hackers install 30+ webshells
July 29: Equifax discovers the breach; network team detects abnormal activity
July 30: Vulnerable Struts application taken offline
Aug 2: Mandiant is contracted for incident response
September: Equifax publicly discloses the breach to customers
Intervals marked on the timeline: 67 days, 108 days
Importance of Eliminating Dwell Time
Cloud Attack Surface
The Application Stack: Web Apps, Server-side Apps, App Frameworks, Dev Platforms, Databases, Server OS, Hypervisor, Hardware
Attacks: Web App Attacks (OWASP top 10); Platform / library attacks; App / System misconfig attacks
Attackers are moving up the stack
1. Wide range of attacks at every layer of the stack
2. Rapidly changing codebase can introduce unknown vulnerabilities
3. Long tail of exposures inherited from 3rd party development tools
4. Extreme shortage of cloud and application security expertise
Columns: Factor, Impact, Technology Triggers
Factor: Custom built complex web code. Impact: Broad attack surface and numerous opportunities for hidden vulnerabilities.
Factor: Open or commercial development frameworks. Impact: Vulnerabilities inherited from open source community or software vendors.
Factor: 3-tier architecture with relational databases. Impact: Increased risk of SQL injection, #1 web attack method in volume and impact.
Factor: Open and Interconnected. Impact: Easily accessible from outside world by valid users and attackers alike.
Thank you.

Reducing Your Attack Surface & Your Role in Cloud Workload Protection