
In the past 6 months, a number of high-profile data breaches, most notably at the cryptocurrency exchange Coinbase, have resulted in the loss of millions of records and millions of dollars in fines, pipeline depletion, and restitution for affected customers. In many ways, these breaches are not the result of a lack of commitment to security by the affected companies, but are instead indicative of the evolving (and improving) tactics used by bad actors.
The simple truth is that no toolbox, regardless of the number of solutions it contains, can cover every part of the attack surface. However, with an effective activity monitoring system in place, data loss via exfiltration, privilege escalation, and other consequences of an ongoing attack can be mitigated or stopped in their tracks.
Why Activity Monitoring?
The Coinbase attack was out of the ordinary in several respects. First, and most notable, is that it was more a social engineering scheme than a technical cyberattack. To obtain the sensitive customer information, the threat actors bribed overseas Coinbase support employees to exfiltrate the data on their behalf. Simple as it sounds, this attack path raises a number of questions:
- Why did the overseas employees have access to so much sensitive customer information? Was it required as a part of their role?
- Why were overseas employees allowed to download or exfiltrate this sensitive customer information?
- What other malicious actions could these employees have taken if bribed to perform them?
Modern organizations with thousands of employees maintain infrastructure that sprawls further every year. While it is highly likely that the overseas employees' permission to access and download sensitive data was some sort of mistake, an activity monitoring solution would have prevented the data exfiltration regardless of those permission mishaps.
How Activity Monitoring Works
Activity monitoring usually consists of two separate functions: signature-based monitoring and anomaly detection. Signature-based monitoring looks for telltale signs of a ransomware attack, such as ransom notes being written to a bucket, while anomaly detection establishes a baseline of "regular activity" and alerts on deviations from it. Here is how activity monitoring could have prevented the Coinbase attack in a cloud environment:
- Upon installation, the anomaly detection component monitors regular log activity to establish a baseline of "normal" activity.
- After taking the bribe, the Coinbase employees move to access and exfiltrate the sensitive information.
- Upon the attempt to download the information, the activity monitoring solution takes the following actions:
  - The signature-based monitoring system alerts on sensitive data being downloaded. The employees' permissions are revoked immediately and the attack is stopped.
  - The anomaly detection system notices a mass download of sensitive information. The employees' permissions are revoked immediately and the attack is stopped.
While the verdict and result are the same for the two monitoring methods, the redundancy is important in many cases. Signature-based detection is simpler in nature, but more complex attacks, such as the Ingram Micro incident, might instead have been caught by anomaly detection.
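To make the two layers concrete, here is an added example of the monitoring logic described above, run over constructed S3 access events. It is not code from Cloud Storage Security or Casmer Labs; the bucket names, principals, service roles, baseline counts, thresholds and event records are all assumptions made up for this illustration, and the record fields are a simplified version of what CloudTrail S3 data events carry.

```python
"""Added example: a two-layer activity monitor over constructed S3 access events.

Not code from Cloud Storage Security or Casmer Labs. Bucket names, principals,
roles, thresholds and the event records below are constructed for illustration;
the record fields loosely mirror CloudTrail S3 data events but are simplified.
"""
from collections import Counter
from statistics import mean, pstdev

# --- Signature layer: explicit rules (assumed policy for this example) -------
SENSITIVE_BUCKETS = {"customer-pii"}   # constructed
SERVICE_ROLES = {"kyc-batch-role"}     # principals expected to read PII in bulk

# --- Anomaly layer: learned baseline (constructed) ---------------------------
# Daily GetObject counts per principal observed during a five-day learning window.
BASELINE_DAILY_GETS = {
    "support-agent-1": [3, 4, 2, 5, 3],
    "support-agent-2": [2, 3, 3, 2, 4],
    "kyc-batch-role": [1200, 1150, 1300, 1250, 1180],
}

# Events for the day under inspection (constructed). support-agent-1 has been
# bribed and pulls 250 customer records; support-agent-2 does normal work; the
# batch role does its usual large but legitimate read.
TODAY = (
    [{"principal": "support-agent-1", "event": "GetObject",
      "bucket": "customer-pii", "key": f"kyc/{i}.json"} for i in range(250)]
    + [{"principal": "support-agent-2", "event": "GetObject",
        "bucket": "customer-pii", "key": "kyc/7.json"}]
    + [{"principal": "support-agent-2", "event": "ListObjects",
        "bucket": "tickets", "key": ""}]
    + [{"principal": "kyc-batch-role", "event": "GetObject",
        "bucket": "customer-pii", "key": f"kyc/{i}.json"} for i in range(1210)]
)


def signature_alerts(events):
    """Rule-based layer: any GetObject against a sensitive bucket by a principal
    that is not an approved service role fires immediately, on the first object."""
    hits = {e["principal"] for e in events
            if e["event"] == "GetObject"
            and e["bucket"] in SENSITIVE_BUCKETS
            and e["principal"] not in SERVICE_ROLES}
    return sorted(hits)


def anomaly_alerts(events, baseline, z=3.0, floor=5):
    """Baseline layer: flag principals whose download count today exceeds
    mean + z * stdev of their own history, plus a small floor so that a
    near-constant history does not alert on a one-object change. Principals
    with no history at all are flagged too, since there is nothing to compare."""
    today = Counter(e["principal"] for e in events if e["event"] == "GetObject")
    flagged = {}
    for principal, count in today.items():
        history = baseline.get(principal)
        if not history:
            flagged[principal] = (count, None)
            continue
        threshold = mean(history) + z * pstdev(history) + floor
        if count > threshold:
            flagged[principal] = (count, round(threshold, 1))
    return flagged


def principals_to_suspend(events, baseline):
    """Response: the union of both layers. Either verdict alone is enough to
    revoke a principal's access; the overlap is the redundancy described above."""
    return sorted(set(signature_alerts(events)) | set(anomaly_alerts(events, baseline)))


if __name__ == "__main__":
    print("signature:", signature_alerts(TODAY))
    print("anomaly:  ", anomaly_alerts(TODAY, BASELINE_DAILY_GETS))
    print("suspend:  ", principals_to_suspend(TODAY, BASELINE_DAILY_GETS))
```

Two points the output makes that the prose does not: the signature layer fires on the very first sensitive download (it flags support-agent-2's single read as well), while the anomaly layer only flags support-agent-1, whose 250 downloads dwarf a baseline of three or four per day. The batch role's 1210 reads stay quiet in both layers because the baseline is kept per principal; a single global threshold would either miss the bribed agent or drown in alerts from the batch job.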
Conclusion and Recommendations
To prevent similar attacks from affecting your organization, Casmer Labs recommends the following best practices:
- Implement a robust backup strategy, which is key to protecting against ransomware
- Add a condition element to IAM policies that conditionally denies requests using SSE-C encryption
- Enable S3 lifecycle event notifications
- Practice basic digital security hygiene: change passwords frequently, enable multi-factor authentication (MFA), etc.
- Implement a signature-based and anomaly-detection activity monitoring solution that proactively parses logs to identify early indicators of breaches and ransomware attacks
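The SSE-C condition and the lifecycle notification recommendations are configuration, so here is an added example that builds both as Python dicts (serialisable with json.dumps or passable to boto3), together with a minimal check that the deny condition matches only requests carrying a customer-provided key. This is not code from Cloud Storage Security or Casmer Labs; the bucket name and SNS topic ARN are placeholders, and the evaluator models one statement rather than the full IAM policy engine.

```python
"""Added example: configuration for two of the recommendations above.

Not code from Cloud Storage Security or Casmer Labs. The bucket name and SNS
topic ARN are placeholders; statement_denies is a deliberately minimal model
of one Null-condition statement, not a general IAM policy evaluator.
"""
import json

BUCKET = "example-customer-data"                                       # placeholder
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:s3-lifecycle-events"  # placeholder

# S3 condition key that is present whenever a request supplies an SSE-C key.
SSEC_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def deny_ssec_policy(bucket):
    """Bucket policy that rejects any PutObject supplying a customer-provided
    key (SSE-C). With SSE-C the writer holds the only copy of the key, which is
    what makes it attractive for ransomware; denying the header removes the
    capability for every principal, including a compromised one. A Null
    condition set to "false" matches when the key IS present in the request."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedEncryptionKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSEC_KEY: "false"}},
        }],
    }


def lifecycle_notification_config(topic_arn):
    """NotificationConfiguration in the shape boto3's
    put_bucket_notification_configuration expects: publish an event whenever a
    lifecycle rule expires an object or creates a delete marker, so unexpected
    expirations become visible to the monitoring layer."""
    return {
        "TopicConfigurations": [{
            "Id": "lifecycle-expirations",
            "TopicArn": topic_arn,
            "Events": ["s3:LifecycleExpiration:*"],
        }]
    }


def statement_denies(statement, request_context):
    """Minimal evaluator for a Deny statement whose only condition is a Null
    block. request_context maps condition keys to the values a request carries.
    Returns True when the statement's Deny applies to that request."""
    if statement.get("Effect") != "Deny":
        return False
    for key, want in statement.get("Condition", {}).get("Null", {}).items():
        present = key in request_context
        # "false" requires the key to be present; "true" requires it to be absent
        if (want == "false") != present:
            return False
    return True


def policy_json(bucket):
    """The policy as the JSON document you would attach to the bucket."""
    return json.dumps(deny_ssec_policy(bucket), indent=2)


if __name__ == "__main__":
    print(policy_json(BUCKET))
    print(json.dumps(lifecycle_notification_config(TOPIC_ARN), indent=2))
    stmt = deny_ssec_policy(BUCKET)["Statement"][0]
    print("SSE-C put denied:", statement_denies(stmt, {SSEC_KEY: "AES256"}))
    print("SSE-KMS put denied:", statement_denies(stmt, {"s3:x-amz-server-side-encryption": "aws:kms"}))
```

The Null condition is chosen over a StringEquals on AES256 so that the deny does not depend on which algorithm value the caller sends: any request that names a customer-provided algorithm at all is refused, while uploads using SSE-S3 or SSE-KMS, where AWS retains the key material, are unaffected by this statement.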
DataDefender by Cloud Storage Security automates the detection and mitigation of threats, internal or external, preventing data exfiltration, ransomware, and other threats at the source. Sign up for the DataDefender beta here.
About Cloud Storage Security
Cloud Storage Security (CSS) offers customers the ability to protect the storage layer in their cloud environments. DataDefender by Cloud Storage Security offers customers complete protection over the entirety of their cloud storage environment. Make sure your organization:
- Knows where its sensitive data resides
- Configures its storage resources in a secure manner
- Prevents the ingestion and distribution of malware, including ransomware
- Identifies and stops internal and external attacks against storage, and the data within
The DataDefender beta program is open for applications now. Sign up at cloudstoragesecurity.com/datadefender to request access to the solution.
Cloud Storage Security’s cloud antivirus solution is also available in AWS Marketplace with a 30-day free trial.