Effective cloud security focuses on the techniques used by threat actors in real-world incidents. I maintain aws-customer-security-incidents to consolidate public data on these incidents and actors.
Tracebit outlines the benefits of cloud canaries in greater depth, but the basic idea is to seed your cloud environment with tripwires (decoy credentials, secrets, buckets and similar resources that no legitimate workload ever touches) that trigger high-signal alerts based on common attacker TTPs.
Let's look at three recent, sophisticated AWS security incidents and talk about how canaries could help you detect each one early, and at several points throughout the attack lifecycle.
The first case comes from Yotam Meitar, who shared the details in his talk at fwd:cloudsec 2024: “Responding to Sophisticated Ransom Attacks in the Cloud: A Real-World Case Study”
In this incident, an engineer had deployed a known-vulnerable application to an EKS Pod. The application was intended for testing and was meant to be exposed only internally, but it was deployed to production. A second employee then accidentally changed the shared Security Group that managed access to that application and left it publicly accessible.
An attacker quickly discovered the exposed vulnerability during an untargeted scan. They compromised the Kubernetes Pod, which let them obtain credentials for the EC2 instance's IAM role (the node role, which a pod can typically reach through the instance metadata service unless that path is blocked). This role had over-privileged access to Secrets Manager. One accessible secret granted the ability to bypass a custom Identity Provider that was in use. Finally, with the access the Identity Provider granted, the attacker was able to exfiltrate MongoDB backups from an S3 bucket.
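Two stages of that chain, the Secrets Manager read and the S3 backup pull, are exactly where a tripwire of the kind described above would fire: a decoy secret sitting next to the real ones, and a decoy backup bucket that nothing legitimate reads. The following is an added example, not code from the original post or from Tracebit. It is a detector that runs over CloudTrail records and raises an alert when a non-allowlisted principal reads a canary secret or a canary bucket. All ARNs, role names, bucket names and the sample events are constructed for illustration.

```python
"""Canary-read detector over CloudTrail records (added example, constructed data)."""
import json
from typing import Iterable

# Hypothetical canary inventory. In practice this comes from wherever the decoys are
# provisioned (Terraform outputs, a tag query, etc.). Names mimic what an attacker
# in the incident above would be hunting for.
CANARY_SECRET_NAMES = {"prod/idp-service-token"}        # decoy next to the real IdP secret
CANARY_S3_BUCKETS = {"acme-mongodb-backups-archive"}     # decoy backup bucket

# Principals that may legitimately touch the canaries (provisioning / health checks).
ALLOWLISTED_PRINCIPALS = {"arn:aws:iam::123456789012:role/canary-provisioner"}

# Only a read means someone took the bait; Create/Put/Describe are provisioning noise.
SECRET_READ_EVENTS = {"GetSecretValue", "BatchGetSecretValue"}
S3_READ_EVENTS = {"GetObject", "GetObjectVersion", "ListObjects", "ListObjectsV2", "ListObjectVersions"}


def secret_name(secret_id: str) -> str:
    """Normalise the secretId request parameter, which may be a name or an ARN.

    Secrets Manager ARNs end in ':secret:<name>-<6 random chars>'; strip that suffix.
    """
    if secret_id.startswith("arn:"):
        name_with_suffix = secret_id.split(":secret:", 1)[1]
        return name_with_suffix.rsplit("-", 1)[0]
    return secret_id


def principal_of(record: dict) -> str:
    """Return the IAM role behind an assumed-role session, else the identity ARN itself."""
    ident = record.get("userIdentity", {})
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident.get("arn", "unknown")


def canary_alerts(records: Iterable[dict]) -> list[dict]:
    """Return one alert per CloudTrail record that reads a canary resource."""
    alerts = []
    for r in records:
        source, event = r.get("eventSource"), r.get("eventName")
        params = r.get("requestParameters") or {}
        principal = principal_of(r)
        if principal in ALLOWLISTED_PRINCIPALS:
            continue
        hit = None
        if source == "secretsmanager.amazonaws.com" and event in SECRET_READ_EVENTS:
            # GetSecretValue carries secretId; BatchGetSecretValue carries secretIdList.
            ids = params.get("secretIdList") or [params.get("secretId", "")]
            touched = {secret_name(i) for i in ids} & CANARY_SECRET_NAMES
            if touched:
                hit = ("secretsmanager", ",".join(sorted(touched)))
        elif source == "s3.amazonaws.com" and event in S3_READ_EVENTS:
            bucket = params.get("bucketName", "")
            if bucket in CANARY_S3_BUCKETS:
                hit = ("s3", f"{bucket}/{params.get('key', '')}")
        if hit:
            alerts.append({
                "severity": "high",
                "service": hit[0],
                "resource": hit[1],
                "event": event,
                "principal": principal,
                "session": r.get("userIdentity", {}).get("arn"),
                "source_ip": r.get("sourceIPAddress"),
                "time": r.get("eventTime"),
            })
    return alerts


def _assumed_role(role: str, session: str) -> dict:
    return {
        "type": "AssumedRole",
        "arn": f"arn:aws:sts::123456789012:assumed-role/{role}/{session}",
        "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::123456789012:role/{role}"}},
    }


# Constructed CloudTrail records modelled on the incident: stolen node-role credentials
# read the decoy secret, then the IdP-derived access pulls a "backup" from the decoy bucket.
SAMPLE_RECORDS = [
    {"eventTime": "2024-06-12T03:14:07Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "203.0.113.45",
     "userIdentity": _assumed_role("eks-node-role", "i-0f1e2d3c4b5a69788"),
     "requestParameters": {"secretId": "arn:aws:secretsmanager:us-east-1:123456789012:secret:prod/idp-service-token-Ab1XyZ"}},
    {"eventTime": "2024-06-12T03:14:09Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "203.0.113.45",
     "userIdentity": _assumed_role("eks-node-role", "i-0f1e2d3c4b5a69788"),
     "requestParameters": {"secretId": "prod/app-db-password"}},           # real secret: no alert here
    {"eventTime": "2024-06-12T03:52:41Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.45",
     "userIdentity": _assumed_role("backup-reader", "idp-session"),
     "requestParameters": {"bucketName": "acme-mongodb-backups-archive", "key": "mongodb/full-2024-06-11.tar.gz"}},
    {"eventTime": "2024-06-12T04:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.12.7",
     "userIdentity": _assumed_role("canary-provisioner", "healthcheck"),   # allowlisted: suppressed
     "requestParameters": {"bucketName": "acme-mongodb-backups-archive", "key": "mongodb/full-2024-06-11.tar.gz"}},
]

if __name__ == "__main__":
    print(json.dumps(canary_alerts(SAMPLE_RECORDS), indent=2))
```

Two caveats apply when wiring this up for real. S3 object-level calls such as GetObject are CloudTrail data events, which are not recorded unless data-event logging is enabled for the canary bucket; management events alone will never show the exfiltration step. And the alert is only as good as the decoy's placement: the secret name and bucket name must be plausible targets for someone enumerating Secrets Manager or S3 with the node role's credentials, which is why the examples imitate the IdP secret and the MongoDB backups the attacker actually went after.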