Capital One Breach Shines Light on Cloud Security Risks, Human Error, and Insider Threats
On June 17, 2022, a former Amazon Web Services (AWS) employee was convicted of seven federal crimes related to her hacking of Capital One. This massive cloud data breach and crypto-mining incident stands out not just for the number of records breached but also for the nature of the attack. Misconfiguration in cloud environments is on the rise — especially as environments become more business-critical and grow in complexity, outstripping the ability of in-house IT and security teams to manage them securely. However, cybersecurity researches uncover and responsibly disclose most of the cloud security incidents that make the news headlines.
Capital One’s breach was the first major cyberattack of its kind that showed people with nefarious intent are looking for those same cloud misconfiguration security gaps to exploit. It’s time for organizations to get better at configuring and securing their cloud infrastructure — or face the consequences.
Cloud Computing is King — and Requires Strong Security Controls
Organizations of all sizes are moving sensitive data to the cloud in droves. Gartner predicts that by 2025, over 95% of new digital workloads will be deployed in cloud computing environments, up from 30% in 2021. The challenge is that many of these cloud service providers (CSPs) are constantly adding more and more complexity, making it harder for teams to know exactly how to configure those cloud platform tools — especially for the 92% of enterprises with multi-cloud environment strategies.
From a security perspective, this surfeit cloud complexity makes it harder to do the right thing. There simply aren’t enough skilled practitioners in even the biggest enterprises with the detailed knowledge to understand when something is wrongly configured.
The result is an epidemic of cloud misconfiguration and security risk. One vendor estimated that cloud security incidents increased 10% year-on-year in 2021. Another claims to identify 230 million misconfigurations for its global customers every single day.
Good to Know: Application Programming Interfaces (APIs) are a critical component of mobile, SaaS, and web apps but require special attention to data security because insecure APIs have the potential to expose data.
What happened to Capital One?
Often, cloud misconfigurations expose data directly to the public internet. That was not the case with the Capital One breach — but the impact was still catastrophic. Paige Thompson is said to have used her insider knowledge as a former AWS software engineer to scan for misconfigured cloud accounts. She then compromised these, stole data on 100 million prospective and existing banking customers, and planted crypto-mining software on the hijacked servers to monetize the attack. She posted the stolen data to a public GitHub page and apparently bragged about the compromise on social media.
The misconfiguration in question was an open-source web application firewall (WAF) the bank was running in its AWS environment. Although WAFs enhance security, the irony is that in this case, settings allowed broader permissions than best practices would stipulate, enabling Thompson to access resources she shouldn’t have been able to. She did so as part of a Server-side Request Forgery (SSRF) attack on the WAF server, which tricked it into running commands that it should not have been permitted to run. This enabled Thompson to obtain temporary access credentials from the AWS metadata service and then open up S3 storage buckets containing not just Capital One data but sensitive information from more than 30 AWS customers.
Good to Know: Multi-factor Authentication (MFA) requires users to verify their identity with credentials above and beyond the username and password. Using MFA for access management, and preventing unauthorized access, is crucial to data protection and should be part of a robust security strategy.
What lessons can we learn about cloud security threats?
Although this was a sophisticated attack performed by a former AWS insider, cyber-criminals and state actors have also proven themselves to be highly capable and determined adversaries. So there are a number of broader lessons organizations should learn to help prevent something similar from happening to them:
- Misconfigurations are the source of many cloud security incidents. Organizations should continuously run cloud security posture management (CSPM) tools to help ensure any cloud systems are correctly set up. Access control that applies the principle of least privilege to any system, including WAFs, should be a given.
- An SSRF exploit was used in combination with the WAF misconfiguration. Organizations should create golden configurations and regularly scan for non-compliance.
- A shared responsibility model is an important tenet of cloud security policies. Organizations should exercise due diligence and familiarize themselves with it to understand where the CSP’s security responsibilities stop and what they need to take care of.
- Breach prevention is tough, especially against determined attackers. But rapid detection and response are absolutely possible and should be organizations' top cloud security focus. With continuous cloud monitoring, Capital One could have spotted Thompson’s suspicious behavior earlier on to minimize the impact of her attack.
- Monitoring the dark web can also provide a useful source of threat intelligence. In this case, Thompson is not thought to have sold the stolen data. But a professional hacker would likely have used underground sites to do so. By scanning such sites for customer data, organizations can take action (reset passwords, cancel cards, alert customers) to further reduce the impact of breaches.
- Zero Trust, the IT security model that requires strict identity verification for every user and device trying to access network resources, regardless of whether inside or outside the network perimeter, should be part of every company’s network security. ZTNA is also an essential element of the SASE architecture.
Why should you care about cloud computing security?
Capital One learned all this the hard way. It also suffered significant financial and reputational damage. That should be enough to focus boardroom attention on cloud security solutions and avoid following in its footsteps. Specifically, the firm:
- Replaced its CISO following the breach.
- Was fined $80m for violating federal regulatory compliance requirements.
- Was ordered to pay nearly $200m in class action damage.
- Suffered intangible damage to the brand, which will be forever associated with the breach.
We’ve not seen a breach on this scale stemming from a flawed cloud configuration since 2019. But that doesn’t mean there isn’t one in the pipeline. Threat actors are past masters at collaboration and improving on previous attack techniques. CISOs and their teams must also take the opportunity to learn from the mistakes of others. It’s ultimately how we’ll all get better at developing cloud security measures that mitigate security issues such as malware, denial-of-service attacks, phishing, and data loss.
Interested in trying OpenVPN Cloud, the only cloud-based virtual networking platform with built-in security functions offered as a service? Get started today — no commitment or credit card required.