Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/23/2019
10:30 AM
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Capital One Breach: What Security Teams Can Do Now

Knowing the methods of the attacker, as laid out in the federal indictment, allow us to prevent similar attacks.

Oh, the Monday blues. You start the week moody because the weekend is over, though the feeling typically subsides once you're in the office. But for the 106 million people with stolen data affected by the Capital One data breach, the Monday blues on July 29 were dark indeed.  

That's when Capital One first announced it had determined "there was unauthorized access by an outside individual who obtained certain types of personal information" relating to its customers on July 19, 2019. The compromised data included names, addresses, phone numbers, self-reported income, credit scores, and payment histories, among other personal information belonging to approximately 100 million customers in the United States and 6 million in Canada. The alleged perpetrator of this breach, Paige Thompson, has already been arrested by federal law enforcement.

The team at Digital Shadows has been closely following the indictment and the resulting fallout, including the media coverage. Using the MITRE ATT&CK and PRE-ATT&CK framework, we've identified what we know and a number of practical steps to help security teams avoid similar situations.

What We Know
On July 17, 2019, an email was received by Capital One's responsible disclosure inbox claiming that internal data was posted to GitHub. Capital One's investigation revealed a file time-stamped April 21, 2019, containing the IP address of one of Capital One's cloud instances. Upon review, there were indications that its cloud environment had been compromised by an attacker who subsequently exfiltrated data from it.

Here is what we know about the attacker's process:

1. Initial Access: T1190 Exploit Public-Facing Application, T1133 External Remote Services
Execution: T1059 Command-Line Interface
"A firewall misconfiguration permitted commands to reach and be executed by that server," according to the indictment. It is unclear precisely which misconfiguration was used to compromise the cloud instance but there are some possibilities:

  • A vulnerable web application was inadvertently exposed to the Internet and exploited, possibly via a server-side request forgery attack.
  • A remote access service was inadvertently exposed to the Internet with no or weak credentials.

Mitigation: It's critical to continuously assess cloud environments for security issues, especially those at risk of external access from the public Internet. Reviewing security group configurations regularly can help ensure that services are not accidentally exposed and access controls are correctly applied.

2. Credential Access: T1098 Account Manipulation
The attacker was able to gain unauthorized access to temporary role credentials once in Capital One's cloud instance. Three commands were retrieved from the GitHub file, according to the indictment, which the attacker used for post-exploitation activities. Temporary credentials were generated by the first command.

Mitigation: When an authorized entity, such as a user or an application, requires access to an AWS service, the identity access management (IAM) system issues a set of temporary credentials. However, continuously monitoring these credential sets is challenging in complex cloud environments due to their dynamic nature. Although it does take significant effort to make this mitigation technique work effectively, it can prove effective when dealing with an infiltration.

3. Discovery: T1007 System Service Discovery
The second post-exploitation command was to list the Amazon S3 buckets that the attacker assumed they had access to given their identity.

Mitigation: While real-time alerting is an issue, AWS CloudTrail logging can help an organization track this type of activity. CloudTrail keeps a log of activity on your AWS account and stores it in an S3 bucket for you for further analysis.

4. Exfiltration: T1048 Exfiltration Over Alternative Protocol
According to the indictment, syncing the S3 bucket contents with an attacker-controlled server was the third post-exploitation command executed. This relied on access granted via the assumed identity providing the attacker with access to more than 700 buckets.

Mitigation: As with the previous issue, AWS CloudTrail logging can help an organization track this type of activity, despite the real-time alerting issue.

5. PRE-ATT&CK Establish and Maintain Infrastructure
T1329 Acquire and/or Use Third-Party Infrastructure Services
The attacker used a combination of Tor and IPredator (a paid VPN provider) to hide her network identity when attacking the Capital One cloud environment, as stated in the indictment.

Mitigation: Whitelisting access to resources from a set of known-good IP addresses, if possible, can help prevent unauthorized access. IP whitelisting should only be used in conjunction with other, strong authentication mechanisms — it can only be applied in environments where it is known from where an authorized user will be accessing an environment.

What We Don't Know
The attacker worked for Amazon in the past so the "insider" angle has been played up in the media. However, the indictment does not imply that the attacker had any privileged access based on previous employment. Instead, it appears that the attacker used her knowledge and experience to exploit a vulnerability in the misconfigured firewall. 

The attacker's motives remain unconfirmed. While many data breaches conducted against banks are financially motivated, the Capital One hack was publicized by the attacker, a known member of a hacking club. It is possible that this hack was conducted for personal motives, but details are still unfolding.

Related Content:

Richard Gold is a hands-on information security professional who has over a decade's worth of experience in understanding and securing computer networks. With his background as a Certified SCADA Security Architect and a Ph.D. in computer networking, Richard uses knowledge ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
50%
50%
tdsan,
User Rank: Ninja
8/27/2019 | 10:18:55 AM
Re: Some people

"Amazon Web Services "was not compromised in any way and functioned as designed," Amazon said in a statement, adding that the reason for the breach was a misconfiguration of firewall settings managed on the cloud server by Capital One, not a vulnerability in the cloud server itself."

This was done intentionally because of the WAF's configuration, it has to be configured to allow such entry (she had insider knowledge). She intentionally modified permissions from the AWS WAF-Role to allow for this type of attack. One thing that they left out, how did she gain access to the AWS cloud environment when the SG (Security Groups) and VPN access should have blocked this intrusion from an mgmt standpoint (again another area of weak security rules and no one reviewing the work).



Also, there is something that was left out, if they (Capital-One) were not notified of the incident and she did not share her experience online, then how long would this have gone on before they would have known (years)?

This is what I mean by organizations who have been lax in their security mechanisms even though they profess to ensure data integrity at all costs (why didn't they know about customer account data being moved or copied, NSA had the same problem with Ed Snowden, if he had not said anything to the public, they would have never known, seems as though history is repeating itself and we continue to miss our lessons-learned).

T

 
bwing
50%
50%
bwing,
User Rank: Apprentice
8/26/2019 | 8:53:18 AM
Some people
Just want to watch the world burn

 

'The attacker's motives remain unconfirmed. While many data breaches conducted against banks are financially motivated, the Capital One hack was publicized by the attacker, a known member of a hacking club. It is possible that this hack was conducted for personal motives, but details are still unfolding.'
tdsan
100%
0%
tdsan,
User Rank: Ninja
8/25/2019 | 9:16:30 AM
Excellent write up
Excellent write-up, you brought up some valid and key points. One thing that may have been overlooked by Capital one is that this may have been planned from the beginning. But I do think the infiltration or compromise was much easier than that.

When she worked for capital one, she intentionally created a back door where she had implemented credentials under another name as well as misconfigured the WAF intentionally; remember, she had full access to the security section of AWS therefore she had access to all of the access and secret keys. But it will be interesting to see what unfolds in the next few months as more case information is brought to the public.

 

T
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19071
PUBLISHED: 2019-11-18
A memory leak in the rsi_send_beacon() function in drivers/net/wireless/rsi/rsi_91x_mgmt.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering rsi_prepare_beacon() failures, aka CID-d563131ef23c.
CVE-2019-19072
PUBLISHED: 2019-11-18
A memory leak in the predicate_parse() function in kernel/trace/trace_events_filter.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-96c5c6e6a5b6.
CVE-2019-19073
PUBLISHED: 2019-11-18
Memory leaks in drivers/net/wireless/ath/ath9k/htc_hst.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering wait_for_completion_timeout() failures. This affects the htc_config_pipe_credits() function, the htc_setup_complete() function, ...
CVE-2019-19074
PUBLISHED: 2019-11-18
A memory leak in the ath9k_wmi_cmd() function in drivers/net/wireless/ath/ath9k/wmi.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption), aka CID-728c1e2a05e4.
CVE-2019-19075
PUBLISHED: 2019-11-18
A memory leak in the ca8210_probe() function in drivers/net/ieee802154/ca8210.c in the Linux kernel before 5.3.8 allows attackers to cause a denial of service (memory consumption) by triggering ca8210_get_platform_data() failures, aka CID-6402939ec86e.