Ops 401: Class 16
Nicholas Loiacono edited this page May 2, 2023 (1 revision)
This topic matters as it relates to what I'm studying in this module because it would help me gain insights from real-world security incidents, improve my organization's security posture, and enhance incident response capabilities. Studying past breaches helps professionals identify common pitfalls, learn from others' mistakes, and understand attackers' tactics. This knowledge can also assist in meeting compliance requirements, raising security awareness, and fostering continuous professional development in the ever-evolving cybersecurity landscape.
- `http://169.254.169.254/iam/security-credentials` - to query the instance metadata service endpoint and obtain the name of the IAM role attached to the instance.
- `http://169.254.169.254/iam/security-credentials/*****-WAF-Role` - to obtain temporary credentials for that role using the role name.
- The AWS S3 list (`aws s3 ls`) and sync (`aws s3 sync s3://somebucket`) CLI commands - to list all S3 buckets the credentials could access and to download the contents of a specific bucket, respectively.
The AWS misconfiguration that allowed the attacker to reach sensitive data was a Web Application Firewall (WAF) vulnerable to Server-Side Request Forgery (SSRF), which let requests be relayed to the metadata endpoint of the EC2 instance/ECS task the WAF ran on. Combined with the excessive permissions the financial institution had granted to that role, this gave the attacker access to data stored in S3 buckets.
- Review every access path and permission from human identities and non-human identities (e.g., an EC2 machine role) to data stores (e.g., S3 buckets). Use Cloud Infrastructure Entitlement Management (CIEM) solutions to automate the detection of over-privileged identities and over-exposed data.
- Use CloudTrail, CloudWatch, and/or AWS Lambda to log and review the actions taken on S3 resources and to automate responses to specific ones, giving better monitoring of and control over access to S3 resources.
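An added example, not from the Zscaler article or this class: Python detection logic run over constructed CloudTrail records, implementing the CloudTrail review above. It flags S3 calls made with an EC2 instance-role session from a source address outside the ranges the instances are expected to use, which is what role credentials obtained through the metadata endpoint look like in the log. The account id, role name, instance id, IPs and the `EXPECTED_NETWORKS` range are placeholders and assumptions.

```python
import ipaddress

# Constructed sample CloudTrail records (not real data). Field names follow the
# CloudTrail event schema; the account id, role name, instance id and IPs are placeholders.
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/EXAMPLE-WAF-Role/i-0abc123def456"

def _ev(name, ip, arn, kind="AssumedRole"):
    return {"eventName": name, "eventSource": "s3.amazonaws.com", "sourceIPAddress": ip,
            "userIdentity": {"type": kind, "arn": arn}}

SAMPLE_EVENTS = [
    _ev("ListBuckets", "203.0.113.7", ROLE_ARN),  # instance role used from the internet
    _ev("GetObject", "203.0.113.7", ROLE_ARN),
    _ev("GetObject", "10.0.1.25", ROLE_ARN),      # same role from inside the VPC: normal
    _ev("ListBuckets", "203.0.113.9", "arn:aws:iam::111122223333:user/analyst", "IAMUser"),
]

# Assumption: the address space the instances normally run in (the VPC CIDR).
EXPECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
# ListBuckets is a management event logged by default; GetObject and ListObjects
# are S3 data events and only appear if data event logging is enabled on the trail.
WATCHED_S3_ACTIONS = {"ListBuckets", "ListObjects", "GetObject"}

def is_instance_role_session(identity):
    """True for an EC2 instance-profile session: STS assumed-role ARNs end in
    .../ROLE/SESSION, and EC2 uses the instance id (i-...) as the session name."""
    if identity.get("type") != "AssumedRole":
        return False
    return identity.get("arn", "").rsplit("/", 1)[-1].startswith("i-")

def is_unexpected_source(ip_text):
    """True when the caller's IP lies outside every expected network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # e.g. "AWS Internal" or a service principal, not an IP
        return False
    return not any(ip in net for net in EXPECTED_NETWORKS)

def find_suspicious_s3_use(events):
    """Flag S3 calls made with instance-role credentials from outside the VPC,
    the signature of role credentials lifted via the instance metadata endpoint."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") not in WATCHED_S3_ACTIONS:
            continue
        ident = ev.get("userIdentity", {})
        if is_instance_role_session(ident) and is_unexpected_source(ev.get("sourceIPAddress", "")):
            hits.append({"eventName": ev["eventName"], "role": ident["arn"].split("/")[1],
                         "sourceIPAddress": ev["sourceIPAddress"]})
    return hits
```

The same function can be wired into a Lambda triggered by CloudWatch Events or run over exported trail files; the flagged records are the ones worth an alert.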
Based on the Capital One scenario, things I want to know more about are detection and response times, insider threats, post-incident actions, financial and reputational impact, threat intelligence sharing, emerging attack techniques, and security culture and awareness training.
Zscaler. "Anatomy of a Cloud Breach: How 100 Million Credit Card Numbers Were Exposed" (Capital One Data Breach). Retrieved May 2, 2023.