The Gately Report: Cybersecurity Top Priority for AWS Since Day 1, LastPass Breached Again
The massive scale of AWS means it can better fend off cybercriminals.
Channel Futures: What sorts of cyber threats is AWS facing? Is it constant?
AWS’ Mark Ryland: We run these public APIs on the internet, so there’s constant probing and attacking going on. We deal a lot with the distributed denial of service (DDoS) issues, which being a very large infrastructure provider, of course we’re seeing the impact of that. But also from the start, we’re building and engineering our capability, and our networking facilities and presence to deal with that effectively. So actually many customers come to the cloud precisely because we can actually help defend them much more successfully, because of our scale, than they could do on their own or with a smaller hosting provider. So that’s a good example.
We also run a lot of telemetry and sensors that are looking for the kind of routine attacks that you see constantly, trying to measure those, looking for new types of malware, analyzing those and building protections into our security services. We have a service called the Web Application Firewall or WAF, and we’re constantly improving the WAF protections by actually running sensors that look for attacks and analyze those, and automatically then generate new protections that customers can benefit from. So it’s a … full closed loop of both looking for the kind of typical malware and probing attackers, analyzing what they’re doing, and then adding protections to either our GuardDuty service, which gives you indications of potential problems in your environment, or our WAF service, which actively protects you from those exact attacks.
CF: When it comes to cybersecurity, is AWS’ partner ecosystem growing?
AWS’ Ryan Orsi: It is growing, yes. Actually the newest program we have is the Level 1 MSSP Competency Program. That has more than tripled our expectations in terms of number of partners that have joined and been a part of the validation process. And it’s about an equal split in terms of your traditional software companies that are putting a managed service around it for 24/7 threat monitoring and response, and service-based companies that utilize other software tools and they package it together. So I’d have to say it’s beating expectations in terms of partners coming into the program, wanting to do joint educational events with us, wanting to bring customers together, working with our service and product teams about what’s coming next so they can put that into their product or their service and address those use cases.
There are over 140 already in the security competency. And it’s a great talent pool. As you know, a cybersecurity professional is kind of a rare person, and then cloud cybersecurity professionals, the field narrows even more. So we look at these partners as a great scaling mechanism for our best practices to get out into that customer community.
CF: What’s fueling that partner ecosystem growth?
Orsi: I’d say the level of awareness at the line-of-business owner. If we’re speaking to the customer community, and these are enterprises to the SMBs … the line-of-business owners are starting to understand that security is not a blocker. It’s not a thing of frustration for them. It’s actually a business enabler. If they can take the concerns away from their development team, their application team, their security team by selecting more automatic ways to deal with certain kinds of threat types, they actually pull undifferentiated heavy lifting away from those teams and now they can focus more on an outcome they want. So I’d say that that persona at the customer level is much more interested about let’s make security easier. Maybe they’re not going to do it on their own. They might need to acquire either a third-party tool or a third-party service. My job and my team’s is to make sure that we’re validating all of those tools, the services, the procedures of how these companies operate and work with customer data and customer access. And it’s all about building that trust, that ecosystem of trust among us, our security partners and ultimately our end customers.
CF: How does scale help AWS better fend off attackers for it, and its partners and customers?
Ryland: Scale helps simply because of the sheer capacity of our cloud platform. There’s what are called public peering databases, which anyone can go analyze. And you can see like what is the total terabits per second capacity of AWS as we face the internet. It’s massive. And so, for example, DDoS attacks that would overwhelm any individual customer, at our scale they’re just … noise. But we can also sense that, detect it and then mitigate, and help customers be protected. And many of our protections are automatic.
For example, DDoS attacks are based on something called a SYN flood, which is a sort of illegal TCP connection where you start the connection, but don’t follow up, and you can overwhelm a server by just continually sending these initialization packets. We can detect that at the edge of our network and just drop those packets. So the customer literally never sees the attack at all because we’re engineered to resist a lot of these kind of commonplace problems.
Reflection attacks, similarly, that’s where you send a packet to a server with a false reply address, and then that server will then respond to the actual victim and you get what is called amplification. So I can send out a small number of packets and get lots of servers now attacking the innocent servers then attacking the target. We can also detect those kinds of reflection attacks and we can mitigate those. So the customer doesn’t even experience those. So there are a lot of things that come from scale and capacity, which make it safer to essentially be inside of this large, powerful kind of envelope running your little smaller workload in this very large environment.
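The two patterns Ryland describes, half-open SYNs that are never followed up and unsolicited amplified replies from servers the victim never queried, as detection logic over constructed flow records. This is an added example, not code from the interview or from AWS; the record layout, the reflector port list and the thresholds are assumptions.

```python
"""Classify constructed flow records into SYN-flood and reflection patterns.

Added example, not from the interview or from AWS. The record layout, the list of
reflector ports and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict

# Record layout (assumed): (src, sport, dst, dport, proto, tcp_flags, size_bytes)
# tcp_flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK; "" for UDP.
REFLECTOR_PORTS = {53, 123, 1900, 11211}   # DNS, NTP, SSDP, memcached: classic amplifiers
HALF_OPEN_MIN, REFLECTOR_MIN, AMPLIFIED_MIN_BYTES = 20, 10, 1000

def half_open_sources(records):
    """Per destination: sources that sent a SYN but never followed up with an ACK."""
    syn_srcs, ack_srcs = defaultdict(set), defaultdict(set)
    for src, _, dst, _, proto, flags, _ in records:
        if proto != "tcp":
            continue
        if flags == "S":
            syn_srcs[dst].add(src)
        elif flags == "A":
            ack_srcs[dst].add(src)
    return {dst: sorted(srcs - ack_srcs[dst]) for dst, srcs in syn_srcs.items()}

def unsolicited_replies(records):
    """Per destination: UDP replies from reflector ports that no query from that
    destination preceded, as (distinct reflectors, average reply size)."""
    queried = {(src, dst) for src, _, dst, dport, proto, _, _ in records
               if proto == "udp" and dport in REFLECTOR_PORTS}
    replies = defaultdict(list)
    for src, sport, dst, _, proto, _, size in records:
        if proto == "udp" and sport in REFLECTOR_PORTS and (dst, src) not in queried:
            replies[dst].append((src, size))
    return {dst: (len({s for s, _ in r}), sum(b for _, b in r) / len(r))
            for dst, r in replies.items()}

def classify(records):
    """Return (kind, target, detail) findings for SYN-flood and reflection patterns."""
    findings = []
    for dst, srcs in half_open_sources(records).items():
        if len(srcs) >= HALF_OPEN_MIN:
            findings.append(("syn_flood", dst, f"{len(srcs)} half-open sources"))
    for dst, (reflectors, avg) in unsolicited_replies(records).items():
        if reflectors >= REFLECTOR_MIN and avg >= AMPLIFIED_MIN_BYTES:
            findings.append(("reflection", dst, f"{reflectors} reflectors, avg {avg:.0f} B"))
    return findings

# Constructed sample traffic.
SAMPLE = [
    # A normal client completes the handshake and makes an ordinary DNS query.
    ("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", "S", 60),
    ("203.0.113.10", 443, "10.0.0.5", 51000, "tcp", "SA", 60),
    ("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", "A", 52),
    ("10.0.0.5", 53000, "192.0.2.1", 53, "udp", "", 70),
    ("192.0.2.1", 53, "10.0.0.5", 53000, "udp", "", 120),
]
# SYN flood: forty spoofed sources open connections they never finish.
SAMPLE += [(f"198.51.100.{i}", 40000 + i, "203.0.113.10", 443, "tcp", "S", 60) for i in range(1, 41)]
# Reflection: twenty DNS servers send large answers to a victim that asked nothing.
SAMPLE += [(f"192.0.2.{i}", 53, "203.0.113.20", 53000, "udp", "", 3000) for i in range(1, 21)]

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(*finding)
```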
CF: What are partners’ biggest needs when it comes to cybersecurity and how is AWS addressing those needs?
Orsi: From a toolset perspective, they want something that is reliable and they want something that’s extensible because every SI, ISV, GSI, you name it, they are unique in their own way and they want their differentiators to make it into that value chain to their customer. And we specifically want that as well. We don’t want every integrator to do it the same because there are very specific needs by vertical, customer size and regulatory compliance requirements in different locations around the world. And I think that’s where AWS really shines. We’ll focus on making sure that releases come frequently. They come often and it’s incremental value in terms of a use case addressed, like GuardDuty EKS, where we’re inside the container runtime environment versus just outside. So they do want to see that road map continue, but they want to see it be extensible.
And that’s been one of our big focuses recently, to make sure that, especially in my team, we educate all the partners that we are working with on best practices and some advice on the way they can integrate our own products together, but theirs as well, and leave enough room for them to go create an idea on their own because that’s when the magic happens, when they’re leveraging the scale, the resilience and the security of AWS.
CF: Is it a challenge helping partners stay ahead of cybercriminals?
Orsi: They are great at what they do. This is what I love about working in my daily life with some of the best and brightest minds in cybersecurity. In the MSSP community, where they’re monitoring and managing multiple customer environments, and each one of those is the crown jewels, what the bad actors will always try to find are different avenues to get to those crown jewels. The partners we work with truly understand that, though. There’s no question in my mind, in every conversation we’ve had, that they take their own security posture very seriously. We add another layer, and my team specifically adds another layer of education and awareness on their own security practices when they join one of our partner programs. They get a dedicated team and it’s not just a business development team. They get an engineering team as well, and they go through a very detailed qualification and validation process so that there should be no keys stored anywhere, for example. We do a thorough audit and checking of all their procedures and how that works.
And there’s a reason why we’re checking for these kinds of things in their overall procedure. The weakest link in a multilayered security posture is typically the human element. And so we definitely go through that process together. It is a journey, and we do stay in contact throughout the month with all these partners sharing best practices. In some cases, we get down to the tactics, techniques and procedures (TTP) level with these folks and we do say, “Hey, we are seeing something here, make sure you’re aware of this, and here’s what it looks like, the common patterns of how that kill chain typically looks and acts in the wild.”
CF: Are supply chain attacks a major threat to AWS?
Ryland: It’s something we have to absolutely work on and be careful about. And for us, that includes hardware supply chain because we actually custom-produce a lot of the equipment that we operate as our cloud platform, also software as well. And the whole ecosystem is now very focused on making sure that our software supply chains remain secure. We’ve made a big investment through the Open Source Security Foundation (OpenSSF), which is a subsidiary or component of the Linux Foundation. We’re on the board of advisors. We’ve committed to spend more than $10 million over the next three years on open source projects to help raise the bar for that part of the supply chain, because there are a lot of small engineering teams out there that build very useful components that are widely used because of their open source nature. And we want to make sure that is also a safe place to go get software. So we’re doing a lot and we’re investing a lot to help other companies improve the security of their software.
We, in turn, use open source software, but we also invest very heavily in the security of the software that we’re developing and then deploying into our services. So there’s a big investment and a big focus on that, trying to get ahead of the problem. SolarWinds was one example where there was a successful supply chain attack. But in general, there hasn’t been too much of a problem relative to other kinds of cyberattacks. But we want to get ahead of that. We know that’s a real concern and a real issue. And we’re doing a lot to make sure that that doesn’t become a big one.
CF: Are you seeing improvement among partners and customers as far as doing the basic things to protect themselves?
Ryland: Yes, I definitely see more of an emphasis on the importance of this, IT modernization generally, but cloud being a big part of that. You really have to think of security from the start and design into your system from the beginning, understand the threat model and build and engineer a system that is more inherently secure as you develop it. And then the whole distinction between engineering and operations is collapsing because people are now doing DevOps, which is, I write code, but I also deploy and operate it, and then I build security into that pipeline.
So now where I see a very large improvement is a realization that we can’t treat security as a bolt-on at the end of a process. It has to permeate the process and we have to do what’s called “shift left” in the industry. It’s the jargon of, let’s bring our security engineering and our security concepts as far to the beginning as we can of the engineering and writing the code, and testing and deploying, and not treat it as the last layer that we add when everything else is done. And that’s a very broad industry trend that I think is helping and will improve security as we go forward.
CF: Are you seeing any new or emerging threats, or are the main threats still the basics, like phishing?
Orsi: We still have the basics to get to the end customer, the mutual customers with our partners. That is why the Level 1 MSSP program has been so successful and beating expectations. Level 1 managed security is actually a standard now. It’s a way to define 10 key areas in AWS that should be monitored 24/7 and exactly how to monitor them and what logs to look for. And a lot of that is the basics. Make sure that somebody is responding to a specific event type … here are the characteristics of an event type that should be considered high severity versus medium, versus low. So some of the basics still exist. There are, of course, reasons why we’re looking at containers. The adoption of containers and modern application design, thankfully, has been amazing. It’s been beyond expectation. I really love to see the builders out there use those. But yeah, I think getting into the runtime environment recently has been a great step forward for us and a lot of our partners that I work with on the access point name (APN) — they’re there with us. They’re with us helping enrich those findings and really understand container escapes, container elevated permission access, to make sure that code is staying where it should be running and not trying to go outside to the orchestration layer. It’s been really important, I believe, and it’s just a product of adoption of containerization in general.
CF: What can partners expect from AWS in terms of cybersecurity in 2023?
Orsi: Expect a continuous drumbeat, I would say, of not just feature capability of our own services, but from the partner community. I think they can expect a lot more of that solutioneering from us, from the use case of could be data protection, and identity and access management. Instead of point conversations, we are talking more and more about the whole big picture solution. And again, the ultimate goal is just to make security easier for our mutual customers. Let’s let the cloud do that undifferentiated heavy lifting. Let’s now focus more of our energy and our talent pools together on the analytics, the threat intelligence, the investigation process on top of that, and try to automate to the best of our abilities and the comfort level of our mutual customers. Because automation is excellent, I would say look out for more ways that AWS is going to be enabling different use cases for security teams to leverage automation. Let us take care of that undifferentiated heavy lifting in the security base.
Archives are now the most popular file type for delivering malware, according to HP Wolf Security’s Q3 threat insights report.
Attackers are delivering malware inside encrypted archives. Some 44% of malware was delivered via archive files in the third quarter. That’s 11% more than the previous quarter and far more than the 32% delivered through Office files.
The report identified several campaigns that were combining the use of archive files with new HTML smuggling techniques. Cybercriminals embed malicious archive files into HTML files to bypass email gateways, and then launch attacks.
For example, recent QakBot and IcedID campaigns used HTML files to direct users to fake online document viewers that were masquerading as Adobe. Users were then instructed to open a zip file and enter a password to unpack the files, which then deployed malware onto their PCs.
“As the malware within the original HTML file is encoded and encrypted, detection by email gateway or other security tools is very difficult,” HP Wolf Security said. “Instead, the attacker relies on social engineering, creating a convincing and well-designed web page to fool people into initiating the attack by opening the malicious zip file. In October, the same attackers were also found using fake Google Drive pages in an ongoing effort to trick users into opening malicious zip files.”
James Quinn is a malware analyst at Intel 471.
“We believe the HTML files described by HP are generated using a toolkit,” they said. “Some campaigns we have observed use several randomly generated passwords (protecting the zip archives). The use of several different passwords in a single campaign suggests that the build process for these payloads is automated, i.e. a builder tool or script creates the final HTML and potentially also intermediary payloads. Another clue is that we observe several disparate threat actors using the same technique. This suggests that a single threat actor is offering a service or tool to other threat actors that use this tool in their spreading campaigns. Besides the Qbot and IcedID (aka Bokbot) campaigns, we have also seen the same HTML smuggling technique used to spread Bumblebee.”
Despite the apparent success in bypassing security controls, this technique has drawbacks as well, Quinn said.
“The end user has to jump through several hoops to make this attack work,” they said. “They must unzip the payload using the provided password, find the malicious ISO file that is extracted, mount the ISO image and finally browse to the script/document to open it. The threat actors behind this new tool continue to refine the technique and add new features. The latest iteration uses Javascript in the HTML payload to only move to the next stage when mouse-movement is detected.”
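A defender-side triage check for the attachment pattern the report and Quinn describe: a script that decodes an embedded blob, hands it to the browser as a file download, a zip magic number inside the page text, and the mouse-movement gate of the latest iteration. This is an added example, not code from HP Wolf Security, Intel 471 or the article; the indicator list, weights, threshold and both sample files are assumptions.

```python
"""Score an HTML e-mail attachment for HTML-smuggling indicators.

Added example, not code from HP Wolf Security, Intel 471 or the article.
The indicator list, weights, threshold and both sample files are assumptions
constructed for illustration.
"""
import base64
import re

# Script-side indicators of the chain described in the report: decode an embedded
# blob, wrap it as a file, hand it to the browser as a download, and (latest
# iteration) wait for mouse movement before doing so.
INDICATORS = {
    "decodes_embedded_data": (re.compile(r"\batob\s*\("), 2),
    "builds_blob": (re.compile(r"\bnew\s+Blob\s*\("), 2),
    "triggers_download": (re.compile(r"createObjectURL\s*\(|msSaveOrOpenBlob|\.download\s*="), 2),
    "mouse_gate": (re.compile(r"mousemove"), 3),
}
# File signatures recognisable from the first bytes of a decoded blob. (An ISO
# image's "CD001" marker sits at offset 0x8001, so a prefix check will not see it.)
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
LIKELY_THRESHOLD = 6

def blob_type(blob):
    """Decode only the first 24 base64 chars (18 bytes) and match archive magic."""
    head = base64.b64decode(blob[:24])
    for magic, name in ARCHIVE_MAGIC.items():
        if head.startswith(magic):
            return name
    return None

def score_html(text):
    """Return a score, the indicators that fired and the long base64 blobs found."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    score = sum(INDICATORS[name][1] for name in hits)
    blobs = []
    for m in BASE64_BLOB.finditer(text):
        kind = blob_type(m.group(0))
        blobs.append({"length": len(m.group(0)), "looks_like": kind})
        if kind is not None:      # an archive hidden in page text is the strongest signal
            score += 3
    verdict = "likely HTML smuggling" if score >= LIKELY_THRESHOLD else "no smuggling pattern"
    return {"score": score, "hits": hits, "blobs": blobs, "verdict": verdict}

# Constructed samples. The "archive" is just a zip magic number followed by text; the
# lure script is a skeleton of the pattern, not a working page.
SAMPLE_BLOB = base64.b64encode(b"PK\x03\x04" + b"constructed sample, not an archive " * 8).decode()
SMUGGLING_HTML = """<html><body><p>Your document is ready. Move the mouse to view it.</p>
<script>
var p = "__BLOB__";
document.addEventListener("mousemove", function () {
  var b = new Blob([atob(p)], {type: "application/octet-stream"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(b); a.download = "Document.zip";
  /* remainder of the lure omitted from this constructed sample */
});
</script></body></html>""".replace("__BLOB__", SAMPLE_BLOB)

# A benign newsletter with an inline image: long base64, but no script-side chain.
PNG_BLOB = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 200).decode()
NEWSLETTER_HTML = ('<html><body><h1>Monthly update</h1><img src="data:image/png;base64,'
                   + PNG_BLOB + '"></body></html>')

if __name__ == "__main__":
    for label, doc in (("lure", SMUGGLING_HTML), ("newsletter", NEWSLETTER_HTML)):
        print(label, score_html(doc))
```

Mail-gateway rules built this way should key on the combination of indicators, since a long base64 run on its own (inline images, fonts) is common in legitimate mail.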
Amazon Web Services (AWS) launched 16 years ago with cybersecurity as a top priority, knowing it could be a “business-ending” issue. And that’s helped keep the cloud giant safe from data breaches and ransomware attacks.
That’s according to Mark Ryland, AWS’ director of the office of the CISO. His team’s function is handling customer engagement on behalf of AWS cybersecurity.
Cybersecurity was a hot topic at this week’s AWS re:Invent in Las Vegas. AWS unveiled Amazon Security Lake, a service that automatically centralizes an organization’s security data from cloud and on-premises sources into a data lake in a customer’s AWS account so customers can act on security data faster.
Security analysts and engineers can use the service to aggregate, manage and optimize large volumes of disparate log and event data. That aims to enable faster threat detection, investigation and incident response.
AWS Cybersecurity Priorities
We spoke with Ryland and Ryan Orsi, AWS’ worldwide cloud foundations partner lead for security — MSSP/identity/ops/management, to find out more about AWS’ cybersecurity priorities.
Channel Futures: Was there an overall message at re:Invent for partners in terms of cybersecurity?
Ryan Orsi: I would say absolutely. I kind of tie this back to CEO Adam Selipsky’s keynote where he announced Amazon Security Lake. It’s yet again the next evolution. Let AWS do the undifferentiated heavy lifting. We work with a lot of partners. And they have to develop their software to integrate with so many sources of logging telemetry. With Security Lake, they can sort of boil that down to one because now it’s a single common file-logging format. They have less code to maintain, [fewer] integrations to maintain, and they can focus more on the analytics side, the threat intelligence and threat investigation side.
See our slideshow above for more from Ryland and Orsi, and more of the week’s cybersecurity news.