Rapid7 Analyzes Attacks In, Across, Against the Cloud

Security analytics and testing firm Rapid7 this week unveiled Project Heisenberg Cloud, a research project designed to use the cloud to get a closer look at what attackers are doing, both in the cloud and across the Internet.

Heisenberg (PDF) itself is a honeypot framework distributed within the Amazon, Azure, Digital Ocean, Rackspace, Google and SoftLayer clouds. Since these six providers make up nearly 15% of available IPv4 addresses on the Internet, it was an opportunity to examine activity in, across and against individual and collective cloud environments.

There was no preconceived intent on what to look for. Indeed, Bob Rudis told SecurityWeek that the two project leads, himself and Derek Abdine, had different opinions: one thinking that they would learn more about general Internet attack activity, and the other thinking they would learn more about activity within the cloud. In the event, they saw both.

For example, following the Mirai attack against Brian Krebs, they configured the honeypot to detect Mirai connection attempts — and identified nearly 100,000 devices that are or were part of the botnet. Focusing within the individual clouds, however, Heisenberg detected unexpected differences in ARM activity (attackers, researchers and misconfigurations) between the clouds.

The Heisenberg honeypots are lightweight, configurable nodes that send back full packet captures for post-interaction analysis by Rapid7, used for both live monitoring and historical data mining. There are currently 136 honeypots within the six providers, although Rapid7 hopes this number will increase as the project proceeds.

Project Heisenberg Cloud Data

The initial intent was to examine ‘activity’ rather than solely attacks. The ‘misconfiguration’ aspect of ARM turned out to be not uncommon. The fluid nature of cloud usage means that IP addresses readily come and go within an individual organization’s cloud configuration. Configuration files are used to control users’ cloud environments, but they are not always managed efficiently. As a result, devices can continue to poll other devices that may no longer be part of the original cloud configuration.

This is not likely to be a serious problem beyond minimal unnecessary bandwidth use — but technically, if both parties use the same default credentials, company ‘A’ could ‘accidentally’ access devices now being used by company ‘B’. It is, at the very least, an indication that an organization is not adhering to best IT practices.

Specific attacks coming against the honeypots were myriad. These, says the associated Heisenberg report, included “active attempts to exploit the recent Juniper NSA backdoor, PHP services, remote desktop environments, point-of-sale systems databases, and more. The data also showed that sites that illegally scrape and aggregate pornography content and services that ‘mashup’ data sources — such as airline price data — seek out anonymous proxies in an attempt to cover their tracks. There is also active use of logging and reporting infrastructure injection attacks in HTTP referrer and user agent fields.”
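The injection attempts in HTTP referrer and user-agent fields that the report describes leave traces in ordinary web-server access logs. As an added example (not code from Rapid7 or the Heisenberg report), the Python below parses Combined Log Format lines and flags those two fields when they carry common injection markers; the log lines, IP addresses and indicator names are all constructed for illustration.

```python
import re

# Constructed sample access-log lines in Combined Log Format (not Heisenberg data).
# Line 1 is benign; lines 2-4 carry payloads in the Referer or User-Agent field.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "http://example.com/" "Mozilla/5.0"
203.0.113.6 - - [10/Nov/2016:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "<script>alert(1)</script>" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2016:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "() { :; }; /bin/sh -c id"
203.0.113.8 - - [10/Nov/2016:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "' OR '1'='1" "Mozilla/5.0"
"""

# Combined Log Format: ip ident user [ts] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator names are our own labels; patterns cover markers that have no
# business appearing in a Referer or User-Agent header.
INDICATORS = {
    "html_or_script_tag": re.compile(r"<\s*/?\s*(script|img|iframe|svg)\b", re.I),
    "shellshock_function": re.compile(r"\(\)\s*\{"),
    "sql_tautology": re.compile(r"('|\")\s*(or|and)\s+['\"]?\d+['\"]?\s*=", re.I),
    "shell_command": re.compile(r"(\|\||;|&&|`|\$\()\s*(/bin/|sh\b|bash\b|wget\b|curl\b)", re.I),
    "control_chars": re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]"),
}


def parse_line(line):
    """Return the named fields of one log line, or None if it is not CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_injection(fields):
    """List (field, indicator) pairs for every marker found in referer or UA."""
    hits = []
    for field in ("referer", "ua"):
        for name, pattern in INDICATORS.items():
            if pattern.search(fields[field]):
                hits.append((field, name))
    return hits


def scan_log(text):
    """Return one finding per log line whose referer/UA fields carry markers."""
    findings = []
    for line in text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue  # unparsable lines are skipped, not silently trusted
        hits = flag_injection(fields)
        if hits:
            findings.append({"ip": fields["ip"], "hits": hits})
    return findings
```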

The expectation was that the project would unearth similar statistics across all of the clouds. The reality is that this does not happen. There are significant differences in the services exposed by users within the different clouds (data from Rapid7’s earlier Project Sonar 2016 National Exposure Index). Not only do these differences exist, it seems that they are known. “The kinds of services exposed by each cloud provider’s user populations are varied according to the provider,” says the report. “These differences are being tested and exploited today by a range of adversaries who are clearly aware of these differences.”

While Rapid7 is already able to offer advice from this initial analysis, it is likely that more benefits will follow in the future. Immediate advice includes a range of ports that should be avoided because “the team observed a far greater number of attacks, anonymous proxy probes, and misconfigured service traffic coming at these ports;” log everything, because your own logs may be the only available forensic evidence if things fail; and, not unusually, stay up to date with patches and updates, because “the research team detected exploits against known CVEs, both old and new, and at the operating system and application infrastructure level.”

In the future, however, more concrete developments may ensue. Project lead Bob Rudis confirmed that Microsoft is already looking at the Azure-specific data from Heisenberg. There is the strong possibility that the ‘ARM’ data could be used by both cloud providers and cloud users to improve future cloud security.

Rapid7 announced Project Heisenberg Cloud at its UNITED 2016 Security Summit this week in Boston, of which SecurityWeek was a media sponsor.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
