Saturday, 7 April 2018

Use Amazon Web Services Honey Tokens to identify Security breaches at scale

Researchers at Black Hat Asia reported that security breaches can be detected with AWS honey tokens. Security analysts demonstrated how to identify breaches by using Amazon Web Services keys as honey tokens to ambush cybercriminals. Daniel Grzelak, Head of Security at Atlassian, explained that a honey token is a resource or credential that exists only to be logged or monitored and has no practical use. It can be almost anything: an email address that belongs to nobody, a URL that nobody visits, or a DNS name that no one should ever resolve.

Dan Bourke, a senior security analyst at Atlassian, and Daniel Grzelak showed in their presentation how AWS keys can be configured as honey tokens at scale. Such honey tokens can be placed anywhere in your environment or supply chain, wherever a threat actor might find them and try to use them. As a result, you learn where and when a security breach has occurred.

Grzelak said these keys are valuable to attackers and interesting for a few reasons. Hackers who find Amazon Web Services keys know how to use them to take control of someone's infrastructure, so whenever an account is compromised, one of the first things attackers do is look for another credential that gives them access to something more.

Amazon Web Services offers a complex, full-featured access management infrastructure, and keys to that infrastructure are placed everywhere. They are frequently found in GitHub repositories, but also on desktops, in txt files and much more. An AWS access key is like a scratch-off lottery ticket: if the attacker wins, they gain control over the infrastructure; if they lose, the key is just an information disclosure vector that gives them more chances to win. Either way, they have to test it first. When an attacker finds an access key, there is no way to learn what it unlocks other than to use it. An access key can be the keys to the kingdom, but it doesn't have to be: it could give them a lot of power or nothing at all. That is exactly what lets businesses identify breaches in their networks.

Logging in Amazon Web Services means that denied actions are recorded, and businesses can make use of that. If AWS keys are set up as honey tokens, the security team learns exactly when someone has tried to use a specific token. You can create a single honey token key (as you can on Thinkst) and put it on a desktop. Bourke and Grzelak wanted to generate tokens at scale to find out what the implications would be if a business could place thousands of honey tokens across the enterprise. The talk is available as a video for those who want to learn more about AWS honey tokens.

Project Spacecrab:

Project Spacecrab was built to generate many tokens by letting its users create, annotate and alert on Amazon Web Services keys that do not grant access to anything, at mass scale. Every key gets a deny-all policy, so whenever anyone tries to use one, the attempt is logged into an S3 bucket. Since AWS has a per-account limit of 5000 users and each can have two access keys, there is a limit of 10000 tokens per account, but it was observed that more are needed to cover the many microservices of a cloud service or the number of desktops in an enterprise.
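The mechanism described above (a deny-all honey user whose key usage still lands in CloudTrail) and the Spacecrab-style "annotate, then alert" workflow, as an added example that is not Spacecrab's or Atlassian's code. The honey key IDs, the planted locations and the CloudTrail records are all constructed; the one real caveat it shows is that `sts:GetCallerIdentity` succeeds even under a deny-all policy, so the detector keys on the access key ID rather than on `AccessDenied` errors.

```python
import json

# Constructed honey token inventory: access key ID -> where the key was planted.
# The AKIA... values are made-up placeholders, not real AWS key IDs.
HONEY_TOKENS = {
    "AKIAEXAMPLEHONEY0001": "Alice's laptop, ~/Documents/aws_creds.txt",
}

# Policy attached to every honey user (same idea as Spacecrab): the key can
# never do anything, but CloudTrail still records every attempt to use it.
DENY_ALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
}

# Constructed CloudTrail log file with three records: two from a honey key and
# one from a legitimate key. sts:GetCallerIdentity succeeds even under a
# deny-all policy, so a detector must key on the access key ID, not on
# AccessDenied errors alone.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2018-04-07T10:12:01Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEHONEY0001"}},
    {"eventTime": "2018-04-07T10:12:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.45",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEHONEY0001"}},
    {"eventTime": "2018-04-07T10:15:33Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEREAL00001"}},
]})


def honey_token_hits(cloudtrail_json):
    """Return one alert per CloudTrail record made with a honey token key."""
    alerts = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        if key_id not in HONEY_TOKENS:
            continue  # legitimate key: not a honey token hit
        alerts.append({
            "key_id": key_id,
            "planted_at": HONEY_TOKENS[key_id],   # tells you *where* the breach is
            "time": rec.get("eventTime"),         # and *when*
            "source_ip": rec.get("sourceIPAddress"),
            "action": f'{rec.get("eventSource")}:{rec.get("eventName")}',
            "denied": rec.get("errorCode") == "AccessDenied",
        })
    return alerts
```

Running `honey_token_hits(SAMPLE_CLOUDTRAIL)` yields two alerts for the honey key (the successful GetCallerIdentity and the denied ListBuckets) and none for the legitimate key.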

From the experiment they learned that AWS monitors public repositories closely and will open support cases when keys are placed in a public GitHub repository. Posting hundreds of AWS keys to the internet also violates the Amazon Web Services terms of use. The Project Spacecrab team also found that when someone posts credentials to a public repository on GitHub, there is an 83% chance that someone will use them, and they pointed out that it takes on average only 30 minutes for them to be exploited. They also observed that only 9% of tokens posted to Pastebin were exploited, compared with the 80% exploitation rate of tokens on GitHub.
