Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

3/22/2018
01:00 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Hunting Cybercriminals with AWS Honey Tokens

Researchers at Black Hat Asia demonstrated how they used AWS honey tokens to detect security breaches at scale.

BLACK HAT ASIA - Singapore - Security analysts here today demonstrated how to detect security breaches by using Amazon Web Services (AWS) keys as honey tokens to lure cybercriminals.

A honey form is any form of credential or resource that you can use for monitoring and logging on, but doesn't exist anywhere in practical terms, explained Daniel Grzelak, head of security at Atlassian. It can be anything: an email address that doesn't belong to anyone and is generally available, a DNS name no one should ever resolve, a URL that nobody ever visits.

In their presentation, Grzelak and Dan Bourke, senior security analyst at Atlassian, showed how AWS keys can be configured as honey tokens at scale. These tokens can be placed anywhere across your environment or the supply chain and when threat actors find them, they'll try to use them. As a result, you'll know when and where a security breach occurs.

These keys are valuable to attackers and interesting for a few reasons, Grzelak said. Hackers who find AWS keys know they could use them to control someone's infrastructure. "Whenever some account gets compromised, one of the first things attackers do is look for another credential that lets them get into something more," he continued.

AWS provides complex, full-featured policy access management infrastructure, and keys to this infrastructure are placed everywhere. They're frequently found in GitHub repositories but also in .txt files, on the desktop, etc.

An AWS access key is like a scratch-off lottery ticket. If the attacker wins, they gain control over someone's infrastructure. If they lose, the key is simply an information disclosure vector that gives them more chances to win. However, they have to test it first.

"If an attacker finds an access key, there's no other way to find if it's useful other than to use the access key," Grzelak said. "One important property is, while access keys might be the keys to the kingdom, they don't have to be."

These keys could potentially grant hackers a lot of power or grant them nothing. They could also help businesses detect breaches in their networks. The logging capability in AWS means denial actions are logged and businesses can use them. If AWS keys are configured as honey tokens, a security team can know when, exactly, someone tried to use a specific token to log in.

If you want to generate a single access token, you can do so on Thinkst and put the token on your desktop. However, Grzelak and Bourke wanted to create tokens at scale to determine the implications if a business could place thousands of honey tokens across an enterprise.

Project Spacecrab

To generate this many tokens, the researchers built Project Spacecrab, which let users create, annotate, and alert on AWS keys, which don't provide access to anything, at mass scale. All keys get the deny-all policy so if anyone tried to use them, their actions are loaded into an S3 bucket.

Since AWS has a per-account user limit of 5,000 users and each can have two tokens, there is a limit of 10,000 tokens per account. However, as the researchers pointed out, that would be plenty to cover microservices for cloud services, or the number of desktops in an enterprise.

A few interesting lessons came from this experiment. The first: AWS closely monitors public Github repositories and will open support cases when public keys are put into a public GitHub repository. The second: Posting hundreds of keys to the Internet violates the AWS terms of use.

Project Spacecrab also showed that when someone posts their credentials to a public repository on GitHub, there's an 83% chance someone will use them. The average time to exploit after posting is almost exactly 30 minutes, the researchers pointed out.

Pastebin, in contrast, has a completely different exploitation profile. Only 9% of tokens posted on Pastebin were exploited, compared with more than 80% on GitHub.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Ritu_G
50%
50%
Ritu_G,
User Rank: Moderator
8/19/2018 | 11:41:35 PM
hi
We have to tackle this problem regardless of what it takes. We have to come up with means and measures to ensure we take them down one way or another. It might be costly, it could get tough but we still need to get it done right. Whatever methods we might think of, we need to try them out to see if we finally can get this whole cyber crimes under control.
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...