Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Connect Directly
E-Mail vvv

Capital One Breach: What Security Teams Can Do Now

Knowing the methods of the attacker, as laid out in the federal indictment, allow us to prevent similar attacks.

Oh, the Monday blues. You start the week moody because the weekend is over, though the feeling typically subsides once you're in the office. But for the 106 million people with stolen data affected by the Capital One data breach, the Monday blues on July 29 were dark indeed.  

That's when Capital One first announced it had determined "there was unauthorized access by an outside individual who obtained certain types of personal information" relating to its customers on July 19, 2019. The compromised data included names, addresses, phone numbers, self-reported income, credit scores, and payment histories, among other personal information belonging to approximately 100 million customers in the United States and 6 million in Canada. The alleged perpetrator of this breach, Paige Thompson, has already been arrested by federal law enforcement.

The team at Digital Shadows has been closely following the indictment and the resulting fallout, including the media coverage. Using the MITRE ATT&CK and PRE-ATT&CK framework, we've identified what we know and a number of practical steps to help security teams avoid similar situations.

What We Know
On July 17, 2019, an email was received by Capital One's responsible disclosure inbox claiming that internal data was posted to GitHub. Capital One's investigation revealed a file time-stamped April 21, 2019, containing the IP address of one of Capital One's cloud instances. Upon review, there were indications that its cloud environment had been compromised by an attacker who subsequently exfiltrated data from it.

Here is what we know about the attacker's process:

1. Initial Access: T1190 Exploit Public-Facing Application, T1133 External Remote Services
Execution: T1059 Command-Line Interface
"A firewall misconfiguration permitted commands to reach and be executed by that server," according to the indictment. It is unclear precisely which misconfiguration was used to compromise the cloud instance but there are some possibilities:

  • A vulnerable web application was inadvertently exposed to the Internet and exploited, possibly via a server-side request forgery attack.
  • A remote access service was inadvertently exposed to the Internet with no or weak credentials.

Mitigation: It's critical to continuously assess cloud environments for security issues, especially those at risk of external access from the public Internet. Reviewing security group configurations regularly can help ensure that services are not accidentally exposed and access controls are correctly applied.

2. Credential Access: T1098 Account Manipulation
The attacker was able to gain unauthorized access to temporary role credentials once in Capital One's cloud instance. Three commands were retrieved from the GitHub file, according to the indictment, which the attacker used for post-exploitation activities. Temporary credentials were generated by the first command.

Mitigation: When an authorized entity, such as a user or an application, requires access to an AWS service, the identity access management (IAM) system issues a set of temporary credentials. However, continuously monitoring these credential sets is challenging in complex cloud environments due to their dynamic nature. Although it does take significant effort to make this mitigation technique work effectively, it can prove effective when dealing with an infiltration.

3. Discovery: T1007 System Service Discovery
The second post-exploitation command was to list the Amazon S3 buckets that the attacker assumed they had access to given their identity.

Mitigation: While real-time alerting is an issue, AWS CloudTrail logging can help an organization track this type of activity. CloudTrail keeps a log of activity on your AWS account and stores it in an S3 bucket for you for further analysis.

4. Exfiltration: T1048 Exfiltration Over Alternative Protocol
According to the indictment, syncing the S3 bucket contents with an attacker-controlled server was the third post-exploitation command executed. This relied on access granted via the assumed identity providing the attacker with access to more than 700 buckets.

Mitigation: As with the previous issue, AWS CloudTrail logging can help an organization track this type of activity, despite the real-time alerting issue.

5. PRE-ATT&CK Establish and Maintain Infrastructure
T1329 Acquire and/or Use Third-Party Infrastructure Services
The attacker used a combination of Tor and IPredator (a paid VPN provider) to hide her network identity when attacking the Capital One cloud environment, as stated in the indictment.

Mitigation: Whitelisting access to resources from a set of known-good IP addresses, if possible, can help prevent unauthorized access. IP whitelisting should only be used in conjunction with other, strong authentication mechanisms — it can only be applied in environments where it is known from where an authorized user will be accessing an environment.

What We Don't Know
The attacker worked for Amazon in the past so the "insider" angle has been played up in the media. However, the indictment does not imply that the attacker had any privileged access based on previous employment. Instead, it appears that the attacker used her knowledge and experience to exploit a vulnerability in the misconfigured firewall. 

The attacker's motives remain unconfirmed. While many data breaches conducted against banks are financially motivated, the Capital One hack was publicized by the attacker, a known member of a hacking club. It is possible that this hack was conducted for personal motives, but details are still unfolding.

Related Content:

Richard Gold is a hands-on information security professional who has over a decade's worth of experience in understanding and securing computer networks. With his background as a Certified SCADA Security Architect and a Ph.D. in computer networking, Richard uses knowledge ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
User Rank: Ninja
8/25/2019 | 9:16:30 AM
Excellent write up
Excellent write-up, you brought up some valid and key points. One thing that may have been overlooked by Capital one is that this may have been planned from the beginning. But I do think the infiltration or compromise was much easier than that.

When she worked for capital one, she intentionally created a back door where she had implemented credentials under another name as well as misconfigured the WAF intentionally; remember, she had full access to the security section of AWS therefore she had access to all of the access and secret keys. But it will be interesting to see what unfolds in the next few months as more case information is brought to the public.


User Rank: Ninja
8/27/2019 | 10:18:55 AM
Re: Some people

"Amazon Web Services "was not compromised in any way and functioned as designed," Amazon said in a statement, adding that the reason for the breach was a misconfiguration of firewall settings managed on the cloud server by Capital One, not a vulnerability in the cloud server itself."

This was done intentionally because of the WAF's configuration, it has to be configured to allow such entry (she had insider knowledge). She intentionally modified permissions from the AWS WAF-Role to allow for this type of attack. One thing that they left out, how did she gain access to the AWS cloud environment when the SG (Security Groups) and VPN access should have blocked this intrusion from an mgmt standpoint (again another area of weak security rules and no one reviewing the work).

Also, there is something that was left out, if they (Capital-One) were not notified of the incident and she did not share her experience online, then how long would this have gone on before they would have known (years)?

This is what I mean by organizations who have been lax in their security mechanisms even though they profess to ensure data integrity at all costs (why didn't they know about customer account data being moved or copied, NSA had the same problem with Ed Snowden, if he had not said anything to the public, they would have never known, seems as though history is repeating itself and we continue to miss our lessons-learned).


7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Take me to your BISO 
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-11
In JetBrains UpSource before 2020.1.1883, application passwords were not revoked correctly
PUBLISHED: 2021-05-11
In JetBrains WebStorm before 2021.1, code execution without user confirmation was possible for untrusted projects.
PUBLISHED: 2021-05-11
In JetBrains WebStorm before 2021.1, HTTP requests were used instead of HTTPS.
PUBLISHED: 2021-05-11
In JetBrains TeamCity before 2020.2.3, information disclosure via SSRF was possible.
PUBLISHED: 2021-05-11
In JetBrains TeamCity before 2020.2.3, reflected XSS was possible on several pages.