What Happened in That Cyberattack? With Some Cloud Services, You
Major cloud platforms, such as Google Cloud Platform (GCP), fail to adequately log the event data that could facilitate the detection of compromises and the forensic analysis during post-compromise response, according to an analysis.
Cloud security firm Mitiga stated in an advisory published on March 1 that Google Cloud Platform allows customers to turn on storage access logs, but once an attacker has compromised a legitimate user's identity, those logs do not record enough detail to reconstruct what the attacker did with the data, creating forensic visibility gaps.
The security issues include failing to generate dedicated log information for critical actions related to exfiltration, failing to collect detailed information about changes to data, and a general lack of visibility that would give a picture of what happened, the advisory stated.
Several distinct actions, such as reading an object's metadata and downloading its contents, are recorded as a single type of access, leaving analysts unable to tell which one actually happened, says Veronica Marinov, an incident response investigator with Mitiga and author of the advisory.
“Google Cloud storage logging is missing granular log events,” she says. “In the case of interacting with bucket objects, you can’t really differentiate between downloading the object, viewing its content, and just looking at the metadata of the said object.”
As companies move their infrastructure and operations to the cloud, attackers have followed. For instance, a report earlier this week described an opportunistic attacker that moved laterally inside one company's cloud environment in an attempt to steal sensitive data, only to be stopped by rigorously scoped permissions.
In its latest annual “Global Threat Report”, cybersecurity services firm CrowdStrike noted that cloud exploitation incidents had increased by 95% in 2022, compared with the previous year, while cloud-conscious threat actors — which the firm defined as those who use “a variety of tactics, techniques, and procedures (TTPs) to exploit cloud environments” — nearly tripled. The increase in cloud-focused attacks means that companies need to focus on visibility and really understanding the changes being made to cloud environments, says Adam Meyers, head of intelligence at CrowdStrike.
“For years, cloud threats have been concerning, but it was pretty low tech, and they generally resulted in a cryptominer being deployed,” he says. “Cloud is clearly in the sights of the threat actors now.”
Logs Need More Detail
A key to understanding what happened during a compromise is having adequate visibility through detailed logging of events in cloud services. Forensics investigators rely on logs to determine what happened, what data may have been at risk, and what threat actors accomplished, Mitiga stated in the advisory.
While attackers often turn off logging as part of their compromise of cloud services, a knowledgeable attacker could also skip that and construct an attack chain that results in very little detail being revealed in Google Cloud Platform log files, Mitiga stated.
“Unfortunately, GCP does not provide the level of visibility in its storage logs that is needed to allow any effective forensic investigation, making organizations blind to potential data exfiltration attacks,” Mitiga said in its advisory. “This prevents organizations from efficiently responding to incidents, as they have no chance to correctly assess what data has been stolen or whether it has been stolen at all.”
Google Cloud acknowledged the issues, while stressing that it does not consider the lack of visibility to impact the security of its platform. The company maintained that there is no risk of data infiltration, that the issue is not a vulnerability, and that customer data is secure (all assertions also made by Mitiga). Google Cloud plans to further investigate the forensics gap, however.
“While improving log forensics hasn’t been an issue raised by our customers, we are continually evaluating ways to improve customers’ insight into their storage,” the company said in a statement sent to Dark Reading. “The highlighted forensics gap in the blog is one of those areas we are examining.”
Among Google Cloud's recommendations are turning on and configuring VPC Service Controls, which restrict which identities and networks can reach a storage bucket, and organization restriction headers, which block requests aimed at resources outside the customer's own organization. Both limit where data can go and produce additional log events when a request is denied.
Not Just Google
The ability to access detailed logs is part of the shared-responsibility model between cloud providers and customers. To take responsibility for their infrastructure in the cloud, organizations need detailed insight into activity. While the advisory specifically calls out GCP, other cloud providers have similar issues, Marinov says, without naming names.
“We had seen, in other cloud providers, cases where we can’t really understand what happened only by seeing the logs,” she says. “We are in touch with vendors on such specific gaps. Only after completing our responsible disclosure process are we able to share details with the media.”
Amazon's Simple Storage Service (S3) access logs, for example, record the right level of detail, the advisory stated: "It is important to note that this deficiency is not inherent to cloud services and could be easily addressed by providing more detailed information in the logs. An example can be seen with AWS S3 access logs, which distinguish each of the event types with its own event log name."
Mitiga did not say whether AWS’s other services are among those the company is investigating for gaps in forensics information.
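To make the gap described above concrete (the single GCS event type for metadata reads and downloads, versus S3 access logs naming each operation), here is an added example that is not code from Mitiga, Google or Dark Reading. It parses a few constructed GCS data-access audit entries and S3 server access log lines, shows what each lets an analyst conclude about an object read, and runs the kind of volume-based triage rule an investigator falls back on when the log cannot say whether content left the bucket. The 60-second window and three-object threshold are assumptions for the example, as are all the log values.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed GCS Cloud Audit Logs (Data Access) entries, trimmed to the fields
# used here. A metadata lookup, a console preview and a full download of the
# same object all arrive with methodName "storage.objects.get".
GCS_ENTRIES = [
    {"timestamp": "2023-03-01T10:00:01Z", "methodName": "storage.objects.get",
     "principalEmail": "alice@example.com",
     "resourceName": "projects/_/buckets/finance-reports/objects/q4.xlsx"},
    {"timestamp": "2023-03-01T10:00:05Z", "methodName": "storage.objects.get",
     "principalEmail": "alice@example.com",
     "resourceName": "projects/_/buckets/finance-reports/objects/q4.xlsx"},
    {"timestamp": "2023-03-01T10:02:00Z", "methodName": "storage.objects.get",
     "principalEmail": "svc-etl@example.iam.gserviceaccount.com",
     "resourceName": "projects/_/buckets/finance-reports/objects/q1.xlsx"},
    {"timestamp": "2023-03-01T10:02:03Z", "methodName": "storage.objects.get",
     "principalEmail": "svc-etl@example.iam.gserviceaccount.com",
     "resourceName": "projects/_/buckets/finance-reports/objects/q2.xlsx"},
    {"timestamp": "2023-03-01T10:02:07Z", "methodName": "storage.objects.get",
     "principalEmail": "svc-etl@example.iam.gserviceaccount.com",
     "resourceName": "projects/_/buckets/finance-reports/objects/q3.xlsx"},
    {"timestamp": "2023-03-01T10:02:09Z", "methodName": "storage.objects.get",
     "principalEmail": "svc-etl@example.iam.gserviceaccount.com",
     "resourceName": "projects/_/buckets/finance-reports/objects/q4.xlsx"},
]

# Constructed S3 server access log lines for the same two reads of q4.xlsx:
# the download is REST.GET.OBJECT with a byte count, the metadata lookup is
# REST.HEAD.OBJECT with no bytes sent.
S3_LINES = [
    '79a59df9EXAMPLE finance-reports [01/Mar/2023:10:00:01 +0000] 192.0.2.3 '
    'arn:aws:iam::123456789012:user/alice 3E57427FEXAMPLE REST.GET.OBJECT q4.xlsx '
    '"GET /finance-reports/q4.xlsx HTTP/1.1" 200 - 524288 524288 41 12 "-" '
    '"aws-cli/2.11.0" - hostidEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader '
    'finance-reports.s3.us-east-1.amazonaws.com TLSV1.2 - -',
    '79a59df9EXAMPLE finance-reports [01/Mar/2023:10:00:05 +0000] 192.0.2.3 '
    'arn:aws:iam::123456789012:user/alice 3E57427FEXAMPLE REST.HEAD.OBJECT q4.xlsx '
    '"HEAD /finance-reports/q4.xlsx HTTP/1.1" 200 - - 524288 9 8 "-" '
    '"aws-cli/2.11.0" - hostidEXAMPLE= SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader '
    'finance-reports.s3.us-east-1.amazonaws.com TLSV1.2 - -',
]

S3_FIELDS = ["bucket_owner", "bucket", "time", "remote_ip", "requester",
             "request_id", "operation", "key", "request_uri", "http_status",
             "error_code", "bytes_sent", "object_size"]

S3_OPERATION_ACTION = {"REST.GET.OBJECT": "download", "REST.HEAD.OBJECT": "metadata read",
                       "REST.PUT.OBJECT": "upload", "REST.DELETE.OBJECT": "delete"}

GCS_METHOD_ACTION = {
    # One method name covers metadata lookup, preview and download alike.
    "storage.objects.get": "read (download, preview or metadata: not distinguishable)",
    "storage.objects.list": "list objects",
    "storage.objects.create": "create or overwrite",
    "storage.objects.delete": "delete",
}


def parse_s3_line(line):
    """Split an S3 server access log line; bracketed time and quoted fields keep their spaces."""
    tokens = re.findall(r'\[[^\]]*\]|"[^"]*"|\S+', line)
    rec = dict(zip(S3_FIELDS, tokens))  # trailing fields are not needed here
    rec["time"] = datetime.strptime(rec["time"], "[%d/%b/%Y:%H:%M:%S %z]")
    rec["bytes_sent"] = 0 if rec["bytes_sent"] == "-" else int(rec["bytes_sent"])
    return rec


def classify_s3(rec):
    return S3_OPERATION_ACTION.get(rec["operation"], "other: " + rec["operation"])


def classify_gcs(entry):
    return GCS_METHOD_ACTION.get(entry["methodName"], "other: " + entry["methodName"])


def normalize_gcs(entries):
    """Map audit entries to a common event shape; note there is no byte count to carry over."""
    events = []
    for e in entries:
        name = e["resourceName"]
        events.append({"time": datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                       "principal": e["principalEmail"],
                       "object": name.split("/objects/", 1)[1] if "/objects/" in name else None,
                       "action": classify_gcs(e), "bytes": None})
    return events


def normalize_s3(lines):
    events = []
    for r in map(parse_s3_line, lines):
        events.append({"time": r["time"], "principal": r["requester"], "object": r["key"],
                       "action": classify_s3(r), "bytes": r["bytes_sent"]})
    return events


def bulk_readers(events, window_seconds=60, min_objects=3):
    """Compensating triage: flag principals that touch many distinct objects in a short
    window, since a GCS entry alone cannot say whether content left the bucket.
    Returns {principal: sorted objects} for the first window that trips the threshold."""
    by_principal = defaultdict(list)
    for ev in sorted(events, key=lambda ev: ev["time"]):
        if ev["object"] and ev["action"].startswith(("read", "download")):
            by_principal[ev["principal"]].append(ev)
    flagged = {}
    for principal, evs in by_principal.items():
        for i, start in enumerate(evs):
            objs = {e["object"] for e in evs[i:]
                    if (e["time"] - start["time"]).total_seconds() <= window_seconds}
            if len(objs) >= min_objects:
                flagged[principal] = sorted(objs)
                break
    return flagged


if __name__ == "__main__":
    for ev in normalize_gcs(GCS_ENTRIES) + normalize_s3(S3_LINES):
        print(ev["time"].isoformat(), ev["principal"], ev["object"], ev["action"], ev["bytes"])
    print("bulk readers (GCS):", bulk_readers(normalize_gcs(GCS_ENTRIES)))
```

Run over the constructed data, the two S3 lines resolve to "download" with 524288 bytes sent and "metadata read" with none, while the two GCS entries for the same object collapse to the same undifferentiated "read" with no byte count; the only signal left in the GCS set is the service account that read four distinct objects within nine seconds, which the volume rule flags.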