Wave Systems Corp. (fka WAVXQ)

[Genz2]

Detecting attackers obfuscating their IP address inside AWS

https://www.helpnetsecurity.com/2021/05/18/detecting-attackers-inside-aws/

Security researchers have documented an attack technique that may allow attackers to leverage a legitimate Amazon VPC feature to mask their use of stolen API credentials inside AWS.

The feature and its exploitation potential

“Amazon Virtual Private Cloud (Amazon VPC) is a service that lets you launch AWS resources in a logically isolated virtual network that you define,” AWS explains.

Customers have complete control over their virtual networking environment, and can select their own IP address range, create subnets, and configure route tables and network gateways.

Unfortunately, the feature that allows customers to control their IP addresses also allows attackers to control the IP address written to AWS CloudTrail logs when accessing a compromised account via a newly created VPC endpoint.

“This can potentially enable an attacker to fool various security protections that rely on the Cloudtrail logs, such as SIEMs and cloud security tools. In addition, analysts looking for evidence of an attack might miss it,” Hunters researchers noted.

Attackers can obfuscate their IP address by making it look like an “organizational” public IP address, an employee “home” external IP address, a (potentially whitelisted) third party service provider public IP address, or a special private, reserved, testing or documentation-only IPv4 subnet block.

They could thus make it seem that a malicious action has been performed by an employee, or make it fly under the radar of threat intelligence and reputation services.

What attackers can’t do with this technique is to change the IAM permissions the attacker has when using victims’ compromised AWS API credentials, nor bypass IP-based IAM policies.

There is a solution

This technique may allow attackers to bypass security measures that rely solely on AWS CloudTrail, an AWS web service that allows customers to log, continuously monitor, and retain account activity related to actions across their AWS infrastructure (including AWS API activity).

Defenders should not rely on the contents of the “sourceIPAddress” field in the logs to detect attackers inside AWS, making API requests/calls, the researchers noted. Instead, they should review the “vpcEndpointID” field.

“If you use VPC endpoints in your environment, the only significant difference between the logs created by legitimate actions and the attacker’s actions is the specific VPC endpoint IDs logged. We recommend addressing this use-case with more anomalous-based detection logic, detecting usage of a new VPC endpoint ID never seen before in the organization,” the researchers advised.

They also recommended AWS CloudTrail users to cross-reference their cloud events with other sensors on endpoints, on-premises, email, identity, etc, to trace inconsistent logging and missed threats.
=================================================================
Using Wave and the TPM to identify known and approved devices on your network sounds better than the method used in this article!!! Device authentication and Wave VSC 2.0 has another great use rather than using IP addresses in AWS to validate identity!!! This could be another great avenue for Wave to help the market with its awesome solutions (ie. Wave VSC 2.0)!!!
==================================================================
http://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management

Excerpts:

Secure device & user authentication

Sometimes it feels like security is more effective at deterring your users than hackers. But you still have to protect your enterprise resources, and we’re here to help. We take pride in securing your network, data, and resources to an unprecedented level, without causing a revolt from either IT or your users. In fact, your users probably won’t even know we’re there.

Here’s how it works:

Trusted Platform Module (TPM) + Wave’s ERAS for TPM Management = hardware-secured, fully-managed authentication

Most of your devices already come with TPMs (check out our “What is a TPM?” brochure if you’re not sure why this is exciting). This security chip comes attached to the motherboard of most enterprise-class PCs. There’s nothing “add-on” about it. The TPM provides a verifiable, unique identity for each machine.

Wave’s ERAS for TPM Management gives IT remote, centralized management of all TPMs on enterprise computers and tablets.

With this control, IT can set policies and dictate which machines and users have authority to access which resources. IT can ensure that only known and approved devices are accessing your network. And what’s more, IT can prove it with detailed activity logs.
=================================================================
http://www.wavesys.com/

http://www.wavesys.com/contact-information

Contact Wave

Wave Systems
401 Congress Avenue
Suite 2650
Austin, TX 78701
sales@wavesys.com

Gold Customer Support:

goldsupport@wavesys.com

1-800-928-3638

Support:

support@wavesys.com

1-844-250-7077

Sales:

1-877-228-WAVE