Help your organization avoid being the next Capital One cloud resource breach with this one weird trick that hackers hate.

Capital One has joined the ever-growing list of companies (including Facebook, Dow Jones, Netflix, and Ford) that have had data stolen out of improperly secured cloud resources.

“The perpetrator gained access to card application data of approximately 106 million individuals across the United States and Canada through a misconfiguration of a web application and not the underlying cloud-based infrastructure,” as told to Newsweek a couple of days ago.

It appears this attack involved exploiting a flaw in a web application to gain enough privilege to read the system’s instance metadata via the AWS API. The metadata contained credentials to access the highly sensitive data outlined in the breach disclosure.

Instance metadata is a well-known, widely used, but only occasionally scrutinized feature that every AWS instance is deployed with. It is enabled by default to provide easily accessible information about the EC2 instances themselves and about how they are deployed into the AWS account as a whole, including any IAM credentials the instance needs to talk to other AWS services.

For a more in-depth look at this attack vector, check out this blog post from Redlock.

So how do you keep your company from falling victim to this same attack? There is a simple and extremely cost-effective solution that would have very quickly alerted Capital One (or anyone else in the same situation) to the inappropriate access of their EC2 metadata: Thinkst’s Canary tokens.

Canary tokens can be thought of as a tripwire in environments, alerting security teams when accessed or executed without tipping their hand to the attacker. Canary tokens come in many different varieties and specifically include a token that notifies when EC2 metadata is accessed.

These tokens are very similar to a web bug, an object that can be placed within a web page or email that allows the creator to monitor user behavior.

Unlike a web bug, though, Canary tokens are designed to have multiple personalities for different deployment use cases, including an EC2 metadata token. Once created, these tokens can be deployed by installing Thinkst’s Apeeper application on your EC2 instances, separated by region, with virtually no maintenance required.

With these Canaries in place, if an attacker then attempts to query the metadata of your EC2 instances, an alert is triggered in real time, notifying you or your team of potential exploitation while also providing valuable information about the incident.

Apeeper can also be configured to run in three different modes depending on your environment’s architecture and security program needs:

  • Blacklist: alert on certain paths that are queried
  • Whitelist: do not alert on certain paths that are queried
  • All: alert on all paths that are queried
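To make the three modes concrete, here is an added example (not Apeeper’s own code) of how a metadata tripwire decides which queries to the EC2 metadata service raise an alert under each mode. The request log lines, the path prefixes and the `MetadataTripwire` class are constructed for illustration.

```python
# Illustration of blacklist / whitelist / all alerting for EC2 instance-metadata
# requests. Added example, not Apeeper's code; log lines and paths are constructed.
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

METADATA_HOST = "169.254.169.254"  # link-local address of the EC2 metadata service


@dataclass
class MetadataTripwire:
    mode: str            # "blacklist", "whitelist" or "all"
    paths: tuple = ()    # path prefixes the blacklist/whitelist mode applies to

    def should_alert(self, path: str) -> bool:
        """Decide whether a single metadata path query should raise an alert."""
        if self.mode == "all":
            return True                   # every metadata query is suspicious
        matched = any(path.startswith(p) for p in self.paths)
        if self.mode == "blacklist":
            return matched                # alert only on the listed paths
        if self.mode == "whitelist":
            return not matched            # alert on anything not explicitly allowed
        raise ValueError(f"unknown mode: {self.mode}")


def parse_request(line: str) -> Optional[Tuple[str, str]]:
    """Extract (host, path) from a constructed 'METHOD http://host/path' log line."""
    _method, _, url = line.partition(" ")
    if not url.startswith("http://"):
        return None
    host, _, path = url[len("http://"):].partition("/")
    return host, "/" + path


def scan(lines: Iterable[str], tripwire: MetadataTripwire) -> list:
    """Return the metadata paths in the log that the tripwire alerts on."""
    alerts = []
    for line in lines:
        parsed = parse_request(line)
        if parsed is None or parsed[0] != METADATA_HOST:
            continue                      # not a request to the metadata service
        if tripwire.should_alert(parsed[1]):
            alerts.append(parsed[1])
    return alerts


# Constructed sample of outbound requests observed on an instance.
SAMPLE_LOG = [
    "GET http://169.254.169.254/latest/meta-data/instance-id",
    "GET http://169.254.169.254/latest/meta-data/iam/security-credentials/",
    "GET http://169.254.169.254/latest/meta-data/iam/security-credentials/app-role",
    "GET http://example.invalid/healthz",
]
```

In blacklist mode with the IAM credentials prefix listed, only the two credential lookups alert; in all mode every metadata request does, so the mode you pick should match how much legitimate metadata traffic your workloads generate.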

At CYDERES, we provide the best “blue team as a service” with our solutions for managed detection and response that include comprehensive coverage of both on-prem and cloud environments.

The CYDERES Cyber Defense Platform includes a wide range of technologies including Thinkst’s Canary tokens.  With Thinkst, you can have a whole flock of Canary token sensors deployed quickly.

With CYDERES, you can have those sensors monitored 24/7 by our award-winning Cyber Defense Center. Our surveillance team will not only architect and deploy your Thinkst deception solution, but will also actively monitor all of the security telemetry and events from your environment to quickly triage and respond to threats, freeing your internal security team to focus on enabling the business to move faster, but securely.