Identities lie at the heart of cloud security. One of the most common tactics used to breach cloud environments is Credential Access. User credentials may be obtained using various techniques. Credentials may be cracked through brute force attempts, obtained in social engineering campaigns, or stolen from compromised resources, where they are stored and used.
In this blog, we demonstrate that properly securing cloud environments requires securing credentials in the organization’s non-cloud environments. To this end, we dive into our innovative capability to detect cloud credentials in on-premises environments and user devices. By integrating it with Microsoft Security Exposure Management, customers are able to identify attack paths starting in non-cloud environments and reaching critical cloud assets using cloud credentials. Customers are then able to effectively prioritize and mitigate those attack paths, thereby improving their enterprise and cloud security posture.
Credentials in On-premises Environments and User Devices: the Achilles Heel of Cloud Security
Awareness of the risk of credential theft in cloud environments is increasing, with security vendors offering secret scanning in various cloud-based resources, such as virtual machines and code repositories. However, cloud-credential theft from on-premises environments and user devices is a substantial blind spot in cloud protection solutions.
Consider the following attack scenario: To work with cloud infrastructure, employees must constantly use credentials on their personal computers. Most commonly, users access cloud provider services either through the web portal or through a CLI tool. Both methods can leave long-term credentials on the employee’s computer, such as authentication cookies and access tokens. A malicious actor who gains access to the user’s computer can easily steal those credentials and breach the customer’s cloud environment. The attacker immediately gains all the current permissions of the compromised user.
This scenario is a reality that we witness over and over with our customers. Our security research team has recently uncovered a crypto mining campaign targeting a large financial organization. The attack began by executing malware on an endpoint machine used by one of the organization’s administrators. The attacker then extracted a browser cookie from the compromised machine, which allowed them to bypass MFA and gain an initial foothold in the cloud environment with global administrator permissions.
The Technical Challenge: Identifying and Mapping Browser Cookies
The most widespread credential type used to access the cloud from user devices is the authentication cookie. When logging in to a cloud provider’s website, authentication cookies are saved in the user’s browser to enable easy, password-free access in future sessions.
While the exact format varies, these cookies appear as long, randomized strings and do not contain any identifier of the user that they can be used to authenticate as. This poses a significant challenge to the security vendor, who needs to infer this exact connection.
The trivial way to solve this challenge would be to collect the authentication cookie from the user’s machine and actively send it to the relevant website. This solution has several disadvantages which make it complex and unattractive:
- Authentication cookies are highly sensitive secrets. Collecting and saving those cookies adds an unwanted risk to the customer.
- Actively sending the cookies on a mass scale may look suspicious and cause false alarms on the website’s side.
- It imposes high operational and engineering costs on the vendor’s side.
The Solution: Smart Analysis of Browser Artifacts
To overcome this challenge, we have come up with an innovative solution that is based on analysis of browser artifacts. The artifacts, saved by the website upon successful user authentication, contain the identifier of the authenticated user. This solution also provides information on the cookie’s validity, as the artifacts also indicate when a user logs out, or when a cookie is expired due to lack of usage.
The analysis runs periodically over Microsoft Defender for Endpoint and supports detection of both Azure Portal and AWS Console authentication cookies. On the first release, all Chromium-based browsers are supported.
In addition, we’re introducing an ability to detect cloud secrets used by the CLI tools of Azure, AWS and GCP. These secrets are stored locally and include refresh tokens, certificates, and access keys. Here, too, we’re able to correlate them to the relevant user that they can be used to authenticate as.
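The following script is an added illustration of the approach described in the last two sections, not Microsoft’s implementation or any product code. It shows how cookie metadata can be mapped to a signed-in user and a validity verdict purely from login/logout artifacts (no cookie value is ever recorded or sent), and how locally stored CLI keys can be reported in redacted form and correlated to their owner. Every input is constructed; the hosts, the idle-expiry policy and the key-to-owner lookup table are assumptions.

```python
"""Correlate cloud-credential artifacts on an endpoint to the identities they grant,
without collecting or replaying the secrets themselves.

Added example (not Microsoft's implementation). All inputs are constructed; the
hosts, IDLE_LIMIT and KEY_OWNER are assumptions.
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

IDLE_LIMIT = timedelta(days=14)  # assumed policy: cookies unused this long are treated as expired


@dataclass
class CookieMeta:
    """Cookie metadata only: the cookie value is deliberately never stored."""
    host: str
    name: str
    expires: datetime | None  # None means a session cookie
    last_access: datetime


@dataclass
class AuthEvent:
    """A login/logout artifact written by the site; it carries the signed-in user."""
    host: str
    kind: str  # "login" or "logout"
    user: str
    time: datetime


def classify_cookie(cookie: CookieMeta, events: list[AuthEvent], now: datetime) -> dict:
    """Derive the user and a validity verdict for a cookie from artifacts alone."""
    history = sorted((e for e in events if e.host == cookie.host), key=lambda e: e.time)
    user, logged_out = None, False
    for ev in history:
        if ev.kind == "login":
            user, logged_out = ev.user, False  # a fresh login supersedes an earlier logout
        elif ev.kind == "logout" and user is not None:
            logged_out = True
    if user is None:
        status = "no-login-artifact"
    elif logged_out:
        status = "logged-out"
    elif cookie.expires is not None and cookie.expires <= now:
        status = "expired"
    elif now - cookie.last_access > IDLE_LIMIT:
        status = "idle-expired"
    else:
        status = "likely-valid"
    return {"host": cookie.host, "cookie": cookie.name, "user": user, "status": status}


def inventory_aws_profiles(credentials_ini: str, key_owner: dict[str, str]) -> list[dict]:
    """Report each AWS CLI profile with a redacted key id, key kind and owner.
    key_owner is assumed to come from a cloud-side IAM inventory (key id -> principal)."""
    parser = configparser.ConfigParser()
    parser.read_string(credentials_ini)
    findings = []
    for profile in parser.sections():
        section = parser[profile]
        key_id = section.get("aws_access_key_id")
        if not key_id:
            continue
        # AWS temporary credentials carry an ASIA prefix and a session token
        temporary = key_id.startswith("ASIA") or bool(section.get("aws_session_token"))
        findings.append({
            "profile": profile,
            "key_id_redacted": key_id[:4] + "..." + key_id[-4:],  # never emit the full id
            "kind": "temporary" if temporary else "long-term",
            "owner": key_owner.get(key_id, "unknown"),
        })
    return findings


# ---- constructed sample data -------------------------------------------------
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
COOKIES = [
    CookieMeta("portal.example-cloud.test", "auth_session", NOW + timedelta(days=30), NOW - timedelta(hours=3)),
    CookieMeta("console.example-cloud.test", "auth_session", None, NOW - timedelta(days=44)),
    CookieMeta("storage.example-cloud.test", "auth_session", None, NOW - timedelta(days=20)),
]
EVENTS = [
    AuthEvent("portal.example-cloud.test", "login", "admin@contoso.example", NOW - timedelta(days=2)),
    AuthEvent("console.example-cloud.test", "login", "dev@contoso.example", NOW - timedelta(days=45)),
    AuthEvent("console.example-cloud.test", "logout", "dev@contoso.example", NOW - timedelta(days=44)),
    AuthEvent("storage.example-cloud.test", "login", "ops@contoso.example", NOW - timedelta(days=20)),
]
AWS_CREDENTIALS = """
[default]
aws_access_key_id = AKIAEXAMPLE000000001
aws_secret_access_key = <constructed-secret>
[ci-temp]
aws_access_key_id = ASIAEXAMPLE000000002
aws_secret_access_key = <constructed-secret>
aws_session_token = <constructed-token>
"""
KEY_OWNER = {"AKIAEXAMPLE000000001": "iam::contoso:user/build-bot"}  # constructed lookup


def report() -> dict:
    """Full endpoint credential inventory: cookies and CLI keys, secrets never included."""
    return {
        "cookies": [classify_cookie(c, EVENTS, NOW) for c in COOKIES],
        "aws_profiles": inventory_aws_profiles(AWS_CREDENTIALS, KEY_OWNER),
    }


if __name__ == "__main__":
    for section, rows in report().items():
        print(section)
        for row in rows:
            print("  ", row)
```

The verdicts come entirely from artifact timing: a later logout marks the cookie as dead, a session cookie that has not been touched within the idle limit is treated as expired, and only a cookie with a login artifact, no subsequent logout and recent use is flagged as likely valid. That is what lets an agent rank a device-to-cloud attack path without ever handling the secret.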
Reducing the Attack Surface and Enhancing Threat Detection
This new ability to detect cloud credentials in on-premises environments and user devices is fully integrated into Microsoft Security Exposure Management. This comes in addition to our existing abilities to detect credentials in cloud and hybrid environments. By ingesting the data to the exposure graph, customers are now able to:
- Gain Visibility into the Attack Surface created by Cloud Credentials: Effectively prioritize protection of the critical areas of the network that need it most.
- Reduce the Attack Surface: Identify and mitigate attack paths involving cloud credentials.
- Enhance Threat Detection of Hybrid Attacks: Having knowledge of the connection between on-premises and cloud environments provides important context in threat detection, enhancing detection and response of hybrid attack incidents.
Below is a screenshot from the Exposure Management user interface showing an on-premises to cloud attack scenario involving cloud credentials. The scenario begins with a vulnerable on-premises machine, which contains a browser cookie of an Azure user with the global administrator role. The cookie may be used to access a sensitive Azure storage account, which contains customer credit card details. This scenario and many more will soon be available in Microsoft Security Exposure Management.
Learn More