A former AWS systems engineer, Paige A. Thompson of Seattle, Washington, has been arrested in connection with hacking a Capital One Bank cloud database, resulting in the breach of over 100 million banking records. The news of an arrest may lull companies and consumers into a false sense of resolution. Yes, the bank acted quickly, and yes the FBI made an arrest, but there are valuable lessons for security and risk teams in this incident. Here are the top three lessons to take away from this breach.
Security & Risk Teams Need Intelligence Gathering
Thompson exploited a firewall vulnerability to execute commands on Capital One's servers. However, the hack was first discovered and then traced across posts on GitHub, Twitter, and Slack. Security and risk teams need to go beyond the firewall, and beyond the network infrastructure altogether. Attackers operate and communicate across channels, so the capability to conduct proactive digital intelligence is mission critical. Scanning social media, and the deep/dark web can locate the first signs of leaked or stolen assets or provide indications of an impending attack. From a Twitter account named Erratic, which prosecutors say belonged to Thompson, she posted: “I’ve basically strapped myself with a bomb vest [...] dropping capitol ones dox and admitting it. I wanna distribute those buckets i think first. There ssns [sic]... with full name and dob.”
Security and risk teams need more tools. Digital intelligence capabilities can help stop attacks before they happen, or in the event of a breach, they can provide invaluable evidence to law enforcement.
This Was Effectively an Inside Job
Some headlines have incorrectly referred to Thompson as a "hacker." This moniker conjures a different persona in the popular imagination than was really the case in this incident. The conflation is dangerous. Thompson was an AWS employee. Of course, Capital One built, controlled, and maintained it own web applications on AWS. All of this is not to implicate AWS as an organization, but this breach should be a wake-up call to security teams to examine the possible gaps and vulnerabilities when using third-party services and cloud structures.
As more and more business operations migrate to cloud environments, teams need to:
- Closely examine vendor relationships
- Review permissions
- Run red team exercises simulating both external and insider threats
- Establish an accurate inventory of apps in use.
Placing digital endpoints at the account level of internal apps like Slack or Microsoft Teams can help detect and stop both accidental and malicious data loss, regardless of device. Similarly, this endpoint protection can be placed on official social media accounts or vulnerable employees' accounts, such as executives or frontline sales teams.
A Criminal Caught Is No Reason to Rest
It is tempting to take a measure of relief from knowing the identity of the attacker and that she has been arrested. All too often we hear about the breach, but are left wondering who has the data. Complacency, however, is the enemy. Although Capital One has said no credentials or passwords were compromised, the bank's customers would do well to change passwords and move to password managers. Other banks should not rest. They should be spending today reviewing all of their own network and cloud database configurations. They should be examining permissions. In short, they should be running around today as if they had been the victims. Every breach is an opportunity to learn.
Security and risk teams should look to close the gaps that made this intrusion possible. Go beyond the network. You have to scan the wilderness to build a comprehensive defense in a cross-channel threat landscape. Be ever vigilant in reviewing architectures, permissions, and insider threats.
Photo credit: Tdorante10
July 6, 2020