Lack of clarity in log files can allow for stealthy data exfiltration.
Mitiga on forensic visibility and the Google Cloud Platform.
Mitiga has published research looking at Google Cloud Platform (GCP), concluding that the service has a “significant forensic security deficiency in Google Cloud Storage that enables a threat actor to exfiltrate in a covert manner.”
Data theft could fly under the radar.
The researchers found that an attacker with access to a GCP storage bucket could steal data without leaving any obvious signs. The problem stems from the fact that GCP uses the same log description for a variety of different actions, including reading files, downloading files, copying files to an external server, or reading the metadata of a file. As a result, all of these actions will simply be logged as “storage.objects.get.”
Mitiga explains, “It is important to note that in normal usage, files (or objects) inside storage objects are read multiple times a day as part of day-to-day activity of the organization. This could easily lead to thousands or millions of read events. Not being able to identify specific attack patterns such as download or copy to external buckets, makes it exceedingly difficult for the organizations to determine if and which information has been stolen.”
Google’s response and mitigations.
Google offered the following response to Mitiga’s findings:
“The Mitiga blog highlights how Google’s Cloud Storage logging can be improved upon for forensics analysis in an exfiltration scenario with multiple organizations. We appreciate Mitiga's feedback, and although we don't consider it a vulnerability, have provided mitigation recommendations.”
Google and Mitiga worked together to come up with the following mitigations:
- “VPC Service Controls - with the use of VPC Service Controls administrators can define a service perimeter around resources of Google-managed services to control communication to and between those services.
- “Organization restriction headers - organization restriction headers enable customers to restrict cloud resource requests made from their environments to only operate resources owned by select organizations. This is enforced by egress proxy configurations, firewall rules ensuring that the outbound traffic passes through the egress proxy, and HTTP headers.
- “In case neither VPC Service Controls nor Organization restriction headers are enabled we suggest searching for the following anomalies: anomalies in the times of the Get/List events, anomalies in the IAM entity performing the Get/List events, anomalies in the IP address the Get/List requests originate from, and anomalies in the volume of Get/List events within brief time periods originating from a single entity.
- “Restrict access to storage resources and consider removing read/transfer permissions.”
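The third mitigation above relies on the reader noticing that every download, copy and metadata read lands in the data-access log with the same `storage.objects.get` method name, so the hunt has to key off everything except the method: who made the call, from where, at what hour, and how many calls landed in a short window. The script below is an added illustration of that approach and is not code from Mitiga, Google or the article. It uses the real Cloud Audit Log field names (`protoPayload.methodName`, `authenticationInfo.principalEmail`, `requestMetadata.callerIp`, `resourceName`, `timestamp`), but the log entries, principals, IP ranges, bucket name and baseline thresholds are all constructed for the demo.

```python
"""Anomaly hunting over Cloud Storage data-access audit log entries.

Added example (not from the article). The entries below mimic the shape of
GCP Cloud Audit Logs (DATA_READ) for storage.objects.get; the baseline
values are assumptions chosen for the demo, not a real organization's profile.
"""
from collections import defaultdict
from datetime import datetime, timezone


def _entry(ts, principal, ip, obj):
    """Build one constructed log record using the real Cloud Audit Log field names."""
    return {
        "timestamp": ts,
        "protoPayload": {
            "methodName": "storage.objects.get",  # identical for read, download, copy, metadata
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
            "resourceName": f"projects/_/buckets/finance-exports/objects/{obj}",
        },
    }


# Constructed sample log: routine reads plus three suspicious patterns.
SAMPLE_LOG = (
    # routine daytime reads by the application service account
    [_entry(f"2024-05-06T10:0{i}:00Z", "app-sa@example-project.iam.gserviceaccount.com",
            "10.12.0.5", f"report-{i}.csv") for i in range(5)]
    # a known analyst reading one file at 03:14 UTC
    + [_entry("2024-05-06T03:14:00Z", "analyst@example.com", "10.12.0.9", "q1.csv")]
    # an identity and source address the baseline has never seen
    + [_entry("2024-05-06T11:00:00Z", "contractor@outside.example", "198.51.100.23", "q1.csv")]
    # 25 gets in 25 seconds from the analyst: bulk-copy shaped, yet still just "get"
    + [_entry(f"2024-05-06T12:00:{i:02d}Z", "analyst@example.com", "10.12.0.9", f"part-{i}.csv")
       for i in range(25)]
)

# Assumed baseline (constructed). In practice derive it from weeks of real logs.
BASELINE = {
    "principals": {"app-sa@example-project.iam.gserviceaccount.com", "analyst@example.com"},
    "ip_prefixes": ("10.12.", "35.190."),   # corporate range + known egress, constructed
    "business_hours_utc": range(7, 19),
    "window_seconds": 300,
    "max_gets_per_window": 20,
}


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_anomalies(entries, baseline=BASELINE):
    """Return a list of {rule, principal, detail} findings over storage.objects.get events."""
    findings = []
    per_principal = defaultdict(list)
    for e in entries:
        p = e["protoPayload"]
        if p["methodName"] != "storage.objects.get":
            continue
        who = p["authenticationInfo"]["principalEmail"]
        ip = p["requestMetadata"]["callerIp"]
        when = _parse_ts(e["timestamp"])
        per_principal[who].append(when)
        if who not in baseline["principals"]:
            findings.append({"rule": "unknown_principal", "principal": who, "detail": p["resourceName"]})
        if not ip.startswith(baseline["ip_prefixes"]):
            findings.append({"rule": "unknown_ip", "principal": who, "detail": ip})
        if when.hour not in baseline["business_hours_utc"]:
            findings.append({"rule": "off_hours", "principal": who, "detail": e["timestamp"]})
    # Volume rule: sliding window per principal, reported once per principal.
    for who, times in per_principal.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > baseline["window_seconds"]:
                start += 1
            if end - start + 1 > baseline["max_gets_per_window"]:
                findings.append({"rule": "burst", "principal": who,
                                 "detail": f"{end - start + 1} gets within {baseline['window_seconds']}s"})
                break
    return findings


def summarize(findings):
    """Count findings per rule; useful as input to alert thresholds."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = find_anomalies(SAMPLE_LOG)
    for f in results:
        print(f"{f['rule']:18} {f['principal']:45} {f['detail']}")
    print(summarize(results))
```

Run as-is, the script flags the 03:14 read as `off_hours`, the contractor's read as both `unknown_principal` and `unknown_ip`, and the 25-file run as a `burst`, while the service account's routine reads produce nothing. The five routine reads also show why a method-name filter alone is useless here: they are byte-for-byte the same kind of record as the burst. Feeding real exports into `find_anomalies` only requires that the entries keep the same field names; the baseline is where the tuning effort belongs.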