Cloud Computing: Attack Vectors and Counter Measures
I can bet that some of you might have missed the news about Star Wars, but hardly anyone will not know what cloud computing is, as it has been the buzz for the last several years. In this article, we will learn about the various types of attacks that are possible in a cloud environment and the methodology used. Let’s start with the definition of cloud computing and its models, and then focus on attack vectors and their countermeasures.
What is Cloud Computing?
Cloud computing is a model that gives ubiquitous, on-demand access to a shared pool of resources, which can be provisioned and released with minimal management effort.
Cloud Computing: Models
Cloud computing has the following models:
- Infrastructure as a Service (IaaS): This is the lowest of all layers. In this model, the customer owns the software and purchases the virtual power to execute it.
- Platform as a Service (PaaS): This is the middle layer. Here a platform is provided, which includes APIs, a portal, etc., on which customers can develop their applications.
- Software as a Service (SaaS): This is the topmost layer. It provides everything and simply rents out the software to the user.
Cloud Computing: Attacks
When it comes to cloud security, vulnerabilities have unfortunately been found in the cloud environment that lead to attacks. Following are some of the well-known attacks in the cloud environment.
- Denial of Service Attacks (DoS Attacks): The definition of a DoS attack remains the same in the cloud, i.e. it prevents users from accessing a service. However, in a cloud environment, DoS attacks get nasty. The cloud, by design, keeps adding more computational power, which makes the attack even stronger. The problem is further aggravated when DDoS comes into the picture, as more machines are compromised to attack a large number of systems.
- Malware Injection Attack: This attack focuses on adding/injecting a malicious service implementation or virtual machine into the cloud environment. The main goal of this type of attack is to take control of the victim’s data in the cloud, so the attacker uploads a crafted image and tricks the cloud into treating the image as part of the victim’s cloud environment. After the adverse system/service is added to the cloud environment, user requests start being forwarded to it, causing the vulnerable code to execute.
- Side Channel Attack: This attack is directed at compromising IaaS by placing a virtual machine co-resident with the victim VM and then targeting the cryptographic implementation in the system. Co-resident means that the VM has to be on the same host. As you might have guessed, this attack is done in 2 phases. The first phase is the placement of a malicious VM as co-resident to the target VM. The second phase is to extract useful information from the target VM. The attacker has to be sure that he has placed his VM as a co-resident to the target VM. How can he be sure? Is there a way to check it? The answer is yes. There are ways in which co-residency can be checked. Some of them are described below:
Network based co-residence check: This can be done in the following ways. However, this is specific to EC2:
- Dom0 IP address: This is specific to the Xen hypervisor; Dom0 refers to the initial domain started. For an instance, the Dom0 IP can be checked as the first hop on any route from the host. If the target is uncontrolled, its Dom0 IP can be determined from another instance by performing a TCP SYN probe and tracing the last hop.
- Packet round trip times: According to research, round trip times for VMs on the same host show a pattern.
- Closeness of internal IP address: Co-residency can be checked from how internal IP addresses are allotted to a set of VMs on a single box.
- Brute forcing: Here the attacker brings up a VM and then checks for the target in a zone repeatedly. For VMs spawned in the wrong zone, the attacker shuts down that VM and repeats the process.
- Authentication and MiTM Attack: As most of the upfront services being offered rely on a username/password combination, authentication is considered to be the weak point in the cloud security model. Also, if attackers can place themselves between the user and the service provider, MiTM attacks are also possible.
Cloud Computing: Attack Countermeasures
- As customers lose control over their data as soon as they move it to the cloud, they must make sure that the data stored in the cloud is encrypted and, if possible, should retain the keys themselves.
- Detect the side-channel attack during the placement phase itself. This can be done by collecting logs of new machines starting and stopping and feeding them to a SIEM solution. A high number of new machines being spawned and shut down within a defined time interval could be an indicator of an attacker performing the co-residency check.
- Instead of a simple username and password authentication check, multifactor authentication must be implemented.
- Hire a CCSP (Certified Cloud Security Professional) to manage the cloud.
- Check the integrity of data by implementing encryption/decryption for the data over the wire.
- Implement firewalls, IPS and other ACL filters at the perimeter. Apply black holing and sink holing.
- Implement a combination of virtual firewall and randomized encryption/decryption: Placement can be protected by enabling virtual firewalls at the VM level, which restrict traffic between VMs; to protect against the 2nd step of the side-channel attack, implement randomized encryption and decryption, thus making the process more complex to break.
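The placement-phase detection from the countermeasures above (many machines spawned and shut down within a defined interval), written out as a SIEM-style rule. This is an added example, not part of the original article; the log format, tenant and VM names, thresholds and the detect_churn function are all hypothetical, and the log is assumed to be in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lifecycle log, hypothetical format (time-ordered):
# <ISO timestamp> <START|STOP> <tenant> <vm-id>
SAMPLE_LOG = """\
2024-05-01T10:00:00 START tenant-a vm-001
2024-05-01T10:00:10 START tenant-b vm-100
2024-05-01T10:01:30 STOP tenant-a vm-001
2024-05-01T10:02:00 START tenant-a vm-002
2024-05-01T10:03:10 STOP tenant-a vm-002
2024-05-01T10:04:00 START tenant-a vm-003
2024-05-01T10:05:20 STOP tenant-a vm-003
2024-05-01T10:08:00 START tenant-c vm-200
2024-05-01T10:09:00 STOP tenant-c vm-200
2024-05-01T12:30:00 STOP tenant-b vm-100
"""

WINDOW = timedelta(minutes=15)       # assumed sliding detection window
MAX_LIFETIME = timedelta(minutes=5)  # assumed cutoff for a "short-lived" VM
THRESHOLD = 3                        # assumed short-lived VMs per window to alert


def detect_churn(log_text, window=WINDOW, max_lifetime=MAX_LIFETIME,
                 threshold=THRESHOLD):
    """Return (tenant, time, count) alerts for bursts of short-lived VMs."""
    started = {}                 # (tenant, vm) -> start time
    recent = defaultdict(deque)  # tenant -> stop times of short-lived VMs
    alerts = []
    for line in filter(str.strip, log_text.splitlines()):
        stamp, action, tenant, vm = line.split()
        ts = datetime.fromisoformat(stamp)
        if action == "START":
            started[(tenant, vm)] = ts
        elif action == "STOP":
            begin = started.pop((tenant, vm), None)
            if begin is None or ts - begin > max_lifetime:
                continue  # unmatched stop or long-running VM: not churn
            stops = recent[tenant]
            stops.append(ts)
            while ts - stops[0] > window:  # expire stops outside the window
                stops.popleft()
            if len(stops) >= threshold:
                alerts.append((tenant, ts, len(stops)))
    return alerts


if __name__ == "__main__":
    print(detect_churn(SAMPLE_LOG))
```

The window, lifetime cutoff and threshold need tuning against a tenant's normal autoscaling behaviour, since legitimate scale-out and scale-in can also produce short-lived machines.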