Using Cloud Infrastructure to Gain Privacy and Anonymity
Why would a security professional need anonymity?
Anonymity and the need for privacy are often associated with suspicious or even criminal activity. For instance, in the cyber security sector, one of the major challenges around breach detection and attribution is the fact that most attackers use technologies such as the TOR network, VPN providers, and encryption. There are other, much more ethical reasons why an individual would need such tools, however. Think of a human rights activist within a country controlled by a repressive regime. In such cases preserving anonymity is sometimes a matter of life and death.
Cyber security professionals sometimes need to preserve their anonymity as well. When gathering threat intelligence from unofficial sources, it is best practice to operate in such a manner that the operator of the system hosting the intelligence cannot trace the collector back to their source. A malware author or a DDoS-as-a-Service operator could, for instance, monitor visitors to their hosted information and change tactics, or even hide their services from the interested threat intelligence gatherer altogether. As an example, malware hosting servers quite often block any connection from IP ranges belonging to certain targeted companies.
The need for legitimate anonymous internet access becomes especially important when dealing with dynamic malware analysis systems such as Cuckoo sandboxes. These systems can optionally reach out to the internet when a first-stage malware sample tries to connect to a server to download its second stage. These outgoing, so-called “dirty lines” need to be untraceable; otherwise the malware controller could learn that their code has been detected and is being analyzed, and react.
Traditional tools to preserve privacy and anonymity have mainly focused on rerouting traffic via public nodes such as exit nodes on the TOR network or (usually paid) VPN services. This usually works quite well. VPN services have gained a lot in popularity as the media cover privacy breaches by companies, hackers, and governments more and more. A user can sign up to a private VPN service such as NordVPN, IPVanish or PureVPN by paying a monthly or yearly fee (about 30 USD to 100 USD per year), although there are some free options as well. These services come with agents full of security features, such as automatically blocking network traffic if the VPN tunnel unexpectedly disconnects (to preserve privacy). Most providers also allow connections from other agents, such as the ones built into the user's operating system.
Apart from the fact that the use of private VPNs is usually not free, there is another issue. Most of the providers of these services are well known or easily traceable. This can arouse some suspicion at the intended destination: why would someone visit their server or website anonymously? Because of the increased popularity of private VPN services, however, this is becoming less and less suspicious. A final, much discussed issue around private VPN providers is that many claim their service is log-free (so no evidence is stored), but it has been proven that some providers do in fact keep logs and do provide these to authorities if required. This is not so much an issue for security researchers, but it is important to understand.
The use of the TOR network is (only) slightly more complex, but it is free and much harder to trace. Because there is no central authority that governs any of the traffic (this is the principle behind the architecture of the network), traffic is virtually untraceable. This comes with an important issue, however. Any traffic coming from an exit node on the TOR network is highly suspicious, both for companies (which usually block or monitor such traffic) and for controllers of malware and botnet infrastructure.
Many organizations will also have a policy against the use of the TOR network by employees, including their security staff. All these issues make TOR a less than favorable option for preserving anonymity.
Using the cloud
There is another option, however. In the world of internet technology there is hardly anything that has changed the landscape more over the last decade than the adoption of cloud technologies. The (public) cloud has made it possible to widely distribute systems with great flexibility, independent of where organizations and users are located. Bringing this back to the challenge of preserving anonymity, such a highly distributed platform, with hundreds of thousands of shared servers performing hundreds of thousands of different tasks, is a great tool. If a security professional or an automated sandbox system is located within, for instance, a shared Amazon environment and requests data from a suspicious external system, it is virtually impossible to trace that request back to the interested party. Someone monitoring for such incoming requests will know that something or someone was interested in the information, but cannot precisely determine who it was or for what reason. It simply looks far less suspicious than a source indicating a private VPN or the TOR network.
It is also much harder to block requests originating from cloud platforms. Where it is not very complex to block a few IP addresses of web crawlers, targeted companies, and security companies, a block on the entire address ranges of Azure and Amazon would be too broad and would need regular updating as well.
Because of the limited hardware requirements of a simple research system within the cloud, the very lowest specifications will quite often be sufficient. The Amazon Free Tier will easily run a Kali Linux host for 12 months at no cost whatsoever.
With some (small) costs it is also possible to build a sandbox system inside a public cloud or to divert a “dirty line” via the cloud (with a VPN for instance).
Law enforcement can request the associated logs from the cloud provider to identify the researcher, but considering the setup is to be used for legitimate work, this should not be an issue. Of course, for additional privacy, one can always connect to the cloud instance through a private VPN if needed.
We looked at some of the complexities of preserving anonymity on the internet. The issue is not so much hiding one's identity; it is doing so without raising suspicion. Using cloud systems is a good and affordable way to achieve this, usually at little or no cost at all.