SEI Insights

Insider Threat Blog

Real-World Work Combating Insider Threats

Insider Threats Related to Cloud Computing--Installment 3: Insiders Who Exploit Cloud Vulnerabilities

Posted on by in

Hi, this is Bill Claycomb and Alex Nicoll with installment 3 of a 10-part series on cloud-related insider threats. In this post, we discuss a second type of cloud-related insider threat: those that exploit weaknesses introduced by use of the cloud.

Last week we discussed the rogue administrator, one type of cloud-related insider threat. A second type of cloud-related insider threat, often overlooked by security researchers, is the insider who exploits vulnerabilities exposed by the use of cloud services to gain unauthorized access to organization systems and/or data. This type of attack may be malicious or accidental, and is sometimes enabled by differences in security policies or access control models between cloud-based and local systems.

This type of threat may also be successful because direct administrative control of systems and data can be difficult for an organization to affect quickly. This type of insider is most likely looking to gain access to sensitive information to sell (i.e., fraud) it or use it for future employment opportunities (i.e., theft of intellectual property); and the cloud may provide the easiest way to compromise security measures with the least chance of detection.

But once again, sabotage attacks should not be discounted. It is unlikely a local insider would try to sabotage the cloud infrastructure itself, considering the resilience and stability of cloud-based systems in addition to the remote location of cloud systems. A local system may be a better target for sabotage, unless the insider seeks to harm the company by leaking sensitive or embarrassing company information. This type of incident is described in the following excerpt from an actual case in the CERT insider threat database:

An employee in the victim organization was tricked by a malicious outsider into opening a document infected with malware. Using that exploit, the attacker was eventually able to gain access to the organization's email service, hosted by a cloud computing provider. Though aware of the attack in progress, the victim organization was unable to terminate email service quickly enough to prevent sensitive data loss. This delay was exacerbated by the inability of the organization to validate its identity with cloud provider support personnel.

This attack describes an unintentional insider attack, which means the employee did not intend to cause harm to the organization. However, the outside attacker was able to obtain credentials of an inside administrator and use those credentials to attack as an inside administrator might. The exploited weakness that allowed this attack to succeed was the lack of direct control of email services for the victim organization.

To further illustrate this type of insider, but from the perspective of fraud, consider an attack exploiting the increased latency, or replication lag, between servers in a cloud architecture. With constraints such as high server load, multiple network segments and layers between servers, and geographic separation, replication of changes from one server to others can take significantly longer for cloud systems than those hosted on site, dedicated to the organization, and using the same network infrastructure.

An insider who understands the hosted application environment can take advantage of that knowledge to devise an attack. First, he must be aware of an upcoming change (or be able to initiate one), which is introduced at the top of the hierarchy and replicated to nodes further down. He would then introduce a malicious change at a point further down the replication hierarchy, knowing his change will only exist for a very short period of time. The insider would take advantage of that short window to carry out the attack on the target node. This attack is very similar to the Byzantine Generals Problem, which deals with malicious nodes during message replication. However, the situation described here does not assume malicious nodes; it simply inserts what appears to be an authorized message immediately prior to replication and takes advantage of the temporary inconsistency caused.

As a specific example, consider a sample organization with authoritative price server A, which replicates prices to servers B1 and B2, which have 1 and 2 seconds of latency, respectively. Server B1 replicates prices to servers C1 and C2, which have 2 seconds of latency each. Server B2 replicates prices to server C3 with 4 seconds of latency.

Assume an insider wants to buy a large number of a $20 item from his company, but he only wants to pay $10 each. If he knows about an upcoming price change for the item, say from $20 to $18, he could stage a false replication notice incorrectly listing the new sales price as $10, and send that notice to server C3 so that it arrives four seconds after the initial price change is initiated. Then he carefully times his purchase, from C3, before the correct replicated message is received two seconds later, overwriting the incorrect price and potentially removing evidence of the attack.

Coming up next: We'll discuss a third type of cloud-related insider threat, those that use cloud services to attack the organization itself.

More from CERT Insider Threat Center


View other blog posts by CERT Insider Threat Center.