Chapter 2 - 07 - Understand IoT, OT, and Cloud Attacks - 03
Certified Cybersecurity Technician - Information Security Attacks - Exam 212-82

Cloud-specific Attacks

Most organizations adopt cloud technology because it reduces the cost via optimized and efficient computing. Robust cloud technology offers different types of services to end-users; however, many people are concerned about critical cloud security risks and threats, which attackers may take advantage of to compromise data security, gain illegal access to networks, etc. This section covers cloud-based attacks such as man-in-the-cloud attacks, cloud hopper attacks, and cloud cryptojacking.

Module 02 Page 370 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Cloud-based vs. On-premises Attacks

Organizations and security professionals who decide to shift their IT infrastructure from on-premises to the cloud need to assess the security risks and benefits before deploying cloud services.

* Cloud is not always the solution

Some organizations believe that cloud is the best solution for efficient cyber threat management. Although cloud services provide a comprehensive security strategy for organizations, they still include inherent weaknesses that make them less preferable for organizations that require complete protection.

* Cloud-based security reduces cost but increases risk

Organizations utilizing cloud-based security are not required to maintain dedicated security infrastructure and data centers, as all these facilities are provided by the third-party cloud provider. In other words, on-premises-based security can burden the organization by adding the cost of data centers and infrastructure to its expenses.

* Probability of redirection risks

Although forwarding potentially malicious network traffic away from on-premises infrastructure has benefits, it still has some implications that require consideration. Always-on cloud services require the full-time redirection and monitoring of traffic from a remote security center. This type of redirection can increase the network latency and degrade the performance of the applications used by end customers. For the efficient management of application infrastructure, many applications expect minimal latency. Therefore, organizations that use always-on and cloud-only cyber security protection must assess risks such as the risk of a targeted attack on a growing customer base that can compromise the security of all customers. Organizations that leverage both cloud-based and on-premises infrastructure do not have such types of risks and can easily detect evolving threats and attacks without switching the traffic between on-premises and cloud infrastructure.

* Lower detection capability in the cloud

For organizations that need cloud services providing cyber-attack protection, speed and accuracy in detection are major considerations. Many cloud-based security solutions advertise that they are very efficient in detecting various attack vectors and can further identify and isolate malicious traffic from legitimate traffic efficiently.
However, these security solutions detect attacks by monitoring network traffic using network monitoring tools that detect malicious traffic based on specific traffic patterns and thresholds, instead of performing deep packet inspection to identify malicious behaviors that lead to an attack.

* On-premises security increases productivity and availability

Organizations maintaining cyber-security teams on-premises can ensure the security of all the resources round the clock. These teams can conduct frequent security checks on the IT infrastructure. Conversely, on-premises security can result in additional maintenance and equipment costs.

* Lack of on-premises infrastructure reduces cloud view

Many cloud solutions redirect traffic from target resources to a security center for identifying malicious traffic and implementing mitigation strategies. This processing increases the latency and reduces the speed of mitigation. Alternatively, hybrid solutions that utilize both on-premises infrastructure and cloud resources have the benefit of advanced attack visibility.

Side-Channel Attacks or Cross-guest VM Breaches

Attackers can compromise the cloud by placing a malicious virtual machine near a target cloud server and then launching a side-channel attack. The figure below shows how an attacker can compromise the cloud by placing a malicious VM near a target cloud server. The attacker runs the VM on the same physical host as the target VM and takes advantage of the shared physical resources (processor cache). Then, the attacker launches side-channel attacks (timing attack, data remanence, acoustic cryptanalysis, power monitoring attack, and differential fault analysis) to extract cryptographic keys/plain text secrets to steal the victim's credentials. Side-channel attacks can be implemented by any co-resident user and are mainly related to vulnerabilities in shared technology resources. Finally, the attacker uses the stolen credentials to impersonate the victim.

Figure 2.73: Example of Side-Channel attacks (multi-tenant cloud; attacker's VM and victim's VM on one host; attacker steals the victim's credentials and impersonates the victim)
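The timing attack listed above works because the time a secret comparison takes depends on how many leading bytes of the guess are correct. The following added example (not part of the EC-Council course material; all names are constructed) makes that leak visible by counting the bytes each comparison examines instead of measuring noisy wall-clock time, and shows the constant-time comparison that removes it.

```python
# Added example, not from the course: a leaky comparison beside its
# constant-time replacement. We count bytes examined rather than timing,
# because that count is exactly what a timing side channel reveals.

def naive_compare(secret, guess):
    """Byte-by-byte compare that stops at the first mismatch.
    Returns (equal, bytes_examined). The work done depends on how many
    leading bytes of the guess are right: that is the leak."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:
            return False, examined
    return True, examined


def constant_time_compare(secret, guess):
    """Examines every byte no matter where the first mismatch is, so the
    work (and therefore the timing) is independent of the secret.
    Returns (equal, bytes_examined).
    In production use hmac.compare_digest() rather than hand-rolling this."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    for s, g in zip(secret, guess):
        diff |= s ^ g          # accumulate differences without branching
    return diff == 0, len(secret)


def leak_profile(compare, secret, guesses):
    """Bytes examined per guess. A profile that varies with the guess means
    the comparison leaks information about the secret through its timing."""
    return [compare(secret, g)[1] for g in guesses]


# Constructed sample: a 4-byte secret and guesses that share 0..4 correct
# leading bytes with it.
SECRET = b"k3y!"
GUESSES = [b"zzzz", b"kzzz", b"k3zz", b"k3yz", b"k3y!"]

if __name__ == "__main__":
    print("naive:        ", leak_profile(naive_compare, SECRET, GUESSES))
    print("constant-time:", leak_profile(constant_time_compare, SECRET, GUESSES))
```

The naive profile climbs with each correct leading byte, which is what lets a co-resident attacker recover a secret one byte at a time; the constant-time profile is flat.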
Man-in-the-Cloud (MITC) Attack

MITC attacks are an advanced version of man-in-the-middle (MITM) attacks. In MITM attacks, an attacker uses an exploit that intercepts and manipulates the communication between two parties, while MITC attacks are carried out by abusing cloud file synchronization services, such as Google Drive or Dropbox, for data compromise, command and control (C&C), data exfiltration, and remote access. Synchronization tokens are used for application authentication in the cloud but cannot distinguish malicious traffic from normal traffic. Attackers abuse this weakness in cloud accounts to perform MITC attacks.

Figure 2.74: Example of Man-in-the-Cloud attacks

As shown in the figure, the attacker tricks the victim into installing a malicious code that plants the attacker's synchronization token on the victim's drive. Then, the attacker steals the victim's synchronization token and uses it to gain access to the victim's files. Later, the attacker restores the malicious token with the original synchronized token of the victim, returning the Drive application to its original state and staying undetected.
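Because the sync service itself cannot tell the stolen token's traffic from the victim's, detection has to come from the audit trail. The following added example (not from the course; the log format, field names and values are constructed assumptions) runs two checks over sync-service audit lines that correspond to the steps above: the victim's token appearing from a second device, and the victim's device switching between tokens while the planted token is in place.

```python
# Added example, not from the course: MITC detection over constructed
# sync-service audit log lines. Field names and format are assumptions.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"(?P<ts>\S+) account=(?P<account>\S+) token=(?P<token>\S+) "
    r"device=(?P<device>\S+) ip=(?P<ip>\S+)"
)


def parse(lines):
    """Yield a dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect_mitc(lines):
    """Return a sorted list of alert strings.
    Signal 1: one sync token used from more than one device (the stolen
              victim token replayed from the attacker's machine).
    Signal 2: one device switching between sync tokens (the victim's client
              re-pointed at the planted token, then restored)."""
    devices_by_token = defaultdict(set)
    tokens_by_device = defaultdict(set)
    for ev in parse(lines):
        devices_by_token[ev["token"]].add(ev["device"])
        tokens_by_device[ev["device"]].add(ev["token"])
    alerts = []
    for token, devs in devices_by_token.items():
        if len(devs) > 1:
            alerts.append(f"token {token} used from devices {sorted(devs)}")
    for dev, toks in tokens_by_device.items():
        if len(toks) > 1:
            alerts.append(f"device {dev} switched between tokens {sorted(toks)}")
    return sorted(alerts)


# Constructed sample: LAPTOP-01 normally syncs with tok-victim; it then syncs
# once with the planted tok-attacker, tok-victim shows up from an unknown host
# (the stolen token in use), and finally the original token is restored.
SAMPLE_LOG = [
    "2024-03-01T09:00:00Z account=victim token=tok-victim device=LAPTOP-01 ip=10.0.0.5",
    "2024-03-01T09:05:00Z account=attacker token=tok-attacker device=LAPTOP-01 ip=10.0.0.5",
    "2024-03-01T09:07:00Z account=victim token=tok-victim device=UNKNOWN-HOST ip=203.0.113.9",
    "2024-03-01T09:30:00Z account=victim token=tok-victim device=LAPTOP-01 ip=10.0.0.5",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for alert in detect_mitc(SAMPLE_LOG):
        print("ALERT:", alert)
```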