The news broke earlier today that a Seattle-based miscreant and former AWS employee compromised millions of CapitalOne credit applications.
Reading between the lines of the court filing, it appears that the attack vector was the compromise of a server due to a firewall misconfiguration. From there, ephemeral AWS credentials were extracted from the instance role (usually rotated every hour, with a 6-hour validity lifetime), then used to raid a bunch of S3 buckets belonging to CapitalOne, all back on April 21st. On July 17th someone emailed CapitalOne and sparked an investigation. Today, twelve days later, an arrest was made.
What did CapitalOne get right?
- They didn’t ignore the report to their responsible disclosure email address.
- They didn’t bury this and wait for an iPhone keynote or something else to eclipse it during a news cycle.
- They announced this today–twelve days after their first notification. For enterprise businesses such as “large banks” that’s underwear-on-outside-the-pants quick.
- They didn’t screw up their S3 bucket permissions!
What did CapitalOne get wrong?
- No heuristic flagged the exfiltration. When a credential set starts behaving atypically (and yes, scanning all of the S3 buckets and then looting them systematically should count as atypical), that should flag something somewhere for review. Amazon Macie itself claims to be able to do just this, though its pricing means it’s a bit out of reach for many shops. That may seem a bit above and beyond for most environments. I agree, but counter with “most environments aren’t a large bank.”
- The weakness identified was “a misconfigured firewall.” That’s obviously not a full Cause of Error report, but if a single firewall misconfiguration can cause an issue like this, there are other systemic issues at play.
- They didn’t restrict access to the S3 buckets containing highly sensitive information to known IP ranges.
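To make the first "got wrong" point concrete, here is an added example (mine, not CapitalOne's or AWS's tooling) of the kind of heuristic that would have flagged the exfiltration: run over CloudTrail-style S3 data events, it picks out any credential that reads from more than a handful of distinct buckets inside a sliding window, and records whether a `ListBuckets` call preceded the sweep. The events, access key IDs and bucket names are constructed for the example; the field layout follows CloudTrail's JSON, the values belong to nobody.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed access key IDs (placeholders, not real credentials).
APP_KEY = "ASIAAPPEXAMPLE0000001"      # an application role doing its normal job
SWEEP_KEY = "ASIASWEEPEXAMPLE00002"    # a role session that maps and then loots


def _event(time, name, key, bucket=None):
    """Build a minimal CloudTrail-shaped S3 event (constructed sample data)."""
    ev = {
        "eventTime": time,
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": "AssumedRole", "accessKeyId": key},
        "requestParameters": {},
    }
    if bucket is not None:
        ev["requestParameters"]["bucketName"] = bucket
    return ev


# Constructed sample trail: one well-behaved credential, one sweeping credential.
SAMPLE_EVENTS = [
    _event("2019-04-21T10:00:00Z", "GetObject", APP_KEY, "app-uploads"),
    _event("2019-04-21T10:05:00Z", "GetObject", APP_KEY, "app-uploads"),
    _event("2019-04-21T10:07:00Z", "PutObject", APP_KEY, "app-uploads"),
    _event("2019-04-21T11:00:00Z", "ListBuckets", SWEEP_KEY),
    _event("2019-04-21T11:01:00Z", "ListObjects", SWEEP_KEY, "customer-apps-2015"),
    _event("2019-04-21T11:02:00Z", "GetObject", SWEEP_KEY, "customer-apps-2015"),
    _event("2019-04-21T11:03:00Z", "GetObject", SWEEP_KEY, "customer-apps-2016"),
    _event("2019-04-21T11:04:00Z", "GetObject", SWEEP_KEY, "customer-apps-2017"),
    _event("2019-04-21T11:05:00Z", "GetObject", SWEEP_KEY, "hr-exports"),
]

# S3 API calls that read data or enumerate keys inside a bucket.
READ_EVENTS = {"GetObject", "ListObjects", "ListObjectsV2"}


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_bucket_sweeps(events, max_buckets=2, window=timedelta(hours=1)):
    """Return {accessKeyId: {"buckets": [...], "enumerated": bool}} for every
    credential that read from more than max_buckets distinct buckets within
    one sliding window. "enumerated" is True when the same credential also
    called ListBuckets anywhere in the trail, i.e. it mapped before it read."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[ev["userIdentity"]["accessKeyId"]].append(ev)

    flagged = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: _parse(e["eventTime"]))
        reads = [(_parse(e["eventTime"]), e["requestParameters"]["bucketName"])
                 for e in evs if e["eventName"] in READ_EVENTS]
        enumerated = any(e["eventName"] == "ListBuckets" for e in evs)

        # Slide a time window over the ordered reads and count distinct buckets.
        start = 0
        for end in range(len(reads)):
            while reads[end][0] - reads[start][0] > window:
                start += 1
            buckets = {b for _, b in reads[start:end + 1]}
            if len(buckets) > max_buckets:
                flagged[key] = {"buckets": sorted(buckets), "enumerated": enumerated}
                break  # one alert per credential is enough
    return flagged


if __name__ == "__main__":
    for key, detail in flag_bucket_sweeps(SAMPLE_EVENTS).items():
        print(f"ALERT {key}: {len(detail['buckets'])} buckets, "
              f"enumerated first = {detail['enumerated']}")
```

The threshold of two buckets is deliberately low for the toy data; in practice you would set it per role from a baseline of what that role normally touches, which is exactly the "atypical for this credential" judgement the bullet above is asking for. The same shape works against CloudTrail delivered to S3 or Athena, provided S3 data events are actually turned on for the sensitive buckets (they are off by default).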
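And for the last bullet, an added example (again mine, not CapitalOne's) of what "restrict access to known IP ranges" looks like as an S3 bucket policy: an explicit Deny on anything that does not arrive from a trusted CIDR via `aws:SourceIp` or, optionally, from an allowed VPC endpoint via `aws:sourceVpce`. Because an explicit Deny beats every Allow, credentials lifted off an instance role are useless from anywhere outside those networks. The bucket name, CIDRs (RFC 5737 test ranges) and endpoint ID are constructed placeholders, and the evaluator at the bottom is a deliberately simplified stand-in for the IAM policy engine, covering only the two condition operators the policy uses.

```python
import ipaddress
import json

# Constructed placeholders for the example.
BUCKET = "example-sensitive-applications"
TRUSTED_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]   # office egress ranges
TRUSTED_VPCE = ["vpce-0example0000000001"]              # the app's S3 gateway endpoint


def ip_restricted_bucket_policy(bucket, trusted_cidrs, vpce_ids=()):
    """Bucket policy with one explicit Deny: block every S3 action on the bucket
    unless the request comes from a trusted CIDR or (if given) an allowed VPC
    endpoint. All condition blocks must match for the Deny to fire, so a
    request is denied only when it is from neither. The weak setting this
    corrects is simply the absence of any such statement."""
    deny = {
        "Sid": "DenyOutsideTrustedNetworks",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"NotIpAddress": {"aws:SourceIp": list(trusted_cidrs)}},
    }
    if vpce_ids:
        deny["Condition"]["StringNotEquals"] = {"aws:sourceVpce": list(vpce_ids)}
    return {"Version": "2012-10-17", "Statement": [deny]}


def request_denied(policy, source_ip, source_vpce=None):
    """Simplified evaluation of the Deny statements in `policy`: True when a
    request from `source_ip` (and optional VPC endpoint) is blocked. Only the
    NotIpAddress / StringNotEquals operators used above are understood; the
    real IAM engine does far more (identity policies, Allow statements, SCPs)."""
    ip = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        cond = stmt.get("Condition", {})
        matches = True
        if "NotIpAddress" in cond:
            cidrs = cond["NotIpAddress"]["aws:SourceIp"]
            matches &= not any(ip in ipaddress.ip_network(c) for c in cidrs)
        if "StringNotEquals" in cond:
            allowed = cond["StringNotEquals"]["aws:sourceVpce"]
            matches &= source_vpce not in allowed
        if matches:
            return True
    return False


if __name__ == "__main__":
    policy = ip_restricted_bucket_policy(BUCKET, TRUSTED_CIDRS, TRUSTED_VPCE)
    print(json.dumps(policy, indent=2))
    for ip, vpce in [("203.0.113.25", None), ("192.0.2.77", None),
                     ("10.0.0.5", TRUSTED_VPCE[0]), ("10.0.0.5", None)]:
        print(ip, vpce, "DENIED" if request_denied(policy, ip, vpce) else "allowed")
```

The VPC endpoint branch is the part people forget: without it, the policy also locks out the application's own instances, which reach S3 from private addresses rather than the office ranges. Test a policy like this against a copy of the bucket before attaching it to the real one, because a Deny with `Principal: "*"` applies to the account's administrators too.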
What’s the takeaway here? I don’t fault CapitalOne for their response; this stuff is hard. I further don’t fault AWS for hiring someone (years ago) with this kind of ethical vacuum; there’s no reasonable interview that would detect these kinds of things.
To be clear, this isn’t to blame CapitalOne overtly, but to caution that cloud (while far more secure than on-prem would be in this use case) is far from a security panacea. You’ve gotta pay attention…