Detecting ‘Multi-Stage’ Cloud Cyber-Attacks from the Start
The biggest cloud cyber-attacks grow from small, hardly noticeable beginnings. In what are called multi-stage intrusion attacks, hackers create a virtual machine in a public cloud and use it to penetrate the on-prem portion of a company’s hybrid cloud environment. Multi-stage intrusions are responsible for some of the most notorious cyber-attacks in the retail, banking and entertainment industries, such as those at VTech Holdings (digital toymaker), Citigroup and Sony.
A group of cybersecurity researchers are utilizing an experimental cloud computing test bed, called Chameleon and funded by the National Science Foundation, at the Texas Advanced Computing Center (TACC) at The University of Texas at Austin, and the Computational Institute at the University of Chicago to develop methods for detecting and containing cyber-attacks while still in the early stages.
The research on Chameleon, which went into full production in July 2015, is carried out by white hat hackers at the University of Arkansas at Pine Bluff (UAPB), North Carolina Agricultural & Technical State University (NCA&T), and Louisiana State University. They simulate attacks in the cloud and run open source intrusion detection and prevention software, such as Snort, that monitors networks for malicious activity, with the aim of detecting an intruder hiding in everyday network traffic – the first step in a multi-stage attack. The group’s goal is to reengineer intrusion detection systems by creating new pre-defined rules based on the researchers’ study of sophisticated attack techniques. The new rules will then become open source items in the Snort repository.
“The one thing we’re seeing especially is the ‘virtual machine attack,’” Dr. Jessie Walker, associate professor of computer science at UAPB and cyber-security project co-PI, told EnterpriseTech. “Companies assume that data is siloed in the cloud and that on-premises data is removed from everyone else’s even though it’s connected to a public cloud. They don’t understand the smart hacker can get the same cloud storage you’re using (on a public cloud), and then they have a virus or a worm there and find other ways to attack.”
The x86-based Chameleon cluster at TACC and the University of Chicago will consist of 650 nodes with 5 petabytes of storage and a 100Gbps network. The test bed environment provides virtualization technologies that assess the reliability, security and performance of cloud computing. According to Dan Stanzione, executive director at TACC and Chameleon co-investigator, Chameleon is adaptable, designed to support a variety of cloud research methods and architectures, enabling researchers to mix-and-match hardware, software and networking components and test their performance.
The project, led by minority graduate students, gives them real-world cloud security problems to work on. "One of the important components of our education experience is exposing our students early on to show them the education they're gaining is not just theoretical, but has practical value to people's everyday lives," Walker said.
Initially, UAPB and NCA&T created their own cloud computing ecosystems between the two universities, an approach that slowed their progress. "We had to buy equipment, set it up, and train students to maintain it, which is very time consuming and tedious as far as the infrastructure requirements for our campuses are concerned," Walker said. “Students are transitory. Once we had trained them, another set of new students came in.”
So Walker and his team turned to Chameleon to set up virtual machines to simulate attacks in the cloud coupled with intrusion detection systems and Kibana, open source software for charting network traffic. He explained that hackers executing virtual machine attacks begin by setting up a VM in Azure, AWS or other public cloud and move into private clouds, and sensitive data, from there.
“Traditional security is not what we’re talking about – the typical thing of hacking in and trying to guess passwords, or isolation of users making sure they don’t get access to HR information,” Walker said. “We’re talking about multi-stage attacks where people build up to larger-scale attacks, that hasn’t really been addressed. They start with a VM in the cloud, they’re outside but inside at the same time. The whole point of getting that virtual space is to attack other nodes in that cloud system, which a lot of companies overlook because it’s off-premises and managed by someone else. The hacker’s been floating around for a long time before they make their attack. Inside threats of that kind have been ignored to a large extent.”
By beginning with small-scale penetration testing, hackers stay below the detection radar, stealing small amounts of data in preparation for a full-scale attack.
“Each day, someone is testing the waters, penetrating, testing ports, testing to see how far they can go,” he said. “Then, all of a sudden, the big attack happens.”
The new detection rules under development by the researchers are based on a cyber-security artificial intelligence technique called plan recognition: recognizing the small start to a larger plan. The researchers are analyzing attacks guided by three main questions: 1) how vulnerable is a cloud infrastructure to an attack from the outside; 2) how vulnerable is it to attacks from the inside (virtual machine to virtual machine); and 3) what happens when both of these situations happen simultaneously.
The team has published several papers and presented their findings at conferences around the world, such as the International Conference of Management of Computational and Collective Intelligence and Digital EcoSystems (MEDES) in Brazil. It plans to complete its research by the end of the year.