US20230247043A1 - Techniques for detecting cybersecurity vulnerabilities in a cloud based computing environment based on forensic analysis of cloud logs - Google Patents


Info

Publication number: US20230247043A1
Authority: US (United States)
Prior art keywords: cloud, action, entity, computing environment, failed
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: US18/060,763
Inventors: Ami Luttwak, Yinon Costica, Roy Reznik, George Pisha, Liran Moysi, Alon Schindel
Current assignee: Wiz Inc (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Wiz Inc
Events: application filed by Wiz Inc; priority to US18/060,763; assigned to Wiz, Inc. (assignment of assignors' interest; assignors: Pisha, George; Reznik, Roy; Costica, Yinon; Schindel, Alon; Luttwak, Ami; Moysi, Liran); publication of US20230247043A1; legal status pending

Classifications

    • All classes sit under H (Electricity) › H04 (Electric communication technique) › H04L (Transmission of digital information, e.g. telegraphic communication) › H04L 63/00 (Network architectures or network communication protocols for network security)
    • H04L 63/1433 Vulnerability analysis (under H04L 63/14, detecting or protecting against malicious traffic)
    • H04L 63/102 Entity profiles (under H04L 63/10, controlling access to devices or network resources)
    • H04L 63/1416 Event detection, e.g. attack signature detection (under H04L 63/1408, detecting or protecting against malicious traffic by monitoring network traffic)
    • H04L 63/1425 Traffic logging, e.g. anomaly detection (under H04L 63/1408)
    • H04L 63/1441 Countermeasures against malicious traffic (under H04L 63/14)

Definitions

  • the present disclosure relates generally to cloud computing, and more specifically to performing forensic analysis in a cloud computing environment.
  • Cloud computing technologies have made it possible to abstract away hardware considerations in a technology stack.
  • computing environments such as Amazon® Web Services (AWS), or Google Cloud Platform (GCP) allow a user to implement a wide variety of software and provide the relevant hardware, with the user only paying for what they need.
  • This shared provisioning has allowed resources to be better utilized, both for the owners of the resources, and for those who wish to execute software applications and services which require those resources.
  • An attack may be, for example, unauthorized access to sensitive information, such as information stored in a database. Attacks can be categorized based on severity, for example an attack that merely allows the attacker to see that a file exists on a workload is probably less severe than an attack which allows the attacker to view, or download, that same file.
  • Digital forensics, or cybersecurity forensics is a field of art which includes actions that attempt to identify what an attacker was able to accomplish in a computing environment which was attacked.
  • an individual who has knowledge of the computing environment will manually examine workloads to attempt to discover the extent of damage performed by an attacker, if at all such damage exists. This process requires specialized knowledge which is not easily transferable, and is labor intensive in terms of human hours.
  • Certain embodiments disclosed herein include a method for detecting an exploited vulnerable cloud entity.
  • the method comprises: detecting in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment; extracting from the cloud log an identifier of the cloud entity; traversing a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment; detecting a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and initiating a mitigation action for the workload based on the cybersecurity vulnerability.
  • Certain embodiments disclosed herein also include a non-transitory computer readable medium having stored thereon instructions causing a processing circuitry to execute a process, the process comprising: detecting in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment; extracting from the cloud log an identifier of the cloud entity; traversing a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment; detecting a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and initiating a mitigation action for the workload based on the cybersecurity vulnerability.
  • Certain embodiments disclosed herein also include a system for detecting an exploited vulnerable cloud entity.
  • the system comprises: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: detect in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment; extract from the cloud log an identifier of the cloud entity; traverse a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment; detect a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and initiate a mitigation action for the workload based on the cybersecurity vulnerability.
  • FIG. 1 is a network diagram utilized to describe the various disclosed embodiments.
  • FIG. 2 is a network log of a cloud based computing environment, in accordance with an embodiment.
  • FIG. 3 is a role log of a cloud based computing environment, in accordance with an embodiment.
  • FIG. 4 is another role log of a cloud based computing environment, in accordance with an embodiment.
  • FIG. 5 is security graph, implemented in accordance with an embodiment.
  • FIG. 6 is a flowchart of a method for generating a forensic analysis report based on a security graph, implemented in accordance with an embodiment.
  • FIG. 7 is a schematic diagram of a forensic analyzer according to an embodiment.
  • FIG. 8 is a flowchart of a method for detecting an exploited vulnerable cloud entity, implemented in accordance with an embodiment.
  • the various disclosed embodiments include a method and system for detecting an exploited cloud entity in a cloud computing environment based on utilizing a cloud log and a security graph.
  • a cloud entity such as a principal, resource, and the like, is exploitable, for example by exploiting a vulnerability, misconfiguration, and the like. It is advantageous to detect, in as little time as possible, when an exploitable cloud entity becomes an exploited cloud entity. Exploiting a cloud entity, e.g., encrypting a database with ransomware, deploying cryptominers, and the like, utilizes cloud resources over time and takes time to accomplish. Therefore, the faster such exploits are detected, the less time an attacker has to successfully deploy their attack. Further, reducing the time an attack happens also reduces the impact of the attack on the target system.
  • a cloud log is searched to detect a failed action.
  • a plurality of failed actions are detected as a series of events.
  • a failed action includes a record extracted from the cloud log, according to an embodiment.
  • a record includes data describing a failed action, such as communication attempt between a workload in the cloud computing environment and a public network, an attempt to change permissions of a user account, initiation of a privilege escalation, and the like.
  • communication between a workload and a public network includes, in an embodiment, a source identifier, a destination identifier, a number of packets transmitted, and the like.
  • the system is configured to extract from a record of a failed action an identifier of a cloud entity, such as a resource (e.g., workload), principal (e.g., user account), and the like.
  • a query is generated for a security graph based on the identifier, to detect in the security graph a node representing the cloud entity.
  • the security graph includes a representation of the cloud computing environment. The security graph is traversed to detect additional nodes connected to a node representing the cloud entity. For example, the node representing the cloud entity is connected, in an embodiment, to a node representing a cybersecurity issue, a node representing a secret, and the like.
  • a node representing a cloud entity is connected to a node representing a cybersecurity issue to indicate that the cloud entity includes the cybersecurity issue.
  • a mitigation action is initiated in response to detecting the failed action on a cloud entity which has a cybersecurity issue.
  • the mitigation action is initiated in response to detecting that the cybersecurity issue node is connected to the cloud entity node. This indicates that the cloud entity has a cybersecurity issue, and based on the event detected in the cloud log, the cybersecurity issue has been exploited.
  • failed actions are not always isolated to a single record, action, and the like, in a cloud computing environment. Often a failed action is indicated as a cybersecurity breach in the context of a plurality of actions, for example when a plurality of actions are initiated in temporal proximity to each other. Where hundreds or thousands of records are generated each second, it is not practical or possible for a human to consistently apply objective criteria to determine what constitutes a failed action which indicates a cybersecurity exploitation based on a plurality of actions in a cloud environment.
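The method summarized above, carried through end to end as an added example (not code from the patent or from Wiz): failed events are read from a cloud log, the principal and resource identifiers are extracted, each identifier is looked up in a small security graph, and an entity that both carries a connected cybersecurity-issue node and is the subject of a plurality of failed actions gets a mitigation action. The graph, the log records, every identifier and the mitigation table are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed security graph (not the patent's schema): node id -> attributes,
# plus an undirected edge list. Every identifier here is made up for the example.
NODES = {
    "vm-114": {"kind": "resource", "type": "virtual_machine"},
    "fn-112": {"kind": "resource", "type": "serverless_function"},
    "user/alice": {"kind": "principal", "type": "user_account"},
    "internet": {"kind": "enrichment", "type": "public_network"},
    "vuln-1": {"kind": "cybersecurity_issue", "type": "vulnerability",
               "summary": "outdated software (constructed placeholder)"},
}
EDGES = [("vm-114", "vuln-1"), ("vm-114", "internet"), ("user/alice", "vm-114")]

# Constructed cloud log, one JSON record per row; the field names are this
# example's own, not a cloud provider's. Three failed actions hit vm-114.
CLOUD_LOG = "\n".join(json.dumps(r) for r in [
    {"time": "2023-01-10T09:00:01Z", "action": "assumeRole", "principal": "user/alice",
     "resource": "vm-114", "outcome": "failed", "reason": "insufficient permission"},
    {"time": "2023-01-10T09:00:04Z", "action": "assumeRole", "principal": "user/alice",
     "resource": "vm-114", "outcome": "failed", "reason": "insufficient permission"},
    {"time": "2023-01-10T09:00:09Z", "action": "readFile", "principal": "user/alice",
     "resource": "vm-114", "outcome": "failed", "reason": "insufficient permission"},
    {"time": "2023-01-10T09:01:00Z", "action": "invoke", "principal": "svc/deploy",
     "resource": "fn-112", "outcome": "failed", "reason": "insufficient permission"},
    {"time": "2023-01-10T09:02:00Z", "action": "invoke", "principal": "svc/deploy",
     "resource": "fn-112", "outcome": "success", "reason": ""},
])

# Assumed mapping from the kind of exploited entity to a mitigation action.
MITIGATIONS = {
    "resource": "isolate the workload from the public network and remediate the issue",
    "principal": "revoke active sessions and rotate the principal's credentials",
}


def parse_log(text):
    """Read the cloud log into one dict per record."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def failed_events(records):
    """Keep only the events that correspond to a failed action."""
    return [r for r in records if r.get("outcome") == "failed"]


def extract_identifiers(record):
    """Identifiers of the cloud entities an event refers to (principal and resource)."""
    return {record[key] for key in ("principal", "resource") if record.get(key)}


def neighbours(node_id):
    """Nodes joined to node_id by an edge, in either direction."""
    return [b if a == node_id else a for a, b in EDGES if node_id in (a, b)]


def connected_issues(node_id):
    """Cybersecurity-issue nodes directly connected to the entity's node."""
    return [n for n in neighbours(node_id) if NODES[n]["kind"] == "cybersecurity_issue"]


def analyze(text, min_events=2):
    """Map failed events to graph nodes; report entities that both carry an
    issue and are the subject of a plurality (>= min_events) of failed actions."""
    per_entity = defaultdict(list)
    for rec in failed_events(parse_log(text)):
        for ident in extract_identifiers(rec):
            per_entity[ident].append(rec)
    findings = []
    for ident, events in sorted(per_entity.items()):
        if len(events) < min_events or ident not in NODES:
            continue  # a single failure, or an identifier the graph does not know
        for issue in connected_issues(ident):
            findings.append({
                "entity": ident,
                "entity_type": NODES[ident]["type"],
                "issue": issue,
                "issue_summary": NODES[issue]["summary"],
                "failed_events": len(events),
                "first_seen": min(r["time"] for r in events),
                "mitigation": MITIGATIONS[NODES[ident]["kind"]],
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(CLOUD_LOG):
        print(json.dumps(finding, indent=2))
```

The principal user/alice also has three failed events but no issue node of its own, so only the vulnerable workload is reported; raising min_events suppresses the finding entirely.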
  • FIG. 1 shows an example network diagram 100 utilized to describe the various disclosed embodiments.
  • in the example network diagram 100, two cloud environments are shown for simplicity, though it should be readily apparent that different configurations may be utilized without departing from the scope of this disclosure.
  • a production environment 110 is implemented in a first cloud computing environment.
  • the first cloud computing environment is deployed on a cloud computing infrastructure in an embodiment, for example, Amazon® Web Services (AWS), Google® Cloud Platform (GCP), Microsoft® Azure, and the like.
  • the production environment 110 is implemented as a virtual private cloud (VPC), Virtual Network (VNet), and the like, according to an embodiment.
  • a production environment 110 is a cloud computing environment which is utilized as a computing environment from which an organization operates, provides services, and the like. An organization may utilize multiple such cloud computing environments (e.g., an AWS environment, an Azure environment, etc.).
  • a production environment 110 has a corresponding staging environment, which in an embodiment is substantially identical to the production environment 110 , but is used for testing purposes in order to test services, workloads, policies, and the like, before implementing them in a production environment.
  • the production environment 110 includes a plurality of cloud entities.
  • a cloud entity is a resource, a principal, and the like.
  • a resource is a cloud entity which is configured to perform an action in the cloud computing environment, provide access to a service, provide access to a hardware resource, a combination thereof, and the like.
  • a resource is a workload, such as a serverless function 112 , a virtual machine 114 , and a container cluster 116 .
  • the production environment 110 includes a plurality of each of a different resource type, in some embodiments.
  • a serverless function 112 is, for example, Amazon® Lambda.
  • a virtual machine 114 is, for example, Oracle® VirtualBox, according to an embodiment.
  • a container cluster 116 is implemented utilizing a Kubernetes® Engine, a Docker® Engine, and the like.
  • the production environment 110 further includes principals (not shown).
  • a principal is a cloud entity which is authorized to perform actions on a resource, initiate an action in a cloud computing environment, a combination thereof, and the like.
  • a resource is also a principal, for example when operating on another resource.
  • a principal is, for example, a user account, a service account, a role, and the like.
  • a workload in the production environment 110 generates activity which is logged in a network log 118 .
  • the network log 118 is implemented as a file that contains events (also known as records), which correspond to actions by one or more applications. Events may be, for example, user calls to objects, process calls to objects, authentication attempts, and the like. An example network log is discussed in more detail in FIG. 2 below.
  • a network log 118 is a type of cloud log.
  • the network log 118 is generated by a service executed by, for example the serverless function 112 .
  • the service is configured to monitor a workload in the production environment 110 and write events to the network log 118 .
  • the service is configured to write events to the network log 118 based on a predefined data schema.
  • the production environment 110 is communicatively coupled with a public network 120 , such as the Internet, and a security environment 130 .
  • the security environment 130 is implemented as a VPC deployed on a cloud computing infrastructure, such as AWS.
  • the production environment 110 and the security environment 130 are implemented using the same cloud computing infrastructure, different cloud computing infrastructures, combinations thereof, and the like.
  • the security environment 130 includes a forensic analyzer 132 , and a security graph 134 .
  • the security graph 134 is discussed in more detail with respect to FIG. 3 below, which is an example of a portion of a security graph.
  • the security graph 134 is implemented on a graph database, such as Neo4j®.
  • the security graph 134 includes a representation of a production environment 110 . For example, principals, resources, and the like, are represented as nodes on the security graph 134 .
  • the security graph 134 further includes enrichment nodes, such as a node indicating a vulnerability, a node indicating access to a public network, and the like.
  • the security environment 130 further includes a plurality of inspectors (not shown).
  • each inspector is configured to detect a cybersecurity object.
  • a cybersecurity object is, in an embodiment, a secret, a weak password, a certificate, a vulnerability, a misconfiguration, an exposure, a malware, a hash file, and the like.
  • the forensic analyzer 132 is implemented as a workload, such as a node in a container cluster.
  • the forensic analyzer 132 is configured to access cloud logs, network logs, and the like logs generated in a cloud computing environment. Examples of logs are discussed in more detail below.
  • the forensic analyzer 132 is further configured to access the security graph 134 .
  • providing access to a forensic analyzer 132 includes providing access to a service account associated with the forensic analyzer 132 .
  • a service account associated with a workload, such as the forensic analyzer 132 allows the forensic analyzer to assume a role in a cloud computing environment.
  • permission to access a log, and the like, in a cloud computing environment is provided to a service account which is associated with the forensic analyzer 132 .
  • the forensic analyzer 132 is configured to generate a forensic report.
  • the forensic report is based on a cloud log, a network log, the security graph, a combination thereof, and the like.
  • the forensic report includes, for example, portions extracted from a cloud log, a network log, and the like, wherein the extracted portions each correspond to a node of the security graph 134 .
  • An example of a method for generating a forensic report is described in more detail below with respect to FIG. 4 .
  • FIG. 2 is an example of a network log 200 of a cloud based computing environment, utilized to describe an embodiment.
  • a network log 200 is a type of cloud log that includes, in an embodiment, a plurality of events, each event recorded as a row in the log.
  • an event includes a plurality of data fields and their values.
  • a data field is, for example, an account identifier, an interface identifier, a source address, a destination address (for network messages), a port, a protocol, a number of bytes transferred, a number of packets transferred, an action (e.g., accept, reject, etc.), and the like.
  • FIG. 3 is an example of a role log 300 of a cloud-based computing environment, in accordance with an embodiment.
  • the role log 300 includes events which are associated with user accounts.
  • a first record 310 includes an event by which a new user account was created.
  • the first record 310 includes a plurality of data fields which are unique to the event.
  • the event has an event name 320 , which indicates that the event is related to creating a user account, at an event time 322 .
  • Other identifiers, such as the username 324 of the created user account are also recorded.
  • FIG. 4 is another example of a role log 400 of a cloud-based computing environment, in accordance with an embodiment.
  • the role log 400 includes a second record 410 , which indicates that a user Alice (of FIG. 3 above) which previously (based on the event time 412 ) created a user account Bob, added the user account Bob to an Admin group.
  • the event name 420 indicates that the user account 422 was added to an admin group. Adding administrator accounts is not common, and if it is performed through a machine that may include a vulnerability, as explained herein, this may be an indication that the new administrator-level account is in fact an exploitation.
  • FIG. 5 is an example of a security graph 500 , implemented in accordance with an embodiment.
  • a security graph 500 may represent a cloud computing environment, such as the production environment 110 of FIG. 1 above, in a graph database, according to a predefined data schema.
  • a cloud computing environment may be represented in a graph by mapping resources, principals, enrichments, and the like, to nodes in the security graph 500 .
  • a resource node may represent a resource, such as a workload.
  • a principal node may represent a user account, service account, role, and the like.
  • An enrichment node may represent an endpoint, such as a public network (e.g., the Internet), a vulnerability, and other attributes of a workload, for example.
  • An enrichment node 510 represents internet access, such that any node which is connected (e.g. by an edge) to the enrichment node 510 , is configured to access the internet.
  • a resource node 520 represents a gateway workload, which may be implemented for example as a node in a container cluster.
  • a second resource node 530 represents a load balancer workload, which is connected by an edge to the resource node 520 representing the gateway, and a network interface node 540 .
  • the network interface node 540 is connected to a resource node 550 which represents a virtual machine, such as virtual machine 114 of FIG. 1 .
  • the virtual machine 114 may include, for example, an operating system represented by OS node 542 , an application which is executed on the OS of the virtual machine, represented by application node 544 , a user account node 546 which represents a user account which is tied to the virtual machine 114 , and a vulnerability node 548 , which represents a vulnerability which was detected as being present on, or pertaining to, the virtual machine 114 .
  • a vulnerability may be, for example, an outdated software, a specific open port, a user account with high permissions, and any combination thereof.
  • FIG. 6 is an example flowchart 600 of a method for generating a forensic analysis report based on a security graph, implemented in accordance with an embodiment.
  • a cloud entity selection is received.
  • a cloud entity may be, for example, a workload type (e.g. VM, container, serverless function, etc.), an application type (e.g. software application, appliance, OS, gateway, load balancer, etc.), a principal (e.g. user account, service account, etc.), enrichment, vulnerability, and the like.
  • a cloud entity selection may be received through a user interface. For example, a user may select one or more cloud entities from a predetermined list, and may further select a relationship between the cloud entities.
  • a user may indicate a selection of a virtual machine (workload type) that runs (relationship) a first application (application type) and has (relationship) a user account (principal) with (relationship) certain privileges and is connected to the internet (enrichment).
  • a threat is determined for the cloud entity based on the security graph.
  • a threat may be, for example, a vulnerability, misconfiguration, exploitation, and the like.
  • a misconfiguration may be, for example, a database which is not password protected, and should be password protected.
  • a forensic analyzer may receive the cloud entity selection, and query a security graph to detect nodes which match the selected cloud entity.
  • a vulnerability on a workload for example, is not necessarily exploited, or even exploitable.
  • a workload may have a vulnerability which allows broad access, however if the workload is determined not to be accessible to an external network, then the vulnerability is not exploitable. It is therefore beneficial to reference cloud logs to further detect if a vulnerability was exploited.
  • a cloud log is inspected to detect events based on the selected cloud entity and the determined vulnerability.
  • a cloud log may be, for example, a network log, and a role log.
  • a plurality of cloud logs are inspected.
  • a forensic analyzer workload is configured to inspect a cloud log, based on data from a security graph.
  • the forensic analyzer 132 of FIG. 1 is configured to query a security graph based on a received cloud entity selection, and is further configured to receive a node identifier, node attributes, identifiers of enrichment nodes connected to the cloud entity, and the like.
  • Node attributes may be data field values, such as unique identifier, IP address, workload type, user account name, authentication status, and the like.
  • the forensic analyzer may extract from an output received from the security graph values of the data fields, and perform a search on a cloud log for the extracted values. An event is detected when a match is generated between a data field value of the event, and a value extracted from an output of the security graph query.
  • a forensic analysis output is generated.
  • the forensic analysis output includes at least a portion of the cloud log, having the detected events.
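The FIG. 6 direction, from a cloud entity selection to a forensic output, as an added example that is not the patent's or Wiz's code: the selection is matched against a small security graph, the threats and the data-field values (node id, IP address, user name) are extracted from the matching node and its neighbours, and a network log and a role log are searched for those values. The graph, both logs, the field layout and every identifier are constructed for the example.

```python
import json

# Constructed security graph (not the patent's schema). Node attributes hold the
# data-field values the analyzer extracts (IP address, user name); the ids are
# made up but reuse the reference numerals of FIG. 5 for readability.
GRAPH_NODES = {
    "vm-550": {"type": "virtual_machine", "ip": "10.0.1.5"},
    "vm-551": {"type": "virtual_machine", "ip": "10.0.1.6"},
    "app-544": {"type": "software_application"},
    "user-546": {"type": "user_account", "user_name": "alice"},
    "internet-510": {"type": "public_network"},
    "vuln-548": {"type": "vulnerability"},
}
GRAPH_EDGES = [("vm-550", "app-544"), ("vm-550", "user-546"), ("vm-550", "internet-510"),
               ("vm-550", "vuln-548"), ("vm-551", "app-544")]

# Constructed network log, one event per row, fields as in NETWORK_FIELDS
# (a flow-log-like layout of this example, not any provider's format).
NETWORK_FIELDS = ["account", "interface", "src", "dst", "dstport",
                  "protocol", "packets", "bytes", "action"]
NETWORK_LOG = """\
123456 eni-1 203.0.113.9 10.0.1.5 22 6 14 1680 REJECT
123456 eni-1 203.0.113.9 10.0.1.5 22 6 40 5200 ACCEPT
123456 eni-2 10.0.1.6 10.0.2.7 443 6 9 900 ACCEPT
"""

# Constructed role log shaped like the CreateUser / AddUserToGroup records of FIG. 3 and 4.
ROLE_LOG = "\n".join(json.dumps(r) for r in [
    {"eventTime": "2023-01-10T08:55:00Z", "eventName": "CreateUser", "userName": "alice",
     "requestParameters": {"userName": "bob"}},
    {"eventTime": "2023-01-10T08:57:00Z", "eventName": "AddUserToGroup", "userName": "alice",
     "requestParameters": {"userName": "bob", "groupName": "Admin"}},
    {"eventTime": "2023-01-10T09:10:00Z", "eventName": "ConsoleLogin", "userName": "carol"},
])

# A selection as a user would make it: a VM that has a user account,
# is connected to the internet and carries a vulnerability.
SELECTION = {"type": "virtual_machine",
             "connected_to": ["user_account", "public_network", "vulnerability"]}


def parse_network_log(text):
    """One dict per row; all fields are kept as strings for value matching."""
    return [dict(zip(NETWORK_FIELDS, line.split()))
            for line in text.splitlines() if line.strip()]


def parse_role_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def neighbours(node_id):
    return [b if a == node_id else a for a, b in GRAPH_EDGES if node_id in (a, b)]


def select_entities(selection):
    """Nodes of the selected type whose neighbours cover every requested relationship."""
    hits = []
    for node_id, attrs in GRAPH_NODES.items():
        neighbour_types = {GRAPH_NODES[n]["type"] for n in neighbours(node_id)}
        if attrs["type"] == selection["type"] and set(selection["connected_to"]) <= neighbour_types:
            hits.append(node_id)
    return hits


def threats(node_id):
    """Threat enrichment nodes (vulnerability, misconfiguration) connected to the entity."""
    return [n for n in neighbours(node_id)
            if GRAPH_NODES[n]["type"] in ("vulnerability", "misconfiguration")]


def extract_values(node_id):
    """Values to search for: the node id plus the IP and user-name attributes
    of the node and of its neighbours."""
    values = {node_id}
    for n in [node_id] + neighbours(node_id):
        values.update(v for k, v in GRAPH_NODES[n].items() if k in ("ip", "user_name"))
    return values


def string_values(obj):
    """All string leaves of a possibly nested record."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from string_values(v)
    elif isinstance(obj, str):
        yield obj


def search_log(records, values):
    """An event is detected when any of its data-field values matches an extracted value."""
    return [r for r in records if values & set(string_values(r))]


def forensic_output(selection):
    """Matching entities, their threats, and the log portions that mention them."""
    entities = select_entities(selection)
    values = set().union(*(extract_values(e) for e in entities))
    return {
        "entities": entities,
        "threats": sorted(t for e in entities for t in threats(e)),
        "search_values": sorted(values),
        "network_events": search_log(parse_network_log(NETWORK_LOG), values),
        "role_events": search_log(parse_role_log(ROLE_LOG), values),
    }
```

The nested requestParameters of the role log are searched too, so a value that appears only inside a sub-structure still produces a match.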
  • FIG. 7 is an example schematic diagram of a forensic analyzer 700 according to an embodiment.
  • the forensic analyzer 700 includes a processing circuitry 710 coupled to a memory 720 , a storage 730 , and a network interface 740 .
  • the components of the forensic analyzer 700 may be communicatively connected via a bus 750 .
  • the processing circuitry 710 may be realized as one or more hardware logic components and circuits.
  • illustrative types of hardware logic components include field programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), Application-specific standard products (ASSPs), system-on-a-chip systems (SOCs), graphics processing units (GPUs), tensor processing units (TPUs), general-purpose microprocessors, microcontrollers, digital signal processors (DSPs), and the like, or any other hardware logic components that can perform calculations or other manipulations of information.
  • the memory 720 may be volatile (e.g., random access memory, etc.), non-volatile (e.g., read only memory, flash memory, etc.), or a combination thereof.
  • software for implementing one or more embodiments disclosed herein may be stored in the storage 730 .
  • the memory 720 is configured to store such software.
  • Software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code). The instructions, when executed by the processing circuitry 710, cause the processing circuitry 710 to perform the various processes described herein.
  • the storage 730 may be magnetic storage, optical storage, and the like, and may be realized, for example, as flash memory or other memory technology, or any other medium which can be used to store the desired information.
  • the network interface 740 allows the forensic analyzer 700 to communicate with, for example, a security graph, a cloud environment, and the like.
  • the [other system] may be implemented with the architecture illustrated in FIG. 7 .
  • other architectures may be equally used without departing from the scope of the disclosed embodiments.
  • FIG. 8 is an example flowchart 800 of a method for detecting an exploited vulnerable cloud entity, implemented in accordance with an embodiment.
  • Cybersecurity defense benefits from detecting exploitable cloud entities, such as workloads (e.g., workloads that can be exploited through an exposure, misconfiguration, vulnerability and the like) and exploited cloud entities (e.g., workloads which have already been exploited). Detection of exploited workloads is desirable to occur as soon as possible, as the longer a workload is exploited the more opportunity a hacker has, for example, to do harm, subvert system resources, cause financial damage, steal data, and the like.
  • a principal is, for example, a user account, a service account, a role, and the like, according to an embodiment.
  • a resource is, in an embodiment, a workload (e.g., such as explained above), a managed resource, a bucket, a database, and the like.
  • a plurality of events are detected in a cloud log.
  • the cloud log is a log generated in a cloud computing environment.
  • the cloud log includes a plurality of records, each record corresponding to an event.
  • a record is a data structure, which in an embodiment is a predetermined data structure which describes an event.
  • an event is, according to an embodiment, an action initiated in the cloud computing environment, a communication between a first workload and a second workload in the cloud computing environment, a communication between a first workload and an external component (e.g., through a public network such as the Internet), and the like.
  • each of the plurality of events corresponds to a data record, and the data records share a common attribute.
  • the common attribute is, in an embodiment, an action type (e.g., assumeRole), a workload identifier, a principal identifier, a workload type (e.g., virtual machine, container node, serverless function, etc.), a principal type (e.g., user account, service account, role, etc.), a network origin address, a network destination address, combinations thereof, and the like.
  • an event corresponds to a failed action.
  • a failed action is, for example, a failed access to a workload, a failed access to a file, a failed access to a folder, a failed access to a directory, a failed change in user account permissions, and the like.
  • a failed change in user account permissions is tagged as a failed “assumeRole” event, where a user account attempts to assume a role (i.e., a set of permissions) and does not succeed.
  • a failed action is an indication that a cybersecurity vulnerability is being exploited, that an attempt is being made to exploit the cybersecurity vulnerability, and the like. For example, where an attacker achieves control of a workload, user account, and the like, a typical next step is to increase the permissions of the user account (also known as privilege escalation). To do this the attacker initiates actions sequentially to see what works (i.e., what results in success), which leaves a trail of failed actions in the cloud log. Early detection of this pattern allows early mitigation, thereby reducing the damage of the attack.
  • the action failed because the principal had insufficient permission to initiate it.
  • a plurality of events are detected, where a first event corresponds to a failed action, and a second event corresponds to a successful action.
  • the failed action is an assumeRole of a first role having a first set of permissions
  • the successful action is an assumeRole of a second role having a second set of permissions.
  • a time threshold is utilized to determine if an amount of time elapsed between the failed action and the successful action is within a threshold.
  • the failed action is of a first type
  • the successful action is of a second type.
  • a failed action, a successful action, a combination thereof, and the like correspond to a predetermined action.
  • a failed assumeRole followed by a successful assumeRole is suspicious.
  • a failed access to a disk, followed by a failed assumeRole, followed by a successful assumeRole which all originate from a single user account is likewise suspicious activity.
  • a disk access, an assumed role, and the like are examples of a predetermined action, according to an embodiment.
  • a failed action is an action in a series of events, each event corresponding to a failed action, a successful action, and the like.
  • a series of events includes an event order, i.e., an order by which events occurred, for example based on a timestamp of a record, according to an embodiment.
  • a failed action, a successful action, and the like are any one of: deletion of a record, changing a permission of a principal account, changing a configuration of a resource, encrypting a database, deploying multiple workloads, deactivating multiple workloads, generating a secret, generating a certificate, generating a key, deleting a secret, deleting a certificate, deleting a key, exposing a resource to a public network, exfiltrating data, planting a malicious entity, initiating a privilege escalation, encrypting a record, assuming a role, a combination thereof, and the like.
  • an identifier of a workload is extracted from an event corresponding to a failed action.
  • extracting the identifier includes reading a cloud log, extracting an event record, parsing the event record, and detecting a predetermined record attribute.
  • the identifier of a workload is detected by parsing the event record and searching for a term “resourceID”.
  • access to the cloud log is provided prior to reading the cloud log. In certain embodiments, access to the cloud log is granted to a service account associated with an inspection environment.
  • a node is detected in a security graph corresponding to the workload.
  • the security graph includes a representation of the cloud computing environment in which the workload is deployed. Such a representation and an embodiment thereof is discussed in more detail herein.
  • the node is also referred to as a workload node.
  • detecting a node in the security graph includes generating a query which includes the workload identifier, and executing the query on a database management system of the graph database hosting the security graph.
  • a graph database is, in an embodiment, Neo4j®.
  • a cybersecurity issue node is detected.
  • the cybersecurity issue node represents a cybersecurity issue, such as a misconfiguration, an exposure, a threat, a vulnerability, a weak password, an exposed password, an out of date software version, and the like.
  • the cybersecurity issue node is connected to the workload node to indicate that the workload includes the cybersecurity issue, is susceptible to the cybersecurity issue, and the like.
  • a mitigation action is initiated.
  • the mitigation action is initiated in response to detecting that the cybersecurity issue node is connected to the workload node. This indicates that the workload has a cybersecurity issue, and based on the event detected in the cloud log, the cybersecurity issue has been exploited.
  • the mitigation action is based on the successful action. For example, according to an embodiment where the successful action is access to a disk by a user account, the mitigation action includes removing the access granted to the user account for that disk.
  • the mitigation action includes generating a notification to indicate that the workload is compromised (i.e., the cybersecurity issue is exploited).
  • the mitigation action includes updating a severity of an alert to indicate that a workload which was potentially exploitable has now been verified as exploited. In an embodiment, an alert is generated for a workload having a cybersecurity issue, and in certain embodiments the alert further includes a severity level.
  • a potential threat is less urgent than a threat which is currently, or has recently been, carried out. It is therefore advantageous to update the severity of the alert (e.g., from medium to critical).
  • the mitigation action is initiated based on a principal, the workload, the cybersecurity issue, a combination thereof, and the like.
  • a mitigation action based on a principal includes, in an embodiment, removing an access, a permission, a role, a combination thereof, and the like, associated with a principal.
  • the mitigation action includes any one of: revoking a permission associated with the cloud entity, changing a configuration of a resource, reducing a network exposure of the cloud entity, isolating the cloud entity, blocking network traffic to the cloud entity, blocking network traffic from the cloud entity, a combination thereof, and the like.
  • the various embodiments disclosed herein can be implemented as hardware, firmware, software, or any combination thereof.
  • the software is preferably implemented as an application program tangibly embodied on a program storage unit or computer readable medium consisting of parts, or of certain devices and/or a combination of devices.
  • the application program may be uploaded to, and executed by, a machine comprising any suitable architecture.
  • the machine is implemented on a computer platform having hardware such as one or more central processing units (“CPUs”), a memory, and input/output interfaces.
  • the computer platform may also include an operating system and microinstruction code.
  • a non-transitory computer readable medium is any computer readable medium except for a transitory propagating signal.
  • any reference to an element herein using a designation such as “first,” “second,” and so forth does not generally limit the quantity or order of those elements. Rather, these designations are generally used herein as a convenient method of distinguishing between two or more elements or instances of an element. Thus, a reference to first and second elements does not mean that only two elements may be employed there or that the first element must precede the second element in some manner. Also, unless stated otherwise, a set of elements comprises one or more elements.
  • the phrase “at least one of” followed by a listing of items means that any of the listed items can be utilized individually, or any combination of two or more of the listed items can be utilized. For example, if a system is described as including “at least one of A, B, and C,” the system can include A alone; B alone; C alone; 2A; 2B; 2C; 3A; A and B in combination; B and C in combination; A and C in combination; A, B, and C in combination; 2A and C in combination; A, 3B, and 2C in combination; and the like.
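The detection pipeline listed above (a failed action followed by a successful action from the same principal within a time threshold, extraction of the target entity's identifier, lookup of that entity in a security graph, and a mitigation when an issue node is attached to it), worked as an added Python example that is not code from the patent or from Wiz. The JSON record layout, the in-memory graph, the issue and entity names, and the five-minute default window are all assumptions constructed for this example; real CloudTrail records and the patent's graph schema are laid out differently.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed cloud-log records, one JSON object per line. The field names are
# an assumption for this example (real CloudTrail records differ): "principalId"
# is who acted, "resourceId" is the cloud entity acted on, "outcome" is
# "success" or "failure".
SAMPLE_LOG = """\
{"eventTime":"2022-01-31T10:00:00Z","eventName":"GetObject","principalId":"user/alice","resourceId":"bucket/finance","outcome":"failure","errorCode":"AccessDenied"}
{"eventTime":"2022-01-31T10:00:07Z","eventName":"AssumeRole","principalId":"user/alice","resourceId":"role/Admin","outcome":"failure","errorCode":"AccessDenied"}
{"eventTime":"2022-01-31T10:00:21Z","eventName":"AssumeRole","principalId":"user/alice","resourceId":"role/Deploy","outcome":"success"}
{"eventTime":"2022-01-31T10:30:00Z","eventName":"AssumeRole","principalId":"user/bob","resourceId":"role/ReadOnly","outcome":"failure","errorCode":"AccessDenied"}
{"eventTime":"2022-01-31T12:00:00Z","eventName":"AssumeRole","principalId":"user/bob","resourceId":"role/ReadOnly","outcome":"success"}
{"eventTime":"2022-01-31T12:05:00Z","eventName":"DescribeInstances","principalId":"svc/ci","resourceId":"vm-0a1b","outcome":"success"}
"""

# Constructed security graph: node id -> (node type, [(edge label, neighbour id)]).
# An "issue" node reached over a HAS edge means the entity carries that issue.
SECURITY_GRAPH = {
    "bucket/finance": ("resource", [("HAS", "issue/public-read-acl")]),
    "role/Admin": ("principal", [("ATTACHED_TO", "vm-0a1b")]),
    "role/Deploy": ("principal", [("ATTACHED_TO", "vm-0a1b")]),
    "vm-0a1b": ("resource", [("HAS", "issue/outdated-kernel"), ("EXPOSED_TO", "internet")]),
    "issue/public-read-acl": ("issue", []),
    "issue/outdated-kernel": ("issue", []),
    "internet": ("enrichment", []),
}

# Action types treated as "predetermined actions" worth correlating (assumed set).
PREDETERMINED_ACTIONS = {"AssumeRole", "GetObject", "AddUserToGroup", "PutUserPolicy"}


def parse_log(text):
    """Parse JSON lines into records sorted by event time (the event order)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    records.sort(key=lambda r: r["ts"])
    return records


def detect_sequences(records, window_seconds=300, actions=PREDETERMINED_ACTIONS):
    """One finding per successful predetermined action that the same principal
    preceded, within the window, with at least one failed predetermined action."""
    window = timedelta(seconds=window_seconds)
    by_principal = defaultdict(list)
    for rec in records:
        if rec["eventName"] in actions:
            by_principal[rec["principalId"]].append(rec)
    findings = []
    for principal, events in by_principal.items():
        for i, ev in enumerate(events):
            if ev["outcome"] != "success":
                continue
            failed = [p for p in events[:i]
                      if p["outcome"] == "failure" and ev["ts"] - p["ts"] <= window]
            if failed:
                findings.append({"principal": principal, "failed": failed, "success": ev})
    return findings


def connected_issues(graph, node_id):
    """Ids of issue nodes directly connected to node_id; [] if the node is unknown."""
    if node_id not in graph:
        return []
    return [n for _, n in graph[node_id][1] if graph.get(n, ("", []))[0] == "issue"]


def triage(log_text, graph, window_seconds=300):
    """Correlate each failed event's entity with the graph. An entity that both
    carries an issue and was the target of a failed action inside a suspicious
    sequence is reported as exploited and its alert is raised to critical."""
    results = []
    for finding in detect_sequences(parse_log(log_text), window_seconds):
        for failed in finding["failed"]:
            entity = failed["resourceId"]
            issues = connected_issues(graph, entity)
            if not issues:
                continue  # suspicious sequence, but no known issue on this entity
            results.append({
                "principal": finding["principal"],
                "entity": entity,
                "issues": issues,
                "severity": "critical",  # raised from the issue's standing "medium" alert
                "mitigations": [
                    f"revoke {finding['success']['resourceId']} from {finding['principal']}",
                    f"notify: {entity} exploited via failed {failed['eventName']}",
                ],
            })
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG, SECURITY_GRAPH):
        print(json.dumps(r, indent=2))
```

On the sample data only alice's sequence is reported: her two failures fall within 21 seconds of the successful AssumeRole, while bob's failure is ninety minutes before his success and is dropped by the window. Of alice's two failed targets only the bucket has an issue node attached, so the role/Admin failure contributes nothing; the revoke mitigation is built from the successful action, as the embodiment describes. The lookup is a single hop, so an issue on the VM the role is attached to would not be found; a real graph query would decide how many hops count as "connected".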

Abstract

A system and method detects an exploited vulnerable cloud entity. The method includes: detecting in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment; extracting from the cloud log an identifier of the cloud entity; traversing a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment; detecting a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and initiating a mitigation action for the workload based on the cybersecurity vulnerability.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This application claims the benefit of U.S. Provisional Application No. 63/267,365 filed on Jan. 31, 2022, the contents of which are hereby incorporated by reference.
  • TECHNICAL FIELD
  • The present disclosure relates generally to cloud computing, and more specifically to performing forensic analysis in a cloud computing environment.
  • BACKGROUND
  • Cloud computing technologies have made it possible to abstract away hardware considerations in a technology stack. For example, computing environments such as Amazon® Web Services (AWS) or Google Cloud Platform (GCP) allow a user to implement a wide variety of software and provide the relevant hardware, with the user only paying for what they need. This shared provisioning has allowed resources to be better utilized, both for the owners of the resources and for those who wish to execute software applications and services which require those resources.
  • This technology however does not come without its disadvantages. As the computing environment is now physically outside of an organization, and exposed in terms of access to and from the computing environment, vulnerabilities may be more likely to occur.
  • While many solutions exist which attempt to block cyberattacks, the reality is that at least some of these attacks will inevitably be successful. An attack may be, for example, unauthorized access to sensitive information, such as information stored in a database. Attacks can be categorized based on severity, for example an attack that merely allows the attacker to see that a file exists on a workload is probably less severe than an attack which allows the attacker to view, or download, that same file.
  • Digital forensics, or cybersecurity forensics, is a field of art which includes actions that attempt to identify what an attacker was able to accomplish in a computing environment which was attacked. Typically, an individual who has knowledge of the computing environment will manually examine workloads to attempt to discover the extent of damage performed by an attacker, if at all such damage exists. This process requires specialized knowledge which is not easily transferable, and is labor intensive in terms of human hours.
  • It would therefore be advantageous to provide a solution that would overcome the challenges noted above.
  • SUMMARY
  • A summary of several example embodiments of the disclosure follows. This summary is provided for the convenience of the reader to provide a basic understanding of such embodiments and does not wholly define the breadth of the disclosure. This summary is not an extensive overview of all contemplated embodiments, and is intended to neither identify key or critical elements of all embodiments nor to delineate the scope of any or all aspects. Its sole purpose is to present some concepts of one or more embodiments in a simplified form as a prelude to the more detailed description that is presented later. For convenience, the term “some embodiments” or “certain embodiments” may be used herein to refer to a single embodiment or multiple embodiments of the disclosure.
  • Certain embodiments disclosed herein include a method for detecting an exploited vulnerable cloud entity. The method comprises: detecting in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment; extracting from the cloud log an identifier of the cloud entity; traversing a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment; detecting a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and initiating a mitigation action for the workload based on the cybersecurity vulnerability.
  • Certain embodiments disclosed herein also include a non-transitory computer readable medium having stored thereon instructions causing a processing circuitry to execute a process, the process comprising: detecting in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment; extracting from the cloud log an identifier of the cloud entity; traversing a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment; detecting a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and initiating a mitigation action for the workload based on the cybersecurity vulnerability.
  • Certain embodiments disclosed herein also include a system for detecting an exploited vulnerable cloud entity. The system comprises: a processing circuitry; and a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to: detect in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment; extract from the cloud log an identifier of the cloud entity; traverse a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment; detect a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and initiate a mitigation action for the workload based on the cybersecurity vulnerability.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The subject matter disclosed herein is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other objects, features, and advantages of the disclosed embodiments will be apparent from the following detailed description taken in conjunction with the accompanying drawings.
  • FIG. 1 is a network diagram utilized to describe the various disclosed embodiments.
  • FIG. 2 is a network log of a cloud based computing environment, in accordance with an embodiment.
  • FIG. 3 is a role log of a cloud based computing environment, in accordance with an embodiment.
  • FIG. 4 is another role log of a cloud based computing environment, in accordance with an embodiment.
  • FIG. 5 is security graph, implemented in accordance with an embodiment.
  • FIG. 6 is a flowchart of a method for generating a forensic analysis report based on a security graph, implemented in accordance with an embodiment.
  • FIG. 7 is a schematic diagram of a forensic analyzer according to an embodiment.
  • FIG. 8 is a flowchart of a method for detecting an exploited vulnerable cloud entity, implemented in accordance with an embodiment.
  • DETAILED DESCRIPTION
  • It is important to note that the embodiments disclosed herein are only examples of the many advantageous uses of the innovative teachings herein. In general, statements made in the specification of the present application do not necessarily limit any of the various claimed embodiments. Moreover, some statements may apply to some inventive features but not to others. In general, unless otherwise indicated, singular elements may be in plural and vice versa with no loss of generality. In the drawings, like numerals refer to like parts through several views.
  • The various disclosed embodiments include a method and system for detecting an exploited cloud entity in a cloud computing environment by utilizing a cloud log and a security graph. In certain embodiments, a cloud entity, such as a principal, resource, and the like, is exploitable, for example through a vulnerability, misconfiguration, and the like. It is advantageous to detect, in as little time as possible, when an exploitable cloud entity becomes an exploited cloud entity. Exploiting a cloud entity, e.g., encrypting a database with ransomware, deploying cryptominers, and the like, utilizes cloud resources over time and takes time to accomplish. Therefore, the faster such exploits are detected, the less time an attacker has to successfully deploy their attack. Further, reducing the time during which an attack is active also reduces the impact of the attack on the target system.
  • In an embodiment, a cloud log is searched to detect a failed action. In some embodiments, a plurality of failed actions are detected as a series of events.
  • A failed action is represented by a record extracted from the cloud log, according to an embodiment. A record includes data describing the failed action, such as a communication attempt between a workload in the cloud computing environment and a public network, an attempt to change permissions of a user account, initiation of a privilege escalation, and the like. For example, a record of communication between a workload and a public network includes, in an embodiment, a source identifier, a destination identifier, a number of packets transmitted, and the like.
  • In an embodiment, the system is configured to extract from a record of a failed action an identifier of a cloud entity, such as a resource (e.g., workload), principal (e.g., user account), and the like. A query is generated for a security graph based on the identifier, to detect in the security graph a node representing the cloud entity. In an embodiment the security graph includes a representation of the cloud computing environment. The security graph is traversed to detect additional nodes connected to a node representing the cloud entity. For example, the node representing the cloud entity is connected, in an embodiment, to a node representing a cybersecurity issue, a node representing a secret, and the like. A node representing a cloud entity is connected to a node representing a cybersecurity issue to indicate that the cloud entity includes the cybersecurity issue.
  • In certain embodiments, a mitigation action is initiated in response to detecting the failed action on a cloud entity which has a cybersecurity issue. In an embodiment, the mitigation action is initiated in response to detecting that the cybersecurity issue node is connected to the cloud entity node. This indicates that the cloud entity has a cybersecurity issue, and based on the event detected in the cloud log, the cybersecurity issue has been exploited.
  • It is recognized in this regard that a human can search through digital records to detect an event corresponding to a failed action, and in fact this is how certain forensic approaches are carried out. However, such searches are usually carried out in response to a previously recognized or suspected cybersecurity breach. This is because cloud logs include a tremendous number of records, sometimes terabytes or even petabytes in size. For a human operator to constantly review such a log is impossible, and even if it were possible, it would be impractical given the time constraints of cybersecurity mitigation.
  • By the time a human has sifted through petabytes of data, any damage caused by a breach will already have been done. Additionally, failed actions are not always isolated to a single record, action, and the like, in a cloud computing environment. Often a failed action indicates a cybersecurity breach only in the context of a plurality of actions, for example when a plurality of actions are initiated in temporal proximity to each other. Where hundreds or thousands of records are generated each second, it is not practical or possible for a human to consistently apply objective criteria to determine which failed actions, taken together with other actions in a cloud environment, indicate a cybersecurity exploitation.
  • FIG. 1 shows an example network diagram 100 utilized to describe the various disclosed embodiments. In the example network diagram 100, two cloud environments are shown for simplicity, though it should be readily apparent that different configurations may be utilized without departing from the scope of this disclosure.
  • A production environment 110 is implemented in a first cloud computing environment. The first cloud computing environment is deployed on a cloud computing infrastructure in an embodiment, for example, Amazon® Web Services (AWS), Google® Cloud Platform (GCP), Microsoft® Azure, and the like.
  • The production environment 110 is implemented as a virtual private cloud (VPC), Virtual Network (VNet), and the like, according to an embodiment. A production environment 110 is a cloud computing environment which is utilized as a computing environment from which an organization operates, provides services, and the like. An organization may utilize multiple such cloud computing environments (e.g., an AWS environment, an Azure environment, etc.). In certain embodiments a production environment 110 has a corresponding staging environment, which in an embodiment is substantially identical to the production environment 110, but is used for testing purposes in order to test services, workloads, policies, and the like, before implementing them in a production environment.
  • The production environment 110 includes a plurality of cloud entities. In an embodiment, a cloud entity is a resource, a principal, and the like. A resource is a cloud entity which is configured to perform an action in the cloud computing environment, provide access to a service, provide access to a hardware resource, a combination thereof, and the like. For example, in an embodiment, a resource is a workload, such as a serverless function 112, a virtual machine 114, and a container cluster 116. The production environment 110 includes a plurality of each of a different resource type, in some embodiments.
  • In an embodiment a serverless function 112 is, for example, Amazon® Lambda. A virtual machine 114 is, for example, Oracle® VirtualBox, according to an embodiment. In some embodiments a container cluster 116 is implemented utilizing a Kubernetes® Engine, a Docker® Engine, and the like.
  • In an embodiment the production environment 110 further includes principals (not shown). A principal is a cloud entity which is authorized to perform actions on a resource, initiate an action in a cloud computing environment, a combination thereof, and the like. In some embodiments a resource is also a principal, for example when operating on another resource.
  • In an embodiment a principal is, for example, a user account, a service account, a role, and the like. In certain embodiments a workload in the production environment 110 generates activity which is logged in a network log 118. In an embodiment the network log 118 is implemented as a file that contains events (also known as records), which correspond to actions by one or more applications. Events may be, for example, user calls to objects, process calls to objects, authentication attempts, and the like. An example network log is discussed in more detail in FIG. 2 below.
  • In an embodiment, a network log 118 is a type of cloud log. In some embodiments the network log 118 is generated by a service executed by, for example the serverless function 112. In an embodiment the service is configured to monitor a workload in the production environment 110 and write events to the network log 118. In some embodiments the service is configured to write events to the network log 118 based on a predefined data schema.
  • In an embodiment, the production environment 110 is communicatively coupled with a public network 120, such as the Internet, and a security environment 130. In an embodiment the security environment 130 is implemented as a VPC deployed on a cloud computing infrastructure, such as AWS. In an embodiment, the production environment 110 and the security environment 130 are implemented using the same cloud computing infrastructure, different cloud computing infrastructures, combinations thereof, and the like.
  • In certain embodiments the security environment 130 includes a forensic analyzer 132, and a security graph 134. The security graph 134 is discussed in more detail with respect to FIG. 5 below, which is an example of a portion of a security graph. In an embodiment, the security graph 134 is implemented on a graph database, such as Neo4j®. In certain embodiments, the security graph 134 includes a representation of a production environment 110. For example, principals, resources, and the like, are represented as nodes on the security graph 134. In some embodiments, the security graph 134 further includes enrichment nodes, such as a node indicating a vulnerability, a node indicating access to a public network, and the like.
  • In an embodiment, the security environment 130 further includes a plurality of inspectors (not shown). In some embodiments, each inspector is configured to detect a cybersecurity object. For example, a cybersecurity object is, in an embodiment, a secret, a weak password, a certificate, a vulnerability, a misconfiguration, an exposure, a malware, a hash file, and the like. In some embodiments the forensic analyzer 132 is implemented as a workload, such as a node in a container cluster.
  • In an embodiment the forensic analyzer 132 is configured to access cloud logs, network logs, and the like logs generated in a cloud computing environment. Examples of logs are discussed in more detail below. In some embodiments the forensic analyzer 132 is further configured to access the security graph 134. In an embodiment, providing access to a forensic analyzer 132 includes providing access to a service account associated with the forensic analyzer 132. A service account associated with a workload, such as the forensic analyzer 132 allows the forensic analyzer to assume a role in a cloud computing environment. In an embodiment, permission to access a log, and the like, in a cloud computing environment, is provided to a service account which is associated with the forensic analyzer 132.
  • In an embodiment the forensic analyzer 132 is configured to generate a forensic report. In some embodiments, the forensic report is based on a cloud log, a network log, the security graph, a combination thereof, and the like. In some embodiments the forensic report includes, for example, portions extracted from a cloud log, a network log, and the like, wherein the extracted portions each correspond to a node of the security graph 134. An example of a method for generating a forensic report is described in more detail below with respect to FIG. 6 .
  • FIG. 2 is an example of a network log 200 of a cloud based computing environment, utilized to describe an embodiment. A network log 200 is a type of cloud log that includes, in an embodiment, a plurality of events, each event recorded as a row in the log. In an embodiment an event includes a plurality of data fields and their values. In certain embodiments a data field is, for example, an account identifier, an interface identifier, a source address, a destination address (for network messages), a port, a protocol, a number of bytes transferred, a number of packets transferred, an action (e.g., accept, reject, etc.), and the like.
  • FIG. 3 is an example of a role log 300 of a cloud-based computing environment, in accordance with an embodiment. The role log 300 includes events which are associated with user accounts. For example, a first record 310 includes an event by which a new user account was created. The first record 310 includes a plurality of data fields which are unique to the event. For example, the event has an event name 320, which indicates that the event is related to creating a user account, at an event time 322. Other identifiers, such as the username 324 of the created user account are also recorded.
  • FIG. 4 is another example of a role log 400 of a cloud-based computing environment, in accordance with an embodiment. The role log 400 includes a second record 410, which indicates that the user Alice (of FIG. 3 above), who previously (based on the event time 412) created the user account Bob, added the user account Bob to an Admin group. The event name 420 indicates that the user account 422 was added to an admin group. Adding administrator accounts is not common, and if it is performed from a machine that includes a vulnerability, as explained herein, this may be an indication that the new administrator-level account is in fact the product of an exploitation.
  • FIG. 5 is an example of a security graph 500, implemented in accordance with an embodiment. A security graph 500 may represent a cloud computing environment, such as the production environment 110 of FIG. 1 above, in a graph database, according to a predefined data schema. A cloud computing environment may be represented in a graph by mapping resources, principals, enrichments, and the like, to nodes in the security graph 500. A resource node may represent a resource, such as a workload. A principal node may represent a user account, service account, role, and the like. An enrichment node may represent an endpoint, such as a public network (e.g., the Internet), a vulnerability, and other attributes of a workload, for example.
  • An enrichment node 510 represents internet access, such that any node which is connected (e.g., by an edge) to the enrichment node 510 is configured to access the internet. A resource node 520 represents a gateway workload, which may be implemented for example as a node in a container cluster. A second resource node 530 represents a load balancer workload, which is connected by an edge to the resource node 520 representing the gateway, and to a network interface node 540. The network interface node 540 is connected to a resource node 550 which represents a virtual machine, such as virtual machine 114 of FIG. 1 . The virtual machine 114 may include, for example, an operating system represented by OS node 542, an application which is executed on the OS of the virtual machine, represented by application node 544, a user account node 546 which represents a user account which is tied to the virtual machine 114, and a vulnerability node 548, which represents a vulnerability which was detected as being present on, or pertaining to, the virtual machine 114. A vulnerability may be, for example, outdated software, a specific open port, a user account with high permissions, and any combination thereof.
  • FIG. 6 is an example flowchart 600 of a method for generating a forensic analysis report based on a security graph, implemented in accordance with an embodiment.
  • At S610, a cloud entity selection is received. A cloud entity may be, for example, a workload type (e.g., VM, container, serverless function, etc.), an application type (e.g., software application, appliance, OS, gateway, load balancer, etc.), a principal (e.g., user account, service account, etc.), enrichment, vulnerability, and the like. In an embodiment, a cloud entity selection may be received through a user interface. For example, a user may select one or more cloud entities from a predetermined list, and may further select a relationship between the cloud entities. For example, a user may indicate a selection of a virtual machine (workload type) that runs (relationship) a first application (application type) and has (relationship) a user account (principal) with (relationship) certain privileges and is connected to the internet (enrichment).
  • At S620, a threat is determined for the cloud entity based on the security graph. A threat may be, for example, a vulnerability, misconfiguration, exploitation, and the like. A misconfiguration may be, for example, a database which is not password protected, and should be password protected. For example, a forensic analyzer may receive the cloud entity selection, and query a security graph to detect nodes which match the selected cloud entity. A vulnerability on a workload, for example, is not necessarily exploited, or even exploitable. For example, a workload may have a vulnerability which allows broad access, however if the workload is determined not to be accessible to an external network, then the vulnerability is not exploitable. It is therefore beneficial to reference cloud logs to further detect if a vulnerability was exploited.
  • At S630, a cloud log is inspected to detect events based on the selected cloud entity and the determined vulnerability. A cloud log may be, for example, a network log, and a role log. In some embodiments, a plurality of cloud logs are inspected. In an embodiment, a forensic analyzer workload is configured to inspect a cloud log, based on data from a security graph. For example, the forensic analyzer 132 of FIG. 1 is configured to query a security graph based on a received cloud entity selection, and is further configured to receive a node identifier, node attributes, identifiers of enrichment nodes connected to the cloud entity, and the like. Node attributes may be data field values, such as unique identifier, IP address, workload type, user account name, authentication status, and the like. The forensic analyzer may extract from an output received from the security graph values of the data fields, and perform a search on a cloud log for the extracted values. An event is detected when a match is generated between a data field value of the event, and a value extracted from an output of the security graph query.
  • At S640, a forensic analysis output is generated. The forensic analysis output includes at least a portion of the cloud log, having the detected events. By generating the forensic analysis output, a user can significantly reduce the amount of information they need to sift through in order to determine if a vulnerability resulted in an exploitation of the same. A cloud log may contain, even for a small window of time, a massive amount of information which is time consuming for a human to sift through, in order to find an indication that a vulnerability was exploited. By determining which events are relevant based on the security graph, and providing only the relevant events to the user, the amount of information which the user must sift through is reduced.
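The S610 to S640 flow in working form, as an added example that is not code from the patent or from Wiz. The in-memory security graph, the selection format, and the cloud log records (in a CloudTrail-like shape) are all constructed here; the field names (ip, id, name, userIdentity.userName, requestParameters.instancesSet) are assumptions, not a real schema. The selection is the one the text describes: a virtual machine that runs an application, has a user account, and is connected to the internet.

```python
"""Forensic analysis output driven by a security graph (S610 to S640).

Added example; graph, selection and log records are constructed for illustration.
"""
from __future__ import annotations
from typing import Any

# Constructed security graph: node id -> attributes, plus (source, relationship, target) edges.
NODES = {
    "vm-1": {"type": "virtual_machine", "ip": "10.0.1.7", "id": "i-0abc"},
    "app-1": {"type": "application", "name": "webapp"},
    "user-1": {"type": "user_account", "name": "svc-deploy"},
    "internet": {"type": "enrichment", "name": "internet"},
    "vm-2": {"type": "virtual_machine", "ip": "10.0.2.9", "id": "i-0def"},
}
EDGES = [
    ("vm-1", "runs", "app-1"),
    ("vm-1", "has", "user-1"),
    ("vm-1", "connected_to", "internet"),
    ("vm-2", "runs", "app-1"),  # vm-2 has no user account and no internet exposure
]

# S610: constructed selection, "a VM that runs an application, has a user account
# and is connected to the internet".
SELECTION = {
    "type": "virtual_machine",
    "relationships": [("runs", "application"), ("has", "user_account"),
                      ("connected_to", "enrichment")],
}

# Constructed cloud log (CloudTrail-like); only two of the four records concern vm-1.
CLOUD_LOG = [
    {"eventTime": "2022-01-31T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "svc-deploy"}, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2022-01-31T10:02:00Z", "eventName": "RunInstances",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "10.0.2.9"},
    {"eventTime": "2022-01-31T10:05:00Z", "eventName": "StopInstances",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"instancesSet": [{"instanceId": "i-0abc"}]}},
    {"eventTime": "2022-01-31T10:07:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "198.51.100.9"},
]


def match_entities(selection: dict, nodes: dict, edges: list) -> list[str]:
    """S620: nodes of the selected type having every selected relationship
    to a node of the required type."""
    matches = []
    for nid, attrs in nodes.items():
        if attrs["type"] != selection["type"]:
            continue
        if all(any(s == nid and r == rel and nodes[t]["type"] == target for s, r, t in edges)
               for rel, target in selection["relationships"]):
            matches.append(nid)
    return matches


def extract_values(node_id: str, nodes: dict, edges: list) -> set[str]:
    """Data field values of the matched node and its neighbours (enrichment
    nodes carry no identifiers worth searching the log for)."""
    ids = {node_id} | {t for s, _, t in edges if s == node_id}
    values: set[str] = set()
    for nid in ids:
        if nodes[nid]["type"] != "enrichment":
            values.update(v for k, v in nodes[nid].items() if k != "type")
    return values


def flatten(record: Any, prefix: str = "") -> dict[str, str]:
    """Flatten a nested record into dotted-path -> string value."""
    out: dict[str, str] = {}
    if isinstance(record, dict):
        for k, v in record.items():
            out.update(flatten(v, f"{prefix}{k}."))
    elif isinstance(record, list):
        for i, v in enumerate(record):
            out.update(flatten(v, f"{prefix}{i}."))
    else:
        out[prefix.rstrip(".")] = str(record)
    return out


def search_log(log: list, values: set[str]) -> list[dict]:
    """S630: an event is detected when any field value of a record equals a
    value extracted from the graph query output."""
    hits = []
    for rec in log:
        matched = sorted(k for k, v in flatten(rec).items() if v in values)
        if matched:
            hits.append({"record": rec, "matched_fields": matched})
    return hits


def forensic_report(selection: dict, nodes: dict, edges: list, log: list) -> dict:
    """S640: per matched entity, the portion of the log holding the detected events."""
    return {nid: search_log(log, extract_values(nid, nodes, edges))
            for nid in match_entities(selection, nodes, edges)}
```

Calling `forensic_report(SELECTION, NODES, EDGES, CLOUD_LOG)` yields only vm-1 (vm-2 lacks the user account and internet relationships) and only the two records that mention vm-1's user account or instance id, which is the reduction S640 describes. The record that carries vm-2's address is left out because vm-2 was never matched.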
  • FIG. 7 is an example schematic diagram of a forensic analyzer 700 according to an embodiment. The forensic analyzer 700 includes a processing circuitry 710 coupled to a memory 720, a storage 730, and a network interface 740. In an embodiment, the components of the forensic analyzer 700 may be communicatively connected via a bus 750.
  • The processing circuitry 710 may be realized as one or more hardware logic components and circuits. For example, and without limitation, illustrative types of hardware logic components that can be used include field programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), Application-specific standard products (ASSPs), system-on-a-chip systems (SOCs), graphics processing units (GPUs), tensor processing units (TPUs), general-purpose microprocessors, microcontrollers, digital signal processors (DSPs), and the like, or any other hardware logic components that can perform calculations or other manipulations of information.
  • The memory 720 may be volatile (e.g., random access memory, etc.), non-volatile (e.g., read only memory, flash memory, etc.), or a combination thereof.
  • In one configuration, software for implementing one or more embodiments disclosed herein may be stored in the storage 730. In another configuration, the memory 720 is configured to store such software. Software shall be construed broadly to mean any type of instructions, whether referred to as software, firmware, middleware, microcode, hardware description language, or otherwise. Instructions may include code (e.g., in source code format, binary code format, executable code format, or any other suitable format of code). The instructions, when executed by the processing circuitry 710, cause the processing circuitry 710 to perform the various processes described herein.
  • The storage 730 may be magnetic storage, optical storage, and the like, and may be realized, for example, as flash memory or other memory technology, or any other medium which can be used to store the desired information.
  • The network interface 740 allows the forensic analyzer 700 to communicate with, for example, a security graph, a cloud environment, and the like.
  • It should be understood that the embodiments described herein are not limited to the specific architecture illustrated in FIG. 7 , and other architectures may be equally used without departing from the scope of the disclosed embodiments.
  • Furthermore, in certain embodiments the [other system] may be implemented with the architecture illustrated in FIG. 7 . In other embodiments, other architectures may be equally used without departing from the scope of the disclosed embodiments.
  • FIG. 8 is an example flowchart 800 of a method for detecting an exploited vulnerable cloud entity, implemented in accordance with an embodiment. Cybersecurity defense benefits from detecting exploitable cloud entities, such as workloads (e.g., workloads that can be exploited through an exposure, misconfiguration, vulnerability and the like) and exploited cloud entities (e.g., workloads which have already been exploited). Detection of exploited workloads is desirable to occur as soon as possible, as the longer a workload is exploited the more opportunity a hacker has, for example, to do harm, subvert system resources, cause financial damage, steal data, and the like.
  • This flowchart discusses workloads as an example of a cloud entity which can be potentially exploited and detection of such workloads which are actually exploited. It is readily apparent that these teachings apply to other cloud entities, such as principals and resources. A principal is, for example, a user account, a service account, a role, and the like, according to an embodiment. A resource is, in an embodiment, a workload (e.g., such as explained above), a managed resource, a bucket, a database, and the like.
  • At S810, a plurality of events are detected in a cloud log. In an embodiment, the cloud log is a log generated in a cloud computing environment. In certain embodiments, the cloud log includes a plurality of records, each record corresponding to an event. A record is a data structure, which in an embodiment is a predetermined data structure which describes an event. For example, an event is, according to an embodiment, an action initiated in the cloud computing environment, a communication between a first workload and a second workload in the cloud computing environment, a communication between a first workload and an external component (e.g., through a public network such as the Internet), and the like.
  • In some embodiments, each of the plurality of events corresponds to a data record, and the data records share a common attribute. For example, the common attribute is, in an embodiment, an action type (e.g., assumeRole), a workload identifier, a principal identifier, a workload type (e.g., virtual machine, container node, serverless function, etc.), a principal type (e.g., user account, service account, role, etc.), a network origin address, a network destination address, combinations thereof, and the like.
  • In certain embodiments, an event corresponds to a failed action. A failed action is, for example, a failed access to a workload, a failed access to a file, a failed access to a folder, a failed access to a directory, a failed change in user account permissions, and the like. For example, a failed change in user account permissions is tagged as a failed “assumeRole” event, where a user account attempts to assume a role (i.e., a set of permissions) and does not succeed.
  • In some embodiments, a failed action is an indication of a cybersecurity vulnerability which is being exploited, an attempt is being made to exploit the cybersecurity vulnerability, and the like. For example, where a hacker achieves control of a workload, user account, and the like, a typical attempt will be to increase permissions of the user account (also known as permission escalation). To do this the hacker attempts to initiate actions sequentially to see what works (i.e., what will result in success). By providing early detection of this attack, early mitigation can be performed, thereby reducing the damage of the attack. In an embodiment, the failed action is failed based on insufficient permission to initiate the action.
  • In certain embodiments, a plurality of events are detected, where a first event corresponds to a failed action, and a second event corresponds to a successful action. For example, according to an embodiment the failed action is an assumeRole of a first role having a first set of permissions, and the successful action is an assumeRole of a second role having a second set of permissions. In some embodiments, a time threshold is utilized to determine if an amount of time elapsed between the failed action and the successful action is within a threshold. In some embodiments, the failed action is of a first type, and the successful action is of a second type.
  • In some embodiments, a failed action, a successful action, a combination thereof, and the like, correspond to a predetermined action. For example, in an embodiment a failed assumeRole followed by a successful assumeRole is suspicious. As another example, a failed access to a disk, followed by a failed assumeRole, followed by a successful assumeRole which all originate from a single user account is likewise suspicious activity. A disk access, an assumed role, and the like, are examples of a predetermined action, according to an embodiment. In an embodiment, a failed action is an action in a series of events, each event corresponding to a failed action, a successful action, and the like. A series of events includes an event order, i.e., an order by which events occurred, for example based on a timestamp of a record, according to an embodiment.
  • In certain embodiments, a failed action, a successful action, and the like are any one of: deletion of a record, changing a permission of a principal account, changing a configuration of a resource, encrypting a database, deploying multiple workloads, deactivating multiple workloads, generating a secret, generating a certificate, generating a key, deleting a secret, deleting a certificate, deleting a key, exposing a resource to a public network, exfiltrating data, planting a malicious entity, initiating a privilege escalation, encrypting a record, assuming a role, a combination thereof, and the like.
  • At S820, an identifier of a workload is extracted from an event corresponding to a failed action. In an embodiment, extracting the identifier includes reading a cloud log, extracting an event record, parsing the event record, and detecting a predetermined record attribute. For example, in an embodiment the identifier of a workload is detected by parsing the event record and searching for a term “resourceID”.
  • In some embodiments access to the cloud log is provided prior to reading the cloud log. In certain embodiments, access to the cloud log is granted to a service account associated with an inspection environment.
  • At S830, a node is detected in a security graph corresponding to the workload. In an embodiment, the security graph includes a representation of the cloud computing environment in which the workload is deployed. Such a representation and an embodiment thereof is discussed in more detail herein. The node is also referred to as a workload node.
  • In certain embodiments, detecting a node in the security graph includes generating a query which includes the workload identifier, and executing the query on a database management system of the graph database hosting the security graph. A graph database is, in an embodiment, Neo4j®.
  • At S840, a cybersecurity issue node is detected. In an embodiment, the cybersecurity issue node represents a cybersecurity issue, such as a misconfiguration, an exposure, a threat, a vulnerability, a weak password, an exposed password, an out of date software version, and the like. In certain embodiments, the cybersecurity issue node is connected to the workload node to indicate that the workload includes the cybersecurity issue, is susceptible to the cybersecurity issue, and the like.
  • By storing a representation in the security graph of a cybersecurity issue and connecting workload nodes representing workloads having the cybersecurity issue to the cybersecurity issue node, a more compact representation is achieved, as rather than store duplicate information for each workload node with respect to the cybersecurity issue, data of the cybersecurity issue is stored only in the cybersecurity issue node, thereby reducing the amount of storage required to store the representation on the graph database.
  • At S850, a mitigation action is initiated. In an embodiment, the mitigation action is initiated in response to detecting that the cybersecurity issue node is connected to the workload node. This indicates that the workload has a cybersecurity issue, and based on the event detected in the cloud log, the cybersecurity issue has been exploited. In some embodiments, where a failed action is followed by a successful action, the mitigation action includes initiating a mitigation action based on the successful action. For example, according to an embodiment where the successful action is access to a disk by a user account, the mitigating action includes removing access granted to the user account to access the disk.
  • In some embodiments, the mitigation action includes generating a notification to indicate that the workload is compromised (i.e., the cybersecurity issue is exploited). In certain embodiments, the mitigation action includes updating a severity of an alert to indicate that a workload which is potentially exploitable, has now been verified as exploited. This is advantageous as an alert is generated, in an embodiment, for a workload having a cybersecurity issue, and in certain embodiments the alert further includes a severity alert. However, it is clear that a potential threat is less urgent than a threat which is currently, or has recently been, carried out. It is therefore advantageous to update the severity of an alert (e.g., from medium to critical).
  • In certain embodiments, the mitigation action is initiated based on a principal, the workload, the cybersecurity issue, a combination thereof, and the like. For example, a mitigation action based on a principal includes, in an embodiment, removing an access, a permission, a role, a combination thereof, and the like, associated with a principal.
  • In an embodiment, the mitigation action includes any one of: revoking a permission associated with the cloud entity, changing a configuration of a resource, reducing a network exposure of the cloud entity, isolating the cloud entity, blocking network traffic to the cloud entity, blocking network traffic from the cloud entity, a combination thereof, and the like.
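The S810 to S850 method carried through end to end, including the failed-then-successful assumeRole pattern with a time threshold from S810 and the severity update and successful-action-based mitigation from S850. This is an added example, not code from the patent or from Wiz: the log records, the graph, the placement of "resourceID" inside a record, the 10-minute threshold, the account id 111122223333 and the mitigation plan tuples are constructed assumptions for illustration, and the in-memory dict stands in for the graph database.

```python
"""Failed-action correlation between a cloud log and a security graph (S810 to S850).

Added example; log, graph, threshold and mitigation format are constructed assumptions.
"""
from __future__ import annotations
from datetime import datetime, timedelta

THRESHOLD = timedelta(minutes=10)       # assumed window between failed and successful action
PREDETERMINED_ACTIONS = {"AssumeRole"}  # assumed set of predetermined (suspicious) actions

ACCT = "arn:aws:iam::111122223333"      # constructed example account
CLOUD_LOG = [
    # ci-bot fails to assume Admin from i-0abc, then assumes Deploy one minute later
    {"eventTime": "2022-01-31T10:00:00Z", "eventName": "AssumeRole", "errorCode": "AccessDenied",
     "userIdentity": {"arn": f"{ACCT}:user/ci-bot"},
     "requestParameters": {"roleArn": f"{ACCT}:role/Admin"}, "resources": [{"resourceID": "i-0abc"}]},
    {"eventTime": "2022-01-31T10:01:00Z", "eventName": "AssumeRole",
     "userIdentity": {"arn": f"{ACCT}:user/ci-bot"},
     "requestParameters": {"roleArn": f"{ACCT}:role/Deploy"}, "resources": [{"resourceID": "i-0abc"}]},
    # alice fails once on i-0def; her later success is hours away, outside the threshold
    {"eventTime": "2022-01-31T10:05:00Z", "eventName": "AssumeRole", "errorCode": "AccessDenied",
     "userIdentity": {"arn": f"{ACCT}:user/alice"},
     "requestParameters": {"roleArn": f"{ACCT}:role/Admin"}, "resources": [{"resourceID": "i-0def"}]},
    {"eventTime": "2022-01-31T12:00:00Z", "eventName": "AssumeRole",
     "userIdentity": {"arn": f"{ACCT}:user/alice"},
     "requestParameters": {"roleArn": f"{ACCT}:role/Deploy"}, "resources": [{"resourceID": "i-0def"}]},
]

# Constructed security graph: the issue node is stored once and shared by edges (S840).
NODES = {
    "i-0abc": {"type": "workload", "kind": "virtual_machine"},
    "i-0def": {"type": "workload", "kind": "virtual_machine"},
    "issue-1": {"type": "cybersecurity_issue", "kind": "misconfiguration", "severity": "medium"},
}
EDGES = [("i-0abc", "has_issue", "issue-1")]


def event_time(rec: dict) -> datetime:
    return datetime.fromisoformat(rec["eventTime"].replace("Z", "+00:00"))


def principal(rec: dict) -> str:
    return rec["userIdentity"]["arn"]


def is_failed(rec: dict) -> bool:
    return "errorCode" in rec   # assumed convention: a failed action carries an error code


def extract_identifier(rec: dict, key: str = "resourceID"):
    """S820: parse the record and search it for the predetermined attribute."""
    stack = [rec]
    while stack:
        cur = stack.pop()
        if isinstance(cur, dict):
            if key in cur:
                return cur[key]
            stack.extend(cur.values())
        elif isinstance(cur, list):
            stack.extend(cur)
    return None


def workload_node(identifier):
    """S830: the node representing the workload, if the graph holds one."""
    return identifier if NODES.get(identifier, {}).get("type") == "workload" else None


def issue_nodes(node_id: str) -> list[str]:
    """S840: cybersecurity issue nodes connected to the workload node."""
    return [t for s, r, t in EDGES
            if s == node_id and r == "has_issue" and NODES[t]["type"] == "cybersecurity_issue"]


def successful_followup(failed: dict, log: list):
    """First successful predetermined action by the same principal within THRESHOLD."""
    for rec in sorted(log, key=event_time):
        if (principal(rec) == principal(failed) and not is_failed(rec)
                and rec["eventName"] in PREDETERMINED_ACTIONS):
            gap = event_time(rec) - event_time(failed)
            if timedelta(0) < gap <= THRESHOLD:
                return rec
    return None


def analyze(log: list) -> list[dict]:
    """S810 to S850: one finding per failed action whose workload is in the graph."""
    findings = []
    for rec in sorted(log, key=event_time):
        if not is_failed(rec):
            continue
        node = workload_node(extract_identifier(rec))
        if node is None:
            continue
        issues = issue_nodes(node)
        follow = successful_followup(rec, log)
        plan = []
        if issues:  # S850: issue node connected to the workload node plus a logged failed action
            plan.append(("notify", f"{node} compromised; issues: {','.join(issues)}"))
            plan.extend(("update_severity", i, "critical") for i in issues)
            if follow is not None and follow["eventName"] == "AssumeRole":
                # mitigation based on the successful action: remove the access it gained
                plan.append(("revoke_role", principal(rec), follow["requestParameters"]["roleArn"]))
        findings.append({"workload": node, "principal": principal(rec), "issues": issues,
                         "exploited": bool(issues),
                         "successful_action": follow["eventName"] if follow else None,
                         "mitigation": plan})
    return findings
```

Running `analyze(CLOUD_LOG)` produces two findings. The ci-bot failure on i-0abc is connected to issue-1 in the graph and is followed within the threshold by a successful AssumeRole, so the plan notifies, raises issue-1 from medium to critical, and revokes the Deploy role the principal obtained. The alice failure on i-0def is recorded but not escalated: the workload has no issue node, and her later success falls outside the window.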
  • The various embodiments disclosed herein can be implemented as hardware, firmware, software, or any combination thereof. Moreover, the software is preferably implemented as an application program tangibly embodied on a program storage unit or computer readable medium consisting of parts, or of certain devices and/or a combination of devices. The application program may be uploaded to, and executed by, a machine comprising any suitable architecture. Preferably, the machine is implemented on a computer platform having hardware such as one or more central processing units (“CPUs”), a memory, and input/output interfaces. The computer platform may also include an operating system and microinstruction code. The various processes and functions described herein may be either part of the microinstruction code or part of the application program, or any combination thereof, which may be executed by a CPU, whether or not such a computer or processor is explicitly shown. In addition, various other peripheral units may be connected to the computer platform such as an additional data storage unit and a printing unit. Furthermore, a non-transitory computer readable medium is any computer readable medium except for a transitory propagating signal.
  • All examples and conditional language recited herein are intended for pedagogical purposes to aid the reader in understanding the principles of the disclosed embodiment and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Moreover, all statements herein reciting principles, aspects, and embodiments of the disclosed embodiments, as well as specific examples thereof, are intended to encompass both structural and functional equivalents thereof. Additionally, it is intended that such equivalents include both currently known equivalents as well as equivalents developed in the future, i.e., any elements developed that perform the same function, regardless of structure.
  • It should be understood that any reference to an element herein using a designation such as “first,” “second,” and so forth does not generally limit the quantity or order of those elements. Rather, these designations are generally used herein as a convenient method of distinguishing between two or more elements or instances of an element. Thus, a reference to first and second elements does not mean that only two elements may be employed there or that the first element must precede the second element in some manner. Also, unless stated otherwise, a set of elements comprises one or more elements.
  • As used herein, the phrase “at least one of” followed by a listing of items means that any of the listed items can be utilized individually, or any combination of two or more of the listed items can be utilized. For example, if a system is described as including “at least one of A, B, and C,” the system can include A alone; B alone; C alone; 2A; 2B; 2C; 3A; A and B in combination; B and C in combination; A and C in combination; A, B, and C in combination; 2A and C in combination; A, 3B, and 2C in combination; and the like.

Claims (25)

What is claimed is:
1. A method for detecting an exploited vulnerable cloud entity, comprising:
detecting in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment;
extracting from the cloud log an identifier of the cloud entity;
traversing a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment;
detecting a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and
initiating a mitigation action for the workload based on the cybersecurity vulnerability.
2. The method of claim 1, further comprising:
detecting a principal identifier in an event corresponding to a failed action; and
detecting an event corresponding to a successful action associated with the principal identifier.
3. The method of claim 2, further comprising:
determining that the successful action is an action which corresponds to a predetermined action; and
initiating a mitigation action based on the successful action.
4. The method of claim 3, wherein initiating the mitigation action includes any one of: revoking a permission associated with the cloud entity, changing a configuration of a resource, reducing a network exposure of the cloud entity, isolating the cloud entity, blocking network traffic to the cloud entity, blocking network traffic from the cloud entity, and a combination thereof.
5. The method of claim 2, wherein the principal identifier corresponds to any one of: a user account, a service account, and a role.
6. The method of claim 2, further comprising:
detecting a series of events and principal identifier, each event in the series of events corresponding to a unique failed action.
7. The method of claim 1, wherein the failed action is failed based on insufficient permission to initiate the action.
8. The method of claim 1, wherein the cybersecurity vulnerability is any one of: a weak password, an exposed password, a misconfiguration, an exposure, and a combination thereof.
9. The method of claim 1, further comprising:
generating a notification to indicate that the workload is compromised, as part of the mitigation action.
10. The method of claim 1, further comprising:
updating a severity of an alert associated with the cybersecurity vulnerability as part of the mitigation action.
11. The method of claim 1, further comprising:
detecting a node representing a principal connected to the node representing the workload; and
initiating a mitigation action based on the principal.
12. The method of claim 1, wherein the failed action corresponds to any one of: deletion of a record, changing a permission of a principal account, changing a configuration of a resource, encrypting a database, deploying multiple workloads, deactivating multiple workloads, generating a secret, generating a certificate, generating a key, deleting a secret, deleting a certificate, deleting a key, exposing a resource to a public network, exfiltrating data, planting a malicious entity, initiating a privilege escalation, encrypting a record, assuming a role, and a combination thereof.
13. A non-transitory computer readable medium having stored thereon instructions for causing a processing circuitry to execute a process, the process comprising:
detecting in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment;
extracting from the cloud log an identifier of the cloud entity;
traversing a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment;
detecting a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and
initiating a mitigation action for the workload based on the cybersecurity vulnerability.
14. A system for detecting an exploited vulnerable cloud entity, comprising:
a processing circuitry; and
a memory, the memory containing instructions that, when executed by the processing circuitry, configure the system to:
detect in at least one cloud log of a cloud computing environment a plurality of events, each event corresponding to a failed action, each event further corresponding to a cloud entity deployed in the cloud computing environment;
extract from the cloud log an identifier of the cloud entity;
traverse a security graph to detect a node representing the cloud entity, based on the extracted identifier, wherein the security graph includes a representation of the cloud computing environment;
detect a node representing a cybersecurity vulnerability connected to the node representing the cloud entity; and
initiate a mitigation action for the workload based on the cybersecurity vulnerability.
15. The system of claim 14, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to:
detect a principal identifier in an event corresponding to a failed action; and
detect an event corresponding to a successful action associated with the principal identifier.
16. The system of claim 15, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to:
determine that the successful action is an action which corresponds to a predetermined action; and
initiate a mitigation action based on the successful action.
17. The system of claim 16, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to:
initiate the mitigation action including any one of: revoking a permission associated with the cloud entity, changing a configuration of a resource, reducing a network exposure of the cloud entity, isolating the cloud entity, blocking network traffic to the cloud entity, blocking network traffic from the cloud entity, and a combination thereof.
18. The system of claim 15, wherein the principal identifier corresponds to any one of: a user account, a service account, and a role.
19. The system of claim 15, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to:
detect a series of events and principal identifier, each event in the series of events corresponding to a unique failed action.
20. The system of claim 14, wherein the failed action is failed based on insufficient permission to initiate the action.
21. The system of claim 14, wherein the cybersecurity vulnerability is any one of: a weak password, an exposed password, a misconfiguration, an exposure, and a combination thereof.
22. The system of claim 14, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to:
generate a notification to indicate that the workload is compromised, as part of the mitigation action.
23. The system of claim 14, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to:
update a severity of an alert associated with the cybersecurity vulnerability as part of the mitigation action.
24. The system of claim 14, wherein the memory contains further instructions which when executed by the processing circuitry further configure the system to:
detect a node representing a principal connected to the node representing the workload; and
initiate a mitigation action based on the principal.
25. The system of claim 14, wherein the failed action corresponds to any one of: deletion of a record, changing a permission of a principal account, changing a configuration of a resource, encrypting a database, deploying multiple workloads, deactivating multiple workloads, generating a secret, generating a certificate, generating a key, deleting a secret, deleting a certificate, deleting a key, exposing a resource to a public network, exfiltrating data, planting a malicious entity, initiating a privilege escalation, encrypting a record, assuming a role, and a combination thereof.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US18/060,763 US20230247043A1 (en) 2022-01-31 2022-12-01 Techniques for detecting cybersecurity vulnerabilities in a cloud based computing environment based on forensic analysis of cloud logs

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202263267365P 2022-01-31 2022-01-31
US18/060,763 US20230247043A1 (en) 2022-01-31 2022-12-01 Techniques for detecting cybersecurity vulnerabilities in a cloud based computing environment based on forensic analysis of cloud logs

Publications (1)

Publication Number Publication Date
US20230247043A1 true US20230247043A1 (en) 2023-08-03

Family

ID=87432829

Family Applications (3)

Application Number Title Priority Date Filing Date
US18/060,763 Pending US20230247043A1 (en) 2022-01-31 2022-12-01 Techniques for detecting cybersecurity vulnerabilities in a cloud based computing environment based on forensic analysis of cloud logs
US18/060,759 Pending US20230247042A1 (en) 2022-01-31 2022-12-01 Techniques for forensic tracing of suspicious activity from cloud computing logs
US18/162,406 Pending US20230247039A1 (en) 2022-01-31 2023-01-31 Techniques for cloud computing forensics utilizing a security graph

Family Applications After (2)

Application Number Title Priority Date Filing Date
US18/060,759 Pending US20230247042A1 (en) 2022-01-31 2022-12-01 Techniques for forensic tracing of suspicious activity from cloud computing logs
US18/162,406 Pending US20230247039A1 (en) 2022-01-31 2023-01-31 Techniques for cloud computing forensics utilizing a security graph

Country Status (2)

Country Link
US (3) US20230247043A1 (en)
WO (1) WO2023144806A1 (en)

Also Published As

Publication number Publication date
US20230247039A1 (en) 2023-08-03
US20230247042A1 (en) 2023-08-03
WO2023144806A1 (en) 2023-08-03

Legal Events

Date Code Title Description
AS Assignment

Owner name: WIZ, INC., NEW YORK

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LUTTWAK, AMI;COSTICA, YINON;REZNIK, ROY;AND OTHERS;SIGNING DATES FROM 20221122 TO 20221130;REEL/FRAME:061946/0171

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION