Access Denied: The Role of Deception in Cloud ID Access Management
Authored by: Carolyn Crandall, Chief Deception Officer – Cloud security is garnering quite a bit of attention these days, demonstrating now more than ever the need for tighter controls and visibility to when they fail. Identity and Access Management (IAM) is a topic focus for every organization as it controls the rights and privileges for specific accounts. Given the sheer volume of security responsibilities held by both the cloud provider and the owner of the data stored in the cloud, failure to correctly set these permissions leads to misconfigurations, overlapping privileges, shared account access, and other issues that can put the entire network at risk of a breach. Unfortunately, we are seeing these issues arise all too often, creating opportunities that threat actors are readily waiting to exploit.
In addition to typical IAM solutions that provide account rights and privileges to the cloud environment, organizations are actively using deception technology to identify intruders using stolen or shared credentials or exploiting misconfigurations to gain unauthorized access. By laying traps and lures, deception technology attracts attackers away from user information and production assets and into a deception environment for intelligence gathering and quick remediation.
More specifically, deception technology:
- Works by placing fake user and admin credentials on endpoints that appear authentic and attractive. These breadcrumb the adversary into the deception environment and raise an immediate alert of intrusion.
- Sets decoy landmines throughout the cloud network so threat actors attempting to use real employee credentials to access decoy applications, buckets, databases, or documents will trigger an alert substantiated with the attempted actions.
- Creates cloud-specific deceptions such as decoy storage buckets, containerized applications, cloud-based applications, and serverless functions to detect attacker activity targeting these objects.
- Provides Active Directory (AD) deceptions that include fake AD environments, as well as the ability to intercept advanced (APT) and automated attackers to contain them automatically at the endpoint. When attackers query AD, a deception module alters the response and adds deceptive content, creating an altered reality for the attacker. Organizations can now hide valuable enterprise resource information and reduce attack surfaces.
- Redirects malicious activities and policy violations into the deception environment so that the organization can safely study the attack and gather Tactics, Techniques, and Procedures (TTPs), along with company-specific threat intelligence.
- Facilitates third-party integrations so that security teams can accelerate incident response with automated blocking, isolation, and threat hunting. Findings can also feed into standard SOC tools.
By adding in deception technology to existing IAM defenses, organizations gain a more comprehensive cloud security solution, making it harder for attackers to gain access, remain undetected, and exploit vulnerabilities within cloud networks. It also provides an additional layer of defense with eyes-inside-the-network visibility to policy violation and malicious activities of employees, suppliers, and external threat actors.
The Truth About Privileged Access Security On AWS and Other Public Clouds (Forbes)
Another AWS Leakage Due to Misconfiguration (TechTarget)
Cloud application monitoring takes a multipronged approach (TechTarget)