Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lessons Learned from Capital One Breach & More

Published byMeagan Rich Modified over 5 years ago

Similar presentations

Presentation on theme: "Lessons Learned from Capital One Breach & More"— Presentation transcript:

1 Lessons Learned from Capital One Breach & More
Leon Jiang Sep 2019

2 Leon - Who is this guy? Current: Director of InfoSec at Roostify, a fintech startup in SF Past: 11 years with Oracle, MBA An experienced information security practitioner with strong business acumen.

3 Disclaimer Many facts are obtained from the federal document or other public sources. However, some parts are hypothetical analysis for research and future reference purpose only which may not necessarily be truthful or pertained to Capital One breach.

4 Capital One Breach - What Happened
7/29 - Capitale announced a breach. On the same day, a federal criminal complaint filed against the alleged hacker known as ‘Erratic’. 7/17 - A reporting sent to Capital One alleging there appeared to be leaked data belonging to Capital One. 4/21 - Erratic uploaded a file to GitHub gist (a code sharing feature separated from GitHub main site, similar to pastebin) which contains commands to access Capital One data but NOT the data itself 8/28 - From the released indictment, not just Capital One, 30+ other companies were being victims of the same hacker between March and July 2019

5 Analysis Efforts from My End

6 How Could it Happen? -From the Criminal Complaint
1st Command Obtain (AWS) Credential 2nd Command List (S3) Buckets 3rd Command Sync (S3) Data

7 How Could it Happen? - From Her Twitter

8 Key Point - IAM Role on EC2 Instances
What is it? According to AWS, We designed IAM roles so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. To simplify, no more username/password or API Key, you have the right once you’re on the machine. How did it go wrong in these cases? Too much privilege were given to the roles - i.e. violating LEAST PRIVILEGE principle

9 Last Line of Defense - App/Field Level Encryption
100 million individuals was affected, but only 140,000 social security numbers and 80,000 bank account numbers were disclosed. Why? It could be encryption Encrypted data at field or application level so much of the leaked data is not readable As a comparison - Instance/database/bucket level encryption won’t help much in this scenario

10 Questions Remain Unclear
How were the instances compromised in the first place? For Capital One case, different theories Federal Doc: Misconfigured firewall (but how?) Evan J: SSRF (server side request forgery) Instance is not compromised but rather a temporary AWS credential is obtained and following attacks remains the same except not directly launched from the compromised instance Why has it never been detected until reported? Enough suspicious activities: Connection coming from TOR, S3 files sync, data dump, instance launch, malicious software deployed. AWS has some tools such as Guard Duty, Macie, and now Security Hub Of course, running a SOC with thousands of alerts everyday is never easy!

11 Summary of Lessons Learned
Least privilege on IAM role assignment and anything else Extra caution on AWS access Examine the need of IAM roles for Internet facing servers Lock down the IP that those credentials can be used Application level encryption of data or file elements to be stored in DB or S3 Secure and patch vulnerable instances Detection and monitoring A lot of ML/AI based tool is on the rise but the effect is to be examined.

12 References charges-wire-fraud-and-computer-data-theft

Download ppt "Lessons Learned from Capital One Breach & More"

Similar presentations

Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Day 4-1-1 anti-virus 3-3-1.anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.

ICT & Crime Data theft, phishing & pharming. Data loss/theft Data is often the most valuable commodity any business has. The cost of creating data again.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
8 Mistakes That Expose You to Online Fraud to Online Fraud.

8 Mistakes That Expose You to Online Fraud to Online Fraud.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Wireless Security Threats and Solutions By: Shirene Turpin & Rob Waight.

Wireless Security Threats and Solutions By: Shirene Turpin & Rob Waight.
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer
Www.softwareassist.net Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite Alessandro Braccia, DBA Sistemi.

Protecting Mainframe and Distributed Corporate Data from FTP Attacks: Introducing FTP/Security Suite Alessandro Braccia, DBA Sistemi.
Malware  Viruses  E-mail Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.

Malware  Viruses  Virus  Worms  Trojan Horses  Spyware –Keystroke Loggers  Adware.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.

Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
Lesson 2- Protecting Yourself Online. Determine the strength of passwords Evaluate online threats Protect against malware/hacking Protect against identity.

Lesson 2- Protecting Yourself Online. Determine the strength of passwords Evaluate online threats Protect against malware/hacking Protect against identity.
GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Thomas Jenkins.

GOLD UNIT 4 - IT SECURITY FOR USERS (2 CREDITS) Thomas Jenkins.
Malicious Attack Corporate Awareness and Walk through Date 29 September 2011.

Malicious Attack Corporate Awareness and Walk through Date 29 September 2011.
Introduction to Computer Ethics

Introduction to Computer Ethics
Honeypot and Intrusion Detection System

Honeypot and Intrusion Detection System
Computer & Internet Security Sean Lanham, CISSP - ISO University of Texas at Arlington Information Security Office.

Computer & Internet Security Sean Lanham, CISSP - ISO University of Texas at Arlington Information Security Office.
CYBER CRIME.

CYBER CRIME.
Smart Machines, Smart Privacy: Rules of the Road and Challenges Ahead The views expressed are those of the speaker and not necessarily those of the FTC.

Smart Machines, Smart Privacy: Rules of the Road and Challenges Ahead The views expressed are those of the speaker and not necessarily those of the FTC.
INTRODUCTION. The security system is used as in various fields, particularly the internet, communications data storage, identification and authentication.

INTRODUCTION. The security system is used as in various fields, particularly the internet, communications data storage, identification and authentication.

Similar presentations

Ads by Google