Netskope named a Leader in the 2022 Gartner® Magic Quadrant™ for Security Service Edge. Get the Report.

  • Products

    Netskope products are built on the Netskope Security Cloud.

  • Platform

    Unrivaled visibility and real-time data and threat protection on the world's largest security private cloud.

Netskope Named a Leader in the 2022 Gartner Magic Quadrant™ for SSE Report

Get the report Go to Products Overview
Netskope gartner mq 2022 sse leader

Netskope delivers a modern cloud security stack, with unified capabilities for data and threat protection, plus secure private access.

Explore our platform
Birds eye view metropolitan city

Make the move to market-leading cloud security services with minimal latency and high reliability.

Learn more
Lighted highway through mountainside switchbacks

Prevent threats that often evade other security solutions using a single-pass SSE framework.

Learn more
Lighting storm over metropolitan area

Zero trust solutions for SSE and SASE deployments

Learn more
Boat driving through open sea

Netskope enables a safe, cloud-smart, and fast journey to adopt cloud services, apps, and public cloud infrastructure.

Learn more
Wind turbines along cliffside
  • Customer Success

    Secure your digital transformation journey and make the most of your cloud, web, and private applications.

  • Customer Support

    Proactive support and engagement to optimize your Netskope environment and accelerate your success.

  • Training and Certification

    Netskope training will help you become a cloud security expert.

Trust Netskope to help you address evolving threats, new risks, technology shifts, organizational and network changes, and new regulatory requirements.

Learn more
Woman smiling with glasses looking out window

We have qualified engineers worldwide, with diverse backgrounds in cloud security, networking, virtualization, content delivery, and software development, ready to give you timely, high-quality technical assistance.

Learn more
Bearded man wearing headset working on computer

Secure your digital transformation journey and make the most of your cloud, web, and private applications with Netskope training.

Learn more
Group of young professionals working
  • Resources

    Learn more about how Netskope can help you secure your journey to the cloud.

  • Blog

    Learn how Netskope enables security and networking transformation through security service edge (SSE).

  • Events & Workshops

    Stay ahead of the latest security trends and connect with your peers.

  • Security Defined

    Everything you need to know in our cybersecurity encyclopedia.

Security Visionaries Podcast

Bonus Episode: The Importance of Security Service Edge (SSE)

Play the podcast
Black man sitting in conference meeting

Read the latest on how Netskope can enable the Zero Trust and SASE journey through security service edge (SSE) capabilities.

Read the blog
Sunrise and cloudy sky

SASE Week

Netskope is positioned to help you begin your journey and discover where Security, Networking, and Zero Trust fit in the SASE world.

Learn more
SASE Week

What is Security Service Edge?

Explore the security side of SASE, the future of network and protection in the cloud.

Learn more
Four-way roundabout
  • Company

    We help you stay ahead of cloud, data, and network security challenges.

  • Why Netskope

    Cloud transformation and work from anywhere have changed how security needs to work.

  • Leadership

    Our leadership team is fiercely committed to doing everything it takes to make our customers successful.

  • Partners

    We partner with security leaders to help you secure your journey to the cloud.

Netskope enables the future of work.

Find out more
Curvy road through wooded area

Netskope is redefining cloud, data, and network security to help organizations apply Zero Trust principles to protect data.

Learn more
Switchback road atop a cliffside

Thinkers, builders, dreamers, innovators. Together, we deliver cutting-edge cloud security solutions to help our customers protect their data and people.

Meet our team
Group of hikers scaling a snowy mountain

Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.

Learn more
Group of diverse young professionals smiling
Blog Threat Labs MITRE Att&ck View: Securing AWS Temporary Tokens
Jan 31 2020

MITRE Att&ck View: Securing AWS Temporary Tokens

We have previously blogged about the risk and challenges in Securing AWS Temporary Tokens.

In this blog, we will take a fresh look from the MITRE Att&ck chain viewpoint, in order to highlight new insights and specific cloud techniques used by adversaries, in an effort to help users be more effective in detecting, mitigating, and preventing different but similar attacks.

Recap: Securing AWS Temporary Tokens

Let’s summarize the challenges with temporary tokens and the common mitigation steps, before we contrast this with what we can glean from an Att&ck analysis. 

Here is the original attack scenario:

Image of original attack scenario
Original Attack Scenario

The key steps are:

  1. A permanent Access Key A is compromised
  2. Key A is used immediately to generate an extra credential i.e. Temporary Token B (for backdoor purposes and obfuscation)
  3. Key A is used to escalate privileges via AssumeRole, which returns Temporary Token C
  4. Temporary Token C is then used to access an S3 Bucket
  5. Temporary Token C is used to exfiltrate data from the S3 Bucket

When mitigating this scenario, the defender first deleted/inactivated Access Key A, then also had to remember to “revoke” Temporary Token C. Revocation in this case meant using a specific role policy to deny all API calls by Temporary Token C based on its creation time.

However, this did not remove the adversary’s access, as there was still the existing Temporary Token B, which could also be used to escalate privileges and generate more temporary tokens (D) in order to continue access to the S3 Bucket:

Image of secondary attack scenario
Secondary Attack Scenario

To completely mitigate the situation, the Temporary Token D must be “revoked” in the same manner as Temporary Token C (using the role policy based on creation time). However, this mitigation approach doesn’t work for Temporary Token B, which was created not by AssumeRole, but by GetSessionToken. In this case, the only way to mitigate/remove Temporary Token B is to delete the IAM user that “owns” it (i.e. the same IAM user that had the compromised Key A) or to restrict that IAM user’s permissions.

These mitigation steps and their differences can be summarized here:

Table outlining mitigation scenarios

This table reflects an incident-focus in dealing with temporary tokens. When taking a larger viewpoint, it’d be reasonable to think about a more complete set of preventative, detection, and mitigation measures:

Table showing set of preventative, detection, and mitigation measures

MITRE Att&ck

Let’s now look at the scenario from the Att&ck viewpoint and see what new insights we have. The original attack scenario has been reorganized in more of an attack chain flow along with MITRE references for the tactics/techniques involved:

Diagram showing attack chain flow, along with MITRE references for the tactics/techniques involved

Notice how this primary attack scenario reflects what a defender might be focused on if they were in the middle of an incident. These would be the primary artifacts seen when tracing back from data exfiltration events to the originating credentials. Role Assumption is a good example of a new technique that isn’t yet in the Privilege Escalation tactic in Att&ck, but is common in cloud attacks. Netskope is working to identify additional techniques such as this, so that defensive measures can be specific and clear.

This Att&ck reorganization is easier to understand and also allows a defender to mine the Att&ck knowledge base for ways to detect and mitigate this attack at each step.

Let’s now look at the secondary attack:

Diagram with Att&ck reorganization showing ways to mine Att&ck knowledge base for ways to detect and mitigate this attack at each step.

Here, it is more obvious, that Temporary Token B is part of an attempt at Persistence (backdoor access) and possibly Defense Evasion, and it’s clearer how it provides the same access to the S3 Bucket.

Here’s a summary of the tactics and techniques in the attack:

(1) A permanent Access Key A is compromised

Tactics: Initial Access
Techniques: Valid Accounts
Mitigations: User Training, Network Segmentation, Multi-factor Authentication

IP allow list credential use, multi-factor authentication, and user training can be effective measures to help prevent and mitigate compromised access keys.

(2) Key A is used to generate an extra credential (create Temporary Token B using GetSessionToken)

Tactics: Persistence, Defense Evasion
Techniques: Redundant Access
Mitigations: n/a

GetSessionToken calls cannot be prevented, as they are part of authentication. Mitigation techniques involve early detection by looking for calls to GetSessionToken in CloudTrail events.

(3,2a) Key A or Temporary Token B is used to escalate privileges (create Temporary Token C or D using AssumeRole)

Tactics: Privilege Escalation
Techniques (proposed): Role Assumption and User Impersonation 
Mitigations: Multi-factor Authentication, Privileged Account Management

To mitigate compromised temporary tokens generated by AssumeRole, use a revoke session token policy with a condition based on the creation time of the token. Requiring multi-factor authentication for manual calls to AssumeRole is also a good measure. Ensuring minimal access rights are granted to PassRole and AssumeRole can also mitigate problems. In some specific cases, such as EC2 instance creation, the AssumeRole temporary token can be allow listed to the EC2 instance IP using a metadata proxy, helping reduce the chances for abuse when the tokens are compromised.

(4,2b) Temporary Token C or D is used to access/exfiltrate data from an S3 Bucket

Tactics: Exfiltration
Techniques: Data from Cloud Storage Object
Mitigations: Audit, Encrypt Sensitive Information, Multi-factor Authentication, Restrict File and Directory Permissions, User Account Management

To mitigate unauthorized access to S3 Buckets, ensure S3 bucket permissions are not public, try to simplify bucket/object policies, and monitor event logs for suspicious API access. Multi-factor authentication in a resource-based policy can help ensure manual access is authorized. Finally, encrypt sensitive data, so that impact from loss of data is minimized.

By classifying the Att&ck techniques and tactics used, we can see commonality and differences in the original and secondary attack scenarios. Namely, step 2 involved a different API call to generate a temporary token (GetSessionToken) vs. the assumption of a role (AssumeRole). Further, the escalation of privileges and data exfiltration in both scenarios are the same. This allows us to focus on what is different in the mitigations, detections, and preventions for temporary token creation (GetSessionToken vs AssumeRole). Additionally, we can look to reuse/leverage common mitigations, detections, and preventions for the escalation of privilege and exfiltration (AssumeRole and S3 bucket access).

Detection, Mitigation, Prevention

Let’s dive deeper into the analysis by overlaying not only common detection, mitigation, and prevention measures from Att&ck, but also other measures, such as best practices or the defender’s own policies. We get this view:

More detailed Att&ck view, delving into detection, mitigation, prevention, and best practices

The advantages of this Att&ck view are:

  • Defenders can be more comprehensive along all of the attack chain not just with mitigations but with better detection and prevention.
  • Defenders can reuse knowledge as captured in Att&ck for common detections or mitigations, to make planning, implementation, and response quicker and more standardized.
  • Defenders can also analyze measures as to their efficacy (potential for FP or FN). An example of this is that simple alerting on AssumeRole is too noisy (FP) as it is called by many services when passing roles during invocation (e.g. EC2, Lambdas), so #3 (blue) above was determined to not be a good detection measure.

The analysis from the Att&ck diagram above can be detailed in a structured table:

Table showing an analysis of the Att&ck diagram shown above

The highlighted (yellow) measures are some of the points that either weren’t obvious or weren’t a priority from the first analysis done. 

Conclusion

Taking an Att&ck viewpoint on incidents or attack vectors can be useful for several reasons:

  • It provides a common, more repeatable framework for analysis, reducing tribal knowledge or inconsistent approaches
  • It allows for easier reuse of defensive measures for mitigation, detection, and prevention
  • It allows for a more comprehensive checklist by making it clear what each step of the attack chain is, making it less likely to forget to analyze steps
  • It can highlight new cloud techniques being used by adversaries (as the cloud providers continue to add services and APIs). In this case, Role Assumption is a common technique used that is more specific than just using Valid Accounts within the Privilege Escalation tactic, and it’s worth calling this out so the community can share specific practices for mitigating, detecting, and preventing abuse via this technique

By looking at the original attack scenarios in several ways from an Att&ck viewpoint, first by classified tactic/technique, then by wider-ranging analysis in a flow diagram, we are able to better evaluate the attack scenario and effective measures for detection, mitigation, and prevention.

author image
About the author
Jenko has 15+ years of experience in research, product management, and engineering in cloud security, AV/AS, routers/appliances, threat intel, Windows security, vulnerability scanning and compliance. At Netskope, he researches new cloud attacks.
Jenko has 15+ years of experience in research, product management, and engineering in cloud security, AV/AS, routers/appliances, threat intel, Windows security, vulnerability scanning and compliance. At Netskope, he researches new cloud attacks.