Halo detects cloud breaches

How Halo can help detect cloud breaches

jack marsal / 06.22.17

What happens to companies when they are using a public cloud infrastructure like AWS or Azure and hackers obtain login credentials to manage the cloud account?

Three years ago, this happened to a company called Code Spaces. They went out of business when the attacker deleted EC2 machines, storage volumes, and backup data via the company’s AWS management console.

More recently, a company suffered a significant security incident when an attacker obtained access to a set of AWS keys that the company used to create AWS instances. The attacker created several AWS EC2 instances and used them to perform reconnaissance for several hours before being detected and shut down.

How Halo can help

For years, CloudPassage has made available to our customers an Audit Servers Without Halo script that could have detected this sort of breach within a couple of minutes. Here is how it works: every minute, the script fetches the list of instances in the organization's AWS environment and compares it with the list of authorized instances known to Halo. In the typical Halo environment, every authorized instance runs a Halo agent. If an attacker were to steal a set of AWS keys and create unauthorized instances, those instances would certainly not contain a Halo agent, so they show up as outliers.

Let me emphasize the time dimension: In this situation, Halo can detect within two minutes that something fishy is going on in your AWS environment.

This script can be used just as easily to detect shadow IT – AWS instances created by bona fide employees who are operating outside of the guardrails set up by the security organization.
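The comparison described above (the "How Halo can help" paragraph) and the shadow IT case are the same set-difference check: cloud inventory minus agent inventory. The following is an added illustrative example written for this post, not CloudPassage's Audit Servers Without Halo script. It assumes the AWS side is shaped like the boto3 `ec2.describe_instances()` response and that the "known to Halo" side is available as a set of instance IDs; both inputs are constructed inline so it runs offline. It also adds two practical refinements the post does not spell out: terminated instances are ignored, and instances launched within a short grace window are held until the next run so a slow agent registration does not raise a false alarm.

```python
"""Report EC2 instances present in AWS but absent from the agent inventory.

Added example, not CloudPassage's own script. The EC2 side mirrors the shape
of boto3's ec2.describe_instances() response; the "known" side is assumed to
be a set of instance IDs from your agent inventory. All data is constructed.
"""
from datetime import datetime, timedelta, timezone

# Assumption: a freshly launched instance may need a short window before its
# agent registers, so instances younger than this are not reported yet.
REGISTRATION_GRACE = timedelta(minutes=5)

# Fixed clock so the example is reproducible.
NOW = datetime(2017, 6, 22, 12, 0, tzinfo=timezone.utc)

# Constructed sample shaped like the Reservations list boto3 returns.
SAMPLE_DESCRIBE_INSTANCES = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaa111", "State": {"Name": "running"},
             "LaunchTime": NOW - timedelta(days=30),
             "Tags": [{"Key": "Name", "Value": "web-1"}]},
            {"InstanceId": "i-0bbb222", "State": {"Name": "running"},
             "LaunchTime": NOW - timedelta(hours=3),
             "Tags": []},  # running for hours, no tags, no agent: the outlier
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccc333", "State": {"Name": "terminated"},
             "LaunchTime": NOW - timedelta(days=2), "Tags": []},
            {"InstanceId": "i-0ddd444", "State": {"Name": "pending"},
             "LaunchTime": NOW - timedelta(minutes=1),
             "Tags": [{"Key": "Name", "Value": "web-2"}]},  # too new to judge
        ]},
    ]
}

# Constructed: instance IDs with a registered agent (the "known to Halo" list).
SAMPLE_HALO_KNOWN = {"i-0aaa111"}


def flatten_instances(describe_response):
    """Yield every instance dict from a describe_instances-style response."""
    for reservation in describe_response.get("Reservations", []):
        for instance in reservation.get("Instances", []):
            yield instance


def name_tag(instance):
    """Return the Name tag value, or None when the instance has no such tag."""
    for tag in instance.get("Tags", []):
        if tag.get("Key") == "Name":
            return tag.get("Value")
    return None


def find_unmanaged_instances(describe_response, known_ids, now=None,
                             grace=REGISTRATION_GRACE):
    """Return instances that exist in AWS but are not in the agent inventory.

    Terminated and shutting-down instances are skipped (nothing to respond
    to), and instances launched less than `grace` ago are held back; they
    are re-evaluated on the next run, so the detection delay stays bounded.
    """
    now = now or datetime.now(timezone.utc)
    outliers = []
    for inst in flatten_instances(describe_response):
        state = inst.get("State", {}).get("Name")
        if state in ("terminated", "shutting-down"):
            continue
        if inst["InstanceId"] in known_ids:
            continue
        age = now - inst["LaunchTime"]
        if age < grace:
            continue
        outliers.append({
            "instance_id": inst["InstanceId"],
            "state": state,
            "name": name_tag(inst),
            "age_minutes": int(age.total_seconds() // 60),
        })
    return outliers


if __name__ == "__main__":
    # In a real deployment this runs on a one-minute schedule and the two
    # inputs come from describe_instances() and the agent inventory API.
    for o in find_unmanaged_instances(SAMPLE_DESCRIBE_INSTANCES,
                                      SAMPLE_HALO_KNOWN, now=NOW):
        print(f"UNMANAGED {o['instance_id']} ({o['name'] or 'no Name tag'}) "
              f"state={o['state']} age={o['age_minutes']}m")
```

Run every minute, this reports `i-0bbb222` (running for three hours with no agent) while holding back `i-0ddd444`, which launched a minute ago; if that instance still has no agent after the grace window, it is reported on a later run. Matching on instance ID rather than hostname or IP matters because an attacker-launched instance can be given any name, but its ID is assigned by AWS.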

This script is publicly available on our GitHub, and when it's combined with other diligent practices, like a continuous compliance system, it enables incident responders to quickly identify outliers (the instances that have no Halo agent) so you can find and address the issue immediately rather than a month, or several months, down the line.

That’s why, along with our Audit Servers Without Halo script, we recommend always automating your compliance practices as much as possible.