Security analytics and testing firm Rapid7 this week unveiled Project Heisenberg Cloud, a research project designed to use the cloud to get a closer look at what attackers are doing, both in the cloud and across the Internet.
Heisenberg (PDF) itself is a honeypot framework distributed within the Amazon, Azure, Digital Ocean, Rackspace, Google and SoftLayer clouds. Since these six providers make up nearly 15% of available IPv4 addresses on the internet it was an opportunity to examine activity in, across and against individual and collective cloud environments.
There was no preconceived intent on what to look for. Indeed, Bob Rudis told SecurityWeek that the two projects leads, himself and Derek Abdine, had different opinions: one thinking that they would learn more about general internet attack activity, and the other thinking they would learn more about activity within the cloud. In the event they saw both.
For example, following the Mirai attack against Brian Krebs, they configured the honeypot to detect Mirai connection attempts -- and identified nearly 100,000 devices that are or were part of the botnet. Focusing within the individual clouds, however, Heisenberg detected unexpected differences in ARM activity (attackers, researchers and misconfigurations) between the clouds.
The Heisenberg honeypots are lightweight configurable nodes that send back full packet captures for post-interaction analysis by Rapid7, used for both live monitoring and historical data mining. There are currently 136 honeypots within the six providers; although Rapid7 hopes this will increases as the project proceeds.
The initial intent was to examine 'activity' rather than solely attacks. The 'misconfiguration' aspect of ARM turned out to be not uncommon. The fluid nature of cloud usage means that IP addresses readily come and go within an individual organization's cloud configuration. Configuration files are used to control users' cloud environments; but are not always managed efficiently. As a result, devices can continue to poll other devices that may no longer be part of the original cloud configuration.
This is not likely to be a serious problem beyond minimal unnecessary bandwidth use -- but technically if both parties use the same default credentials, company A could 'accidentally' access devices now being used by company 'B'. It is, at the very least, an indication that an organization is not adhering to best IT practices.
Specific attacks coming against the honeypots were myriad. These, says the associated Heisenberg report, included "active attempts to exploit the recent Juniper NSA backdoor, PHP services, remote desktop environments, point-of-sale systems databases, and more. The data also showed that sites that illegally scrape and aggregate pornography content and services that 'mashup' data sources -- such as airline price data -- seek out anonymous proxies in an attempt to cover their tracks. There is also active use of logging and reporting infrastructure injection attacks in HTTP referrer and user agent fields."
The expectation was that the project would unearth similar statistics across all of the clouds. The reality is that this does not happen. There are significant differences in the services exposed by users within the different clouds (data from Rapid7's earlier Project Sonar 2016 National Exposure Index). Not only do these differences exist, it seems that they are known. "The kinds of services exposed by each cloud provider's user populations are varied according to the provider," says the report. "These differences are being tested and exploited today by a range of adversaries who are clearly aware of these differences."
While Rapid7 is already able to offer advice from this initial analysis, it is likely that more benefits will follow in the future. Immediate advice includes a range of ports that should be avoided because "the team observed a far greater number of attacks, anonymous proxy probes, and misconfigured service traffic coming at these ports;" log everything, because your own logs may be the only available forensic evidence if things fail; and, not unusually, stay up to date with patches and updates, because "the research team detected exploits against known CVEs, both old and new, and at the operating system and application infrastructure level."
In the future, however, more concrete developments may ensue. Project lead Bob Rudis confirmed that Microsoft is already looking at the Azure-specific data from Heisenberg. There is the strong possibility that the 'ARM' data could be used by both cloud providers and cloud users to improve future cloud security.
Rapid7 announced Project Heisenberg Cloud at its UNITED 2016 Security Summit this week in Boston, which SecurityWeek was a media sponsor.