What the WAF? Beyond the Capital One Breach

Capital One made world news waves on July 19, 2019, when it was reported they had suffered a security breach that resulted in the loss of 30GB of data. This data loss affected 106 million people in North America and included data submitted on credit card applications from 2005 to early 2019.

Lots of digital ink has been written covering this cyberattack, and anyone interested in learning more about how the entire incident played out can find dozens of online sources, including the information posted by Capital One.

We found the two most striking elements of this incident to be 1) how and when the data loss was discovered, and 2) the point of entry for the intruder.

When you’re not the first to know

Capital One was not aware of the intrusion and loss of data until they received an anonymous tip on July 17, 2019, that their data was being stored out in the open on GitHub, a software development platform. GitHub is now named in a lawsuit that claims the data was uploaded to the site in April and that GitHub made no effort to remove it. It further alleges that GitHub actively encourages hacking and has a responsibility in the matter.

By the end of July, someone had been charged. While no credit card account numbers or log-in credentials were compromised, over 140,000 Social Security numbers, 80,000 bank account numbers, and other personal credit applicant information were downloaded from Capital One’s public cloud provider through this breach. The person arrested had worked for a time for the public cloud provider, and was a frequent and forthcoming user of Twitter where she spoke openly for months about discovering easy access to large amounts of data intended to be fully secure. She made little effort to hide her identity, beyond using a nickname, and the FBI had little difficulty finding her.

What the WAF happened?

How did she get in? Both parties involved in authorized possession of the data are large entities. Her methods had to have been fairly sophisticated, right? Not so much. Investigations have revealed that the entry point was a misconfigured open-source web application firewall (WAF) used in the hosted cloud operation. Once accessed, the WAF was used to pass a server-side request forgery (SSRF) attack that tricked the server into running commands it shouldn’t have been permitted to run.

The misconfiguration of the WAF assigned it too many permissions. This WAF did not ship with detection rules in place for SSRFs or a dozen or so other attack methods, which is not uncommon. Staff turnover within their IT department seems to have played a role in preventing Capital One from doing a deep review of their firewall vulnerabilities and delayed the installation of software purchased to help detect breaches.
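The paragraphs above describe an SSRF that a too-permissive component let through. The usual defensive counterpart on the application side is to refuse to fetch any user-supplied URL that could point back inside the deployment. The following is an added example, not Capital One's, its cloud provider's, or any WAF vendor's code; the allowlisted hosts, the `FAKE_DNS` table and the `fake_resolver` used for the offline demo are constructed.

```python
"""Added example (not Capital One's, its cloud provider's, or any WAF
vendor's code): validating a user-supplied URL before the server fetches it,
so the request cannot be steered at addresses inside the deployment.
The allowlist and the fake resolver used in the demo are constructed."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed allowlist: the only hosts this application should ever fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"https"}


def is_public_address(addr: str) -> bool:
    """True only for globally routable addresses; anything that points back
    inside the deployment (loopback, RFC 1918, link-local, reserved) is refused."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str) -> list:
    """Resolve with the OS resolver; returns every address the name maps to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(url: str, resolver=system_resolver):
    """Return (ok, reason). A naive fetcher would hand `url` straight to an
    HTTP client; this one checks scheme, embedded credentials, the host
    allowlist and, finally, where the name actually resolves."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, f"could not resolve {host}: {exc}"
    for addr in addresses:
        if not is_public_address(addr):
            # Catches an allowlisted name that has been pointed at an internal address.
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


# Constructed resolver results so the demo runs offline.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "images.example.com": ["10.0.0.12"],   # allowlisted name pointing inward
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in ("https://cdn.example.com/logo.png",
                      "https://images.example.com/logo.png",
                      "http://cdn.example.com/logo.png",
                      "https://10.0.0.12/admin"):
        print(candidate, "->", validate_fetch_url(candidate, fake_resolver))
```

Two caveats a practitioner would want: the address returned by the resolver should be the one actually connected to (otherwise a name can change between the check and the fetch), and a check like this complements, rather than replaces, limiting the permissions of whatever role the WAF or proxy runs under.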

According to Verizon’s latest investigative report on data breaches, web application attacks are a top reason for breaches. WAFs are a critical component of web application security and Capital One should have had a more robust version in place. There are multiple considerations in selecting the right WAF that go beyond architecture and form factor, such as detection techniques to monitor incoming and outgoing traffic, SSL and encryption, and integration with web app scanners.

Belt and suspenders for cybersecurity

Like any good cautionary tale, knowing about the cause of the Capital One breach has IT departments everywhere checking the configurations of their WAFs, and rightly so. That’s a good place to start, but not a good place to stop. It takes multiple layers to help detect, respond to and remediate potential gaps in securing your cloud deployments. Additional security approaches that combine both manual and automated approaches can help you prevent a security breach in the cloud. Some that should be considered based on what is now known about this incident include:

Cloud configuration management: The agility and elasticity of cloud platforms and applications make it difficult to maintain a known good state and ensure no gaps are introduced that allow easy access into corporate systems. The goal is to continuously monitor the cloud systems you want to manage, including servers, storage, networking and software, to ensure that any changes that introduce security risks are quickly recognized and remediated. Automation software is available to help with this management to minimize the upfront time commitment needed from staff who are already overwhelmed and overburdened. It’s important to note that a proper change control program must be implemented as well to understand why changes were made and if they are approved.
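A drift check of the kind described above, as an added example rather than any provider's or vendor's tooling: it compares a reviewed baseline of resource settings with the current state, rates each change by whether it widens access, and marks which changes are backed by an approved change ticket. The record layout, the resource names, the permission strings and the `APPROVED` set are constructed and deliberately simplified.

```python
"""Added example (not Capital One's or any cloud provider's tooling): a drift
check that compares a known-good baseline of resource settings against the
current state, flags changes that widen access, and marks which of them
have an approved change behind them. The record format, resource names and
permission strings are constructed and simplified."""
import json

WILDCARD = "*"
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed baseline: the state that was reviewed and signed off.
BASELINE = {
    "role/app-server": {"actions": ["storage:read"], "resources": ["bucket/app-assets/*"]},
    "sg/web-tier": {"ingress": [{"cidr": "203.0.113.0/24", "port": 443}]},
    "bucket/customer-apps": {"public": False, "encryption": "kms"},
}

# Constructed current state: the role has been widened, and port 22 opened to the world.
CURRENT = {
    "role/app-server": {"actions": ["storage:read", "storage:*"], "resources": [WILDCARD]},
    "sg/web-tier": {"ingress": [{"cidr": "203.0.113.0/24", "port": 443},
                                {"cidr": "0.0.0.0/0", "port": 22}]},
    "bucket/customer-apps": {"public": False, "encryption": "kms"},
}

# Resources with an approved change ticket (constructed); everything else is unexplained drift.
APPROVED = {"sg/web-tier"}


def added_items(old, new):
    """Entries present in `new` but not in `old`, compared structurally."""
    seen = {json.dumps(x, sort_keys=True) for x in (old or [])}
    return [x for x in (new or []) if json.dumps(x, sort_keys=True) not in seen]


def is_wildcard(item) -> bool:
    """A bare '*' or a 'service:*' grant; a trailing path glob is not treated as one."""
    s = str(item).strip()
    return s == WILDCARD or s.endswith(":" + WILDCARD)


def classify(field, old, new) -> str:
    """'high' when the change widens access or weakens protection, else 'low'."""
    if field in ("actions", "resources"):
        if any(is_wildcard(item) for item in added_items(old, new)):
            return "high"
    elif field == "ingress":
        if any(rule.get("cidr") in ANYWHERE for rule in added_items(old, new)):
            return "high"
    elif field == "public" and new is True:
        return "high"
    elif field == "encryption" and not new:
        return "high"
    return "low"


def drift_report(baseline, current, approved):
    """One finding per changed field, with a severity and an approval flag."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        before, after = baseline.get(name, {}), current.get(name, {})
        for field in sorted(set(before) | set(after)):
            old, new = before.get(field), after.get(field)
            if old == new:
                continue
            findings.append({
                "resource": name, "field": field, "old": old, "new": new,
                "severity": classify(field, old, new),
                "approved": name in approved,
            })
    return findings


if __name__ == "__main__":
    for f in drift_report(BASELINE, CURRENT, APPROVED):
        note = "" if f["approved"] else " (no approved change)"
        print(f"[{f['severity'].upper()}] {f['resource']}.{f['field']}: {f['old']} -> {f['new']}{note}")
```

Running this on the constructed data yields three high-severity findings; the two on the role have no change record behind them, which is exactly the kind of drift the paragraph says needs to be recognized and remediated quickly.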

Cloud compliance monitoring solutions: An automated software solution that enforces internal policies, complies with external regulatory mandates, and assesses the risk of vendors and third parties. For industries that are regulated, this can relieve the burden on IT staff while also enabling closer adherence to the required policies and adding additional mitigation of cloud risks.

Patch management: Organizations need to ensure they extend their current patch management process to the cloud to handle virtual server systems and applications. This can be done internally with a manual process but requires more training, staffing consistency, and the ability to closely follow schedules. Larger entities generally use an automated system, and some organizations choose to outsource to a third party. Patches are rarely perfect when released to the market, so it’s important to do proper testing and have rollback procedures in place in case issues arise from patching. As more applications are rewritten to leverage containers, organizations will be able to increase the speed and efficacy of patching their systems.

Red Team activities and vulnerability management: Whether conducted manually or through automation, these exercises are meant to validate configurations and controls. While similar to penetration testing, Red Team methods are more targeted and, rather than just seeking vulnerabilities, can help determine an organization’s detection and response capabilities. Vulnerability scans, often used in conjunction with Red Team activities, look for potential points of exploitation on devices and networks. Attackers also use this method to find vulnerabilities. If it’s worth their time and resources, it’s probably worth yours. This can be done in-house or by an outside vendor. Ideally, both authenticated (replicates a logged-in user) and unauthenticated scans (no login replication) should be done.

Multi-factor authentication (MFA): Once seen as an add-on security measure, this is becoming a standard for many enterprises, especially those supporting a remote workforce. Using an MFA solution lowers your administrators’ and users’ risk of identity theft and the hijacking of credentials and passwords. Selecting an MFA solution that also evaluates the context of the login attempt minimizes the impact on the user experience: the additional factor is required only when that context calls for it, and the context determines which type of factor is needed to validate the credentials.

Tokenization of sensitive data: When elements of sensitive data are replaced with non-sensitive elements (tokens), the data no longer offers value, meaning or leverage for exploitation by the unauthorized user. The token “map” must be housed separately from the data processing center and applications, either in a different area of the in-house data center or with a secure provider. Many organizations encrypt their sensitive data, but often fail to prevent the application or OS that accesses the data from accessing the decryption keys, allowing an unauthorized user to download the data unencrypted.
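To make the separation described above concrete, here is an added example of a token vault, not any vendor's tokenization product and not code from the page: the vault owns the token map, the application store receives only a `tokenize` callable at intake and keeps tokens plus a display hint, and a dump of the application store can be scanned to confirm it carries no original values. The record layout, the SSN format check and the sample applicants are constructed.

```python
"""Added example (not any vendor's tokenization product): a token vault that
keeps the token map apart from the application's own records, so a dump of
the application store carries nothing that can be turned back into the
original values. The SSN pattern, record layout and sample applicants are
constructed."""
import json
import re
import secrets

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


class TokenVault:
    """The token map. Deployed on its own, reachable only by the service that
    must see real values; the application never holds a reference to it."""

    def __init__(self):
        self._value_by_token = {}
        self._token_by_value = {}  # same value -> same token, so records stay joinable

    def tokenize(self, value: str) -> str:
        if value in self._token_by_value:
            return self._token_by_value[value]
        while True:
            # Random token: carries no information about the value it stands for.
            token = "tok_" + secrets.token_hex(12)
            if token not in self._value_by_token:
                break
        self._value_by_token[token] = value
        self._token_by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._value_by_token[token]


class ApplicationStore:
    """Application-side records: a token plus the last four digits for display.
    It is handed a tokenize callable at intake time, never the vault itself."""

    def __init__(self):
        self.records = []

    def add_applicant(self, name: str, ssn: str, tokenize) -> dict:
        record = {"name": name, "ssn_token": tokenize(ssn), "ssn_last4": ssn[-4:]}
        self.records.append(record)
        return record

    def dump(self) -> str:
        """What someone who copies this store would obtain."""
        return json.dumps(self.records)


def contains_ssn(text: str) -> bool:
    """Scan a dump for anything shaped like a full SSN."""
    return SSN_RE.search(text) is not None


def demo():
    vault = TokenVault()
    store = ApplicationStore()
    # Constructed sample values, not real identifiers.
    store.add_applicant("A. Applicant", "123-45-6789", vault.tokenize)
    store.add_applicant("B. Applicant", "987-65-4321", vault.tokenize)
    return vault, store


if __name__ == "__main__":
    vault, store = demo()
    print(store.dump())
    print("dump contains SSN:", contains_ssn(store.dump()))
    print("vault lookup:", vault.detokenize(store.records[0]["ssn_token"]))
```

Two design choices are worth naming: mapping the same value to the same token keeps records joinable but reveals when two applicants share a value, and keeping the last four digits is a deliberate trade of a little information for usability. The point the paragraph makes is preserved either way: nothing in the application's process can reverse a token, so an attacker who copies the store gets tokens, not data.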

Data exfiltration detection and prevention: Security isn’t only about ingress. It’s also important to know when data is leaving the network, which can signal unauthorized copy, transfer or retrieval of data. Monitoring the syncing of cloud storage services to external locations is not a common practice but should be. It is a critical component of SOC operations. Another successful attack method is DNS tunneling, which is easy to see, but rarely monitored. High volumes of outbound DNS queries should be flagged for review.
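The DNS-tunneling point above is easy to turn into a check. The following is an added example, not any SOC's or vendor's detection logic and not code from the page: it runs over constructed resolver log lines, flags clients whose outbound query volume is high, and separately flags a client that sends many unique, high-entropy subdomains under one domain, the shape DNS tunneling leaves in logs. The log format, the host addresses, `data.example.net` and the thresholds are assumptions chosen for the sample.

```python
"""Added example (not any SOC's or vendor's detection): flagging DNS-tunnel
style exfiltration in resolver logs by query volume per client and by many
unique, high-entropy subdomains under one domain. The log lines are
constructed; the format and thresholds are assumptions for the demo."""
import hashlib
import math
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")


def build_sample_log():
    """Constructed log: 10.1.2.3 does ordinary lookups; 10.1.2.9 pushes data
    out as long hex labels under data.example.net (labels are sha256 prefixes,
    chosen only to look like encoded chunks)."""
    lines = [
        "2019-07-17T10:00:01Z 10.1.2.3 A www.example.com",
        "2019-07-17T10:00:02Z 10.1.2.3 A mail.example.com",
        "2019-07-17T10:00:03Z 10.1.2.3 AAAA www.example.com",
        "2019-07-17T10:00:04Z 10.1.2.3 A cdn.example.com",
    ]
    for i in range(12):
        label = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]
        lines.append(f"2019-07-17T10:00:{10 + i:02d}Z 10.1.2.9 TXT {label}.data.example.net")
    return lines


def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def registered_domain(qname):
    """Last two labels; a real deployment would use the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character; random hex is near 4, ordinary hostnames far lower."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def analyze(lines, max_queries=10, min_unique_subdomains=8, min_entropy=3.0):
    """Return alerts: one per client over the volume threshold, and one per
    (client, domain) pair that looks like tunneling."""
    queries = Counter()
    subdomains = defaultdict(set)
    entropies = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real pipeline should count these too
        client, qname = rec["client"], rec["qname"].rstrip(".")
        domain = registered_domain(qname)
        sub = qname[: -len(domain)].rstrip(".") if qname != domain else ""
        queries[client] += 1
        if sub:
            key = (client, domain)
            subdomains[key].add(sub)
            entropies[key].append(shannon_entropy(sub.replace(".", "")))
    alerts = []
    for client, n in queries.items():
        if n > max_queries:
            alerts.append({"client": client, "reason": "query-volume", "queries": n})
    for (client, domain), subs in subdomains.items():
        avg = sum(entropies[(client, domain)]) / len(entropies[(client, domain)])
        if len(subs) >= min_unique_subdomains and avg >= min_entropy:
            alerts.append({"client": client, "domain": domain, "reason": "tunnel-pattern",
                           "unique_subdomains": len(subs), "avg_entropy": round(avg, 2)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(alert)
```

The thresholds here are set low so the twelve-line sample trips them; in production they come from a baseline of normal per-client volume, and the volume rule should be evaluated per time window rather than over a whole file.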

Insider threat program: This program should be designed to monitor user behavior on endpoints or the network to identify malicious behavior. If you work with government agencies, this is likely a requirement. A well-constructed program can help you locate and mitigate internal risks. Written policies, the involvement of select personnel, educating employees, and monitoring user access and activity should all play a role. A proper insider threat program should also entail the detection of rogue devices purposefully installed to assist in discovering and extracting data.

Knowledgeable personnel: Skills gaps and staffing resources can make this challenging, but seasoned staff experienced with cybersecurity and what to look for in identifying malicious behavior is critical for any security program to be effective. Utilizing security orchestration and automation software and/or managed security services can help relieve some of the burdens of finding and hiring the right cybersecurity personnel.

The aftermath

The hard-dollar estimates for what this incident will cost Capital One, including technology costs, legal support, and customer messaging, are in the range of $100 million to $150 million. There was additional fallout in the erosion of brand trust, something hard to quantify in real dollars but certainly highly valuable.

If there was a silver lining for Capital One, it was the fact that they had prepared for what now seems like an eventuality for many enterprises—experiencing a breach or attack. They have programs in place to respond to and recover from a cybersecurity incident as quickly and completely as possible. These included a structured methodology for incident response and responsible disclosure. They have also protected the hard-dollar financial impact of such an incident with cyberinsurance. Policies exist to protect entities of all sizes, and like most protection policies, they can be tailored to meet specific needs.

If you haven’t reviewed your security programs lately—or ever—Sirius offers a team of experts who can help you assess the current state of your security program, determine gaps and threats, and develop specific and actionable recommendations for remediation. Learn more about Sirius Security offerings here or contact us today to get started.

By Jose Ferreira and Peggy Steckelberg | October 23rd, 2019 | Blog

About the Authors:

Jose Ferreira is a Southeast Security Solutions Territory Manager for Sirius.

Peggy Steckelberg is a corporate communication specialist with Sirius.