Over the past few years, cloud computing has emerged as the de facto infrastructure of choice for the majority of new digital workloads created by organizations. The ease of use, scalability, and diverse set of cloud services are making the move to cloud computing more relevant and adopted.
However, a new IT environment comes with its own set of security challenges. According to SentinelOne’s 2024 Cloud Security Report, over 87% of organizations state that they have too many cloud security tools, resulting in security teams being in perpetual alert fatigue. The Offensive Security Engine™(OSE), an automated red teaming feature of Cloud Native Security, our agentless CNAPP, eliminates false positives to allow cloud security teams to focus on the truly exploitable issues.
This blog explains how the OSE prioritizes critical exploitable vulnerabilities with evidence-backed Verified Exploit Paths™.
Cloud security presents a unique set of challenges that stem from the shared responsibility model for security in the cloud, where cloud service providers and customers share the responsibility for securing infrastructure and data across cloud real estate. Human error also plays a significant role, as even small mistakes in configuration by cloud admins can create exploitable vulnerabilities. These errors are often compounded by cloud environments’ dynamic and scalable nature, making it difficult for customers to understand their risk profile and security posture and maintain consistent security practices.
Beyond a general lack of integration across security tools and data and the shortage of experienced security talent, the biggest challenge plaguing cloud security teams in organizations today is alert fatigue. The plethora of tools used by security teams generates a large volume of alerts, many of which turn out to be false positives. Close to 45% of all alerts reaching the security operations team across organizations are false positives. Without any prioritization amongst alerts, security teams spend most of their time working on alerts that are not the most urgent in their specific cloud infrastructure.
The alert resolution process is human-centric, where each alert is verified by a security team member, directly affecting the mean-time-to-resolve (MTTR) for the security operations team. More than 25% of the 2024 Cloud Security Report respondents felt that their security resolution process was deficient, meaning that less than 70% of alerts are investigated within 24 hours of being notified. In the current age of AI, where attacks are automated and can happen at machine speed, this human-centric validation and prioritization process is highly susceptible to being compromised in a coordinated cyberattack.
Security teams are in dire need of a solution that helps them cut through the barrage of alerts that security tools generate based on an ever-increasing number of cloud events to uncover truly exploitable alerts automatically.
Cloud Native Security (CNS) is the agentless component of SentinelOne’s Singularity Cloud Security solution. Singularity Cloud Security provides the best agentless insights and visibility with a powerful agent-based threat protection and response solution to provide a modern, comprehensive CNAPP. CNS became generally available on May 13th across North America and on July 17th across the EMEA region and was covered in more detail in this launch blog.
The OSE is a differentiating capability of CNS that eliminates false positives and helps security teams prioritize and fix issues that matter the most. Once CNS has inventoried cloud assets, the OSE starts safely simulating harmless attacks on cloud infrastructure to provide Verified Exploit Paths that move beyond theoretical attack paths and identify vulnerabilities that are truly exploitable. Any new cloud asset that instantiates is automatically included in the assessment by the OSE.
The OSE not only prioritizes the exploitable alert but also automatically provides evidence of exploitability along with each alert to save the time that is usually spent on reproducing the exploit and proving its actionability. This evidence or proof is presented along with every alert in the form of a snippet screenshot proving the exploitability and accelerating the communication and collaboration needed across stakeholders such as the cloud, IT, security, and developer teams.
The OSE also integrates into popular ticketing services like JIRA so that the security analyst can create the remediation ticket directly from the CNS console. By smoothly orchestrating the entire prioritization, reproduction, and remediation process, the OSE helps customers prioritize and resolve the issues that matter most.
Here are three examples of cloud exploits to showcase the OSE and show the effectiveness of CNS in identifying and prioritizing verified issues.
One of the techniques the OSE uses is scanning for CVE-based exploits across an onboarded cloud infrastructure. As more CVEs are discovered and listed, new exploits are added to the OSE to verify their applicability to the client’s environment. After the OSE assessment, security teams can skip the long list of potentially impactful CVEs and focus on the alerts highlighted by the OSE, which are the alerts that are actually exploitable. In this example, we will look at how Metabase, a popular open-source data analytics platform that is affected by CVE-2021-41277, is detected by OSE.
Every alert in the CNS console starts with a description of the alert, its impact, and the recommended remediation action. At the bottom of the console, there is a table containing the affected resource and other details for the resource, such as the vulnerable port or subdomain for public accessibility and two other actions for each resource:
The evidence provided for each alert depends on the type of exploit detected by the Offensive Security Engine™ and includes the command and response sufficient to prove the exploitability.
In this case, the evidence showcases the exact curl command used to test the exploit for CVE-2021-41277. The command requests the password file using the GeoJSON map API and then returns a screenshot of the password file as a response.
The alert also allows quick tickets by integrating into common ticket management platforms so remediation action can be quickly assigned, tracked and performed. This end-to-end critical alert prioritization and management makes CNS essential for cloud security. This trust is also reflected in the market, with Singularity Cloud Security from SentinelOne being the most awarded CNAPP platform on G2.
“CNS’ agentless CNAPP platform is significantly less noisy and its alerts powered by Offensive Security Engine are more actionable as compared to alternatives. Along with differentiators like secret scanning capabilities, CNS as part of the larger Singularity Cloud Security platform, is poised to be an integral part of our security landscape for the future,” said Daniel Wong, CISO at Skyflow.
The shift to cloud platforms has enabled rampant adoption of modern tech stacks like containers, Kubernetes, and serverless. A Docker registry is a centralized repository where Docker images are stored, managed, and distributed. It allows users to upload, share, and download container images for their applications.
If a Docker registry is accidentally exposed publicly, it can expose any Docker image-related information, such as the base image and entry point, which the attacker can then use to propagate the attack. In this specific example, the OSE identifies a publicly accessible Docker registry situated in the cloud account.
Accessing the alert on the CNS console, clients can quickly visualize the attack via the Graph Explorer to show the exact Verified Exploit Paths an attacker would take to exploit this specific Docker registry.
This alert provides evidence of exploitability by sharing a screenshot of the registry’s contents that is publicly available. In this specific alert, the vulnerable registry is empty. The OSE also shares the exact curl command sent to access the registry so that the verification can be repeated.
This is an excellent example of how the OSE not only focuses on alerts due to CVEs, backdoors, or software supply chain attacks but also protects other parts of the application development lifecycle, such as misconfigurations of code repositories. Moreover, with integrations across major ticketing platforms, CNS facilitates collaboration between security and developer teams so that quick remediation action can be taken, thereby safeguarding the client from potential code and information theft.
In this example, we showcase how the OSE helps provide coverage for cloud-based assets that are prone to being misconfigured due to human error. Improperly deleted S3 buckets pose significant security risks, including residual access permissions, bucket name reuse vulnerabilities, data exposure, and potential for phishing or social engineering attacks. Attackers could exploit old IAM policies or quickly recreate a bucket with the same name to intercept or manipulate data, leading to unauthorized access, data breaches, and service disruptions.
In this case, we will see how an improperly deleted S3 bucket, once identified, is populated in the CNS console and the proof of exploitability presented with the alert.
The evidence presented in this case is first a simple GET HTTP request to the base path and then the response to the command with a “the specified bucket does not exist” error. From this error message, an attacker can get the deleted bucket name and the domain, which can be used to perform an account takeover.
With the advent and application of malicious AI-based attacks, threat actors have impeded response from cloud security practitioners. As cloud adoption increases, human error and cyberattacks will only get compounded. To comprehensively protect cloud environments from attackers, SentinelOne’s Singularity Cloud Security harnesses the power of AI to provide world-leading cybersecurity to its clients.
With its Offensive Security Engine capability, CNS helps prioritize alerts by providing verified exploitable alerts. This prioritization saves time wasted by security teams sifting through a mountain of alerts that other tools generate and promotes collaboration across security and DevOps teams.
Let us prove it to you in 1 hour. CNS onboards within a few minutes so you can run a cloud assessment and gain insights into where you should focus within your environment. To learn more about CNS, please visit the Cloud Native Security webpage.
Singularity™ Cloud Security
Improve prioritization, respond faster, and surface actionable insights with Singularity™ Cloud Security, the comprehensive, AI-powered CNAPP from SentinelOne.