What is doxing? This term may be unfamiliar to some and all too familiar to others. Doxing is when attackers collect extensive amounts of personal information about targets and then use that information to embarrass or possibly harm them.
In Hollywood, the word is detested. Criminals made the word well-known after using doxing methodologies to access and publicly post nude photographs of celebrities. Most people associate doxing with a negative connotation, as it implies a methodology used by threat actors against individuals and organizations alike. Doxing tactics, however, can also be useful for defenders when testing cloud environments.
What Does Doxing Have to Do With Cloud Security?
The cloud has created an environment where there is no physical place to attack, yet many companies apply the same controls and processes to cloud security as they do to on-premises security. That strategy works in some cases. For example, application penetration testing can be a transferable service from on-premises to cloud environments. Applications should be tested before and after deployment to uncover and fix exploitable vulnerabilities, and since many organizations use containerization nowadays and host their applications in the cloud, the testing can take place there as well.
Other forms of on-premises penetration testing such as network testing, however, do not apply when it comes to the cloud. That is because there is no network. Whereas a serverless application can be tested in the same way as on-premises applications, for network testing, you need IP addresses.
So which cloud defense mechanism should be swapped with network testing? Enter attacker reconnaissance, which incorporates a simulation of doxing tactics.
How Can Pen Testers Use Doxing to Secure the Cloud?
To shed more light on this topic, I spoke with X-Force Red’s hacking chief technology officer (CTO) and leading cloud tester, Steve Ocepek.
Question: Steve, thank you for speaking with me today. First, for readers who do not know what the tactic entails, what is doxing?
Ocepek: Doxing is aggressive open-source intelligence gathering about a person to collect personally identifiable information (PII). It may include researching their social media presence, looking at websites and performing open searches — pretty much anything that an external attacker can access to find out information about a target.
Attackers then use that information to publicly embarrass or harm their target. In many cases, doxing can entail the exposure of a target’s personal information, photos, addresses, emails, communication contents and other details online, publicly and without that person’s consent.
Why does doxing have such a negative connotation? Is it because doxing is mainly used by criminals instead of offensive security teams?
Ocepek: Yes. Doxing is an edgy word. To a potential victim, it can imply, “I am going to get you. I will find out the sweet spots and take advantage of them.” Criminals use doxing to inflict harm on individuals, abuse their rights to privacy and, in some cases, extort them. It is typically not associated with anything positive.
So how does doxing relate to cloud security?
Ocepek: Attacker reconnaissance could be the new external penetration test for serverless cloud environments. The service can identify publicly available information and human security flaws that, if used nefariously, can significantly harm a company. Attacker reconnaissance uses the same open-source intelligence sources that attackers use when doxing. It simulates doxing tactics to paint a picture of what attackers can learn about your organization.
Today’s cloud providers are creating their own customized suite of technologies for developers to use to write and run application code hosted on the cloud provider’s infrastructure. Developers have typically not had to worry about being a target of attackers. Their main concerns have been to complete projects on time.
Since many cloud services don’t have a specific set of IP addresses, however, attackers are shifting their focus to the people who have the most significant level of access: the developers who built the applications. Looking at this from an offensive security viewpoint, I do not consider it hard to find out, often through social media, who develops a company’s cloud applications. Through some public forums, I can also see if they are using, for example, Node.js, x libraries and y technology stacks. Attackers could then potentially send them a spear phishing email to get keys into their cloud environment. In that sense, developers are the new targets for cloud-based attacks and from a criminal’s perspective, attacker reconnaissance is a good way to glean information about targeted developers.
So, if the bad guys are using doxing to shame and hurt their targets, the good guys could incorporate those same tactics to protect targets. Offensive security teams should include attacker reconnaissance in their testing programs to see what information they can find about a target and how they can use it. They can then help companies remediate human security mistakes, like preventing employees from posting information on social media, that could be used to compromise their employer.
I am sure you can learn all kinds of things about people and companies by looking on social media alone.
Ocepek: Yes, and when you find the right information, the consequences can be detrimental. When it comes to cloud security, attackers are only one credential set away from compromising a company’s entire environment. From an attacker’s perspective, if they could get a secret key and the user ID of a cloud developer, they could potentially log in as that person. Attackers could then impersonate that developer and, if successful, access every piece of information in their cloud environment and possibly go unnoticed for an indefinite amount of time.
For companies looking to improve their cloud security posture, do you recommend attacker reconnaissance and application testing? Anything else?
Ocepek: When it comes to cloud security, two of the best strategies in my opinion are attacker reconnaissance and application testing. With no specific IP address space, network testing makes no sense. Swap in attacker reconnaissance instead. When some security experts talk about the cloud, they say the same on-premises processes should also be used to protect cloud environments. In some cases, like with Amazon Elastic Compute Cloud (EC2), that strategy works because it’s essentially virtual hardware. The same flaws may exist on a regular Windows box in a data center.
On the cloud front, however, if your team is spinning up a bucket on S3 or using AWS Lambda to run code, there is no server or network. While application testing is necessary for cloud applications, even those that are serverless, there is still application logic, deployment processes and other avenues for abuse. Attacker reconnaissance can help uncover vulnerabilities across those avenues.
Learn More About Cloud Security at AWS Re:Inforce
X-Force Red is at the AWS Re:Inforce conference taking place this week. We welcome you to stop by the IBM Security booth (#719) to chat with Steve about top threats and vulnerabilities exposing cloud environments.