Protecting Against Insider Attacks with Dome9

Over the last few years, attacks originating from within the enterprise (aka insider attacks) have started to gain significant attention from IT security teams. Potential threats range from shadow IT abuse all the way to stealing and compromising sensitive data.

Whether the threat comes from employees, former employees, contractors, or malware installed on an infected endpoint, the guidance is the same: anyone without authorized access should not have the ability to touch and interact with critical organizational assets.

Several types of security solutions exist in the industry today, yet most of them provide detection and mitigation only after the breach has happened, or focus on the endpoint rather than the data source.

Dome9 is a purpose-built platform focused on preventative security for the public cloud. Dome9 builds guardrails that help SOC teams to:

1. Detect misconfigurations early

2. Enforce a clean security posture

3. Leverage automatic remediation capabilities

I. Prevent attacks by detecting misconfigurations early on

The Dome9 Compliance Engine is an automation framework that allows admins to monitor the security configuration of their cloud environments on an ongoing basis. Alongside an extensive baseline of rules written by the Dome9 research and compliance team, the engine is highly customizable and can be adapted to an organization's specific needs. By detecting misconfigurations early, organizations can fix issues before the weakness can be exploited by malicious insiders. The Dome9 Compliance Engine is based on a proprietary Governance Specification Language (GSL) that is both simple and powerful. Here are a few examples of rules that can be written:

Ensure Correct Security Group Scope

Security teams need to ensure that internal assets and resources are not accessible from the entire internal network. The following GSL rule makes sure that the security groups attached to databases can be accessed only from a specific subnet, for example the web application network:

SecurityGroup where name like '%Database%' should have inboundRules with [ scope='' ]

A related rule can make sure that specific ports, mainly administrative ports, are accessible only from a small range of IPs. Port 22 is the port for the SSH protocol and should be accessible to system admins only:

SecurityGroup should not have inboundRules contain [port = 22 and protocol in ('TCP','ALL') and scope numberOfHosts() > 32]

Reducing the scope can significantly reduce the risk of someone accessing sensitive resources.
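As an added illustration (not Dome9's code), here is how the port 22 rule above can be evaluated in Python over security-group data shaped like AWS describe-security-groups output. The sample groups are constructed, the 32-host threshold is the one from the rule, and the AWS protocol value "-1" is taken to be what the rule calls 'ALL'.

```python
import ipaddress

# Constructed sample in the shape of AWS describe-security-groups output (not real data).
SECURITY_GROUPS = [
    {"GroupName": "bastion-sg",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.0/29"}]}]},
    {"GroupName": "web-sg",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupName": "legacy-admin-sg",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 20, "ToPort": 25,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupName": "open-all-sg",
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

MAX_SSH_HOSTS = 32  # the threshold used by the rule on the page


def number_of_hosts(cidr: str) -> int:
    """Count the addresses covered by a CIDR block (the GSL numberOfHosts() function)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def permission_covers_port(perm: dict, port: int) -> bool:
    """True if the inbound permission grants TCP (or all-protocol) access to `port`."""
    proto = str(perm.get("IpProtocol", ""))
    if proto == "-1":  # AWS encodes "all protocols, all ports" as -1; GSL calls it 'ALL'
        return True
    if proto.lower() != "tcp":
        return False
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def group_exposes_ssh(sg: dict, max_hosts: int = MAX_SSH_HOSTS) -> bool:
    """True if any inbound rule opens port 22 to a range of more than max_hosts addresses."""
    for perm in sg.get("IpPermissions", []):
        if not permission_covers_port(perm, 22):
            continue
        for ip_range in perm.get("IpRanges", []):
            if number_of_hosts(ip_range["CidrIp"]) > max_hosts:
                return True
    return False


def ssh_exposed_groups(groups: list, max_hosts: int = MAX_SSH_HOSTS) -> list:
    """Names of the groups that would violate the rule; port ranges containing 22 count too."""
    return [sg["GroupName"] for sg in groups if group_exposes_ssh(sg, max_hosts)]
```

Note that a port range such as 20-25 still exposes SSH even though no rule names port 22 explicitly, which is why the check tests range containment rather than equality.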

Leverage User Management Best Practices

User management is never an easy task, especially when managing dozens of cloud accounts. For example, you should avoid using the 'root' account and instead create dedicated users for the different tasks. Here is a GSL rule that validates that the root user has not been used in the last 90 days:

IamUser where name regexMatch /^<root_account>$/i should not have passwordLastUsed after(-90, 'days')

Taking over an unused user lets malicious behavior go under the radar, so unused IAM users should be removed from the system regularly. A password rotation policy also ensures that stolen credentials become useless within a reasonable time. Enforcing a 90-day password rotation across all accounts is easy:

Iam should have passwordPolicy.maxPasswordAge>0 and passwordPolicy.maxPasswordAge<91

The use of multi-factor authentication reduces the risk of account takeover, and Dome9 provides GSL rules that help you enforce the use of MFA. Here is how to validate that the root account uses hardware MFA rather than a virtual MFA device:

IamUser where name like '%root_account%' should have mfaActive=true and virtualMfaEnabled=false

Dome9 provides dozens of IAM-related rules that reduce the chance of insiders using cloud users to execute malicious activities.

Manage Access Permissions Appropriately

Another important task is making sure that users and resources are granted the minimal permissions possible, based on the principle of least privilege (POLP). Granting minimal permissions reduces the risk of unauthorized persons accessing sensitive information.

Here is an example of a GSL rule that examines an AWS Lambda function's execution role to ensure that its policy statements do not include "Allow" actions on S3 or DynamoDB:

Lambda should not have executionRole.combinedPolicies with [ policyDocument.Statement contain [ (Effect = 'Allow') and (Action contain [$ regexMatch /^dynamodb/ ] or Action contain [$ regexMatch /^s3/ ] ) ] ]

Similar GSL rules can be written to enforce the configuration of IAM users and roles, or of other resource types.
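The Lambda rule above, re-implemented in Python as an added example that is not Dome9's code. The function record and its execution-role policies are constructed, the field names mirror the GSL rule but the exact schema is hypothetical, and the check goes one step beyond the rule by also treating a bare "*" action as forbidden, since a wildcard grant would otherwise slip past a prefix match.

```python
import re

# Constructed sample of a Lambda function and the policies attached to its execution role.
# The field names mirror the GSL rule; the exact schema is hypothetical.
LAMBDA_FUNCTION = {
    "FunctionName": "order-processor",
    "executionRole": {"combinedPolicies": [
        {"policyDocument": {"Statement": [
            {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": "*"}]}},
        {"policyDocument": {"Statement":  # IAM allows a single statement instead of a list
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-bucket/*"}}},
        {"policyDocument": {"Statement": [
            {"Effect": "Deny", "Action": "dynamodb:*", "Resource": "*"}]}},
    ]},
}

# The two prefixes from the GSL rule (case-sensitive, like the rule's regexMatch).
FORBIDDEN_ACTION_PATTERNS = (re.compile(r"^dynamodb"), re.compile(r"^s3"))


def as_list(value):
    """IAM lets Statement and Action be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_forbidden_action(action: str) -> bool:
    """Match the rule's prefixes; also treat a bare "*" as forbidden (stricter than the rule)."""
    return action == "*" or any(p.match(action) for p in FORBIDDEN_ACTION_PATTERNS)


def offending_statements(function: dict) -> list:
    """Allow statements whose Action list contains a forbidden action."""
    hits = []
    policies = function.get("executionRole", {}).get("combinedPolicies", [])
    for policy in policies:
        for stmt in as_list(policy.get("policyDocument", {}).get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue  # a Deny on dynamodb/s3 is fine; only Allow grants are the concern
            bad = [a for a in as_list(stmt.get("Action")) if is_forbidden_action(a)]
            if bad:
                hits.append({"Action": bad, "Resource": stmt.get("Resource")})
    return hits


def violates_rule(function: dict) -> bool:
    """True when the function fails the 'should not have' rule from the page."""
    return bool(offending_statements(function))
```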

II. Prevent attacks by enforcing an airtight security posture

After making sure that the configured security complies with organizational policy or regulations, organizations should enable just-in-time (JIT) access control to secure their cloud services. JIT access means that the default state of the environment is "locked", and a lease is needed to perform actions. All leases are granted by one centralized system that only authorized personnel can access; as a result, malicious insiders and malware are blocked. The Dome9 philosophy is that access should be granted only to the right person, at the time it is needed, for a limited period.

Dome9 provides on-demand access leases for ports and services, as well as for the privileges needed to perform sensitive operations. By default these ports and operations are denied at all times; when the operation is required, a lease can be obtained through the Dome9 console. The lease elevates access and/or privilege for a specific duration, after which it is denied again. Similar capabilities exist for operations that involve Security Group (SG) changes: any SG marked as protected is monitored, and if changes are made outside of Dome9 they are reverted immediately.

III. Prevent attacks by enabling auto-remediation

Dome9 continuously scans all accounts for security misconfigurations and provides extensive reports on any entity that does not comply with the standards. Policy violations reported by the Dome9 Compliance Engine can trigger automatic remediation via Dome9 CloudBots. With auto-remediation enabled, security gaps are closed automatically as soon as they are detected, reducing the attack window and the potential for exploitation. Check out Dome9's GitHub repository for more details.

To learn more get started at