Cloud security for military ops: It’s complicated

As the U.S. Department of Defense () embraces , () attacks, and other forms of are increasing in sophistication and severity, which makes it extremely challenging for the DoD to ensure availability, reliability, and security.

Cloud computing is convenient way to provide on-demand access to a shared pool of , and it’s helping the DoD rapidly scale up its capabilities, achieve economies of scale, and maintain resiliency. But it also brings along undesirable baggage in the form of a new attack surface and threats to data security.

Beginning in 2015, the DoD started offering a wide selection of commercially owned and operated cloud services to DoD mission owners – as a way to help the military save time and reduce costs.

As the military moves to take advantage of the many benefits provides, security is understandably a key concern.

Cloud security threats
So what are the biggest cloud security risks for the military?

“There are many good things to be gained from the cloud, but some bad goes along with the good,” says George Kamis, chief technology officer for government markets for Forcepoint in Austin, Texas. “If good failover and backup policies aren’t in effect, data and services can be easily disrupted or lost to denial-of-service or physical attacks.”

Another factor Kamis cites as increasingly problematic is the broad dependence on a to protect and separate the machines operating within the cloud.

“If a successful attack is made on the hypervisor, all hosted virtual machines are instantly vulnerable – no matter how the operating systems and applications are secured,” he says. “And there will be no indication within the virtual machines that those systems are compromised because the internal secu-rity mechanisms will be blind to the hypervisor attack.”

DDoS attacks
Cloud attacks can come in many forms, but distributed-denial-of-service (DDoS) attacks can be particularly devastating. And DDoS attacks appear to be escalating in both frequency and severity.

“On January 2, 2016, the BBC [British Broadcasting Corpora-tion] suffered an attack on all of its applications, which resulted in unavailability for at least three hours,” points out Carl Herberger, vice president of security products for Radware in Mahwah, New Jersey. “At the time it was the largest DDoS attack ever recorded – at more than 600 Gbps.” There have been several recent examples of stronger, worse attacks, portending even more brutal DDoS attacks in the future.

The group that claimed responsibility for the BBC attack is called the New World , and they reportedly carried it out via (AWS) after bypassing security measures and helping themselves to administrative privileges.

AWS, by the way, was the first approved by the Defense Information Systems Agency () to handle the DoD’s sensitive – but – workloads back in 2014. To date, the DoD has granted provisional authorizations to 59 commercial cloud service offerings.

“Amazon makes a huge amount of infrastructure resources available to its users, so the risk of abuse of these resources for ill purposes via launching a mega DDoS attack has been previously debated,” Herberger says.

Large cloud providers tend to leverage several measures to prevent DDoS attacks, including anti-spoofing, network monitoring and protection, and proprietary DDoS prevention. They also tap other common indirect measures like access control, anti-scanning, encryption, and segregation.

“Amazon EC2 [Elastic Compute Cloud] instances can’t send spoofed network traffic,” Herberger explains. “The AWS-controlled, host-based firewall infrastructure won’t permit an instance to send traffic with a source or MAC address other than its own. So almost all network layer attacks that result in high volumes such as spoofed floods, reflection, and amplifi-cation floods, are ruled out.”

In terms of network monitoring and protection, AWS relies on “a wide variety of automated monitoring systems to provide a high level of service performance and availability,” he continues. “Its monitoring tools are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port-scanning activities, application usage, and unauthorized intrusion attempts. They also have the ability to set custom performance-metrics thresholds for unusual activity, so any unusual volume leaving the environment is expected to be detected and cause the relevant nodes to be shut down.”

21
Figure 1: U.S. Navy ships, which are essentially moving data centers, can host their own clouds. Pic-tured is the guided-missile destroyer USS Fitzgerald (DDG 62) as it is underway in the Pacific Ocean. U.S. Navy photo by Mass Communication Specialist 3rd Class Paul Kelly/Released.

 

(Click graphic to zoom)

Then there’s DDoS protection: In the BBC case, “a proprietary protection system was deployed,” Herberger says. “While the detailed description of the system wasn’t exposed, there is an additional level of monitoring and automated protection targeted at protecting those systems.”

Amazon’s customers can also report abuse of an account, notes Herberger. “Each report is investigated by the Amazon abuse team and actions are taken accordingly,” he adds. “So supposedly an attack would have been reported and actions taken in a timely manner to resolve it.”

Dynamic IP attacks
Herberger questions whether the BBC attackers’ goal – rather than a high-volume attack – was really a sophisticated, sneaky dynamic IP attack.

What’s a dynamic IP attack? “It targets the application layer,” he explains. “By using a real IP address, you can generate a three-way handshake with the server and also bypass mitiga-tion techniques such as JavaScript challenges.” Such an attack would make it nearly impossible to distinguish between attackers and legitimate users.

In this case, “application attacks require a full session, so no IP spoofing is relevant and actual sessions will be created,” Herberger continues. “Nevertheless, the IP can be changed fre-quently via the huge ranges Amazon has to offer.”

It’s sneaky in terms of network monitoring and protection because it “uses a low bandwidth per each source node and high distribution to hide it so that each source looks legiti-mate,” he adds. “The low volume of the attack will keep it under the radar of any monitoring and it’ll converge only at the final destination. In this destination, it will still be very difficult to distinguish friend from foe.”

So while the task of generating an attack using Amazon or any other public cloud service certainly wouldn’t be easy with existing security measures, Herberger notes that most measures are designed to prevent traditional, network-related types of DDoS attacks.

“We believe attackers are increasingly aware of high-complexity attacks, which are more difficult to detect and handle but equally devastating,” Herberger says.

Beyond attacks: cloud benefits and misconceptions
Potential attacks aside, what are the main benefits of using the cloud for military operations? Its primary appeal appears to be the ability it provides for quickly provisioning and setting up new capabilities for warfighter.

“Previously, hardware and software had to be procured, network drops had to be added, etc. But now systems can be quickly deployed,” says Forcepoint’s Kamis. “In the case of IC DTE [intelligence community desktop environment] and JIE [joint information environment], it enables users’ MS Windows desktops to be centrally managed and secured.”

Other benefits of the military using the cloud are similar to those adopted by private industry, Herberger says, but center on the “ubiquity, lower costs, higher quality, extensibility, scale, self-provisioning, autonomy, and agility” it can provide.

Misconceptions surrounding the military’s cloud use abound, and one of the biggest, according to Kamis, is that “everything will shift to the cloud and be secured.”

This is highly unlikely, because “the cloud” is essentially running software on some else’s hardware remotely. “All of the security issues, as with running locally, remain an issue and must be addressed and protected,” Kamis continues. “Not everything can be cloud-based – and this is especially true for tactical deployments with limited communications.”

Yet agencies are increasingly “forcing everything to the cloud without taking into consideration the impact of the move,” Kamis notes. “It doesn’t always make sense to move a capability to the cloud.”

And viewing the situation from another perspective, perhaps the biggest misconception surrounding DoD use of the cloud “is that the military knows how to effectively leverage it,” Herberger points out. “For years, they’ve run isolated and fundamentally controlled infrastructures … so migrating to the cloud means more than a policy change … it’s a cultural shift as well.”