SSRF Attacks: Difficult to Detect But Largely Preventable

The security of Rackspace and our customers is of the utmost importance to us, and so, when a cybersecurity breach makes the news, we always want to put it in context, and offer recommendations when appropriate.

First, a reassurance: it is possible to have a secure cloud environment, provided cloud users understand the threat landscape and employ a robust security strategy, including proper cyber hygiene.

That said, constant vigilance is required. The recent attack is an example of a cyber hygiene problem resulting in significant business risks. Server-side Request Forgery, or SSRF, attacks are enabled when overly permissive entitlements granted to cloud components are mis-used by attackers, leading to a preventable breach.

When unnecessary  entitlements are allocated to application components or users, they can be misused to accomplish malicious or unintended goals, such as capturing and exfiltrating sensitive data. SSRF attacks are well known but are currently difficult to detect and block while they are occurring.

However, they are largely preventable, by employing “least privilege” configurations in the cloud environment. Ideally, the best practice of least privilege is included in initial system architecture, deployment and ongoing system operation and maintenance.

For existing environments, we recommend review the configuration of their environments, confirm that any components or user accounts, particularly those facing the Internet, do not have excess privileges or entitlements, and eliminate any identified excess privileges.

To minimize SSRF risks, Rackspace security experts recommend cloud users:

• Establish preventative protections in the form of tuned web application firewalls or intrusion prevention systems that specifically include protections against SSRF attacks.
• Ensure least privilege for all accesses and entitlements for components and users of your cloud applications.
• Review firewall and security group configurations to ensure least privilege connectivity for both inbound and outbound traffic.
• Monitor cloud telemetry for indications of anomalous activity that could represent an SSRF attack.
• Use multi-factor authentication where possible.

SSRF attacks are but one of a constellation of potential vulnerabilities cloud users must be aware of. This potential vulnerability can be addressed by employing good cyber hygiene based upon least privilege concepts, proactive patching and configuration control and continuous security monitoring.

Our Support Center contains articles on basic security and best practices. If you need assistance, please contact your support team for more information. We are here to help.