Teri Radichel

Amazon declined to testify at congressional hearing on SolarWinds hack

From scandalous headlines to knowledge in cybersecurity

Part of my blog series on the SolarWinds Breach and Data Breaches.


I used to write for a security blog as Director of Security Research for a security vendor. I wrote a contrarian article at the time about how some companies may be more secure in the cloud — if they use the platform correctly. I also wrote a white paper based on my experiences on the Capital One cloud engineering and later security operations team about the need to balance security and innovation.

As soon as the first S3 bucket breach hit the news, the public relations team at the company came running to me and wanted me to write about how the cloud is not secure. They wanted to pin the blame on Amazon and write scandalous headlines about the company’s cloud platform. I still get questions during presentations from people who think AWS should handle all their security for them and try to shift responsibility to elsewhere when they misconfigure their systems hosted on a cloud platform and fail to follow cybersecurity best practices.

This misunderstanding of cloud platforms, secure configurations, contractual obligations, and cybersecurity in general leads to a lot of misinformed and alarmist headlines by news organizations. Instead of trying to truly understand the technology and the root problems that caused the SolarWinds hack, news organizations are now writing articles with headlines that imply Amazon is somehow an accessory to the criminal activity in the SolarWinds hack.

Read my prior blog post if you want to understand how AWS and Azure platforms were leveraged by attackers in the SolarWinds breach. I wrote a more detailed technical explanation a few days after the breach was announced in December of last year. You can find the link at the bottom of this article.

If Amazon had anything to do with this attack via the SolarWinds malware, they would be completely inept. I don’t have the evidence to review, so I’m just explaining why it makes no sense. The trail the malware takes leads squarely and obviously back to AWS. The fact that the DNS names resolve to Amazon hosts is so blatant that a junior cybersecurity engineer or IT person would be able to figure this out. Anyone who knows anything about cybersecurity knows that an attacker who wanted to avoid attribution would not use servers in their own data center.

If Amazon wanted to attack these systems for some reason, they would get systems hosted in Russia or China to try to deflect attribution to a third party. They would not undermine their entire business model by hosting servers that support malware or malicious actors on their platform. Some other cloud providers have potentially malicious traffic coming from their networks, but to my knowledge, and based on inspection of network traffic, Amazon is not blatantly allowing criminals to reside on their cloud platform. If someone has evidence to the contrary that would stand up in a court of law, let me know.

More likely in this case, someone is trying to leverage US cloud platforms because so many organizations in the US are throwing network security out the window and allowing all traffic to and from these platforms in favor of identity alone as a security mechanism. This is a mistake, as I explain in a prior post on Zero Trust for Software Updates: Consider network requirements before purchasing software products and in my book on Cybersecurity for Executives in the Age of Cloud. Organizations that only block international IP addresses belonging to potential foreign adversaries still leave their networks wide open to traffic from AWS, Azure, and other US networks.
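As an added illustration of that last point (not code from the original post), here is a small Python check that reads data in the shape of the ip-ranges.json file AWS publishes and shows why a country-based block list never touches traffic to US cloud regions; the only decision that catches an undocumented cloud-hosted destination is an explicit per-application egress allowlist. The prefixes, hostnames and allowlist are constructed sample values, not real AWS allocations.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's published ip-ranges.json
# (https://ip-ranges.amazonaws.com/ip-ranges.json). These prefixes are
# RFC 5737 documentation ranges, NOT real AWS allocations.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2021-02-24-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-west-2", "service": "AMAZON"},
    ],
})

# Constructed egress records: (hostname the host resolved, IP it connected to).
SAMPLE_EGRESS = [
    ("updates.example-vendor.test", "203.0.113.17"),  # documented vendor update host
    ("cdn.example.test", "192.0.2.44"),               # not in any cloud range
    ("api.example-saas.test", "198.51.100.9"),        # undocumented, cloud-hosted
]

# Hypothetical allowlist: the only egress hosts the software vendor documents.
DOCUMENTED_EGRESS = {"updates.example-vendor.test"}


def load_prefixes(raw_json):
    """Parse ip-ranges.json-style data into (network, region, service) tuples."""
    data = json.loads(raw_json)
    return [(ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"])
            for p in data["prefixes"]]


def classify(ip, prefixes):
    """Return (region, service) of the first prefix containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    for net, region, service in prefixes:
        if addr in net:
            return region, service
    return None


def review_egress(records, prefixes, allowlist):
    """A geo block list passes every US-cloud destination; the allowlist decides."""
    report = []
    for host, ip in records:
        hit = classify(ip, prefixes)
        report.append({"host": host, "ip": ip,
                       "cloud": f"{hit[1]} in {hit[0]}" if hit else None,
                       "allowed": host in allowlist})
    return report


if __name__ == "__main__":
    for row in review_egress(SAMPLE_EGRESS, load_prefixes(SAMPLE_IP_RANGES), DOCUMENTED_EGRESS):
        print(row)
```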

But why did Amazon decline to attend the congressional hearing? I’m not privy to Amazon’s legal decision-making processes. They have already provided information to the government about this matter as explained in this article by the Wall Street Journal. Perhaps they were concerned about inflammatory and misconstrued headlines and articles based on their statements in a public hearing made by people who don’t fully understand cybersecurity or cloud platforms. Showing up to the hearing to “testify” sounds like Amazon is on trial, when in fact they are not the perpetrator of this crime according to any information known publicly at this time.

There are some in Congress who may be angered by the fact that Amazon shut down Parler, a right-wing social media platform, after users called for politicians and police to be killed. Perhaps those same people would like to attack Amazon in the public eye and the company is avoiding this politically motivated confrontation. However, the irony is that just like Amazon shut down Parler, they would have shut down this malware for violating terms of service had they been notified of its presence.

I don’t know exactly when AWS was notified that this malware was running on their platform, but Microsoft took down the infrastructure in its cloud, Azure, which effectively prevented the malware from reaching the AWS servers. At that point, the infrastructure in AWS was a non-issue. Microsoft testified in front of Congress and “took a grilling” according to this Reuters news article. Perhaps Amazon did not want that same grilling because, as I explained in my last article, the SolarWinds hackers were customers of AWS and Azure. Those customers should be on trial, not the cloud providers.

I despise speculation in news articles. I tell my students in my cybersecurity class that any time a scandalous news article comes out, wait two days for the truth. I know one reporter who is still digging for the truth. The WSJ article also highlights the fact that Amazon has, in fact, already provided information to the proper authorities regarding this crime though the headline is a bit questionable. Sometimes information related to crimes is not publicly disclosed during an investigation for a reason. Check multiple sources for information before jumping to conclusions. Be cautious with click-bait headlines and wait for some real news.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2021

About Teri Radichel:
~~~~~~~~~~~~~~~~~~~~
⭐️ Author: Cybersecurity Books
⭐️ Presentations: Presentations by Teri Radichel
⭐️ Recognition: SANS Award, AWS Security Hero, IANS Faculty
⭐️ Certifications: SANS ~ GSE 240
⭐️ Education: BA Business, Master of Software Engineering, Master of Infosec
⭐️ Company: Penetration Tests, Assessments, Phone Consulting ~ 2nd Sight Lab