In late August, Imperva suffered a security incident, resulting in the compromise of sensitive information of some of their Cloud WAF customers.
On Thursday, Imperva CTO Kunal Anand finally explained how it all happened.
The first indication that something went wrong was when, on August 20, 2019, the company received a data set from an unnamed third-party requesting a bug bounty.
The notification triggered an investigation and they discovery that, in October 2018, an administrative API key in one of their production AWS accounts had been misused and a snapshot of a database containing customer information was exposed.
The dataset was from a snapshot as of September 15, 2017, meaning that if contained data of customers who set up Cloud WAF accounts prior and up to that date. This data included email addresses, hashed and salted passwords, API keys, and customer-provided TLS keys.
How did it happen?
Anand shared that the foundation for the breach was laid in 2017, when their product development team migrated to AWS Relational Database Service (RDS) to scale the company’s user database.
“Some key decisions made during the AWS evaluation process, taken together, allowed information to be exfiltrated from a database snapshot. These were: (1) we created a database snapshot for testing; (2) an internal compute instance that we created was accessible from the outside world and it contained an AWS API key; (3) this compute instance was compromised and the AWS API key was stolen; and (4) the AWS API key was used to access the snapshot,” he explained.
He made sure to note that the investigation revealed that the data exfiltration was not the result of a Cloud WAF vulnerability and that databases and snapshots for their other products were not exfiltrated.
“We have since gone back and looked for malicious activity, leveraging threat intelligence feeds in conjunction with audit logs related to accounts in the dataset. Thus far, we have not found any malicious behavior targeting our customers (logins, rule changes, etc.) and have implemented procedures to continue monitoring for such activity. We remain vigilant, however, and will continue to monitor for malicious behavior,” he added.
Mitigation actions taken and prevention measures employed
When they first discovered the nature of the data that was compromised, Imperva urged all Cloud WAF customers to change their user account passwords, implement Single Sign-On (SSO), enable two-factor authentication, generate and upload a new TLS certificate, and reset API keys.
Since then their customers changed over 13,000 passwords, rotated over 13,500 SSL certificates, and regenerated over 1,400 API keys.
Imperva also implemented improved security protocols to prevent similar future incidents, and these include:
- Tighter security access controls
- Increased auditing of snapshot access
- Regular decommissioning of inactive compute instances
- Putting all internal compute instances behind their VPN by default
- Rotation of credentials and strengthening of credential management processes
- Increased frequency of infrastructure scanning.
“We take ownership of the fact that the incident was a result of our choices, actions we took and failed to take before, during, and after our database migration,” Anand noted.
He recommended all organizations take the time to understand the shared responsibility of deploying and managing applications and data in Infrastructure as a Service (IaaS) solutions and said that they’ve learned a lot from the incident and used that knowledge to change the way they manage their own Secure Software Development Lifecycle (SSDLC).