Lacework Labs Uses Censys to Enable Security in the Cloud
"Censys has the freshest data, which is critical for researchers like me. If the searches result in a bunch of data that’s no longer accurate, you waste a lot of time trying to explore and pivot off that data."- James Condon
Lacework is a cloud security company that focuses on automation, speed, and scale to enable innovation. The Lacework Labs team, led by Director of Research James Condon, focuses their research on areas they feel aren’t getting enough attention in the cybersecurity community. Primarily, the team finds and analyzes new threats and attack surface risks within the public cloud.
We sat down with James to understand how his team uses Censys data to locate, explore, and detect patterns in new and emerging threats to better protect their customers. Prior to joining Lacework Labs, James was the founder of 401TRG (Threat Research Group) at ProtectWise (acquired by Verizon), where he was responsible for threat intelligence development, management, and automation. Before that, James was an analyst at Mandiant (acquired by FireEye), where he worked on forensics and analysis for incident response and managed services engagements. Add to James’ impressive resume a stint as a Special Agent with the Air Force Office of Special Investigations (AFOSI) working on computer crime investigations and you’ll see that he knows a thing or two about threat intelligence and which tools are best for tracking adversaries and emerging threats.
Tracking Cloud Security Threats with Censys
Since Lacework Labs is most interested in cloud security, they use Censys to see the full attack surface, including all cloud services and applications where researchers often find a slew of vulnerabilities and misconfigurations. James first heard about Censys several years ago through one of his former colleagues who was using it to track threat actors.
“One of the things I really like about Censys,” said James, “is that there’s a lot of depth in the attributes you can search. For instance, you can search for a very common string but decide you only want to see it on a certain port and in a specific HTTP header.”
SSL certificates are another data point the team pivots from for threat intelligence. The SSL certificate data in Censys helps them discover adversary infrastructure by searching for unique attributes not available from other data sources.
Fresh Data Helps Researchers Analyze Security Without the Noise of False Positives
“Censys has the freshest data, refreshing the crawling at a really high rate,” said James. “I’ve noticed that when I go explore the Censys search results, most of the IPs and associated services I find are still live on the Internet. That data freshness is critical for researchers like me. If the searches result in a bunch of data that’s no longer accurate, it’s frustrating because you waste a lot of time trying to explore and pivot off that data, but the server is no longer active or the data has changed since it was scanned by other data tools.”
For both corporate security practitioners and researchers, the freshness of Internet security data is just as important as the breadth of data scanned. IT security folks are bombarded with noise and alerts all day long urging them to act on new risks, new domains, or services that require patching. If, in trying to locate the affected hosts, they are searching data that is weeks old, they will not see an accurate picture of their risks and vulnerabilities. The overall concern is that newly reported critical vulnerabilities and out-of-date software are then missed and not appropriately patched or mitigated, putting the entire organization at risk.
There Are a Huge Number of Services Exposed on the Internet
“One of the things we see that we’re continually surprised by in Censys,” said James, “is just the overwhelming number of open services on the Internet.”
This is an issue we hear about from a lot of our users, and it points to a larger opportunity for companies that use tools like Censys to get a full view of their attack surface: the same view their attackers have. Unfortunately, highly skilled threat researchers like James and the Lacework Labs team aren’t the only ones who can see and target these open, vulnerable services. Malicious actors can also see anything that’s open on the Internet. So if you have exposed assets that can serve as easy targets for your adversaries, you can get ahead of the game and start protecting those services once you locate them using a product like Censys.
Exploring Kubernetes Security Issues with Censys
James presented at BSides San Francisco in 2019 on his research into the security risks inherent in Kubernetes, a popular container orchestration tool. For this project, the team relied on Censys scan data for HTTP-based Kubernetes components: dashboards and API servers.
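As an added illustration (not code from Censys or Lacework Labs), the Python script below shows the two kinds of filtering this research rests on: scoping a string match to one port and one HTTP header, as James describes above, and classifying HTTP responses that look like Kubernetes API servers, dashboards, and kubelets by how much they expose, so a defender can triage an inventory of their own address space. The record layout and the sample records are constructed for the demo and do not follow the Censys schema; the fingerprints themselves (an unauthenticated `/api` root answering with `"kind":"APIVersions"`, a `Status` object on 401/403, the dashboard’s page title, and the kubelet’s default port 10250) are standard Kubernetes behaviour.

```python
"""Triage constructed scan records for exposed Kubernetes components.

Added example; not Censys or Lacework code. ScanRecord is a constructed
layout for the demo, not the Censys data model.
"""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanRecord:
    ip: str
    port: int
    headers: dict   # lower-cased HTTP response header name -> value
    body: str       # leading bytes of the HTTP response body
    status: int     # HTTP status code


# Constructed sample records (documentation-range IPs, not real hosts).
SAMPLE_RECORDS = [
    ScanRecord("203.0.113.10", 6443, {"content-type": "application/json"},
               '{"kind":"APIVersions","versions":["v1"]}', 200),
    ScanRecord("203.0.113.11", 6443, {"content-type": "application/json"},
               '{"kind":"Status","code":403,"reason":"Forbidden"}', 403),
    ScanRecord("203.0.113.12", 8443, {"content-type": "text/html"},
               "<html><title>Kubernetes Dashboard</title></html>", 200),
    ScanRecord("203.0.113.13", 443, {"server": "nginx"},
               "<html>welcome</html>", 200),
    ScanRecord("203.0.113.14", 10250, {"content-type": "text/plain"},
               "Unauthorized", 401),
]


def search(records, needle, port=None, header=None):
    """Attribute-scoped search: match `needle` in the body and headers,
    optionally restricted to one port and to one named header."""
    hits = []
    for r in records:
        if port is not None and r.port != port:
            continue
        if header is not None:
            haystacks = [r.headers.get(header, "")]
        else:
            haystacks = [r.body] + list(r.headers.values())
        if any(needle in h for h in haystacks):
            hits.append(r)
    return hits


def classify(r):
    """Map one record to a finding dict, or None if it is not Kubernetes."""
    kind = None
    if r.headers.get("content-type", "").startswith("application/json"):
        try:
            kind = json.loads(r.body).get("kind")
        except (ValueError, AttributeError):
            kind = None
    if kind == "APIVersions":
        # The API root answered an unauthenticated request: anonymous
        # discovery is on, which is the case worth fixing first.
        return {"ip": r.ip, "port": r.port, "component": "api-server",
                "exposure": "anonymous discovery allowed", "severity": "high"}
    if kind == "Status" and r.status in (401, 403):
        # Reachable API server that refuses the request: still exposed,
        # but authentication/RBAC is doing its job.
        return {"ip": r.ip, "port": r.port, "component": "api-server",
                "exposure": "reachable, authentication enforced",
                "severity": "medium"}
    if re.search(r"<title>\s*Kubernetes Dashboard\s*</title>", r.body, re.I):
        return {"ip": r.ip, "port": r.port, "component": "dashboard",
                "exposure": "reachable",
                "severity": "high" if r.status == 200 else "medium"}
    if r.port == 10250 and r.status in (401, 403):
        return {"ip": r.ip, "port": r.port, "component": "kubelet",
                "exposure": "reachable, authentication enforced",
                "severity": "medium"}
    return None


def find_exposed_kubernetes(records):
    """Return findings for every record that fingerprints as Kubernetes."""
    return [f for f in (classify(r) for r in records) if f is not None]


if __name__ == "__main__":
    for finding in find_exposed_kubernetes(SAMPLE_RECORDS):
        print(finding)
```

Run against the sample records, the script reports the two API servers (one allowing anonymous discovery, one enforcing authentication), the dashboard, and the kubelet, and skips the plain nginx host; the severity field is what turns a long list of open services into a patch order.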
In this work, James and his team used Censys alongside some other well-known tools to find more than 20,000 publicly accessible management nodes open to the Internet. Lacework Labs was able to discover APIs and dashboards completely open to the Internet. A full video of his talk is available from BSidesSF, and it’s certainly worth viewing for all the threat hunters and researchers reading this. Here’s a little sneak peek (thanks to BSidesSF for the amazing graphic):