SSRF Attacks: Difficult to Detect But Largely Preventable

We recommend reviewing the configuration of your cloud environment for excess privileges.

Rackspace security analyst at work in the company's Customer Security Operations Center.

The security of Rackspace and our customers is of the utmost importance to us, and so, when a cybersecurity breach makes the news, we always want to put it in context, and offer recommendations when appropriate.

First, a reassurance: it is possible to have a secure cloud environment, provided cloud users understand the threat landscape and employ a robust security strategy, including proper cyber hygiene.

That said, constant vigilance is required. The recent attack is an example of a cyber hygiene problem resulting in significant business risk. Server-side Request Forgery (SSRF) attacks are enabled when attackers misuse overly permissive entitlements granted to cloud components, leading to a preventable breach.

When unnecessary entitlements are allocated to application components or users, they can be misused to accomplish malicious or unintended goals, such as capturing and exfiltrating sensitive data. SSRF attacks are well known but are currently difficult to detect and block while they are occurring.

However, they are largely preventable by employing “least privilege” configurations in the cloud environment. Ideally, the best practice of least privilege is built into the initial system architecture and deployment and carried through ongoing system operation and maintenance.

For existing environments, we recommend reviewing the configuration of those environments, confirming that components and user accounts, particularly those facing the Internet, do not have excess privileges or entitlements, and eliminating any excess privileges that are identified.

To minimize SSRF risks, Rackspace security experts recommend cloud users:

  • Establish preventative protections in the form of tuned web application firewalls or intrusion prevention systems that specifically include protections against SSRF attacks.
  • Ensure least privilege for all accesses and entitlements for components and users of your cloud applications.
  • Review firewall and security group configurations to ensure least privilege connectivity for both inbound and outbound traffic.
  • Monitor cloud telemetry for indications of anomalous activity that could represent an SSRF attack.
  • Use multi-factor authentication where possible.
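As an added illustration of the configuration review recommended above (this is example code, not part of the original post or a Rackspace tool), the audit below scans an IAM-style JSON policy document, the kind of entitlement a cloud component might carry, and flags Allow statements that grant wildcard actions, wildcard resources, or selected sensitive actions. The sample policy and the list of sensitive actions are constructed for the example.

```python
import json

# Constructed sample: an IAM-style policy document such as an
# Internet-facing web tier might be granted. Statement 0 is the kind of
# excess privilege the post warns about; statement 1 is narrowly scoped.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-app-assets/*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "sts:AssumeRole"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
})

# Illustrative (not exhaustive) set of actions a web-facing workload
# rarely needs; compared case-insensitively.
SENSITIVE_ACTIONS = {"iam:passrole", "sts:assumerole", "s3:listallmybuckets"}


def _as_list(value):
    """IAM allows a single string or a list in most fields."""
    return value if isinstance(value, list) else [value]


def find_excess_privileges(policy_json):
    """Return (statement_index, severity, reason) findings for Allow
    statements that are broader than least privilege. Deny statements
    and NotAction/NotResource forms are out of scope for this example."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        wildcard_resource = any(r == "*" for r in resources)
        if wildcard_action and wildcard_resource:
            findings.append((idx, "HIGH", "wildcard action on wildcard resource"))
        elif wildcard_action:
            findings.append((idx, "MEDIUM", "service-wide wildcard action"))
        elif wildcard_resource:
            findings.append((idx, "MEDIUM", "action allowed on all resources"))
        for a in actions:
            if a in SENSITIVE_ACTIONS:
                findings.append((idx, "HIGH", f"sensitive action {a}"))
    return findings


if __name__ == "__main__":
    for stmt_idx, severity, reason in find_excess_privileges(SAMPLE_POLICY):
        print(f"statement[{stmt_idx}] {severity}: {reason}")
```

Run against real policies exported from your environment, each finding is a candidate entitlement to remove or narrow before an SSRF-reachable component can be made to exercise it.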

SSRF attacks are but one of a constellation of potential vulnerabilities cloud users must be aware of. This potential vulnerability can be addressed by employing good cyber hygiene based upon least privilege concepts, proactive patching and configuration control, and continuous security monitoring.

Our Support Center contains articles on basic security and best practices. If you need assistance, please contact your support team for more information. We are here to help.

Karen is the Chief Security Officer at Rackspace, where she leads, develops and implements the Enterprise Cyber, Compliance and Physical Security strategies. Karen brings extensive knowledge and experience to the information security practice in developing strategic and innovative approaches to manage security risk. Most recently she served as Chief Information Security Officer (CISO) for the International and PayFlex businesses at Aetna/CVS Health. Her role included the areas of Data Protection, Policy Management, Sales Support and Audit. She was responsible for developing, communicating and implementing strategies for the deployment of information security across the Enterprise. Prior to joining Aetna/CVS Health, Karen was Managing Director at Citigroup, where she built and led a global team to administer access across Citi’s global network and enterprise. Her responsibilities included developing and implementing transformation projects, addressing risk and regulatory commitments, and implementing process re-engineering solutions to increase operational efficiencies, improve customer relationships and reduce overall costs, while maintaining a customer-centric approach. Karen has worked for Barclays, Wells Fargo, IBM and American Express. She has over 20 years focused on the practice of information security. Along with her information security expertise, she has in-depth working experience in technology and operational re-engineering. She has led global, multicultural teams across the financial and technology services sectors. Karen graduated from Arizona State University with a Bachelor of Science in Political Science. She has been a senior member of Information Security Operating Committees. She is involved in Women and Security Technology forums. She resides in San Antonio, Texas with her husband and children.
