Check out all the on-demand sessions from the Intelligent Security Summit here.
Cloud services are crucial elements of many business processes. Cloud computing allows businesses to reduce costs, accelerate deployments, develop at scale, share files easily and collaborate efficiently without needing a centralized location.
However, these same services are increasingly abused by malicious actors — a trend that is likely to continue in the foreseeable future. Threat actors are now fully aware of how vital cloud services are, making them a perfect breeding ground for eCrime. These are the key findings from 2022 research by CrowdStrike.
Unlike traditional on-premises infrastructure, the public cloud has no defined perimeters. The lack of clear boundaries poses several cybersecurity challenges and risks, especially to more traditional approaches. As more businesses seek hybrid work environments, these boundaries will continue to be blurred.
Security threats and the vulnerability of the cloud
One of the key intrusion techniques adversaries have been using is opportunistically exploiting known remote code execution (RCE) vulnerabilities in server software. This involves scanning for vulnerable servers without focusing on particular sectors or regions. Once acquiring initial access, threat actors then deploy a variety of tools to access sensitive data.
Event
Intelligent Security Summit On-Demand
Learn the critical role of AI & ML in cybersecurity and industry specific case studies. Watch on-demand sessions today.
Watch Here
Credential-based intrusions against cloud environments are among the more prevalent exploitation vectors used by eCrime and targeted intrusion adversaries. Criminal actors routinely host fake authentication pages to harvest legitimate authentication credentials for cloud services or online webmail accounts.
Actors then use these credentials to attempt to access accounts. For example, Russian cybercrime espionage group Fancy Bear has recently decreased the use of malware and increased the use of credential-harvesting tactics. Experts have found that they have been using both large-scale scanning techniques and even victim-tailored phishing websites that convince the user that a website is legitimate.
And, despite the use of reduced use of malware as an intrusion technique, some adversaries are still leveraging such services for command and control. They carry this out by using legitimate cloud services to deliver malware.
This tactic is advantageous, as it allows adversaries to evade signature-based detections. This is because many network scanning services typically trust top-level domains of cloud hosting services. Using legitimate cloud services (such as chat) can allow adversaries to evade security controls by blending into normal network traffic.
Adversaries are using cloud services against businesses
Another tactic bad actors use is leveraging a cloud service provider to abuse provider trust relationships and gain access to additional targets through lateral movement. The goal here is to elevate privileges to global administrator levels to take over support accounts and make changes to customer networks, thereby creating multiple opportunities for vertical propagation to many more networks.
At a lower level come attacks leveled at containers such as Docker. Criminal actors have found ways to exploit improperly configured Docker containers. These images can then be used on a standalone basis to interact with a tool or service directly, or as the parent to another application.
Because of this hierarchical model, if an image has been modified to contain malicious tooling, any container derived from it will also be infected. Once malicious actors gain access, they can abuse these escalated privileges to accomplish lateral movement and then proliferate throughout the network.
Critical elements of robust cloud security
There is an assumption that cloud security is automatically provided when a business purchases cloud space from a provider. Unfortunately, this is not the case. Organizations need a comprehensive cybersecurity strategy designed around vulnerabilities specific to the cloud.
Zero trust is one key cloud security principle that businesses need to adopt. This is the gold standard for enabling cloud security; it involves not assuming trust between any services, even if they are within the organization’s security perimeter.
The main principles of a zero-trust approach involve segmentation and allowing minimal communication between different services in an application. Only authorized identities should be used for this communication aligned with the principle of least privilege. Any communication that happens within an organization or with outside resources should be monitored, logged and analyzed for anomalies. This applies to admin activities as well.
A mature zero trust model includes a visualizing stage that aims to understand all of the organization’s resources, access points and risks. This is followed by a mitigating stage to detect and stop threats, and an optimizing stage that extends protection to every aspect of IT infrastructure while continuously improving and learning.
Extended detection and response
Another core and crucial element of effective cloud security is extended detection and response (XDR). An XDR solution can collect security information from endpoints, cloud workloads, network email and much more. With all this threat data, XDR enables security teams to rapidly and efficiently hunt and eliminate security threats across multiple domains.
XDR platforms provide granular visibility across all networks and endpoints. They also offer detections and investigations, thus allowing analysts and threat hunters to focus on high-priority threats. This is because XDR weeds out anomalies determined to be insignificant from the alert stream. Finally, XDR tools should provide detailed, cross-domain threat data and information from impacted hosts and root causes to indicators and timelines. This information guides the entire investigation and remediation process.
Security breaches are becoming more and more commonplace in the cloud as threat vectors keep evolving daily. Therefore, it is essential for organizations to understand current cloud threats to implement the right tools and best practices to protect cloud-hosted workloads and to continually evolve the maturity of security practices.
Adam Meyers is SVP of intelligence at CrowdStrike.
/cdn.vox-cdn.com/uploads/chorus_asset/file/25453625/247116_GE_Indoor_Smoker_JTuohy_0013.jpg)
/cdn.vox-cdn.com/uploads/chorus_asset/file/25452427/Sugar_Photo_010810.jpg)
/cdn.vox-cdn.com/uploads/chorus_asset/file/25453128/1265758482.jpg)
/cdn.vox-cdn.com/uploads/chorus_asset/file/25452998/MSI_Claw_Verge_Sean_Hollister_1_10.jpg)
