Threat actors used to rely on malware payloads to crack enterprise defenses and burrow into corporate networks. But a shift is underway as workloads migrate to public clouds en masse. This has challenged the conventional notions of a cyberattack.
Abuse of identity and cloud access has become an increasingly popular attack method over malware delivery. Instead of risking malware injection that may trip alarms, more and more cybercriminals are zeroing in on inherent weaknesses in cloud infrastructure and applications to sneak into networks.
As the cloud’s popularity has soared (roughly two-thirds of enterprise infrastructure is already in the cloud), under-resourced or tech-averse companies may look for “easy” workload migration and may deprioritize security, at least initially. Plus, due to the cloud's scale and complexity, management of these assets can become fragmented or ineffective over time. These oversights enable threat actors to successfully target cloud environments.
Here, I’ll explore elements of the cloud threat landscape that are opening doors for attackers, even without deploying conventional malware tools. I’ll close by proposing some proactive measures that companies can consider to fortify defenses.
Identity and Access Exploitation
Identity has become the new perimeter, going from a secondary consideration in on-premises environments to the foundation of organizational security in the cloud. Here, human and machine identities must be quickly verified, onboarded and continuously monitored to ensure business success and continuity.
Despite these additional layers, the cloud’s convenience and customizable nature have made it a business imperative. For instance, more than 80% of organizations today are implementing or planning multi-cloud strategies, which entails using more than one cloud provider.
To secure them, organizations rely on identity and access management (IAM) solutions. However, IAM products are not a silver bullet.
Security professionals using IAM tools are challenged with managing a growing number of users and devices. This complexity can lead to tool sprawl and insufficient oversight of cloud credentials. To get access to this sensitive data, cybercriminals use brute-force attacks, which involve systematically guessing passwords. They are then able to use those credentials to stealthily elevate privileges and steal, modify or delete critical data.
Lower Barrier to Entry
The allure of the cloud lies in its scalability and flexibility, as resources can be easily provisioned or deprovisioned.
Yet, these very attributes lower the barriers for cybercriminals. They no longer have to fashion complicated malware strains that outsmart traditional defenses or phish users into clicking malicious links to jumpstart the process. Instead, by focusing their attention on cloud credentials, attackers can more easily gain a foothold in corporate networks.
The widespread adoption of public clouds like Azure, AWS and Google Cloud has greatly scaled the attack surface. A breach of one of these cloud service providers puts all of their millions of customers at risk.
We’ve seen cases where downstream organizations were compromised after one of their service providers suffered a breach. For instance, more than 500 million Facebook user records were exposed on Amazon’s cloud computing service in 2019.
Misconfiguration Dangers
Cloud misconfigurations happen a lot and are often leveraged by cybercriminals. Because of the volume and diversity of resources that need provisioning in the cloud — things like storage buckets, databases, virtual machines, containers and servers — it can be easy to overlook certain steps.
Companies are deploying these resources at a rapid pace, in fact, nearly 9 in 10 organizations aim to be “cloud-first” by 2025. This makes it even harder for IT to keep up with the organization’s cloud footprint.
Common oversights include leaving storage buckets or databases publicly accessible and unencrypted, or improperly configuring network access control lists, which may allow attackers to hit critical resources. Attackers can scan for these weaknesses and ultimately acquire access to data and systems.
Fragmented Oversight
For some organizations, cloud computing remains a trial use case. Many are still early in their respective journeys or their on-premise cybersecurity experts are actively learning a new "language" and adapting to the new patterns of thinking that come with cloud adoption.
These variables can lead to early deployment before standardized security protocols are established.
The cloud also brings a shared responsibility model, which can cause confusion at the organizational level around what facets of security are the organization’s responsibility versus the responsibility of the CSP. Without proper in-house cloud security expertise, organizations can be left without the guidance they need to implement strong governance measures and stay secure.
Oversight of cloud security is also murky, falling to a range of internal stakeholders from cloud architects and security analysts to a host of other executives and risk and compliance teams. This crowded kitchen can lead to more confusion and inaction, with teams failing to address vulnerabilities and leaving their organizations susceptible to other attacks.
Be Proactive in Your Cloud Journey
I’ll close with some best practices that can mitigate the aforementioned cloud risks, and it starts with remaining proactive. Organizations can do the following:
● Clearly delineate security ownership over cloud assets to ensure optimal management of the tools
● Ensure internal teams have visibility into how cloud infrastructure is configured and can validate any changes made by service providers
● Conduct regular audits of user permissions to help identify and rectify potential weaknesses
● Implement the “principle of least privilege” (providing minimal level of access) and “just-in-time access” (temporary and unique access, mostly for developers) to restrict unnecessary use
● Continuously monitor threat actors’ tactics, techniques and procedures to ensure that assets are not uniquely compromised
● Employ robust threat detection solutions that work in real-time to identify anomalous behavior and unauthorized access
Remember that when it comes to cloud security, it’s not all bad news. There is increasing awareness about the vulnerabilities cybercriminals are exploiting in the cloud – and security teams are improving their oversight.
The scalability and flexibility of cloud deployments means that once organizations have the right tools and procedures in place, they can rapidly and dramatically improve their security posture. In fact, we have a number of case studies where customers achieved measurable and significant improvements in weeks.
As cloud environments evolve and cybercriminals exploit those changes, IT teams need to understand the weaknesses in their new systems and make sure they are prioritizing and proactively addressing cybersecurity risk.
Shai Morag is the SVP, General Manager Cloud Security at Tenable. He has over 20 years of experience as a security executive and in product management and technology leadership. Shai joined Tenable through the acquisition of Ermetic, where he was the CEO and a co-founder. Before Ermetic, Shai was the co-founder and CEO of Secdo, from inception to a successful acquisition by Palo Alto Networks. Before Secdo, Shai was the CEO of Integrity-Project (acquired by Mellanox (now part of Nvidia)).