Organizations continue to slide headfirst into cloud adoption, but studies show that IT leaders and decision-makers are feeling unsteady about their organization’s ability to understand all the risks – all the while cybercriminals keep a close eye.
Part of the problem for security teams is that the cloud threat paradigm is still not completely understood (even though, done right, the cloud can be more secure than most on-premises environments).
When it comes to the cloud, are these new threats, or old and familiar threats against relatively new assets? What does the future potential hold for your adversaries? And what can your security operations team do to get ahead of this fast-moving landscape?
The cloud remains an “alien land” for many organizations because it is an environment – and attack surface – that can look quite a bit different from the traditional data center, including in these ways:
The cloud is ephemeral and scaled: Short-lived assets predominate in the cloud and, because of their transient nature, are easy to mismanage and overlook.
The cloud is API driven: As systems and assets migrate to the cloud, businesses are using application programming interface (API) calls as their digital “storefront” to connect with customers and partners – and those APIs have attracted the interest of cybercriminals.
The identity layer of the cloud is critical: Securing privileges in public cloud, hybrid cloud and multi-cloud environments, which hold huge numbers of identities and entitlements, is much more complex than controlling access across the traditional data center perimeter.
The scale of logging is much higher in the cloud: With SOC teams already overwhelmed by alerts, cloud environments only intensify this burden. And collecting logs and making sure the right ones reach the SIEM is not guaranteed in the cloud, largely because log collection methods differ from those used for on-premises systems.
While these characteristics may appear exotic, the threats currently impacting cloud environments remain – at least for now – not all that different from what SOC teams are used to encountering. To help make sense of what threat hunters are observing in the cloud, the Google Cloud Security Podcast recently welcomed James Condon, director of security research at Lacework, a Google Cloud partner, for a fascinating conversation. You can listen to it here.
He answered a few key questions about the state of threats in the cloud, drawing on a recent Lacework research report. Here are his paraphrased answers.
1. What are adversaries after in the cloud?
While the high-level tactics to achieve a task remain the same in the cloud (initial access/lateral movement/privilege escalation), the techniques being used and the end objectives may differ. For example, when analyzing traditional attacks on enterprise networks, intellectual property is often the goal, and typically phishing and social engineering are the means by which miscreants gain initial access. But when it comes to the cloud, attackers usually target vulnerable web-facing applications and misconfigured servers, web applications, or buckets while being solely focused on financial gain, which is evidenced by a continuing surge in cryptomining and cryptojacking, an attack type especially scalable in the cloud.
2. Why are misconfigurations and vulnerabilities happening with such frequency in the cloud?
Attackers traditionally choose the path of least resistance to identify and compromise their victims – and carry the same mindset into the cloud. That is why misconfigurations and vulnerabilities are the preferred launching pads for attacks. The danger of misconfigurations has been well documented (for example, accidentally making a private storage bucket public) and generally ranks as the top cloud risk facing organizations. Vulnerabilities also frequently occur because many businesses rely on a lot of third-party code to build SaaS applications. This creates a vulnerability management nightmare because often flaws are difficult to address and prioritize, especially if they are present in applications that are bundled into a number of different distributions.
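The two points above, that the right logs have to reach the SIEM and that accidentally making a private bucket public is the textbook cloud misconfiguration, meet in a single detection. The script below is an added illustration, not code from the podcast, Lacework, or Google Cloud: it reads Cloud Audit Log entries as newline-delimited JSON and flags any bucket IAM change that adds a binding for the public principals allUsers or allAuthenticatedUsers. The log entries are constructed samples, and the field layout (protoPayload.methodName, serviceData.policyDelta.bindingDeltas) mirrors the storage.setIamPermissions activity-log format as assumed here; verify the field names against your own exported logs before relying on the rule.

```python
"""Flag bucket IAM changes that expose data to the public.

Added example (not from the original post). Field names follow the
Cloud Audit Log layout for storage.setIamPermissions as assumed by the
author of this example; confirm them against real exported logs.
"""
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample log lines (not real logs): a benign group grant,
# a grant that makes a bucket world-readable, and an unrelated object read.
SAMPLE_LOG_LINES = [
    json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "methodName": "storage.setIamPermissions",
            "resourceName": "projects/_/buckets/hr-records",
            "authenticationInfo": {"principalEmail": "alice@example.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/storage.objectViewer",
                 "member": "group:hr-team@example.com"}]}},
        },
    }),
    json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Factivity",
        "protoPayload": {
            "methodName": "storage.setIamPermissions",
            "resourceName": "projects/_/buckets/customer-exports",
            "authenticationInfo": {
                "principalEmail": "deploy-sa@example-project.iam.gserviceaccount.com"},
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/storage.objectViewer",
                 "member": "allUsers"}]}},
        },
    }),
    json.dumps({
        "logName": "projects/example-project/logs/cloudaudit.googleapis.com%2Fdata_access",
        "protoPayload": {
            "methodName": "storage.objects.get",
            "resourceName": "projects/_/buckets/customer-exports/objects/report.csv",
            "authenticationInfo": {"principalEmail": "bob@example.com"},
        },
    }),
]


def public_grants(entry: dict) -> list:
    """Return the binding deltas in one audit entry that ADD a public principal."""
    payload = entry.get("protoPayload", {})
    if payload.get("methodName") != "storage.setIamPermissions":
        return []
    deltas = (payload.get("serviceData", {})
                     .get("policyDelta", {})
                     .get("bindingDeltas", []))
    return [d for d in deltas
            if d.get("action") == "ADD" and d.get("member") in PUBLIC_PRINCIPALS]


def scan(lines: list) -> list:
    """Parse NDJSON audit entries and emit one finding per public grant.

    Malformed lines are skipped rather than aborting the whole batch, so a
    single bad record cannot silence the detection for everything after it.
    """
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        payload = entry.get("protoPayload", {})
        bucket = payload.get("resourceName", "")
        if bucket.startswith("projects/_/buckets/"):
            bucket = bucket[len("projects/_/buckets/"):]
        for delta in public_grants(entry):
            findings.append({
                "bucket": bucket,
                "role": delta.get("role", ""),
                "member": delta["member"],
                "actor": payload.get("authenticationInfo", {})
                                .get("principalEmail", "unknown"),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG_LINES):
        print(f"PUBLIC BUCKET: {f['bucket']} granted {f['role']} "
              f"to {f['member']} by {f['actor']}")
```

Running it against the samples produces exactly one finding, for customer-exports, while the group grant and the object read are ignored. The same rule belongs in the SIEM, but only works if the activity audit log (not just data-access logs) is exported there, which is the collection gap the list above warns about.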
3. What about ransomware and other malware in the cloud?
While not as prolific a threat as data leakage due to misconfigurations, malware attacks specific to the cloud, such as container escape attacks and cryptomining worms, are “bubbling up beneath people’s radars,” Condon said.
This includes ransomware, arguably the most pressing threat facing security teams, although the modus operandi of cloud ransomware attackers is generally to go the extortion route by accessing cloud control planes, downloading sensitive data and threatening to release the information if payment is not made (versus locking system or data access with encryption until a ransom is paid). Performing backups and other disaster recovery is easier in the cloud, which makes mounting traditional ransomware attacks less profitable. As a result, most ransomware purveyors will continue to target on-premises systems because there is considerably more money to be made in grinding a victim organization to a halt by freezing its operations.
Another criminal motive to keep an eye on is the selling of cloud account access via the underground market. Prices will be determined by factors such as how many buckets sit on the account and what type of data they contain.
4. What can organizations do to stay resilient in the cloud?
Even though the cloud may be the new frontier – at least compared to the typical enterprise perimeter – protecting it is a tale as old as infosec time: plan for security upfront and not as an afterthought. In the context of cloud security, this means investing in a governance, risk, and compliance (GRC) team to help your organization determine how to store and handle sensitive data, as well as hiring skilled analysts and engineers who make scaling cloud security controls a priority.
Do this all “before you need it,” Condon warned. Organizations should not be surprised by this advice. From software development to the culture of employees, those businesses that considered security from the jump (or sometime around then) are generally better equipped to counter attacks.
How Google Cloud can help
The public cloud platform you use also matters. Can the cloud be as secure as an on-premises environment? You bet. Google Cloud’s baseline security architecture adheres to zero-trust principles—the idea that every network, device, person, and service is untrusted until it proves itself. It also relies on defense in depth, with multiple layers of controls and capabilities to protect against the impact of configuration errors and attacks. In addition, cloud-native technologies like Chronicle SIEM and Siemplify SOAR can deliver modern threat detection, investigation, and response at unprecedented speed and scale.
You can listen to the full podcast with Condon here.