Don’t Let Adversaries Cast a Dark Cloud Over Your Cloud Workloads

Cloud adoption is powering digital transformation, bringing levels of speed and scalability that can unlock new efficiencies and revenue streams. As organizations leverage the cloud’s benefits, it is the job of security teams to enable them to do so safely.

In this reality, it is vital that IT leaders understand how threat actors target their cloud infrastructure. As one might suspect, attackers first go after low-hanging fruit — the systems and applications that are the easiest to exploit.

In a recent CrowdStrike Cyber Front Lines Report, our researchers noted:

• Adversaries target neglected cloud infrastructure slated for retirement that still contains sensitive data.
• Adversaries use a lack of outbound restrictions and workload protection to exfiltrate your data.
• Adversaries leverage common cloud services as a way to obfuscate malicious activity.

Neglected or misconfigured cloud infrastructure

Neglected and soon-to-be-retired infrastructure makes for low-hanging fruit for attackers, often because that infrastructure no longer receives security configuration updates and regular maintenance. Security controls such as monitoring, expanded logging, security architecture and planning, and posture management no longer exist for these assets.

Lack of outbound restrictions and workload protection

Unfortunately, CrowdStrike continues to see cases where a neglected cloud infrastructure still contains critical business data and systems. As such, attacks lead to sensitive data leaks requiring costly investigation and reporting obligations. Additionally, some attacks on abandoned cloud environments result in impactful service outages, since they still provide critical services that haven’t been fully transitioned to new infrastructure. Moreover, triage, containment and recovery from an incident in these environments cause a tremendous negative impact on some organizations.

Launching attacks from the cloud

Not only does the CrowdStrike team see attackers targeting cloud infrastructure, we also observe threat actors leveraging the cloud to make their attacks more effective. Over the past year, threat actors used well-known cloud services, such as Microsoft Azure, and data storage syncing services such as MEGA, to exfiltrate data and proxy network traffic. A lack of outbound restrictions combined with a lack of workload protection allows threat actors to interact with local services over proxies to IP addresses in the cloud. This gives attackers additional time to interrogate systems and exfiltrate data from services ranging from partner-operated, web-based APIs to databases — all while appearing to originate from inside victims’ networks. These tactics allow attackers to dodge detection by barely leaving a trace on local file systems.

So, how do I protect my cloud environment?

The cloud introduces new wrinkles to proper protection that don’t all translate exactly from a traditional on-premises data center model. Security teams should keep the following firmly in mind as they strive to remain grounded in best practices.

• Enable runtime protection and obtain real-time visibility. You can’t protect what you don’t have visibility into — even if you have plans to decommission the infrastructure. Central to securing your cloud infrastructure to prevent a breach is runtime protection and visibility provided by cloud workload protection (CWP). It remains critical to safeguard your workloads with next-generation endpoint protection, including servers, workstations and mobile devices, regardless of whether they reside in an on-premises data center or virtual cluster, or hosted in the cloud.

• Eliminate configuration errors. The most common root cause of cloud intrusions continues to be human errors and omissions introduced during common administrative activities. It’s important to set up new infrastructure with default patterns that make secure operations easy to adopt. One way to do this is to use a cloud account factory to create new sub-accounts and subscriptions easily. This strategy ensures that new accounts are set up in a predictable manner, eliminating common sources of human error. Make sure to set up roles and network security groups that keep developers and operators from needing to build their own security profiles and accidentally doing it poorly.

• Leverage a cloud security posture management (CSPM) solution. Ensure your cloud account factory includes enabling detailed logging and a CSPM — like CrowdStrike’s Falcon Horizon — with alerting to responsible parties, including cloud operations and SOC teams. Actively seek out unmanaged cloud subscriptions, and when found, don’t assume it’s managed by someone else. Instead, ensure that responsible parties are identified and motivated to either decommission any shadow IT cloud environments or bring them under full management along with your CSPM. Then use your CSPM on all infrastructure up until the day the account or subscription is fully decommissioned to ensure that operations teams have continuous visibility.

Because the cloud is dynamic, so too must be the tools used to secure it. The visibility needed to see the type of attack that traverses from an endpoint to different cloud services is not possible with siloed security products that only focus on a specific niche. However, with a comprehensive approach rooted in visibility, threat intelligence, and threat detection, organizations can give themselves the best opportunity to leverage the cloud without sacrificing security.

To learn more about cloud security, visit CrowdStrike here.         

Connect with the Author:

David Puzas, Head of Cloud Security Product Marketing, CrowdStrike