Threat Management In The Cloud

Bad actors are constantly looking for new ways to attack the enterprise. There are many known patterns of execution that are still very effective such as phishing, BEC scams, vulnerability searches on exposed websites/systems, lack of hardened systems, and misconfigurations left unaddressed/unscreened before releasing to production, leaving company’s assets exposed. In the cloud-oriented world, where many new services are getting released every day, it is hard to keep up with the speed of a business who wants to use those services to gain a competitive advantage over competitors to stay viable, requiring security to move faster. 

While understanding possible attack vectors is crucial, threat management starts with proper architecture and hygiene that needs to be wrapped around it with automated processes and an ability to instantly report and fix what is required. IR and forensics processes must also be well understood and embedded in everyday activities. It is also very rare to see a maturity level within the security department where threat modeling is one of key steps in designing a protection over organizational assets. 

We often preach that visibility is one of the most important capabilities in the security space, but understanding your attack surface is high on that list too. Knowing what you need to protect, where it is, why, and how to protect it is usually isn’t very hard to address. Even so, it’s fascinating that security teams always seem to miss  steps prior to releasing specific systems or services, which leads to exposures. Is this a process problem, a lack of quality resources, poor project/program management execution, or can it be a little bit of all of these? 

As a bad actor, you look for exposed devices and identities first. This method is still unrivaled. 

We have way too much exposure, leaving so many doors open for somebody just to walk through it. Hacking a VPN service is a perfect example of this, where “ticket to ride” gives a bad actor the ability to wander around the organizational perimeter for as long as they want or until they get caught. What if we start thinking about how to provide specific connectivity to only “individual resources” during a network session, where any access request, movement, or activity can be monitored, analyzed, and addressed in the present? The objective is to minimize the attack surface. This is simple and available today, but it requires thinking outside of the box. 

As a result, the legacy mindset has to disappear. 

Threat Trends In The Cloud

Based on several threat research articles, it’s obvious that bad actors are using the cloud more and more. This isn’t just because they want to utilize the scalability and speed of execution, but they also realize something many security teams forget: that moving workloads to the cloud in improper ways, actually increases organizational risk to exposure and potential data loss. 

For context, I asked Ray Canzanese, leader of Netskope Threat Research Labs, what are the attack vectors we need to be aware of and defend against? Here’s what he had to say in his March research report:

Nearly half (44%) of threats are cloud-based

Attackers are moving to the cloud to blend in, increase success rates, and evade detection. Attackers launch attacks through cloud services and apps using familiar techniques including scams, phishing, malware delivery, command and control, formjacking, chatbots, and data exfiltration.They are successfully abusing the implicit trust users place in cloud apps.

More than half of data policy violations come from cloud storage, collaboration, and webmail apps

These are the apps and services that organizations are most worried about and are proactively setting policies to help control the flow of cloud data. The types of violations include privacy, healthcare, finance, source code, and passwords and credentials.

One-fifth (20%) of users move data laterally between cloud apps

From OneDrive to Google Drive, from Google Drive to webmail, from webmail to Slack. We see data crossing many boundaries: moving between cloud app suites, managed and unmanaged apps and instances, app categories, and app risk levels. The scale of cloud data sprawl is enormous. In total, we saw data movement among 2,481 different cloud apps and services. Our new series on cloud data leaks highlights one of the risks of cloud sprawl: data leaks caused by misconfiguration.

One-third (33%) of enterprise users work remotely

We see one-third of users working remotely each day, accessing both private and public apps in the cloud. We also see private app deployment in the cloud increasing, with organizations deploying private apps across multiple cloud service providers and multiple regions. Our previous posts about AWS, GCP, and Azure demonstrate some of the risks surrounding these apps.

Another activity I have found through my discussions with organizations is ransomware escalating to a new level. It is no longer just about blocking access to the system or data for ransom, where many can just restore the system or data to the previous level.  Now attackers realize that after discovering sensitive data and its value, they have additional leverage when threatening to release that data to the public if ransom is not paid, tarnishing the organization’s brand. 

It is interesting, in this case, that bad actors are classifying the data, so why wouldn’t we do it? You might be confident about your backup or disaster recovery process, but if your data protection program is weak, the negative consequences could be huge. 

Here are a couple of more trending activities: 

• Domain fronting – DNS attacks attacking identities and trying to takeover domain ownership
• Cloud on Cloud activities – Malicious actors focusing on laundering their connections by hiding within CSP’s infrastructure

We need to redefine how we go about solving problems by creating tighter security with a modern architecture, transparency for users (to enable adoption), and enabling the business to innovate. 

There is not enough education and collaboration about organizational risk tolerance within many enterprises. Acceptable business risk is a step that has to be embedded in any department that is tasked to design, implement or run any technology solution because protecting a brand is not a small task but understanding the potential negative impact can drastically decrease a risk exposure.