Cloud attacks: How to secure a growing threat vector
The cloud is a double-edged sword.
On the one hand, organizations have used the cloud to transition to Work From Home and hybrid workforces over the past 18 months.
On the other hand, organizations have made this transition quickly and made themselves vulnerable to a wide range of cloud attacks.
In this article, we will show you how to stop many of these cloud attack patterns.
To do so, we will explore:
- What cloud attacks are
- The most common cloud attack patterns you must stop
- How you can defend your organization against cloud attacks with a few steps
Cloud attacks: what they are and why they matter
Cloud attacks, as a group, are attacks that exploit vulnerabilities in cloud servers or services, like Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure, or any other cloud computing service.
Cloud assets are vulnerable because they are often misconfigured, unpatched, or use weak authentication, making them easy to compromise. They also usually have wide-ranging permissions that give attackers access to a wealth of data, workloads, and other assets. The result: cybercriminals can often easily compromise an organization’s cloud assets and cause catastrophic damage from a single breach.
Unfortunately, these attacks are becoming more common and more dangerous. A report from the Cybersecurity and Infrastructure Security Agency (CISA) illuminates this point. CISA found that multiple recent breaches occurred due to “poor cyber hygiene practices within a victims’ cloud services configurations.”
Cloud attacks are growing and showing no signs of slowing down. While organizations worry about cloud security, they still leave their cloud assets exposed to the most common cloud attack patterns.
To defend your new environment against these new attack patterns, you must better understand what they are and how to stop them. Here’s how to do just that.
Dissecting cloud attack patterns: how they work
Cloud attacks come in many shapes and forms. But if you understand the most common attack patterns, you will better understand how to stop them.
Common and dangerous cloud attacks include:
- Cross-Cloud attacks: Cybercriminals can use public cloud environments — like Amazon Web Services or Microsoft Azure — to compromise private, on-prem data centers, or vice versa. Often, these attacks occur when an organization moves one of its workloads into a public cloud environment and then uses a VPN tunnel to move between their public and private clouds. Once a cybercriminal breaches one of those environments, they can use the VPN tunnel to access and compromise the other environment.
- Cross-Tenant attacks: A complex cloud attack pattern, where one group of users on a public cloud can gain access to data and workloads from another group of users (often from another organization). This pattern is best known due to the Meltdown and Spectre vulnerabilities. Since then, cloud providers have largely mitigated this threat. However, it can still occur due to misconfigurations or unpatched instances of public cloud applications.
- Active Directory attacks: Cybercriminals can compromise Active Directory accounts to take over cloud consoles. They can do so through various techniques, including using AADInternals to move vertically from on-premises environments to Azure AD. This cloud attack pattern has become more common, and we expect it to continue to grow as organizations continue to install Active Directory on more and more systems.
- Cloud snooper attacks: A relatively new attack pattern, where cybercriminals combine a bypassing technique with a multi-platform payload targeting Windows and Linux systems. At the moment, this attack pattern is not common and is only deployed by highly skilled cybercriminals. However, we expect it will become more common in the coming years as the techniques become easier to perform and the pattern trickles down to lower-level cybercriminals.
- Cloud cryptomining: A well-established cloud attack pattern that is making a comeback as crypto prices increase. Essentially, cybercriminals compromise an organization’s cloud servers and use them to mine cryptocurrency to generate revenue. While this is not a disastrous cloud attack pattern, it does reduce cloud server performance and indicates higher-impact attack patterns could also compromise those servers.
Once an attacker compromises a cloud server or an instance of a cloud application, they gain a wide range of potential “next steps.” They can directly compromise any data or workloads contained within that server or application. They can ride the compromised cloud asset to gain direct access to the network or higher value assets. Or they could gradually spread to other servers or instances, build a foothold, and eventually exfiltrate data or lock down those systems and demand a ransom or both.
How to stop cloud attacks: simple steps
Nearly every cloud attack pattern can be stopped with a few simple actions.
First, you must be able to detect attacks early in their pattern. To do so, you must develop visibility over your cloud environment. This visibility must include:
- A clear, accurate picture of all cloud assets in your environment.
- A detailed view of security configurations, user access rights and responsibilities, and patch status for each of those assets.
- An understanding of how those assets communicate with each other, and with the rest of your technology assets, under “normal” conditions.
Second, you must reduce your vulnerability to these attack patterns and shrink your cloud attack surface. To do so, you must ensure that each of your cloud assets is properly configured, fully patched and updated, and assigned only the limited access rights it requires to do its job.
Additional effective hardening actions you can take include implementing Multi-Factor Authentication (MFA) for all users and performing robust user security awareness training. Lastly, continuously monitoring all cloud assets for anomalous behaviors is essential because preventive controls can only get you so far. The type of platform you choose for monitoring will depend on your use cases, but Artificial Intelligence and analytics-based platforms have the most comprehensive threat coverage.
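Two of the hardening checks above (least-privilege access rights and MFA for every user) can be automated against exported cloud configuration. The following is an added example, not code from the article or from Atos: it flags IAM policy statements that grant wildcard actions or resources, and lists console users who have a password but no MFA device. The policy document and the credential-report rows are constructed samples that follow the AWS IAM formats; only the report columns used here are included.

```python
import csv
import io
import json

# Constructed sample IAM policy: the first statement is over-broad,
# the second is scoped to one bucket and one action.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "ReadOneBucket", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Constructed sample rows in the column layout of an AWS IAM credential report
# (subset of columns; a real report has many more).
SAMPLE_CREDENTIAL_REPORT = """user,password_enabled,mfa_active,access_key_1_active
alice,true,true,false
bob,true,false,true
deploy-bot,false,false,true
"""


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_broad_statements(policy_json):
    """Return the Sids of Allow statements granting a wildcard action or resource."""
    policy = json.loads(policy_json)
    broad = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # "*" or "service:*" allows every action; a "*" resource covers every asset.
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            broad.append(stmt.get("Sid", "<no Sid>"))
    return broad


def console_users_without_mfa(report_csv):
    """Return users who can sign in with a password but have no MFA device."""
    reader = csv.DictReader(io.StringIO(report_csv))
    return [row["user"] for row in reader
            if row["password_enabled"] == "true" and row["mfa_active"] != "true"]


if __name__ == "__main__":
    print("over-broad statements:", find_broad_statements(SAMPLE_POLICY))
    print("console users without MFA:", console_users_without_mfa(SAMPLE_CREDENTIAL_REPORT))
```

Service accounts such as deploy-bot have no console password and are deliberately excluded from the MFA finding; their access keys should be reviewed separately under the least-privilege check.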
Cloud attacks are increasingly common but relatively simple to stop with a few best practices. To bring these best practices to life in your organization, reach out to Atos today and schedule a free consultation.