As cloud computing grows in popularity across all use cases, cloud workloads have never been more attractive to malicious actors. A recent McAfee report points to a 630 percent increase in attacks aimed at cloud services since January 2020.
There are several reasons why hackers are targeting the cloud.
Cloud environments are complex, consisting of thousands of assets from different vendors where each have different defaults and methods for setting authorizations. Often, there is confusion about the borders of security between internal organizations and cloud vendors.
Cloud environments are also highly dynamic and require new approaches for preventing cyberattacks. While defending on-premises setups is about detecting suspicious communications, cloud security is about closing open doors due to loose authorizations and misconfigurations.
Here are some examples of the different threats and lines of defense for on-premises and cloud attacks.
On-prem: Detecting fake communications
Let’s take, for example, the most common on-premises threat that starts with a phishing attack. After a user mistakenly clicks on a malicious link, a reverse shell is downloaded and initiated from a hacker’s machine. The hacker can dump LSASS.exe (Local Security Authority Subsystem Service) to pull NTLM protocols enabling them to authenticate without knowing the actual password.
The attacker can then send spoofed Address Resolution Protocol (ARP) messages onto a local area network to associate the attacker’s MAC address with the IP address of another host, such as the default gateway. Now, any traffic meant for that IP address will be sent to the attacker instead. From here, the hacker can perform a Man-in-the-Middle (MitM) attack either to eavesdrop or to impersonate one of the parties, making it appear as if a legitimate information exchange is underway.
The information obtained can now be used for many malicious purposes, including identity theft, unapproved fund transfers, or an illicit password change.
To protect against these attacks, companies typically use on-premises endpoint detection and response (EDR) (aka endpoint threat detection and response – ETDR) systems to monitor and detect any communication anomalies that hint at a cyberattack.
Cloud: Reining in misconfigurations and default permissions
There is no possibility of an ARP spoofing attack or a Man-in-the-Middle threat on the cloud.
Cloud threats have entirely different objectives and methods. Take, for example, Denial-of-Wallet attacks that target cloud-based applications and microservices with the end goal of driving resource utilization far beyond the allocated budget, ultimately resulting in an application Denial-of-Service situation.
Misconfigurations and loose permissions – many of them vendor defaults – are the biggest threat to cloud environments. A user or a team can easily specify settings that fail to provide adequate security for their cloud data since the cloud environment is very dynamic. There is little to no standardization between different cloud platforms. Mistakes are often unintentional, such as having loose permissions for DevOps or development teams and then forgetting to change the permissions after the system goes into production.
Default settings are often too generous and require immediate adjustment. For example, failing to customize default settings for User Account and Authentication (UAA) from the Cloud Foundry Foundation can lead to a platform takeover. Exposing ArgoCD, a GitOps continuous delivery tool for Kubernetes, to the internet can allow attackers to take over the whole cluster. AWS Lambda, a service that enables programmers to run code without provisioning or managing servers, can be easily mistakenly configured to allow hackers access to the cloud infrastructure.
Since the largest source of vulnerabilities can be human error, cloud security requires rigorous education and inspection to ensure that authorizations are configured only after having a complete understanding of the risks.
Digital transformation brings more data to the cloud and adds new levels of flexibility while increasing the pace of innovation. However, at the same time, cloud computing has introduced new security risks. The traditional approach of monitoring to check for anomalies is by itself not enough. Today, security teams need to prevent default loose permissions and cloud misconfigurations to reduce the risk of a cyberattack.