Cloud is the powerhouse that drives today’s digital organisations. It is increasingly vital to business continuity and daily operations.
Over the past few years, fuelled by the pandemic, organisations rushed to deploy infrastructure to the cloud to accommodate a newly remote workforce.
This hasty adoption led to ‘cloud sprawl’, in other words, the uncontrolled proliferation of an organisation’s cloud instances, services or providers.
Now, the cloud is so vital that organisations would struggle to maintain daily operations.
However, with its growing popularity and the struggle to achieve full visibility, there is an increased risk of security breaches.
Cyber threat actors are acutely aware of the wealth of valuable data the cloud houses, making the cloud a prime target for data breaches and ransomware attacks.
Read on to find out more about cloud security, the risks involved in the cloud and how to mitigate them.
Often, these cloud deployments were installed without the proper cloud security policies or guardrails in place. The attack surface has expanded, and the likelihood of misconfigurations has grown.
Furthermore, organisations have expanded their supply chain to integrate the cloud with many third-party organisations, thus exposing them to additional risk.
Many organisations are now unclear on how to get full visibility and an understanding of their entire attack surface, including their cloud environment.
Firstly, understand the attack surface you want to protect: on-premise, cloud environments and any third parties.
By understanding and managing your attack surface, you can effectively monitor it for misconfigurations – most likely to be exploited by an attacker.
Threat intelligence, control validation, and adversarial emulation can be applied to people, processes, and technologies to improve the detection and response capabilities of the organisation.
Continuously identifying and remediating every security issue is not practical due to finite resources. Therefore, organisations need to focus resources and remedial efforts on their most critical assets. To become more efficient, security teams must understand the concepts of attack vectors and attack paths.
Attack vectors are the methods leveraged by adversaries to gain unauthorised access to systems and data. Such methods are extremely varied but could include system misconfigurations, exploitable vulnerabilities, user privileges, or risky user behaviours.
Adversaries will leverage tactics, techniques, and procedures to exploit attack vectors and perform privilege escalation or lateral movement. Chaining multiple exploitable attack vectors together defines the attack path.
While it is essential that organisations gain and maintain visibility of the attack vectors that make up their attack surface, validating attack paths posing the most risk to critical business assets provides the most security benefit.
Often, multiple attack paths will share a single attack vector along the path, which is known as a choke point. Identifying and eliminating choke points will significantly increase the value of remediation efforts performed security resources.
Not all company assets and data are equal.
Attack vectors in isolation do not provide sufficient context of business risk.
For example:
- Asset A is a system affected by a critical vulnerability including a publicly available exploit. The vulnerability is rated 10 using a Common Vulnerability Scoring System (CVSS) score.
- Asset B is a system determined to have no vulnerabilities and is fully patched. However, it is used by a member of the Google Cloud DevOps team to manage cloud resources via the Google Cloud CLI.
While each system represents an attack vector, the lack of context prevents the security team from understanding the risk posed by each.
If we add the following context, the associated risk becomes more apparent:
- Asset A is located in an isolated network segment on the corporate network and does not contain a local administrator account and has no access to email or any sensitive data. However, it does contain a legacy Microsoft Access database which stores the serial numbers associated with decommissioned printers.
- Asset B is a laptop used by a remote member of the Google Cloud DevOps team. Due to the nature of their work, they have been provisioned with an Identity & Access Management (IAM) role that contains sufficient permissions to provision, modify and delete resources within the Google Cloud environment. As part of their daily activities, numerous service account keys are being stored on the laptop.
Attack path management is a process that supports identifying such obscured risk. Using the oversimplified example provided, the organisation’s security team would understand that a compromise of asset B provides significantly more risk than that of asset A.
In fact, asset B is part of an attack path that would permit lateral movement not only between the laptop and the Google Cloud environment, but potentially further privilege escalation and lateral movement within the cloud environment.
Third-party providers, or supply chain risk, is a hot topic. As organisations become more agile, there are often some gaps in decision making leading to potential risks in the ecosystem.
Even if the decision-making process was not driven by speed and agility, vendor selection should be a more thorough process than perhaps it once was.
So, how do we understand and deal with the potential risk a third-party partner may introduce to an organisation’s ecosystem?
Step 1) Accessing and understanding all the third-party providers that exist in the ecosystem.
This includes everything from malware and backup solutions to finance systems and data lake connections via an API. The list is almost endless and is very dependent on the type of business.
Step 2) Record and map third-parties
Map the third-parties accordingly with the services and data that is consumed as well as how they are consumed, from what location, and on what network, etc. In larger environments, there are specific tools to help with this process.
Step 3) Ensure third-party supplies meet security measures
Naturally, ensure sufficient security measures are met by third-party suppliers. It may not always be appropriate to accept their methods. An effective partner relationship is bi-directional, and third parties should be included in risk mitigation and planning processes as it creates a fruitful and trustworthy relationship. The aim is for end-to-end supply chain visibility and mutually agreed communication contracts.
Effective protection from risk introduced by third party providers often starts internally.
Here is how to strengthen your organisation’s supply chain:
-
Ensure all insider threats are identified, as threats are not always intentionally malicious.
Perform an attack surface management discovery exercise. This is the continuous discovery, monitoring, evaluation, prioritisation, and remediation of attack vectors within an organisation’s IT infrastructure.
-
Have a strong IAM policy and control mechanism, including privileged access management.
This is a critical component of not only risk mitigation but forms the basis of any good cloud deployment process.
-
Implement a zero trust architecture.
This will go a long way in protecting against both internal and external threats.
-
Minimise access to sensitive data
It almost goes without saying – pay extra attention to data that is sensitive to your organisation.
-
Implement strict shadow IT controls
Monitoring the cloud applications and data flow from employees is an important way to understand and control data breaches.
-
Educating Employees
Staff awareness and understanding plays a big role in stopping malicious activity. At a minumim, help employees understand phishing, smishing and ransomware threats.
Following from internal protection, best practices for managing third-party risks include the following steps:
- Assume you will suffer a data breach and create an effective incident response plan.
- Map out vulnerable resources or the resources that are at higher risk and make sure they are protected effectively.
- Regular third-party risk assessments are paramount in effective protection.
- Follow DevSecOps practices by integrating security into the development lifecycle.
Furthermore, there are several areas not particular to managing third-party risk but can reduce potential issues, especially for organisations with a diverse environment encompassing hybrid architectures.
- Monitor your Public Cloud and SaaS environments for misconfigurations that could lead to a breach or attack.
- Consider an automated threat prevention and threat hunting environment. A Security Operation Center (SOC) plays a big role in improving endpoint, network, cloud and mobile security.
Cloud misconfigurations present a major opportunity for cybercriminals to attack your organisation and steal your data.
The main cause is that users build cloud infrastructure without the knowledge of building a secure infrastructure.
In the early days of cloud adoption, the teams using the cloud would be developers creating cutting-edge applications, usually under the radar of the cybersecurity teams tasked with protecting the corporation.
In our experience as threat management specialists, the best way to deal with cloud misconfiguration is to use security posture tools.
Many tools deal with public cloud environments but not SaaS environments. Ideally, it’s beneficial to find tools that can deal with both environments as it will save on managing two different environments.
Most security posture tools define cloud benchmarks like CIS, NIST, and CSA and let you determine which configurations are correct and which are incorrect.
A good security posture tool will provide remediation advice and also categorise the misconfiguration, for example:
- Identity
- Management
- Databases
- Data
- Computer
- Network
- Security
Continually monitor for misconfigurations in your cloud environments and integrate the results into a SIEM environment so that the Security Operations Centre has visibility and can respond quickly.
Most tools integrate into the major SIEM environments or provide the ability to export to an event bus or cloud storage environment. So, in theory, it should be possible to integrate with anything.
Complimentary to a security posture tool is ensuring you have coverage of all your cloud assets. Gaining visibility over everything that exists in your cloud environments goes a long way to selecting the correct security posture and required vulnerability tools.
Cloud environment misconfiguration may be the result of some fundamentally flawed configuration, particularly in public cloud environments like Azure, AWS and GCP.
There are several steps required to fix this:
-
User education
A key component in understanding and fixing the issue. Make sure the appropriate training and guidance is provided for cloud configuration users. AWS certifications provide a good foundation for understanding the cloud and the shared security model.
-
Sandbox environments
It is important to have development/sandbox environments, no matter how big or small the environment. Identifying misconfigurations here will stop the leak into production.
-
Infrastructure as Code
Adopting automation practices and building Infrastructure as Code (IaC) using security best practices will ensure that infrastructure remains secure and is repeatable as it transitions from development to production. There are also several tools that can assist with misconfiguration and vulnerabilities in the build pipeline and repositories for IaC deployments. These tools check issues during the build process and won’t allow deployment if a misconfiguration or vulnerability exists.This is an important step to providing DevOps/DevSecOps capability and becoming more mature with Cloud deployments.
Having visibility over everything that exists in your cloud environments goes a long way to selecting the correct security posture and vulnerability tools required.
Develop policies and define guardrails to control what users and developers can and can’t do in the cloud and log any discretions. Understand the Cloud Assets in your environment, both SaaS and Public Cloud environments.
In summary:
- Carefully select a security posture tool that fits with your Cloud environment
- Build security posture into an ongoing process
- Integrate the security posture results into a SOC environment
- Fix the configurations close to the source to avoid them re-appearing
- Log everything
Cloud infrastructure generates a massive volume of data in real-time, which makes monitoring, tracking, and securing an IT environment a serious security challenge for cybersecurity teams.
Creating a monitoring strategy for your cloud environments is a critical step in providing effective security practices.
There are 5 key factors to monitoring a cloud environment:
- Security
- Performance
- Configuration
- Reliability
- Costs
A key question is: what do you want to achieve through monitoring? Performance, security, or reliability?
How do you prioritise these often-competing factors to support the business aims? For example, customer access or high throughput at the expense of security? Or high security at the expense of data flow?
In adopting cloud environments, organisations are exposed to new threats, alongside the associated challenges of monitoring their complete IT estate.
A security monitoring and response solution that fits both multi-cloud and on-premises environments should be scalable, adaptable to change and deliver the benefits of cloud investment that align with the long-term business strategy.
A main driver behind a monitoring capability is to keep up with skilled attacker groups who are employing automation to discover and exploit misconfigured cloud assets (for example, Unrestricted RPC Access) within hours of their deployment.
When considering a security monitoring solution for your cloud environment, assess these 6 key concepts:
1) Scalability
The ability to monitor ever-increasing volumes of data across many distributed locations.
2) Visibility
Monitoring to provide more visibility into application, user, and file behaviour can improve the identification of potential compromises or attacks.
3) Real-Time
Capture activity within event logs in real-time. Collect and process the monitoring solution as quickly as possible to support a short Mean-Time-To-Detection (MTTD).
4) Integration
Integrate with disparate tools and cloud services.
5) Auditing and Reporting
Provide auditable trials proving controls are effective and meet compliance requirements.
6) Data Normalisation
Map various data sources to a common information model to correlate between the different data types using standard field names and formats to ensure detections cover the whole environment.
When factoring in these criteria and concepts, remember that one solution doesn’t fit all business profiles.
Each organisation has their own current and planned level of SOC maturity, plus a blend and proportion of workloads in different clouds and data centres.
Threat levels depend on a multitude of factors: tooling investment, in-house skills and experience, internal responsibilities and spans of control. Moreover, these factors also determine the most suitable solution for each business, whether that be internally managed, externally managed or a hybrid solution.
When selecting a solution spanning multiple environments, consider the following:
1) Careful design and cost management to maximise the value and reduce the complexity of adoption.
2) A thorough Target Operating Model (TOM) is needed to ensure the right skill set is available to manage and coordinate a unified detection and response strategy.
3) Leverage the expertise and experience of managed service providers and internal stakeholders. Understand your broader security requirements to develop a strategy and choose the right combination of security tools that fit your specific environment as well as meet the rapid pace of digital transformation and technology evolution.
We have evaluated 4 key areas to consider when understanding the expanse of your attack surface, how you can consolidate it and up defences.
To summarise, achieve visibility, understand your attack surface and third-party risk, identify and fix cloud misconfigurations, and implement cloud monitoring. Once this is achieved, you have gone a long way to protecting your organisation from a disruptive cyber-attack.
![adarma_logo_twgt-black[11615449]](https://adarma.com/wp-content/uploads/2022/10/adarma_logo_twgt-black11615449.png){kind=logo}
