Stopping cloud attackers in their tracks: A guide

Gil Shulman is Illusive Networks’ VP of Products. Gil has over 20 years’ experience in the technology industry focusing on cyber defense. Before joining Illusive Networks, Gil worked with a wide variety of market-leading companies, from Check Point Software, where he led the High-End Products team, to Radware and Verint Systems, where he managed the product organization for national cyber defense. In recent years Gil has focused on virtualization and cloud technologies, traffic and application management, and network appliances and platforms, creating new product categories and design strategies. Gil served at the technological unit of the Israel Defence Forces Unit 8200.

As more organizations shift from an on-premises model to the cloud, Gartner has predicted that the cloud services industry will grow almost three times faster than overall IT services through 2022. The typical business relies on a hybrid mix of public and private clouds, coupled with traditional on-premises infrastructure. As more businesses move critical operations to cloud applications – such as choosing Salesforce as their CRM or using Microsoft Azure for hosting their databases – new attack vectors evolve.

It’s not enough to simply secure assets in the cloud, though, as the adoption of hybrid cloud and multi-cloud strategies continues. Organizations also need to secure pathways to and from the cloud, as well as between and within clouds. Externally-hosted services and applications don’t stand in isolation—they are connected to the corporate environment. A risk to one part of the extended ecosystem is a risk to all.

In addition, the major cloud providers offer only limited native security controls, typically security groups, web application firewalls and flow logs. By themselves, these controls fall well short of defending against nation-state attacks and advanced persistent threats (APTs). Scores of weaknesses remain, especially ones that leave attacker lateral movement within and between clouds almost completely unimpeded.

Threats on all sides

Organizations can, however, protect the business across hybrid ecosystems and stop malicious activity long before attackers reach business-critical assets. A cloud security strategy needs to address four potential vectors:

  • From one cloud to another: Having created a beachhead in one cloud environment, the attacker’s objective could be to pivot to another cloud network, or to other systems segmented within the same cloud infrastructure.
  • Between cloud assets: For instance, an attempt to gain higher privileges in order to access critical services such as storage or configuration assets, or to compromise an application server (such as Tomcat) in order to attack the cloud database connected to it.
  • From the corporate network to cloud networks: A malicious actor might attempt, for instance, to capture Microsoft Azure credentials used by an internal DevOps team in order to gain high-privilege access to cloud systems. This effort would likely be preceded by significant lateral movement within the corporate network to reach DevOps machines. Once inside the Azure environment, the attacker could begin moving laterally between systems and services, seeking valuable data and privileged users and roles.
  • From the cloud to on-premises assets: A malicious actor in this case would use any number of techniques (such as a brute-force attack) to compromise a public-facing web application server and use it as a beachhead to capture credentials to back-end enterprise systems. Once in, the attacker may ultimately be targeting an on-premises database and will look to connect from the cloud back to the on-premises environment. Alternatively, a malicious insider with Azure access may try to move toward a different target.

To combat all these vectors, the approach remains familiar: discovering, monitoring and eliminating connection and credential violations, while advocating for an endpoint-based deception strategy to spread fake objects on endpoints and servers throughout the network that appear useful to an attacker. There are also new capabilities available today that address many challenges specific to cloud environments, protecting against attacker movement from anywhere to anywhere.

Extensive deceptions and greater visibility

The following best practices will empower security teams with increased visibility and potential vulnerability context in cloud ecosystems.

  • Discover and remediate privileged credential violations: Get visibility into insecure usage and users on all common SaaS applications, including G Suite, Box, Salesforce and many more. Mitigate the violations created by shadow admins, users without multi-factor authentication enabled, and external and disabled accounts.
  • Manage the cloud attack surface: Visualize and automate the discovery of which cloud data are “crown jewels” that need to be protected. Find and eliminate common attacker pathways toward that data.
  • Link privileged access and violations to the cloud and back: Map the high-privileged users of each cloud service provider and connect them to information from on-premises directory services. Discover and identify credentials and cached connections to SaaS applications, including credential material held by an authorized department (human resources connecting into Salesforce, for example). This gives security teams comprehensive visibility and remediation capabilities both inside and outside the cloud.
  • Create monitoring and remediation rules: Implement procedures for identifying misconfigurations or insufficient protection layers applied to cloud users and applications, and for remediating these violations.
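An added example, not code from the original article or from Illusive Networks, showing what the first best practice looks like as a concrete audit: it walks a constructed set of SaaS user records and flags the four violation classes named above (shadow admins, users without MFA, external accounts, and disabled accounts that still hold privileged roles). The record fields, the approved-admin list and the corporate domain are all assumptions standing in for a real SaaS admin API or directory export.

```python
from dataclasses import dataclass

# Constructed SaaS user record; field names are assumptions standing in for
# what a real SaaS admin API or CASB export would return.
@dataclass
class SaasUser:
    app: str
    email: str
    roles: set
    mfa_enabled: bool
    enabled: bool = True

# Admins approved in the on-prem directory, per app (assumed export, constructed here)
APPROVED_ADMINS = {
    "salesforce": {"it-admin@corp.example"},
    "gsuite": {"it-admin@corp.example"},
}
PRIVILEGED_ROLES = {"admin", "super_admin", "system_administrator"}
CORP_DOMAIN = "corp.example"  # assumed corporate mail domain

def is_privileged(user):
    return bool(user.roles & PRIVILEGED_ROLES)

def audit(users):
    """Return (app, email, violation) tuples for the four violation classes."""
    findings = []
    for u in users:
        # shadow admin: privileged in the app but not in the directory-approved list
        if is_privileged(u) and u.email not in APPROVED_ADMINS.get(u.app, set()):
            findings.append((u.app, u.email, "shadow_admin"))
        # active account that can sign in without MFA
        if u.enabled and not u.mfa_enabled:
            findings.append((u.app, u.email, "no_mfa"))
        # account outside the corporate mail domain
        if not u.email.endswith("@" + CORP_DOMAIN):
            findings.append((u.app, u.email, "external_account"))
        # disabled account that still holds privileged roles
        if not u.enabled and is_privileged(u):
            findings.append((u.app, u.email, "disabled_privileged"))
    return findings

SAMPLE_USERS = [  # constructed sample records, not real accounts
    SaasUser("salesforce", "it-admin@corp.example", {"system_administrator"}, True),
    SaasUser("salesforce", "hr-lead@corp.example", {"system_administrator"}, True),
    SaasUser("gsuite", "sales-rep@corp.example", {"user"}, False),
    SaasUser("box", "contractor@partner.example", {"user"}, True),
    SaasUser("gsuite", "former-admin@corp.example", {"super_admin"}, True, enabled=False),
]

if __name__ == "__main__":
    for app, email, violation in audit(SAMPLE_USERS):
        print(f"{app:10} {email:30} {violation}")
```

Each finding maps to a remediation owner in practice: shadow admins and disabled privileged accounts go to the directory team, missing MFA to the identity team, and external accounts to whoever approved the sharing relationship.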

Cloud migration continues apace because organizations see the efficiencies and cost reduction possibilities. But an expanded risk landscape is also a real possibility. Enterprises must take stock of these risks and take advantage of today’s capabilities to increase visibility into and monitoring of the cloud environment. Deception technology plays a vital role in keeping attackers away from critical data, no matter how they try to approach it. This breadth of security will give enterprises the confidence to expand business activities both on-premises and in the cloud.
