Cloud computing has revolutionized how businesses store and process data, providing greater agility and scalability to meet business needs. However, with new technology comes new risks, and cybercriminals are not far behind in exploiting the cloud's security vulnerabilities.
In this post, we’ll delve into six predominant challenges that compromise cloud security and offer practical solutions for CISOs to fortify their defenses.
The intricate nature of the cloud, encompassing user identities, machine identities, and software identities, complicates distinguishing between legitimate and illegitimate behavior. Additionally, the sheer volume of APIs and permissions, numbering in the thousands, poses significant challenges even for seasoned cloud professionals. Cybercriminals can exploit this confusion by impersonating legitimate users or machines to bypass security controls. For companies that operate a hybrid environment, getting this right and staying secure is extremely difficult. Seamlessly integrating on-premises systems with cloud infrastructure, and maintaining secure bi-directional communication, presents more challenges than it might initially seem.
A lack of security knowledge can lead to risky configurations in AWS. For instance, developers might be tasked with building a product or designing an architecture without fully grasping the security implications of their decisions. Consider a scenario where a developer modifies a security group to allow inbound traffic from the internet by setting the source to 0.0.0.0/0. They might not be aware that several other EC2 instances are associated with this same security group. This oversight could expose multiple EC2 instances to threats like brute force attacks, port scanning, injection, and server-side request forgery (SSRF).
Companies often grant excessive permissions to expedite processes and meet deadlines, inadvertently paving the way for threat actors who compromise those identities. These cybercriminals can exploit such permissions, potentially accessing an organization's most sensitive data. The principle of least privilege, granting only necessary access, becomes crucial. Coupled with regular security audits, this ensures businesses can leverage the cloud's benefits without compromising security.
Many organizations lack effective disaster recovery (DR) and/or business continuity (BC) plans for breaches or incidents, leaving them vulnerable to escalating issues. I always emphasize the mindset of "when you get breached" rather than "if you get breached" when developing DR & BC plans. Without such plans, threat actors can lurk for longer in an account, often creating backdoors and other persistence methods, while organizations scramble to figure out what to do and how to contain the threat.
We often see this when customers with an on-prem security strategy try to bring it to the cloud. It's like mixing oil and water – it just won't work. Traditional on-prem environments are protected by a single hardware firewall, whereas a cloud environment has many services that can come with their own mini-firewall (e.g. security groups). On-prem security strategies adopted for the cloud create blind spots because they were not designed with the cloud in mind. They fail to consider important aspects like multiple identities, thousands of APIs, and different permissions. So, it's crucial to understand the challenges and adapt to the cloud environment for a successful cloud security strategy.
Creating a cloud-focused DR & BC plan and consistently testing its effectiveness equips businesses with robust security, emphasizing readiness for "when" rather than "if" they face a breach.
Every developer has experienced this scenario working in the cloud: we dive into a cloud environment, make numerous changes, and inadvertently forget about them. This forgetfulness increases the attack surface, leaving us vulnerable. Often, we also rely on default settings within the cloud environment without questioning their adequacy.
Let's delve into a common scenario that highlights this issue. Take, for example, the default security group in AWS. By default, it allows outbound connections but blocks all incoming traffic. However, a threat actor can still exploit this default security group. By attaching the security group to an EC2 instance and injecting user data with a reverse shell into the EC2 instance, we can establish a connection back to our IP and gain unauthorized access. This works because security groups are stateful: return traffic for a connection the instance initiated is allowed regardless of the inbound rules. Once inside, we have the power to then scrape metadata for the attached role, which could allow for data exfiltration, lateral movement, and more. Surprisingly, even when examining the security group's inbound rules, experts may overlook this hidden vulnerability.
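The two security-group scenarios described in this post (a shared group opened to 0.0.0.0/0, and an instance relying on the default group's allow-all egress) can be caught with a review that looks at both rule directions and at which instances share each group. This is an added example, not code from the original post; the sample data is constructed and only mirrors the field names of the EC2 DescribeSecurityGroups and DescribeInstances responses.

```python
# Added example: audit security groups for world-open ingress and for
# instances that rely on the default group's allow-all egress.
# SECURITY_GROUPS / INSTANCES are constructed sample data; INSTANCES is a
# flattened list (the real API nests instances under Reservations).
WORLD = {"0.0.0.0/0", "::/0"}

SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web-shared",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0bbb", "GroupName": "default",
     "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "-1",
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
INSTANCES = [
    {"InstanceId": "i-01", "SecurityGroups": [{"GroupId": "sg-0aaa"}]},
    {"InstanceId": "i-02", "SecurityGroups": [{"GroupId": "sg-0aaa"}]},
    {"InstanceId": "i-03", "SecurityGroups": [{"GroupId": "sg-0bbb"}]},
]

def world_open(perms):
    """Return the rules in `perms` that apply to the whole internet."""
    hits = []
    for p in perms:
        cidrs = {r["CidrIp"] for r in p.get("IpRanges", [])}
        cidrs |= {r["CidrIpv6"] for r in p.get("Ipv6Ranges", [])}
        if cidrs & WORLD:
            hits.append(p)
    return hits

def audit(groups, instances):
    """Report each risky rule together with every instance it affects."""
    attached = {}
    for inst in instances:
        for g in inst["SecurityGroups"]:
            attached.setdefault(g["GroupId"], []).append(inst["InstanceId"])
    findings = []
    for sg in groups:
        members = sorted(attached.get(sg["GroupId"], []))
        for p in world_open(sg["IpPermissions"]):
            port = "all" if p["IpProtocol"] == "-1" else f'{p.get("FromPort")}-{p.get("ToPort")}'
            findings.append(("OPEN_INGRESS", sg["GroupId"], port, members))
        # Inbound rules alone miss this: the default group in use with open egress.
        if sg["GroupName"] == "default" and members and world_open(sg["IpPermissionsEgress"]):
            findings.append(("DEFAULT_SG_OPEN_EGRESS", sg["GroupId"], "all", members))
    return findings
```

Listing the attached instances next to each finding shows the blast radius of a single rule change before it is approved.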
In the pursuit of secure cloud environments, we often grant permissions to our peers out of trust and empathy. Unfortunately, relying solely on good intentions isn't enough. Striking a balance between allowing all and allowing none becomes crucial. Embracing the zero trust model presents challenges and friction, but opting to allow none can result in an overwhelming influx of pleas for help via Slack messages.
Cloud environments are inherently dynamic and constantly evolving. With the rapid creation and destruction of resources, identities frequently change, creating a perpetually moving target. This ephemeral nature makes monitoring and maintaining full visibility across the cloud exceedingly challenging. Teams feel overwhelmed as they try to manage, assess, and secure every aspect, often resorting to a 'fingers crossed' approach instead of an ideally robust strategy. While acknowledging the difficulty of achieving comprehensive visibility, striving towards complete oversight across all platforms and all resources in each environment remains crucial.
Cloud environments are vast and expansive. Picture the scale of a cloud infrastructure or cloud security provider like AWS. From the start, you gain access to a wide range of permissions and APIs across different regions and even continents. Your company might primarily use us-east-1 and us-west-2 as the default regions. However, a malicious actor could easily exploit other regions if you're not actively monitoring and paying attention to them. Sometimes organizations have great visibility into resources within one or more virtual private clouds (VPCs), but what about newly-created VPCs? Threat actors have been known to spin up a new VPC, deploy resources, and start mining cryptocurrency, all unknown to you until you receive a sky-high bill.
This scope of the cloud hinders visibility and control. The ephemeral nature of the cloud means things are constantly changing and evolving - new software, new services, and constantly shifting identities. It's a challenge to comprehend and track everything in your cloud environment. Detecting threats becomes harder, and responding promptly becomes more difficult. How do you distinguish between legitimate and nefarious behavior? You may have a threat-hunting team, but it may be too late. So, you really need to strategize your cloud security approach. How can you uncover these suspicious activities in a vast, multi-regional environment with an overwhelming volume of logs?
The complexity of it all means you're bound to have blind spots. And guess what? To a threat actor, those blind spots are opportunities. They'll exploit these weak points by conducting reconnaissance and figuring out where your monitoring falls short. Have you configured metric filters for your CloudWatch log group to detect suspicious APIs? They'll know all about it and exploit the areas you're not watching closely. It's like they sniff out the areas of vulnerability and carefully navigate around them, avoiding anything that might give them away.
Monitor resources that are not in use, such as VPCs, regions, services, etc., since they are frequently overlooked by organizations. For enhanced security, restrict the use of these unused resources using Service Control Policies in AWS, Organization Policy Service in GCP, or Azure Policy in Azure.
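One way to watch the unused regions discussed above is to group CloudTrail events by principal and region and flag anything outside the regions the company actually uses. This is an added example, not code from the original post or from Uptycs; the field names follow the CloudTrail record format, while `APPROVED_REGIONS` and the sample records are constructed assumptions.

```python
# Added example: flag CloudTrail activity in regions the organization does
# not use. SAMPLE_LOG is constructed data (one JSON record per line).
import json
from collections import defaultdict

APPROVED_REGIONS = {"us-east-1", "us-west-2"}  # the regions named in the text

SAMPLE_LOG = """
{"eventTime":"2024-01-01T02:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"CreateVpc","awsRegion":"ap-southeast-2","readOnly":false,"userIdentity":{"arn":"arn:aws:iam::111122223333:user/build"}}
{"eventTime":"2024-01-01T02:01:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","awsRegion":"ap-southeast-2","readOnly":false,"userIdentity":{"arn":"arn:aws:iam::111122223333:user/build"}}
{"eventTime":"2024-01-01T03:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","awsRegion":"eu-north-1","readOnly":true,"userIdentity":{"arn":"arn:aws:iam::111122223333:user/audit"}}
{"eventTime":"2024-01-01T04:00:00Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances","awsRegion":"us-east-1","readOnly":false,"userIdentity":{"arn":"arn:aws:iam::111122223333:user/deploy"}}
"""

def unapproved_region_activity(log_text, approved=APPROVED_REGIONS):
    """Group events outside `approved` by (principal ARN, region)."""
    seen = defaultdict(lambda: {"writes": [], "reads": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        region = ev.get("awsRegion")
        if region in approved:
            continue
        key = (ev.get("userIdentity", {}).get("arn", "unknown"), region)
        # A record without readOnly is treated as a write (conservative).
        if ev.get("readOnly", False):
            seen[key]["reads"] += 1
        else:
            seen[key]["writes"].append(ev["eventName"])
    return dict(seen)

def alerts(activity):
    """Writes in an unused region are HIGH; read-only calls alone are LOW."""
    out = []
    for (arn, region), a in sorted(activity.items()):
        severity = "HIGH" if a["writes"] else "LOW"
        out.append((severity, arn, region, a["writes"]))
    return out

if __name__ == "__main__":
    for alert in alerts(unapproved_region_activity(SAMPLE_LOG)):
        print(alert)
```

Detection of this kind complements the preventive policies named above: once a region is denied by policy, any event that still appears there deserves attention.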
New services and technologies are emerging rapidly, causing a buzz in the tech world. For instance, containers have gained wide adoption, along with Kubernetes. Containers are incredible for transitioning from on-prem to the cloud and breaking down applications into microservices. However, the challenge lies in the scarcity of container & Kubernetes knowledge and container & Kubernetes security expertise. Many companies, in their trial-and-error approach, fail to prioritize security measures and end up leaving vulnerabilities open to exploitation.
Here's the thing: threat actors are cloud security experts. They know the ins and outs of container & Kubernetes security. They know exactly which APIs to manipulate to achieve their goals. AWS, for example, essentially operates through APIs that connect to various services, making it essential to be vigilant about API usage and permissions when managing these services at scale across regions and accounts. Once threat actors gain access, they adeptly exploit Kubernetes' command-line interface, kubectl. Its inherent complexity and the challenges in managing it often provide opportunities for these malicious actors to maneuver.
In summary, staying ahead of the game in this rapidly evolving landscape requires a deep understanding of container & Kubernetes technologies, strong security measures, and strategic management of services.
When it comes to cloud breaches, humans are the primary cause. We all know that humans are often the easy targets because they tend to take the easiest route. However, humans are also the key to our success. We need skilled cloud security experts, but unfortunately, this area has a significant shortage.
As someone who leads the offensive security research team at Uptycs, I have directly experienced this shortage while interviewing cloud security researchers. While many candidates could architect a secure environment, few could answer critical questions regarding privilege escalation, data exfiltration, lateral movement, suspicious API utilization, and more.
Due to the lack of overall cybersecurity skills and knowledge, we are forced to rely on more junior individuals, encouraging them to learn and grow in their roles, even if it means making mistakes in the short term. However, this approach presents challenges as misconfigurations are introduced, whether knowingly or unknowingly. Sometimes, developers simply leave security settings open after requesting temporary access and forget to close them. In other instances, we grant users more privileges than necessary to avoid friction within the environment.
Improving the skills of cloud security professionals through hands-on exercises and fostering a culture of secure practices are vital in addressing these issues. Encourage your organization to adopt the mindset of 'think like a threat actor'. This approach helps teams understand how threat actors think and behave, and which tools they employ. While security teams typically focus on defensive techniques, it's crucial to flip that narrative. By teaching them how to also simulate attacks on cloud environments, they become better equipped to anticipate, recognize, and counteract real threats.
It's time for us to reassess our approach to cloud security, ensuring that humans become proactive defenders rather than vulnerabilities, thus strengthening the protection of our systems and data.
Understanding and addressing these six issues is crucial for safeguarding cloud infrastructure. As cybercriminals refine and evolve their tactics, maintaining a proactive and adaptable stance on security becomes paramount. Adopting the mindset of 'when we get breached' rather than 'if we get breached' equips teams to be better prepared when an incident occurs, ensuring timely and effective response mechanisms.
By diligently addressing the aforementioned challenges, CISOs and cloud security teams can significantly reduce vulnerabilities, thereby safeguarding their organization's cloud infrastructure against potential threats.
While understanding threat actors' tactics is important, being equipped with the right tools to counteract their actions is critical. That's where Uptycs comes into play. From detecting abnormal API calls to flagging suspicious user activities and configurations, the Uptycs platform is designed to detect and remediate threats in real time.