The attack surface is continuously expanding in the cloud. While there are a number of cloud-native security tools which can help reduce risks created by this, organisations need to understand what makes cloud workloads so vulnerable, how attacks play out, and why adopting runtime protection is the best practice approach.
There are many ways in which the cloud can be rendered vulnerable, enabling an attacker to gain access:
- If root accounts are not protected by robust passwords and multi-factor authentication (MFA), attackers may gain access with full administrator rights. They can then extract and delete data, delete user accounts and deploy their own resources to enable further criminal activity.
- If an attacker gains access to privileged identity and access management (IAM) credentials, they can remain undetected within a system while they explore it at length to determine how they can gain maximum advantage from it.
- If security groups or firewalls are misconfigured, they can expose Secure Shell (SSH) passwords to brute-force attacks or provide access to web applications that are not otherwise protected.
- If an attacker can get through firewalls and other security measures, they achieve their ultimate goal: the ability to run their own code in a virtual machine, container or serverless function.
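The security-group misconfiguration in the list above can be checked mechanically. The following is an added example, not part of the original article: it scans data shaped like the output of `aws ec2 describe-security-groups` for rules that expose SSH to the whole internet. The group IDs and rules are constructed sample data.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0example1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0example2", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
  {"GroupId": "sg-0example3", "IpPermissions": [
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
  {"GroupId": "sg-0example4", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}
""")

WORLD = {"0.0.0.0/0", "::/0"}  # "anyone on the internet", IPv4 and IPv6

def covers_port(perm, port):
    """True if the rule's protocol and port range include the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # all protocols, all ports; no FromPort/ToPort keys
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def world_open(perm):
    """Return the world-wide source ranges on a rule, IPv4 and IPv6."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in WORLD)

def ssh_exposed(groups, port=22):
    """List (group id, protocol, sources) for rules exposing the port to the world."""
    findings = []
    for g in groups.get("SecurityGroups", []):
        for perm in g.get("IpPermissions", []):
            sources = world_open(perm)
            if sources and covers_port(perm, port):
                findings.append((g["GroupId"], perm["IpProtocol"], sources))
    return findings
```

The second and third sample groups are the cases a check for "port 22 from 0.0.0.0/0" alone would miss: a wide port range opened over IPv6, and an all-traffic rule that carries no port fields at all.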
Why cloud workloads are so vulnerable
Once an attacker has penetrated a cloud environment, they have enormous opportunities to wreak havoc: the cloud's large attack surface enables them to move laterally with intense speed. In a public cloud, an attacker's range can span multiple data sources, network segments, IAM users and their roles.
In addition, pre-existing vulnerabilities and misconfigurations can give them access to other hosts within the same virtual private cloud. They may even provide access to resources outside the public cloud, such as a private data center.
The highly publicised Capital One data breach was an example of a wide-ranging attack. The attacker, an Amazon Web Services employee, took advantage of a misconfiguration in the AWS web application firewall (WAF) to make a server execute unauthorised commands on behalf of a remote user and gain access to Capital One data. As a result, data on approximately 100 million customers was stolen.
Generally, an attacker aims to access the data an organisation values most, its crown jewels. Gaining access to this requires attackers to run legitimate code for their own purpose (living off the land).
This enables their activities to remain hidden while they explore the environment, with the eventual goal of running their own code on a CPU and gaining access to the crown jewels.
How to better protect cloud workloads
There are plenty of cloud-native options for organisations to choose from. Just about every major cloud player has its own in-built security tools that claim to offer protection, but realistically, these tools are insufficient.
Attackers have many ways to subvert cloud instances for their nefarious purposes. To minimise these opportunities, the cloud attack surface must be reduced, and there are several ways in which this can be achieved.
1. Use Infrastructure-as-Code. This improves oversight of cloud resources, enabling them to be tracked and helping to minimise the chance of residual resources remaining after applications are decommissioned. Maintaining compliance is a continual process that requires dedicated human resources to ensure no assets are exposed.
2. Scan for vulnerabilities. It's essential to keep track of all known vulnerabilities, monitor their presence and remediate them if found on the network. This can be challenging, so organisations should focus their attention on the most important ones, as identified by a risk analysis.
3. Collect and analyse endpoint activity. Endpoint detection and response (EDR) tools can help identify malicious activities, enable threats to be contained, and notify the appropriate personnel. However, many EDR tools available in the market are far from perfect. They leverage machine learning and algorithms to identify threats and often produce many false positives.
Furthermore, they only raise the alarm after the threat occurs, up to 30 minutes later in some products. A malicious actor needs mere seconds to cause significant damage, so the reaction time needs to be within 60 seconds (at a bare minimum) for these tools to be effective.
4. Invest in runtime protection. All layers of the server workload in the cloud combine to form an organisation's attack surface. Runtime protection aims to minimise this attack surface; it creates a 'perfect' image of a workload's runtime, enabling any variation from the norm to be immediately spotted and protection implemented. Furthermore, runtime protection is immediate – and happens before an attacker can execute any code they may have managed to plant into the network.
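One simple way to model the baseline idea described above, and the living-off-the-land case mentioned earlier, is a default-deny check on every process execution. This is an added sketch, not code from the article or from any product; the event shape, paths and hashes are constructed assumptions.

```python
from collections import namedtuple

# Hypothetical event shape for this sketch: one record per process execution.
Exec = namedtuple("Exec", "path sha256 parent")

# Constructed "known good" executions recorded while the workload ran normally.
LEARNED = [
    Exec("/usr/sbin/nginx", "a1" * 32, "/sbin/init"),
    Exec("/usr/bin/python3", "b2" * 32, "/usr/sbin/nginx"),
    Exec("/bin/sh", "c3" * 32, "/usr/sbin/sshd"),
    Exec("/usr/bin/curl", "d4" * 32, "/bin/sh"),
]

def build_baseline(events):
    """Map each executable path to its allowed hashes and allowed parents."""
    base = {}
    for e in events:
        entry = base.setdefault(e.path, {"hashes": set(), "parents": set()})
        entry["hashes"].add(e.sha256)
        entry["parents"].add(e.parent)
    return base

def evaluate(base, e):
    """Return (verdict, reason); anything outside the baseline is denied."""
    entry = base.get(e.path)
    if entry is None:
        return ("deny", "unknown-executable")
    if e.sha256 not in entry["hashes"]:
        return ("deny", "modified-binary")
    if e.parent not in entry["parents"]:
        return ("deny", "unexpected-parent")  # legitimate binary, unusual use
    return ("allow", "in-baseline")

BASELINE = build_baseline(LEARNED)

# Constructed events seen later at run time.
OBSERVED = [
    Exec("/usr/bin/python3", "b2" * 32, "/usr/sbin/nginx"),  # normal
    Exec("/tmp/.x/miner", "ee" * 32, "/bin/sh"),             # planted code
    Exec("/usr/bin/curl", "ff" * 32, "/bin/sh"),             # binary replaced
    Exec("/bin/sh", "c3" * 32, "/usr/sbin/nginx"),           # web server spawns a shell
]

def verdicts(events=OBSERVED):
    """Evaluate each observed execution against the learned baseline."""
    return [evaluate(BASELINE, e) for e in events]
```

The last observed event is the living-off-the-land case: the binary and its hash are both in the baseline, so only the parent relationship reveals that a legitimate tool is being used in an unexpected way.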
Some organisations have a defeatist approach to security; they believe compromise of their systems by an attacker to be inevitable. However, even if this is the case, there are many options to make access more difficult by minimising the attack surface and ensuring cloud server workloads have the highest level of protection possible.