CrowdStrike’s Global Threat Report 2024 reported a 110% spike in compromised cloud workloads. Raj Rajamani, Chief Product Officer at CrowdStrike, shares about the common cloud misconfigurations that cyber attackers often take advantage of to infiltrate and compromise organizations.
Today, cloud adoption has become a prerequisite for businesses to succeed in the digital economy. However, rapid growth without robust cloud data security regulations and guidelines can make Southeast Asian countries a prime target for cyberattacks. Last year, two Asia-based data centres — including one in Singapore — used by major global corporations were breached, exposing credentials used by customers to access cloud services.
As cloud adoption continues to increase, businesses in Southeast Asia must take steps to better understand the nuances of managing the security of their data on the cloud. Efforts to further strengthen cybersecurity for Southeast Asia’s growing cloud environment will require understanding how threat actors operate: how they’re breaking in and moving laterally, which resources they target and how they evade detection.
Cloud misconfigurations — the gaps, errors or vulnerabilities that occur when security settings are poorly chosen or neglected entirely — provide adversaries with an easy path to infiltrate the cloud. Multi-cloud environments are complex, and it can be difficult to tell when excessive account permissions are granted, improper public access is configured or other mistakes are made. It can also be difficult to tell when an adversary takes advantage of them.
Misconfigured settings in the cloud clear the path for adversaries to move quickly.
A breach in the cloud can expose a massive volume of sensitive information including personal data, financial records, intellectual property and trade secrets. The speed at which an adversary can move undetected through cloud environments to find and exfiltrate this data is a primary concern.
Malicious actors will speed up the process of searching for and finding data of value in the cloud by using the native tools within the cloud environment, unlike an on-premise environment where they must deploy tools making it harder for them to avoid detection. Proper cloud security is required to prevent breaches with far-ranging consequences.
A breach in the cloud can expose a massive volume of sensitive information including personal data, financial records, intellectual property and trade secrets. The speed at which an adversary can move undetected through cloud environments to find and exfiltrate this data is a primary concern. Malicious actors will speed up the process of searching for and finding data of value in the cloud by using the native tools within the cloud environment, unlike an on-premise environment where they must deploy tools making it harder for them to avoid detection. Proper cloud security is required to prevent breaches with far-ranging consequences.
So what are the most common misconfigurations we see exploited by threat actors and how are adversaries exploiting them to get to your data?
Ineffective Network Controls: Gaps and blind spots in network access controls leave many doors open for adversaries to walk right through.
Unrestricted Outbound Access: When you have unrestricted outbound access to the Internet, bad actors can take advantage of your lack of outbound restrictions and workload protection to exfiltrate data from your cloud platforms. Your cloud instances should be restricted to specific IP addresses and services to prevent adversaries from accessing and exfiltrating your data.
Improper Public Access Configured: Exposing a storage bucket, or a critical network service like SSH, SMB or RDP to the Internet, or even a web service that was not intended to be public, can rapidly result in a cloud compromise of the server and exfiltration or deletion of sensitive data.
Public Snapshots and Images: Accidentally making a volume snapshot or machine image (template) public is rare. When it does happen, it allows opportunistic adversaries to collect sensitive data from that public image. In some cases, that data may contain passwords, keys and certificates, or API credentials leading to a larger compromise of a cloud platform.
Open Databases, Caches and Storage Buckets: Developers occasionally make a database or object cache public without sufficient authentication/authorization controls, exposing the entirety of the database or cache to opportunistic adversaries for data theft, destruction or tampering.
Neglected Cloud Infrastructure: You would be amazed at just how many times a cloud platform gets spun up to support a short-term need, only to be left running at the end of the exercise and neglected once the team has moved on. Neglected cloud infrastructure is not maintained by the development or security operations teams, leaving bad actors free to gain access in search of any sensitive data that may have been left behind.
Inadequate Network Segmentation: Modern cloud network concepts such as network security groups make old, cumbersome practices like ACLs a thing of the past. But insufficient security group management practices can create an environment where adversaries can freely move from host to host and service to service, based on an implicit architectural assumption that “inside the network is safe,” and that “front end firewalls are all that is needed.” By not taking advantage of security group features to permit only host groups that need to communicate to do so, and to block unnecessary outbound traffic, cloud defenders miss out on the chance to block the majority of breaches involving cloud-based endpoints.
Monitoring and Alerting Gaps: Centralized Visibility into the logs and alerts from all services would make it easier to search/hunt for anomalies.
Disabled Logging: Effective data logging of cloud security events is imperative for the detection of malicious threat actor behaviour. In many cases, however, logging has been disabled by default on a cloud platform or gets disabled to reduce the overhead of maintaining logs. If logging is disabled, there is no record of events and therefore no means of detecting potentially malicious events or actions. Logging should be enabled and managed as a best practice.
Missing Alerts: Most cloud providers and all cloud security posture management providers provide alerts for important misconfigurations and most detect anomalous or likely malicious activities. Unfortunately, defenders often don’t have these alerts on their radar, either due to an excess amount of low-relevance information (alert fatigue) or a simple lack of connection between those alert sources and the places they look for alerts, such as a SIEM.
Ineffective Identity Architecture: The existence of user accounts not rooted in a single identity provider that enforces limited session times and multifactor authentication (MFA), and can flag or block sign-in for irregular or high-risk signing activity, is a core contributor to cloud data breaches because the risk of stolen credential use is so high.
Exposed Access Keys: Access keys are used to interact with the cloud service plane as a security principal. Exposed keys can be rapidly misused by unauthorised parties to steal or delete data; threat actors may also demand a ransom in exchange for a promise to not sell or leak it. While these keys can be kept confidential, albeit with some difficulty, it is better to expire them or use automatically rotated short-lived access keys in combination with restrictions on where (from what networks and IP addresses) they can be used.
Excessive Account Permissions: Most accounts (roles, services) have a limited set of normal operations and a slightly larger set of occasional operations. When they are provisioned with far greater privileges than needed and these privileges are misused by a threat actor, the “blast radius” is unnecessarily large. Excessive permissions enable lateral movement, persistence and privilege escalation which can lead to more severe impacts of data exfiltration, destruction, and code tampering.
Just about everyone has a cloud presence at this point. A lot of organizations make the decision for cost savings and flexibility without considering the security challenges that go alongside this new infrastructure. Cloud security isn’t something that security teams will understand without requisite training. Maintaining best practices in cloud security posture management will help you avoid common misconfigurations that lead to a cloud security breach.