Optimising cloud-based systems: Cyber-attacks evolving

August 12, 2025

Matt Lovell, Co-Founder and CEO of CloudGuard, discusses how businesses can optimise their cloud-based systems to evolve with cyber-threats.

Automation: Improving cyber maturity

Overall, automation is improving cyber maturity and reducing attack surfaces, and nowhere more so than in cloud-based systems.

Clouds in all their forms, public or private, allow for flexibility and scalability, template-driven configuration to best practice, and the integration of disparate clouds into a single security command and control.

The risks do not reduce, though; they are adapting and evolving faster.

Human weaknesses are still a critical input in many attacks and risks observed.

Whether it is uncontrolled adoption of AI-based tools, organisational data sets copied and not secured appropriately, cloud services not decommissioned correctly or application interfaces not included in security verification prior to release, it is often peripheral services that evade controls and real-time identification.

Another repeated challenge is the lack of effective Incident Response plans that are fully integrated and tested alongside Business Continuity plans as organisations migrate to clouds.

Hybrid landscapes represent new challenges to both planning and testing.

There are different risks to consider as well.

Loss of storage account access, encryption keys and service principals were not previous considerations – they are now.

Many organisations utilise immutable backups and cross platform services to reduce risks.

Recent higher-profile cyber-attacks have shown how important it is to ensure the entire recovery process in multi-cloud and hybrid environments is fully tested, and that all critical resources are identified, so that recovery time objectives (RTOs) can be met.

These interfaces can represent new attack surface areas for bad actors, since the reconnaissance they undertake will seek to establish how they could disrupt business continuity plans.

The modern threat landscape

Security teams are under increasing pressure. In the event of a major incident, a key concern is the increase in pressure and workload placed upon these key resources.

Whilst many businesses now leverage global threat intelligence sources, this needs focus and continual immersion to identify and validate the threats specific to a business.

The dark web represents an ever-increasing marketplace for trading insights, attack approaches and exploitation strategies.

Attackers commonly share these and migrate between affiliate entities as they evade detection and adapt.

Why do spear phishing and sophisticated phishing email attacks remain so prevalent?

Why is combining this with social engineering attacks, which leverage AI to considerably increase the accuracy of voice and video synthesis, an increasing challenge for so many businesses?

Cloud and AI are enabling all of us to develop, innovate and adapt much faster.

As systems and interfaces are added, the security workload and surface management responsibilities increase.

Existing security tools, controls and processes may not be as effective, and we may need to consider updates and additions.

Diversionary techniques and multi-channel attacks are key Tactics, Techniques and Procedures (TTPs) adopted by bad actors.

We have seen this with several critical application vulnerabilities recently.

Whether it was the critical CVE in SAP NetWeaver or the multiple authentication bypass attack vectors observed, attackers know these are critical business systems where maintenance windows can be challenging to agree with business owners.

Cloud services do provide more options, but not all businesses can or do leverage them for all landscapes.

It is not just distraction TTPs. Shadow IT in apps, AI and development techniques presents increasing challenges to identifying privilege escalation, new application registrations, data exfiltration through pipelines and AI, as well as unsanctioned apps.

Cloud-based cybersecurity and automation

Cloud-based cybersecurity automation and AI can increasingly take on the initial detection, triage, investigation and response across multi-cloud and hybrid landscapes.

However, security cannot slow the business innovation timelines and overall responsiveness.

As cloud-based security and AI tools are increasingly adopted, the focus moves to how security teams can leverage emerging capabilities to accelerate security in these highly innovative cloud environments.

Large tech companies are increasingly rethinking their security-by-design practices in their own developments, given the evolution of the threat landscape.

Security is everyone’s challenge and we ALL have our part to play.

Awareness, adherence to controls and policies, and an understanding of security issues as we adapt and evolve working processes and practices are all critical.

Using lessons learnt from recent incidents, we can accelerate our Cloud based security thinking.

When we engage with customers in immersive table-top simulation attack exercises, or help an organisation consider security in a new application or service, the key questions are:

  • How could this be exploited, or how could someone bypass controls? In cloud environments there are many possible answers. Was it an undetected app registration, or a misconfigured storage bucket? A stolen API key or a modified application key? A compromised token from a phishing attack? Changes in user sign-ins and deviations from controls are additional areas to monitor here.
  • How could this lead to persistence? Increasingly we observe attackers remaining within an environment or changing application code as a means of persistence. Attacker evasion techniques within cloud-based systems are increasingly sophisticated and difficult to detect; without the right monitoring and analytical rules, coupled with behavioural analysis, they are difficult to identify.
  • What data is involved and could be exfiltrated, either accidentally or with intent? Human error and insider threats are significant contributors to many attacks. In the cloud, data can move through many routes, so monitoring all of them necessitates automation and verification of changes. Approved file-sharing tools, monitoring for unsanctioned apps and watching for new file destinations used to exfiltrate data are critical. Retaining logs in these areas for longer is highly recommended, as attacks can persist for months or even years.

Six steps to modernising your incident response plan

So, what does an optimised cloud-based Incident Response plan look like? Here are six elements I recommend:

  1. Build cloud-specific playbooks: Do not rely on generic steps. Create playbooks for cloud-specific business scenarios: exposed storage, compromised API keys, stolen tokens. These risks need tailored responses.
  2. Define how you will work with your cloud providers: Who contacts them? What information will you need? How will you escalate issues if you do not get the answers you need? Which resources will be involved, with no single point of failure or dependency?
  3. Integrate cloud telemetry with your SIEM or SOAR: Pull together logs from across your cloud services. You cannot spot lateral movement or privilege abuse if the data is not in one place. This accelerates detection and saves considerable time at the investigation and determination stage, avoiding cul-de-sac investigations.
  4. Automate where possible: Recovery Time Objectives matter. Be ready to revoke access, disable tokens or block compromised accounts fast. Automation makes the difference, but so too does working with users in a state of heightened awareness post-incident to ensure confidence and further anomaly detection.
  5. Secure trusted tools and partners before the crisis: Do not be making decisions on who to call when an incident hits. Have those relationships in place and the tools approved in advance. Test and retest. Be prepared like never before.
  6. Support focused teams: If you do not have in-house expertise, arrange external support now. Focused teams are just as vulnerable and often have fewer resources, but ensuring key individuals are known and proven to work together ensures optimal response and recovery performance.

Data exfiltration

Most attacks involve data exfiltration. Your plan needs to cover: how to spot abnormal data movement (remember, you must know what normal looks like first); secure, approved ways to transfer data safely during an incident; and clear communication with customers and regulators about what was taken and what it means.

You will not always know if data has left the business. That is why preparation, monitoring and communication are so important.
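The "know what normal looks like first" point, together with the earlier calls to pull cloud telemetry into one place and to watch for new file destinations, as an added Python example that is not from the article or from CloudGuard. The event shape (source, principal, day, destination, bytes) and the sample events are constructed assumptions standing in for normalised SIEM records.

```python
# Added example (not from the article): learn what "normal" egress looks like per
# principal from consolidated multi-cloud telemetry, then flag deviations after it.
from collections import defaultdict
from statistics import mean, pstdev
# Constructed sample events (source, principal, day, destination, bytes), already
# normalised to one shape as a SIEM ingesting several cloud log sources would do.
EVENTS = [
    ("aws-cloudtrail", "svc-backup", 1, "s3://corp-backups", 40_000_000),
    ("aws-cloudtrail", "svc-backup", 2, "s3://corp-backups", 41_000_000),
    ("aws-cloudtrail", "svc-backup", 3, "s3://corp-backups", 39_000_000),
    ("aws-cloudtrail", "svc-backup", 4, "s3://corp-backups", 40_000_000),
    ("m365-audit", "alice", 1, "sharepoint://finance", 2_000_000),
    ("m365-audit", "alice", 2, "sharepoint://finance", 2_400_000),
    ("m365-audit", "alice", 3, "sharepoint://finance", 1_800_000),
    ("m365-audit", "alice", 4, "sharepoint://finance", 2_200_000),
    # Day 5 is outside the baseline window: a routine backup, plus a large upload
    # by alice to a destination never seen during the baseline.
    ("aws-cloudtrail", "svc-backup", 5, "s3://corp-backups", 41_000_000),
    ("m365-audit", "alice", 5, "sharepoint://finance", 2_000_000),
    ("web-proxy", "alice", 5, "https://paste.example", 50_000_000),
]

def baseline(events, train_days):
    """Per-principal (mean, stdev) of daily bytes and destinations seen in the window."""
    daily = defaultdict(lambda: defaultdict(int))
    known_dests = defaultdict(set)
    for _src, who, day, dest, nbytes in events:
        if day <= train_days:
            daily[who][day] += nbytes
            known_dests[who].add(dest)
    return {w: (mean(d.values()), pstdev(d.values())) for w, d in daily.items()}, known_dests

def detect(events, train_days, sigma=3.0):
    """Alerts (principal, day, signal, detail) for post-window events: new destinations
    absent from the baseline, and daily totals far above the principal's own mean."""
    stats, known_dests = baseline(events, train_days)
    daily = defaultdict(lambda: defaultdict(int))
    alerts = []
    for _src, who, day, dest, nbytes in events:
        if day <= train_days:
            continue
        daily[who][day] += nbytes
        if dest not in known_dests.get(who, set()):
            alerts.append((who, day, "new-destination", dest))
    for who, per_day in daily.items():
        mu, sd = stats.get(who, (0.0, 0.0))  # principal with no baseline: any egress alerts
        for day, total in per_day.items():
            # Floor the spread at 10% of the mean so a flat baseline needs a real jump.
            if total > mu + sigma * max(sd, 0.1 * mu):
                alerts.append((who, day, "volume-anomaly", total))
    return sorted(alerts, key=lambda a: a[:3])

if __name__ == "__main__": print(detect(EVENTS, train_days=4))
```

The routine backup account stays quiet because its day-5 total sits within its own baseline, while alice trips both signals on the same day, which is the kind of correlated evidence that shortens the determination stage.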

What’s next?

Continuous testing is key. Plans change all the time – as do processes, people and technology.

It is essential to run simulations and red team exercises and prove your plan works before it is needed.

Regulators will also demand clearer evidence of how incidents are handled. You will need transparency and strong documentation as well.

The cloud will not stand still and neither will those looking to exploit it.

Build resilience now

This is not about reacting when something goes wrong.

It is about building resilience so you can act with speed and confidence under pressure.

Review your Incident Response Plan now. Test it. Make sure it reflects the realities of modern cloud-based systems. Because when the next incident happens – and it will – you will want to know you are ready.

This article was originally published in the August edition of Security Journal UK.
