Cloud environments have seen a meteoric rise in the past decade. What began as means of data storage has now become a full-scale computing platform, enabling a global shift in how businesses share, store, optimize, and manage information. However, threat actors have witnessed these changes and taken to targeting the cloud, knowing that more and more businesses continue to make the transition to hybrid workspaces and cloud technologies.

The same features that make cloud services beneficial to organizations are the same that make them attractive to threat actors. In recent years, attacks on cloud environments have surged as threat actors took advantage of the high volumes of sensitive data flowing between organizations and their cloud service providers. Opportunistic by nature, threat actors thrive off of weak credentials, misconfiguration, and human errors when it comes to planning their attacks on the cloud surface.

While the related security challenges haven’t slowed cloud adoption, organizations should be aware of their scope, significance, and how to secure against them. This blog post outlines why cloud has emerged as one of the most attacked surfaces and what security measures businesses can implement to safeguard their cloud environment and data.

Cloud Attacks Are Rising

The number of reported attacks on clouds has increased dramatically in the last few years, in part spurred on by the COVID-19 pandemic when businesses of all sizes needed to adapt quickly to alternative means of operation.

According to Gartner, the pandemic along with a surge in digital services have made cloud the “centerpiece of new digital experiences”, and global cloud revenue will total $474 billion this year – a $66 billion dollar increase from 2021. The research firm also predicts that more than 95% of new digital workloads will be deployed on cloud-native platforms resulting in a 30% increase from the year before.

Businesses need to plan beyond traditional security strategies to manage a widening enterprise attack surface as well as the risks associated with cloud services. The following statistics show the rise in cloud adoption and just how much clouds have come under attack in the last few years:

• 69% of organizations have accelerated their cloud migration in the last 12 months. The percentage of organizations with most or all of their IT infrastructure in the cloud is expected to increase from 41% to 63% in the next 18 months (Foundry, 2022).
• 49% of IT professionals reported that cloud-based attacks led to unplanned expenses.
• 80% of CISOs surveyed by PurpleSec were unable to identify instances of excessive access to data in their cloud environments.
• 79% of organizations have suffered at least one cloud-based data breach in the last 18 months. Further, 43% have reported 10 or more breaches within that same time frame (Emertic, 2021).
• 83% of cloud breaches are derived from access-related vulnerabilities (CyberTalk.org, 2021).

Understanding Cloud Risks

Using cloud services inherently exposes organizations to new security challenges, often related to unauthorized access, insider threats, and supply chain risks. To a threat actor, cloud vulnerabilities are means of gaining access to exfiltrate data from the targeted organization’s network whether by service disruptions, ransomware, or unauthorized data transfer. More sophisticated threat actors may employ lateral movement and detection evasion techniques, or account takeovers to establish and maintain a long-term foothold within the targeted network before leveraging existing services and tools found within it.

Common cloud security risks include the following:

• User Account Takeovers – Whether credentials are stolen through phishing, brute force, or malware, weak password policies often lead to compromised user accounts.
• Misconfiguration – Cloud service providers offer different tiers depending on the needs of the organization. This allows the cloud to work to scale with the organization. However, many organizations lack the security posture needed to ensure the safety of these services, resulting in security risks in the deployment stage of implementation. Misconfigured servers are a leading cause of compromise when it comes to cloud-based attacks.
• Vulnerable Public APIs – Public APIs allow trusted users to interact and operate within the cloud. If exploited, these APIs become a straightforward method for threat actors to gain access to the platform and exfiltrate sensitive data in the cloud database. Further, if the original configuration of the API harbors any vulnerabilities, this leaves threat actors with a backdoor for future exploits.
• Insider Threats – Even organizations with a healthy cyber ecosystem can fall victim to a legitimate, malicious user with a mind to leak data. Malicious users often already have access to sensitive or critical data, and may also have the permissions to remove certain security protocols. The threat of malicious insiders is greatly minimized through zero-trust policies and identity and access management solutions.
• Denial-of-Service (DoS) Attacks – Designed to overload a system and bar users from accessing services, DoS attacks are especially devastating to cloud environments. When the workload increases in a cloud environment, it will provide extra computational power to address the extra load. Eventually, the cloud slows down and legitimate users lose their access to any files in the cloud.
• Third-Party Vendors – It is important for organizations to assess third-party risks when using vendor services. Clouds are susceptible to supply chain attacks when threat actors infiltrate a network through unsecured third-parties that work with the organization. Cyber risk is inherited when organizations choose to work with vendors who have more lax cybersecurity posture than their own.

Defending the Cloud – Cyber Hygiene Matters

Securing the cloud begins with the basics. Cloud environments require short and long-term security planning, implementation, and strategy, and practicing cyber hygiene is the first step of that strategy.

Organizations that have processes in place for strong password requirements, multi-factor authentication, patch management, software updates, and device security can impede threat actors from grabbing those low-hanging fruits and lessen the attack surface under target.

Cover the Bases with Zero Trust & Segmentation

There is no such thing as immunity from cyber attack, but implementing zero trust policies goes a long way when building a holistic defense against threat actors who are eyeing a vulnerable cloud. Threat actors cause the most damage when they are able to move laterally through a victim’s network and escalate privileges along the way.

Adopting zero trust makes life more difficult for threat actors. The zero trust principle works by eliminating the concept of ‘trust by default’. Implementation of zero trust requires each user and machine to authenticate before receiving only the specific access pre-determined for their role.

Network segmentation plays an important part in successful zero trust implementation as well. By segmenting networks into smaller subnets that each act like their own, independent network, administrators can better control and secure the flow of traffic between each one via granular rules. This approach breaks up the architecture of a network and allows administrators to pinpoint technical issues more easily and be able to improve monitoring efforts.

Develop a Cloud Operational Strategy

Clouds are, at their core, designed to help businesses scale and store data, not to provide security. For many organizations, clouds are managed by DevOps and CloudOps teams rather than the in-house security team. In siloed organizations, security measures may not be uniform across different teams and could cause discrepancies in how the cloud is protected.

Defending cloud infrastructure requires a joined-up strategy that looks at the organization’s cloud footprint with a holistic approach. Data needs to be collected and analyzed from all available sources in a way that security teams can ingest and understand.

Simplify the Challenges of Multi-Cloud Environments

Many organizations have multiple clouds deployed to optimize support for a larger data infrastructure. However, this scales up the complexity of the cloud infrastructure. Protecting multi-cloud environments means trying to find a common way to cover clouds that may each have a unique deployment, set of regulatory requirements, and policies.

A lack of uniformity here can be a big challenge for organizations, particularly if the organization does not have access to cloud security experts. Multi-cloud environments become even more complex if they are provided by different vendors. Integration between each of the cloud solutions may be difficult and result in a loss of visibility.

Dealing with these challenges involves considering the future as well as the present. Will technology investments made yesterday and today integrate with those of tomorrow? Many organizations have understood the need to move to an XDR platform, but only an open XDR platform that integrates existing solutions and can integrate with them, analyzing data, receiving alerts and automatically sending responses, can effectively address the challenges of a multi-cloud environment.

Conclusion

The widespread adoption of cloud technologies continues to re-shape the modern day workforce. A significant part of the digital transformation happening globally, cloud implementation has allowed businesses to lessen costs, increase organizational agility, and improve long-term scalability. Though the migration to cloud has benefited many businesses, it has come with a variety of new attack vectors for threat actors.

To get ahead of threat actors, organizations using cloud services must fully understand how the services are being implemented and maintained. Visibility within the cloud is critical to seeing how file sharing is being done, the type of data being stored and its security, and what applications are connected.

SentinelOne can help organizations improve their cloud security strategy through a combination of endpoint detection and response (EDR) capability, autonomous threat hunting, and runtime solutions that can defeat cloud-based threats without compromising agility or availability. Learn more about Singularity Cloud or contact us today for a demo.

Singularity Cloud

One home to secure VMs, servers, containers, and Kubernetes clusters across multi-cloud and datacenters. Prevent, detect, investigate, and respond to threats in the cloud in real time—without sacrificing performance.

Get a Demo

The Good

Ask a security professional about the weakest link in any organization and the answer most commonly received is: users. A lack of awareness regarding threats as well as poor or absent cyber hygiene practices mean that phishing and social engineering are a threat actor’s favorite play.

It may come as a welcome surprise, then, to learn that according to a new survey, there’s been a marked improvement in cybersecurity awareness among the general public over the last three years. Coming after the pandemic and the large-scale shift to work from home, that can only be good news for enterprise security teams.

The survey found that in 2022, some 77% of respondents said they use MFA to log into online accounts compared to only 50% in 2019. An encouraging 88% said they now use strong passwords, up 12% from three years ago. In 2019, some 31% of people said they did not use any kind of security feature to unlock their smartphones. That number is down to 15% in 2022.

What accounts for this rise in cybersecurity awareness? The report suggests that the coverage of cybersecurity issues and emerging digital threats in the media, the increase in data breaches, and the growing awareness of ‘cookies’ and third-party trackers on personal devices are all likely to have contributed to the general perception that cybersecurity is an issue that affects all of us, at home and at work.

The Bad

If it’s good news we’re all becoming more cyber aware, on the other side of the fence is the unwelcome news that threat actors are making it easier to create and conduct phishing campaigns with a new PhaaS (Phishing-as-a-Service) platform called Caffeine. While PhaaS’s are not an entirely new phenomenon, what makes Caffeine particularly troubling is that anyone can sign up for it on the public internet.

Typically, threat actors wanting to use a PhaaS need a recommendation from a current customer or must go through some kind of vetting process. Caffeine is a site hosted on the public internet which accepts applications from anyone with just an email address, researchers say. For as little as $250/month, subscribers can use the platform to create customized phishing kits, generate URLs to host malware payloads, and track their campaign’s progress.

Caffeine significantly lowers the barrier to entry to would-be threat actors, offering to take care of infrastructure, fake sign-in pages, website hosting, email templates and more. The service currently targets the theft of Microsoft 365 credentials via fake sign-in pages hosted on compromised WordPress sites. Researchers say they expect to see the service expand its targets as it develops.

With competing PhaaS offerings advertising services such as 2FA and MFA bypasses, it seems that threat actors have a wealth of easy options for getting new campaigns off the ground.

Whether Caffeine’s open registration and appearance on the public internet will survive scrutiny from security researchers and law enforcement remains to be seen, but even if the service eventually retreats underground, the onus is on users and security teams to bolster their defenses. The emergence of services like these is only likely to increase the already high volume of phishing attacks being seen by enterprise security teams.

The Ugly

Last week, Fortinet issued a private warning to its customers of a new authentication bypass flaw affecting its FortiOS, FortiProxy and FortiSwitchManager products. This week comes the unpleasant but not entirely unexpected news that the flaw, tracked as CVE-2022-40684, is being actively exploited in the wild.

The critical flaw allows an unauthenticated attacker to perform arbitrary operations on the products’ admin interface after sending maliciously-crafted HTTPS requests. These operations include modifying admin user’s SSH keys, adding new local users, updating network configurations to reroute traffic, and initiating packet captures.

Exploit available for critical Fortinet auth bypass bug, patch now – @sergheihttps://t.co/oqceLu6YeP

— BleepingComputer (@BleepinComputer) October 13, 2022

CISA has added the bug to its database of Known Exploited Vulnerabilities (KEV), and FortiNet has advised organizations to hunt for the following IoC in device logs:

user=”Local_Process_Access”

In addition, those using the affected products should apply the available patches without delay. For those that cannot patch, Fortinet is advising admins to disable HTTP/HTTPS administrative interface or limit the range of IPs allowed to reach it.

In other bug-related news, Microsoft’s monthly ‘Patch Tuesday’ failed to offer fixes for the recently reported Exchange Server vulnerabilities commonly-known as ProxyNotShell but did fix 13 other critical flaws that could allow for privilege escalation, spoofing and remote code execution. Three critical RCEs affect Microsoft Office and Word. As always, Microsoft users are urged to patch at the earliest opportunity.

2022 has, so far, shown us that data breaches, cyber threats, and privacy incidents are here to keep media outlets busy and news headlines stacked. The threat of cyberattack has permeated every layer of the global infrastructure from small businesses to large-scale enterprises. Even nation states have not been immune to cyber compromise.

Just this year, we saw the ransomware attack on the Costa Rican government that brought the country’s Ministry of Finance, public health services, and import and export sectors to a standstill. Data breaches were reported by two major international airlines in India and Turkey and, as the school year kicked-off, a disproportionately high number of attacks plagued U.S. schools, even resulting in the identity theft of minors.

Enterprises experienced their share of cyber dilemmas as well. Networking giant, Cisco, was hit with an identity-based attack through Active Directory, and ransomware gangs have zeroed in on nearly every critical sector including digital security firms, defense contractors, manufacturers, and information technology companies.

In all of these examples, there were security solutions in place. This blog post discusses the realities of the uphill battle enterprises are facing against cyber threats, their significance, and what actions they can take to better protect themselves.

Understanding Adversaries & Attack Surfaces

Today, businesses are asked to show they have reputable cybersecurity solutions in place before they can even get insurance coverage. As for threat actors, they have both evolved and expanded. Ransomware-as-a-Service (RaaS) business models have given non-technical criminals the ability to launch full-fledged campaigns. Double and triple extortion tactics are commonplace and ‘big game hunting’ targets high-value or high-profile organizations which have been identified as being able to pay large ransoms.

Not only have threat actors become more adept, attack surfaces are widening as businesses thrive in the age of more access, more connections, and more tools. The term ‘attack surface’ refers to the totality of vulnerabilities found in an environment. The term ‘attack vectors’ refers to ways that an unauthorized party can access the environment in question. Larger, more complex environments typically have a greater number of attack vectors and a larger attack surface to protect.

Observing the current threat landscape, three main attack surfaces come to the forefront: endpoints, cloud, and identity.

Attacks on Endpoints

The task of endpoint protection has grown more complex in recent years as more organizations adopt remote workers and BYOD (bring-your-own-device) policies. Endpoint-delivered threats usually start with malware-carrying devices that are then connected to the targeted network and spread infection, or social engineering tactics that trick unsuspecting users to install malware on their device.

Modern day work cultures allow endpoints to access sensitive data no matter where they are connected from, which increasingly puts the onus on the integrity of the endpoint itself. As endpoints are a critical part of every organization, their defense is a priority.

Attacks on Cloud

Security teams are starting to rethink their strategy as more businesses make the move from on-prem to hybrid and cloud environments. While cloud services offer an attractive boost in collaboration, scalability, and efficiency, they come with new risks that must be taken into account. Cloud computing requires businesses to secure virtual machines, containers, serverless workloads, and Kubernetes – all of which could be leveraged as potential attack vectors.

Cloud misconfigurations can easily expose businesses to cyberattack. Cloud environments are especially vulnerable to severe data loss, insider threats, supply chain attacks, and denial-of-service access.

Attacks on Identity

Identity-based attacks often involve the threat actor weaponizing legitimate tools and software used by their targeted victim. This year, Active Directory (AD) infrastructure continues to be an oft-exploited element in ransomware campaigns and post-compromise extortion efforts. For threat actors, targeting identity through sources such as compromised AD or access management is their quickest way to reaching their targets.

Since AD serves as a gateway to the rest of a company’s network, threat actors leverage the existing infrastructure to perform enumeration and move laterally through the rest of the network layers, escalating their privileges, obtaining access to sensitive files, and exfiltrating the data they are after.

Taking Care of Low Hanging Fruit

With low barrier entryways available and the possibility of generating high revenue, cyber adversaries will always look for easy ways into a targeted environment. It is crucial for businesses to identify and secure the attack vectors applicable to their network.

Not to be confused with attack surfaces, attack vectors are the means by which a threat actor gains unauthorized access to an environment. Common attack vectors include phishing and compromised credentials.

Existing infrastructure and solutions are also increasingly exploited by threat actors. Examples of these include:

• Multi-Factor Authentication (MFA) – While enabling MFA is highly recommended, examples from this year showed attackers exploiting this essential protection layer. Adding rules and monitoring attempts can help enterprises prevent and detect abuse of MFA for malicious access.
• Chrome & Browser Extensions – With the explosion of web applications, browser extensions have become essential for employees to perform their work. However when compromised, threat actors can perform data scraping techniques and see user behavior within the browser. Only approved extensions should be installed on company devices.
• Unpatched Software – Outdated software is one of the easiest ways threat actors gain unauthorized entry into a targeted network. Patch management keeps endpoints and networks up to date with bug fixes against known exploits as well as bolstering protection via new safety features.

The Long-Term Security Play | How SentinelOne Can Help

From a strategic standpoint, enterprise leaders need to take stock of the attacks happening on various surfaces as well as trending threats seen in the threat landscape. Enterprises that can keep their security strategies agile are the ones that stay ahead of cyberthreats.

Improving the organization’s security posture is a long-term play based on three major pillars: people, process, and technology. It requires understanding and a coordinated effort from all parts of a business, smart investment in effective technology, and a willingness to embed cybersecurity best practices on the day-to-day level of operations.

People: Build a Strong Security Strategy & Team

Enterprises are toughening up their teams in order to withstand and counter sophisticated cyber threats. Many companies are bringing in Chief Information Security Officers (CISOs) to assess, plan, and maintain the safety and digital growth of a business.

Based on the fluctuating threat landscape, CISOs are responsible for reevaluating their security strategies and adjusting how their business monitors and responds to potential attacks. Experienced CISOs stay ahead of developing cyber trends and attack patterns to build best practices that make sense for their team. A CISO’s cybersecurity strategy does not only safeguard people and processes but can also drive new opportunities, increase operational efficiency, and build up their business’s authority in their industry.

Process: Securing Operations & Workflows

Cyber attackers are the ultimate opportunists, always looking for the path of least resistance in the form of unprotected servers, vulnerable devices, or even third-party vendors that have weak security practices. Threat actors have been known to use relatively straightforward social engineering and phishing attacks to gain entry and then abuse the infrastructure itself, such as Active Directory, to spread quickly into an environment. Implementing identity protection is critical to stopping the misuse and exploitation of existing infrastructure and software and securing sensitive data held within it.

Enterprises globally trust SentinelOne’s industry knowledge and experience with fighting back privileged escalation and lateral movement. Get comprehensive identity security as part of Singularity XDR for autonomous protection including:

• Singularity Identity: End credential misuse through real-time infrastructure defense for Active Directory and deception-based endpoint protections. Singularity Identity defends Active Directory Domain & Azure AD Identities and domain-joined assets from adversaries aiming to gain privilege and move covertly.
• Singularity Ranger® Active Directory Assessor: Uncover vulnerabilities in Active Directory and Azure AD with a cloud-delivered, continuous identity assessment solution. Ranger® AD Assessor delivers prescriptive, actionable insight to reduce Active Directory and Azure AD attack surfaces, bringing them in line with security best practices.
• Singularity Hologram: Lure network and insider threat actors into engaging and revealing themselves with network-based threat deception. Singularity Hologram decoys stand at the ready, waiting to be engaged by adversaries and insiders. The resulting telemetry supports investigations and contributes to adversary intelligence.

Technology: Prepare to Invest In Tech

Security that stays relevant to developing cyber threats and also scales along with a business required investment in the right technology. Today, many businesses are adding artificial intelligence (AI) and machine learning (ML) to their security arsenal to better identify and respond to advanced persistent threats. When it comes to staying ahead of threats, speed is the differentiating factor – AI and ML both allow enterprises to combat emerging attacks by detecting patterns in real time. Many threat campaigns, particularly ones using ransomware, only last a few hours and actors are often already within a victim’s network just waiting to deploy. For context, major ransomware attacks from this year alone totaled over $236 million.

SentinelOne’s Endpoint Protection (EPP) and Endpoint Detection and Response (EDR) seamlessly combines automation with both AI and ML to detect and remediate modern attacks in real-time, at machine speed, and without extra intervention. This means that businesses can focus their resources on addressing operations-specific tasks. SentinelOne’s EPP solution also fully replaces legacy AV and AM solutions and can be scaled and tailored to fit a businesses’ specific requirements and processes.

Conclusion

While the headlines may make it seem like threat actors are winning in the ongoing cyber fight, enterprises can learn much from the attacks that have already happened and action them as lessons learned.

An adaptive and agile security strategy, team, and culture will take enterprises far in the uphill battle against growing cybercrime. Binding together people, process, and technology is key in taking a smarter, proactive approach to novel threats.

Enterprise businesses trust SentinelOne to help safeguard their critical attack surfaces by fusing together autonomous, AI-driven threat hunting and EDR capabilities. To learn more, request a demo or contact us for expert advice.