Facebook founder and CEO Mark Zuckerberg’s famous motto, ‘move fast and break things’ is believed to be one of the drivers behind the company’s innovations and growth. However, moving faster than you’d planned isn’t always a good thing, as organizations worldwide discovered during the COVID-19 pandemic. While 2020 saw digital transformation programs in response to the pandemic, this rapid move to mass remote working and cloud connectivity also meant that for many organizations, some things got broken along the way – including security. advance by over five years Research in mid-2020 by Check Point found that public cloud security is a major concern for , and over 80% of enterprises found their existing security tools don’t work at all or had only limited functions in the cloud, exposing them to the risks of breaches and attacks. The dynamic, fast-moving nature of the cloud is one of the root causes of these risks, because it often leads to misconfigured permissions and privileges linked to identities or users. 75% of enterprises Threat actors and cyber criminals have been quick to exploit these misconfigurations and vulnerabilities. The Ponemon Institute’s identified cloud misconfigurations as the attackers’ entry point of choice: combined with stolen or compromised credentials, these issues were the cause of nearly 40% of all breaches. And they also led to one of the largest and most significant cyber-attacks ever: the ‘Sunburst’ supply chain compromise attacks which breached over 18,000 government and private-sector technology organizations worldwide via a backdoor embedded in their SolarWinds network management software. 2020 Cost of a Data Breach Report Blinded by Sunburst , the threat actor behind the Sunburst attacks, relied heavily on the cloud model to access sensitive information and gain footholds on the networks of targeted organizations. Once an enterprise was compromised, the attacker moved laterally from the backdoor in the target’s SolarWinds server to their Active Directory Federation Services server, which is responsible for the organization’s Single Sign On processes for accessing cloud services like Office365. At this point, the attacker used a previously published technique to gain persistent, full and hard-to-detect access to the victim’s cloud services, allowing them to explore and steal data from emails and storage. Dark Halo But how did the threat actor compromise SolarWinds’ systems in the first place, giving themselves the platform from which they could use privilege escalation to attack organizations using its software? Stolen or guessed credentials are one of the main sources of attack SolarWinds is investigating: a company intern for a critical lapse in password security that was undiagnosed for years, and have yet to rule out this lapse as a root cause of the attack.  It shows just how significant a single breached, stolen password can be. executives have blamed Taking unearned privileges Sunburst is the highest-profile example of a significant change in the nature of cloud misconfigurations, their root causes, and their consequences over the past year as identity and access management (IAM) misconfigurations began . These targeted attacks on cloud accounts, sometimes caused by flaws in the provider’s permissions or trust policy logic, can allow an attacker to gain privilege escalation and move laterally within the corporate’s cloud environment, thus obtaining certificate private keys, sensitive information and database credentials and enabling them to access sensitive data. making headlines Essentially, we are seeing a shift towards attacking cloud accounts instead of cloud resources. This shift has opened the door for attack vectors based on role assumption – the ability to obtain short-term permissions to authorized resources – that often enables vast operations within the cloud environment, including data theft. According to security researchers, Identity and Access Management (IAM) roles can be by 22 APIs found in 16 AWS services. Privilege escalation exploits based on permission settings can also be found on , which unlike AWS, is a SaaS (Software as a Service) solution. abused Salesforce These attacks rely on understanding the components, architecture, and trust policy of both IaaS (Infrastructure-as-a-Service, such as Amazon) and SaaS providers to sophisticated multi-stage attacks. This is in contrast with previously-common types of data breaches, which mostly relied on misconfigured settings – such as publicly exposed AWS S3 storage buckets. construct Protecting your privileges So how should organizations go about closing off security gaps and vulnerabilities that could be exploited by criminals? As we saw earlier with the Sunburst attack, sometimes the flaw lies in a particular application or multiple applications within their environments. This means it’s critical to monitor for security patches for all applications used, and to apply them as soon as possible to minimise the opportunity for attackers. It’s also useful to ensure that unneeded services within an application are disabled, to minimize network access points. Organizations should also design their networks and cloud infrastructures according to least privilege principles, so that users do not have access to services they are unlikely to, or should not use. Many attacks rely on exploit chains that combine multiple vulnerabilities in multiple systems, so breaking one link in that chain can often stop the entire attack in its tracks. Finally, enterprises need to get holistic visibility across all their public cloud environments, and deploy unified, automated cloud-native protections. This way, they can keep pace with business demands while ensuring continuous security and compliance.

Chain

Amazon

Check Point

Facebook

Salesforce

Target

Uncovering the Vulnerabilities of Qualcomm DSP

How to Protect Your Organization from Double Extortion Ransomware

Visit us

Too Long; Didn't Read

Check Your Privilege: Designing Cloud Infrastructures According to the Least Privilege Principle

Check Your Privilege: Designing Cloud Infrastructures According to the Least Privilege Principle

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Best Practice: Identifying And Mitigating The Impact Of Sunburst

47 Stories To Learn About Checkpoint

Best Practice: Identifying And Mitigating The Impact Of Sunburst

Cloud Sourcing as a Crucial Component in Threat Prevention

Cloud Threat Hunting: Investigating Lateral Movement

Cloud Threat Hunting Series: What Lead To a Major Financial Institution Suffering a Cloud Breach

Best Practice: Identifying And Mitigating The Impact Of Sunburst

47 Stories To Learn About Checkpoint

Best Practice: Identifying And Mitigating The Impact Of Sunburst

Cloud Sourcing as a Crucial Component in Threat Prevention

Cloud Threat Hunting: Investigating Lateral Movement

Cloud Threat Hunting Series: What Lead To a Major Financial Institution Suffering a Cloud Breach

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps