In 2005, Katrina Tsipenyuk, Brian Chess and Gary McGraw published a taxonomy of the software security errors attackers exploit. Today, the “Seven Pernicious Kingdoms” survive as a classification view within MITRE’s Common Weakness Enumeration (CWE). With the onset of cloud computing, it is time to begin a new taxonomy that accounts for attacks on cloud infrastructure.
The Era of Cloud Insecurity
Large data centers and cloud environments have opened new attack vectors. As organizations adopt cloud computing and virtualization technologies, attackers are taking full advantage of the data exfiltration and compute hijacking opportunities created by the dissolving security perimeter. The rising rate of security incidents shows the urgency of identifying and protecting against these evolving cloud computing threats. In fact, one well-known incident response firm has indicated that 15 percent of its investigations now center on cloud attacks.
With cloud computing, the perimeter moves into these new environments and into unprotected territory. Most companies have invested heavily in traditional multi-layer security appliances, such as firewalls and intrusion prevention systems (IPS), that provide in-depth “north-south” perimeter protection against common cyberattacks. These controls are far less effective at securing lateral, or “east-west,” traffic for three reasons: they cannot be moved into public cloud environments, they were not designed to handle the sheer volume of cloud traffic, and steering the right traffic to them is an operational hurdle in its own right.
When enterprises lack lateral defenses, the attacker has the advantage once inside the perimeter. If attackers find a way into a public Amazon AWS or Microsoft Azure environment, they can then pivot into an on-premises data center. The seriousness of this problem is highlighted by an increasing number of news headlines reporting massive data leaks, such as the Equifax breach, or theft of compute resources, as was the case with the recent Tesla cryptocurrency mining attack.
In the last few years, attackers have become increasingly skilled at using automation to accomplish their goals. Network worms such as WannaCry and NotPetya are perfect examples of how an attack can spread laterally within a network in minutes once propagation is automated.
The opportunity for attackers is growing because most security practices still follow physical data center layouts instead of aligning with the virtualized, overlay model of how today’s environments are utilized. When trying to use traditional security tools in virtualized environments, the following top three issues often lead to gaps in protection:
- Problems operationalizing security controls (setup, scale, maintain)
- Issues with coordinating multiple products for each environment
- Aligning security controls with changes in environments
Creating Shareable Cloud Security Threat Knowledge
My research team has been very busy studying the different forms of attacks enabled by cloud adoption. Over the next few weeks (and throughout the year as new attacks evolve), we will be outlining the cloud attack categories that we believe will give cloud-enabled organizations the most trouble in 2018. In this post we start with the first threat: cross-cloud attacks.
If any organization is considering a move to a virtualized or public cloud environment (or if it has already made the move), then it will be important to pay attention to this list to make sure the company is prepared to proactively defend against these categories of cloud attacks.
Attack 1: Cross-Cloud (a.k.a., X-Cloud)
Many enterprises are under the impression that they can go easy on security if they don’t host “critical workload” or “sensitive data” resources in the cloud, but they couldn’t be more wrong. Attackers commonly use public clouds to gain entry into on-premises data centers.
Once a business makes the decision to migrate any workloads into the public cloud, the perimeter of the on-premises data center also extends into that public cloud environment.
So the appropriate defenses are needed, but the security controls used to protect the on-premises data center cannot easily extend into a public cloud environment.
This forces many organizations to adopt a fragmented security posture that is complex to maintain and leaves the door open for attackers. Public cloud workloads can become infected with malware. As the malware replicates and spreads, the attack can easily jump from the public to the private cloud using standard protocols—if there are no lateral defenses in place.
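The lateral defenses the post calls for begin with visibility into east-west traffic. The following is an added example, not code from the original post or its author, of a minimal detector run over constructed, AWS-VPC-flow-log-style records: it flags connections that cross the cloud/on-premises boundary on ports associated with lateral movement, and it flags a single cloud host fanning out to many on-premises destinations, the signature of a worm probing its way across the extended perimeter. The CIDRs, port list, fan-out threshold, and every log line are assumptions made for illustration.

```python
"""
Added example (not the author's code): a small east-west traffic detector for
cross-cloud lateral movement, run over constructed VPC-flow-log-style records.
"""
import ipaddress
from collections import defaultdict

# Assumed address plan (hypothetical): a public-cloud VPC and an on-premises
# range that is reachable from it over a VPN or dedicated link.
CLOUD_CIDR = ipaddress.ip_network("10.20.0.0/16")
ONPREM_CIDR = ipaddress.ip_network("192.168.0.0/16")

# Destination ports commonly used for lateral movement (SMB, NetBIOS, RDP, SSH, WinRM).
LATERAL_PORTS = {445, 139, 3389, 22, 5985, 5986}

# Distinct cross-boundary destinations from one source before we call it fan-out.
FANOUT_THRESHOLD = 5

# Constructed sample in the default VPC flow log field order (version, account-id,
# interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes,
# start, end, action, log-status). Host 10.20.1.15 sweeps the on-prem /24 on 445.
SAMPLE_LOG = """\
2 123456789012 eni-0a1 10.20.1.15 192.168.10.4 49210 445 6 12 2048 1520000000 1520000060 ACCEPT OK
2 123456789012 eni-0a1 10.20.1.15 192.168.10.5 49211 445 6 12 2048 1520000001 1520000061 ACCEPT OK
2 123456789012 eni-0a1 10.20.1.15 192.168.10.6 49212 445 6 12 2048 1520000002 1520000062 ACCEPT OK
2 123456789012 eni-0a1 10.20.1.15 192.168.10.7 49213 445 6 12 2048 1520000003 1520000063 ACCEPT OK
2 123456789012 eni-0a1 10.20.1.15 192.168.10.8 49214 445 6 12 2048 1520000004 1520000064 ACCEPT OK
2 123456789012 eni-0a1 10.20.1.15 192.168.10.9 49215 445 6 12 2048 1520000005 1520000065 REJECT OK
2 123456789012 eni-0b2 10.20.2.40 192.168.20.11 51000 443 6 30 9000 1520000010 1520000070 ACCEPT OK
2 123456789012 eni-0c3 10.20.3.9 203.0.113.7 43000 443 6 40 12000 1520000020 1520000080 ACCEPT OK
2 123456789012 eni-0d4 192.168.10.4 10.20.1.15 445 49210 6 10 1500 1520000030 1520000090 ACCEPT OK
"""

FIELDS = ["version", "account", "interface", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "status"]


def parse_flow_log(text):
    """Parse default-format flow log lines; skip malformed lines and non-OK records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["status"] != "OK":  # NODATA / SKIPDATA rows carry no addresses
            continue
        try:
            rec["src"] = ipaddress.ip_address(rec["srcaddr"])
            rec["dst"] = ipaddress.ip_address(rec["dstaddr"])
            rec["dstport"] = int(rec["dstport"])
        except ValueError:
            continue
        records.append(rec)
    return records


def crosses_boundary(src, dst):
    """True when a flow moves between the cloud VPC and the on-prem range (east-west)."""
    return (src in CLOUD_CIDR and dst in ONPREM_CIDR) or (src in ONPREM_CIDR and dst in CLOUD_CIDR)


def find_cross_cloud_lateral(records, fanout_threshold=FANOUT_THRESHOLD):
    """Return findings for lateral-movement ports and fan-out across the boundary."""
    findings = []
    fanout = defaultdict(set)
    for rec in records:
        src, dst = rec["src"], rec["dst"]
        if not crosses_boundary(src, dst):
            continue  # north-south or intra-environment traffic: not this check's concern
        if rec["dstport"] in LATERAL_PORTS:
            findings.append({"kind": "lateral_port", "src": str(src), "dst": str(dst),
                             "dstport": rec["dstport"], "action": rec["action"]})
        # Rejected probes count too: a worm's failed connections are part of the signal.
        fanout[str(src)].add(str(dst))
    for src, dsts in sorted(fanout.items()):
        if len(dsts) >= fanout_threshold:
            findings.append({"kind": "fanout", "src": src, "distinct_dst": len(dsts)})
    return findings


if __name__ == "__main__":
    for finding in find_cross_cloud_lateral(parse_flow_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample, the detector reports six lateral-port findings (five accepted SMB connections and one rejected probe) and one fan-out finding for 10.20.1.15, while the HTTPS flow to on-prem, the outbound internet flow, and the on-prem reply traffic stay silent. In production the CIDRs would come from the organization's address plan and the records from the cloud provider's flow logs rather than an embedded string; the point is that east-west visibility is what makes the cross-cloud pivot detectable at all.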
Solving the Cloud Insecurity Epidemic Together
Moving forward, experts believe cloud attacks will accelerate and grow in sophistication. While there is no silver bullet solution that will address every cloud security risk, industry collaboration and intelligent cybersecurity will enable better defenses and in turn greater business value from cloud innovations.
To this end, my team is building a compendium of cloud security threats that we hope will be enriched through industry collaboration. The goal is to create a taxonomy that can not only be used to classify cloud security vulnerabilities, but also offer a standard way to evaluate the effectiveness of cloud security tools and provide a baseline for threat identification, mitigation and prevention efforts.
Stay tuned for the new industry report series which will highlight new and known cloud threat categories that security practitioners need to be aware of when planning their cloud defenses. Leveraging diverse inputs from academia, government, security practitioners and other commercial vendors, my hope is to provide the breadth of structure and depth of knowledge needed to serve as a unified standard of cloud threat vectors.