When the adversary lurks in your cloud
Organizations embracing hybrid and cloud infrastructures are experiencing the benefits of business agility and operational cost savings. But what happens when an adversary brings their nefarious intentions to the same cloud?
Organizations are embracing hybrid and cloud infrastructures to host their applications and experience benefits including greater business agility and operational cost savings. But what happens when an adversary lurks around the cloud with nefarious intentions?
In an earlier blog post, I shared a few benefits of embracing the cloud, including:
- Unlike traditional, on-premises datacenters, the cloud offers highly scalable resources for running applications and managing data.
- The responsibility for security doesn’t have to exclusively rest with the cloud tenant. It can be shared with the cloud provider, which can reduce the burden on the tenant.
- Compared to on-premises datacenters, the cloud can be more energy efficient.
According to Gartner, the worldwide public cloud services market is projected to grow over 17% in 2019, to a total of $206.2 billion. More organizations across industries — ranging from healthcare, retail, consumer goods, and transportation to banking — are adopting a hybrid cloud approach using a combination of on-premises resources and cloud services. On one hand, this is good news because organizations will reap great benefits in productivity and cost savings. On the other hand, malicious actors are increasingly motivated to leverage the cloud to their advantage.
Common Adversary Activity in the Cloud
In Microsoft’s new Security Intelligence Report interactive site, Microsoft shares intelligence and insights on the Azure platform’s incoming and outgoing attacks. Here are 3 common cloud attacks to be aware of and defend against when adopting hybrid or fully cloud infrastructures:
1. Distributed Denial of Service (DDoS) attack: In a DDoS attack, an adversary tries to shut down the targeted application (a.k.a. resource), making it inaccessible to its intended users by flooding it with useless traffic (junk requests). In doing so, the adversary hopes to make a profit — by extorting money from the victim in exchange for ending the attack. Secondly, a DDoS attack could serve as a kind of smokescreen for more directly lucrative crimes. While a security team is struggling to deal with the high volumes of traffic that are crashing their system and rendering the application unavailable, attackers can steal sensitive information such as passwords, credit card numbers, or identity information. Furthermore, a DDoS attack may be used to bypass the security mechanisms in place to obtain administrative access to the targeted application.
2. Web application attacks: Such attacks could impact any organization that hosts a website, be it a static page or a page that hosts a login or e-commerce application. Most adversaries focus on the OWASP (Open Web Application Security Project) Top 10 list of web application attacks, which ranks injection as the number one threat to web application security. SQL is a query language designed to manage data stored in relational databases, and many web applications and websites store all of their data in SQL databases. An attacker may use SQL injection vulnerabilities to bypass application security measures. This puts a company’s private data, customer records, employee IDs, and various other types of confidential data at risk of being “taken” from internal servers. The attacker may then use this stolen data to blackmail victims or sell it on the black market (a.k.a. the dark web) to make a profit.
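The injection flaw described in the item above, as an added example that is not code from the original post or from Microsoft: a lookup that splices user input into the SQL text, beside the same lookup using a bound parameter, both run against a constructed in-memory SQLite table. The table, its rows, and the crafted input are assumptions made for this illustration; the point is that the parameterized form treats the input purely as data, so the same input matches nothing instead of every row.

```python
import sqlite3


def make_db():
    # Constructed stand-in for an application's customer store (sample data only).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    return conn


def lookup_vulnerable(conn, email):
    # Vulnerable: the caller's string becomes part of the SQL statement itself,
    # so anything that parses as SQL inside it is executed as SQL.
    sql = f"SELECT email, card_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    # Hardened: the value is bound to the "?" placeholder by the driver and is
    # never parsed as SQL, whatever characters it contains.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    conn = make_db()
    honest = "alice@example.com"
    # Constructed tautology input: closes the quoted string and appends an
    # always-true condition, so the vulnerable query's WHERE matches every row.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "param_honest": lookup_parameterized(conn, honest),
        "param_crafted": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The hardened version needs no input filtering to be correct; parameterization is the fix, and input validation is a second layer on top of it rather than a substitute.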
3. Brute force attack: This attack is a type of application attack. In a brute force attack, an adversary tries to “crack” the targeted application administrator’s credentials or encrypted data, such as logins, passwords, or encryption keys, through an exhaustive effort (using brute force) in the hope of eventually guessing correctly. After obtaining access, the adversary will try to perform another activity, such as:
- Stealing personal data from a customer database
- Sending phishing emails that lure legitimate users to a fake, adversary-controlled application (e.g. a website) and then stealing their personal data there (e.g. via a fake login page)
- Installing backdoors and trojans on the application server to keep using it over the long term
- Installing malicious software to infect administrator and/or customer resources (e.g. virtual machines)
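A detection-side illustration of the brute force item above, added here and not part of the original post or of any Azure Security Center logic: a small sliding-window detector run over constructed authentication log lines. The log format, the source addresses (RFC 5737 documentation ranges), the threshold, the window, and the account names are all assumptions for this example. It flags a source that accumulates failed logins quickly and, more importantly, a later successful login from that same source, which is the “after obtaining access” moment the post warns about and the one worth paging someone for.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format for this example (not Azure's own): one line per
# authentication attempt with a UTC timestamp, outcome, account, and source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one source hammers the admin account, then succeeds.
SAMPLE_LOG = [
    "2019-01-15T10:00:00Z auth result=FAIL user=admin src=203.0.113.7",
    "2019-01-15T10:00:10Z auth result=FAIL user=admin src=203.0.113.7",
    "2019-01-15T10:00:12Z auth result=OK user=alice src=198.51.100.4",
    "2019-01-15T10:00:20Z auth result=FAIL user=admin src=203.0.113.7",
    "2019-01-15T10:00:30Z auth result=FAIL user=admin src=203.0.113.7",
    "2019-01-15T10:00:35Z auth result=FAIL user=bob src=198.51.100.4",
    "2019-01-15T10:00:40Z auth result=FAIL user=admin src=203.0.113.7",
    "this line is not an auth record and is skipped",
    "2019-01-15T10:00:50Z auth result=FAIL user=admin src=203.0.113.7",
    "2019-01-15T10:01:05Z auth result=OK user=admin src=203.0.113.7",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=1)):
    """Return alerts in log order.

    'burst' fires once per source when it reaches `threshold` failures inside
    `window`; 'success_after_burst' fires whenever a flagged source later logs
    in successfully, the likely-compromised case.
    """
    failures = defaultdict(deque)  # src -> timestamps of failures within the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated or malformed line; a real pipeline would count these
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "FAIL":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "burst", "src": src, "at": ts, "count": len(q)})
        elif src in flagged:
            alerts.append(
                {"type": "success_after_burst", "src": src, "user": ev["user"], "at": ts}
            )
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

Keyed on source address this catches a single noisy client; a distributed guessing campaign that spreads attempts across many addresses needs the same window kept per target account as well, and the response on the prevention side is rate limiting, lockout or MFA rather than the detector alone.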
These are just a few types of attacks to be prepared for when adopting cloud services.
Securing the cloud is a shared responsibility between the cloud service provider and its users. While the cloud tenant needs to take action to secure their cloud workloads, a responsible cloud provider should also offer solutions to help users address security threats. For Microsoft Azure customers, Azure Security Center can help prevent, detect, and respond to DDoS, web application, and brute force threats. One of the best reasons to trust Azure for your applications and services is the wide array of security tools and capabilities available to users.
In my next blog post, I will share 5 security recommendations for organizations adopting cloud services.