Through advances in cloud technology, data access is now readily available. This is a boon for developers. For security practitioners, though, it presents a challenge. With datasets increasingly made available to company employees via cloud adoption or migration, the potential for personal and identifiable data falling into the wrong hands increases.
Implementing a robust and systematic security program to secure your cloud environment is the first step to ensuring sensitive internal data doesn’t fall into those hands.
In this post, we will detail the top 10 cloud security risks every organization should address to prevent becoming the next cloud breach headline.
Top 10 Cloud Security Risks
In the recently released Cloud Threat Report, Volume 7: Navigating the Expanding Attack Surface, Unit 42 and Prisma Cloud researchers identify 10 critical risks that require an architectural and operational focus to ensure the detection of advanced threats within cloud environments.
This list will help organizational leaders in any industry and vertical secure their cloud environments against cloud threat actors.
- Failure to properly manage IAM policies
- Lack of operationalization of cloud audit and log data
- Extended response times to cloud alerting
- Failure to assess the cloud threat landscape
- Unaware of cloud threat actor group operations
- Failure to detect and properly handle cloud-targeting malware
- Redundant security tool operations
- Multiple cloud platform owners
- Not implementing Zero Trust principles
- Failure to establish cloud-focused IR planning or operations
Tactical Goals for Top Cloud Threats
Failure to Properly Manage IAM Policies
Unit 42 researchers have curated an index of known cloud threat actor groups (CTAGs) that actively target cloud environments. You can view indicators of compromise (IOCs) for each CTAG under its respective tag, including Automated Libra, Adept Libra, Thief Libra, Money Libra, Aged Libra and Returned Libra.
What links these groups is a common target, IAM credentials, and their use of automation to locate and exfiltrate those credentials within seconds of compromising a cloud environment.
According to Unit 42’s latest Cloud Threat Report, 83% of organizations have hard-coded IAM credentials within their source control management systems, and 76% of organizations don’t enforce MFA for their cloud accounts.
Proper IAM policy creation is an essential security requirement for maintaining a secure cloud. To ensure your organization is adequately protected from IAM credential theft, consider implementing the following security measures:
- Define a robust least privilege architecture for each IAM role or policy, such as single-purpose, isolated service accounts for each cloud deployment.
- Automate credential rotation so that no long-lived credentials exist, and default expired IAM user credentials to zero access.
- Alert on any modification or deletion of an established IAM role or policy.
- Alert on the creation of new IAM users, roles, or policies.
- Scan all modified cloud infrastructure as code (IaC) for leaked IAM data and implement a remediation plan for positive findings. Pay close attention to access key IDs, secret keys, tokens, PII, and sensitive internal data.
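The last item above, scanning IaC for leaked credentials, is the kind of check that can run as a commit hook or pipeline stage. The following is an added example written for this page, not code from Unit 42 or Prisma Cloud. It scans a constructed Terraform snippet (the AKIA... and wJal... values are AWS's own documentation examples, not real keys) for the credential shapes named in the text, skips IaC variable references so they are not reported as leaks, uses a Shannon-entropy threshold to drop low-entropy placeholders from the loose generic pattern, and redacts every finding before it leaves the scanner. The regexes other than the documented AWS access key ID format are heuristics chosen for this example.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Credential patterns. The AWS access key ID format (AKIA/ASIA followed by
# 16 upper-case alphanumerics) is publicly documented; the remaining patterns
# are heuristics chosen for this example, not an exhaustive rule set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)(?:aws_)?secret(?:_access)?_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})[\"']?"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_token": re.compile(
        r"(?i)(?:token|secret|password|passwd)\s*[=:]\s*[\"']([^\"'\s]{12,})[\"']"),
}

# Values that are variable or template references, not secrets:
# "${var.db_password}", "var.x", "{{ vault_secret }}", "$DB_PASSWORD".
TEMPLATE_REF = re.compile(r"^\$\{.*\}$|^var\.|^\{\{.*\}\}$|^\$[A-Z_][A-Z0-9_]*$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str
    redacted: str  # the full secret is never stored or logged


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; placeholders like 'changemechangeme' score low."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding can be located, mask the rest."""
    return value[:4] + "*" * (len(value) - 4) if len(value) > 4 else "*" * len(value)


def scan_text(text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Scan IaC or source text line by line and return one Finding per leaked credential."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.lastindex else match.group(0)
                if TEMPLATE_REF.match(value):
                    continue  # a reference to a variable, not a literal secret
                # Entropy only gates the loose generic pattern; the structured AWS
                # formats and PEM headers are specific enough on their own.
                if kind == "generic_token" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append(Finding(line_no, kind, redact(value)))
    return findings


# Constructed Terraform snippet for demonstration. The AWS key pair is the
# documentation example published by AWS; the token is made up for this page.
SAMPLE_TF = """\
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}

resource "aws_db_instance" "app" {
  password = "${var.db_password}"
}

resource "aws_ssm_parameter" "token" {
  api_token = "ghp_ThisIsAConstructedTokenValue1234"
  password  = "changemechangeme"
}
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TF):
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
```

Run against the sample, the scanner reports the access key ID on line 3, the secret key on line 4 and the token on line 12, and stays silent on the `${var.db_password}` reference. The low-entropy `changemechangeme` default on line 13 is also skipped by the generic rule; whether weak literal defaults should be reported separately is a policy decision, and the threshold is a parameter for that reason.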
Lack of Operationalization of Cloud Audit and Log Data
Cloud platforms, their services, and cloud-native applications generate vast quantities of data. This data is a gold mine for security operations and incident response teams if they can access and view it. But 76% of organizations don’t implement cloud storage audit logging policies within their cloud environments, according to Cloud Threat Report, Volume 7.
Many reasons prompt organizations to forgo logging cloud audit and infrastructure usage. Logs are often noisy and expensive to store, but not having them can cripple security teams trying to detect and remediate a security breach.
To effectively store and use logging data, Unit 42 recommends implementing the following action items:
- Enable cloud service provider (CSP) tools and services designed to reduce log noise and extract the necessary information.
- Consolidate cloud log monitoring in a third-party security monitoring application, such as Prisma Cloud, to coalesce the data across hybrid and multicloud environments. This also allows for the identification of cloud incidents affecting more than a single cloud environment.
- Rank and prioritize critical logging sources and their events. Prioritize IAM and runtime monitoring logs from cloud sources so that security researchers have the data needed to detect malicious operations as they occur.
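Prioritizing IAM logs, as the last item recommends, only pays off if something consumes them. The following added example, written for this page and not taken from Unit 42 or any vendor tool, implements the two IAM alerts listed earlier in this post (creation of users, roles or policies; modification or deletion of existing roles or policies) over constructed CloudTrail-style records. The field names follow the CloudTrail record format; the account number, principals and 203.0.113.x / 198.51.100.x addresses are documentation and test values. Because a single escalation typically produces several events against one principal, the example also groups alerts into chains by actor and target so an analyst sees one story rather than three tickets.

```python
from collections import defaultdict
from dataclasses import dataclass

IAM_SOURCE = "iam.amazonaws.com"

# Event names that create new principals, policies or credentials.
CREATION_EVENTS = {"CreateUser", "CreateRole", "CreateGroup", "CreatePolicy",
                   "CreatePolicyVersion", "CreateAccessKey", "CreateLoginProfile"}
# Prefixes of IAM event names that change or remove existing roles and policies.
MUTATION_PREFIXES = ("Put", "Attach", "Detach", "Update", "Delete", "Remove", "Add")
# Attaching this AWS managed policy grants full control of the account.
ADMIN_POLICY_SUFFIX = "/AdministratorAccess"


@dataclass
class Alert:
    time: str
    actor: str
    source_ip: str
    event: str
    target: str
    severity: str
    attempted: bool  # True when CloudTrail recorded an errorCode (the call was denied)


def target_of(params: dict) -> str:
    """The principal or policy the call acted on, taken from requestParameters."""
    for key in ("userName", "roleName", "groupName", "policyArn", "policyName"):
        if key in params:
            return params[key]
    return "<unknown>"


def severity_for(name: str, params: dict) -> str:
    if params.get("policyArn", "").endswith(ADMIN_POLICY_SUFFIX):
        return "critical"
    if name in ("CreateAccessKey", "CreateLoginProfile"):
        return "critical"  # new long-lived credentials for a principal
    if name in CREATION_EVENTS or name.startswith("Delete"):
        return "high"
    return "medium"


def detect_iam_changes(records: list[dict]) -> list[Alert]:
    """One Alert per IAM write event; read-only (Get*/List*) and non-IAM events are ignored.
    Denied attempts are kept: a refused CreateAccessKey is still reconnaissance or escalation."""
    alerts = []
    for rec in records:
        if rec.get("eventSource") != IAM_SOURCE:
            continue
        name = rec.get("eventName", "")
        if name not in CREATION_EVENTS and not name.startswith(MUTATION_PREFIXES):
            continue
        params = rec.get("requestParameters") or {}
        alerts.append(Alert(
            time=rec["eventTime"],
            actor=rec.get("userIdentity", {}).get("arn", "<unknown>"),
            source_ip=rec.get("sourceIPAddress", ""),
            event=name,
            target=target_of(params),
            severity=severity_for(name, params),
            attempted="errorCode" in rec,
        ))
    return alerts


def correlate(alerts: list[Alert]) -> dict:
    """Group alerts by (actor, target): CreateUser -> CreateAccessKey -> AttachUserPolicy
    against one principal becomes a single escalation chain instead of three alerts."""
    chains = defaultdict(list)
    for a in alerts:
        chains[(a.actor, a.target)].append(a)
    return dict(chains)


# Constructed CloudTrail-style records (not real telemetry).
_CI = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ci-deployer"}
_ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}
SAMPLE_RECORDS = [
    {"eventTime": "2023-05-01T10:00:01Z", "eventSource": IAM_SOURCE, "eventName": "CreateUser",
     "userIdentity": _CI, "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2023-05-01T10:00:04Z", "eventSource": IAM_SOURCE, "eventName": "CreateAccessKey",
     "userIdentity": _CI, "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2023-05-01T10:00:09Z", "eventSource": IAM_SOURCE, "eventName": "AttachUserPolicy",
     "userIdentity": _CI, "sourceIPAddress": "203.0.113.5",
     "requestParameters": {"userName": "backup-svc",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2023-05-01T10:02:00Z", "eventSource": IAM_SOURCE, "eventName": "GetUser",
     "userIdentity": _ALICE, "sourceIPAddress": "198.51.100.20",
     "requestParameters": {"userName": "alice"}},  # read-only: no alert
    {"eventTime": "2023-05-01T10:03:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc"},
     "sourceIPAddress": "10.0.1.7",
     "requestParameters": {"bucketName": "app-data", "key": "report.csv"}},  # not IAM: no alert
    {"eventTime": "2023-05-01T10:05:00Z", "eventSource": IAM_SOURCE, "eventName": "CreateAccessKey",
     "userIdentity": _ALICE, "sourceIPAddress": "198.51.100.20", "errorCode": "AccessDenied",
     "requestParameters": {"userName": "admin"}},  # denied, but still worth an alert
]

if __name__ == "__main__":
    for (actor, target), chain in correlate(detect_iam_changes(SAMPLE_RECORDS)).items():
        print(f"{actor} -> {target}: " + ", ".join(f"{a.event}[{a.severity}]" for a in chain))
```

On the sample data the detector raises four alerts and folds them into two chains: the ci-deployer principal creating a user, minting it an access key and attaching AdministratorAccess within ten seconds, and a denied attempt by alice to create a key for admin. The S3 PutObject record is ignored even though it starts with "Put", because the eventSource filter is applied before the name prefixes; in production the same logic would run on every delivered CloudTrail file rather than on an in-memory list.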
Extended Response Times to Cloud Alerting
Once logging access is available to security teams, they can begin actively monitoring and hunting for threats within their cloud environments. But logging is only a foundational component. Responding to alerts is equally important to the long-term success of security teams.
But the average alert dwell time is 145 hours (about 6 days), according to Cloud Threat Report, Vol. 7. What's more, researchers found that 5% of security rules were generating 80% of all alerts, introducing avoidable noise and contributing to alert fatigue.
Implement the following tactics to help your security teams identify and respond to critical alerts in a timely fashion.
- Enable time requirements for alerts based on their criticality.
- Address critical alerts first. One alert often relates to and informs subsequent alerts, so resolving the root cause behind a critical alert frequently clears the alerts that depend on it.
- Fine-tune alerting policies based on organizational needs and GRC requirements.
- Follow the guidance of the Prisma Cloud alert creation process when creating custom alerts.
Failure to Assess the Cloud Threat Landscape
Sixty-three percent of production cloud codebases contain unpatched vulnerabilities rated critical or high severity level, as reported in Cloud Threat Report, Vol. 7. If that doesn’t give you pause, consider that 11% of the exposed cloud web services contain critical or high severity vulnerabilities — and 71% of these are at least two years old.
These two findings demonstrate that organizations should spend more time scanning their cloud infrastructure for vulnerabilities and misconfigurations, especially given that many cloud-based attacks are successful due to misconfigurations within cloud environments.
The following five tactics can give organizations a solid footing in understanding and reducing their cloud threat exposure.
- Perform a quarterly asset inventory and security assessment of all cloud services and resources.
- Perform vulnerability and misconfiguration scanning on all cloud assets prior to their production deployment.
- Identify exposed systems and services using network scanners.
- Perform ongoing penetration testing operations on cloud production environments.
- Require, as explicit policy, that only current, patched versions of containerized applications are deployed to production.
Unaware of Cloud Threat Actor Group Operations
Sun Tzu said, “Know your enemy and know yourself; in a hundred battles you will never be defeated.”
When you know your cloud threat landscape, you are halfway to defending it. And though it may seem an onerous endeavor, numerous resources are available to assist you, including Unit 42's Actionable Threat Objects and Mitigations (ATOM).
The following tactics can help your organization identify the CTAGs relevant to its operations and the actions it can take to mitigate them.
- Subscribe to several threat intelligence platforms, such as Unit 42's TAXII feed, that offer STIX/TAXII IOC data consumable by your organization's security tools.
- Identify which CTAGs target your industry's vertical.
- Develop detection solutions and alerting policies for identified CTAG operations.
- Implement prevention mitigations that will outright block specific IOCs.
- Train security staff on cloud attack techniques and operations to be better equipped to identify breaches.
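Consuming a STIX/TAXII feed, as the first tactic suggests, means turning indicator patterns into matches against your own telemetry. The following added example is written for this page and is not Unit 42 code or a description of any vendor's feed. It loads a constructed STIX 2.1 bundle (the indicator IDs, names, addresses and hash are made up; the SHA-256 value is the well-known digest of the string "test"), parses the simple equality comparisons inside each indicator pattern, maps STIX object paths onto the field names of constructed flow and process events, and respects valid_from / valid_until so an expired indicator no longer fires. Only single-comparison patterns joined by OR are handled; full STIX pattern grammar (AND, FOLLOWEDBY, qualifiers) would need a real pattern parser.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# One STIX comparison, "object-path = 'value'". Paths may include a quoted hash
# name, e.g. file:hashes.'SHA-256'. Comparisons joined by OR are simply found in
# sequence; AND / FOLLOWEDBY are not supported by this simplified matcher.
COMPARISON = re.compile(r"([\w\-]+:[\w\-]+(?:\.(?:[\w\-]+|'[^']+'))*)\s*=\s*'([^']*)'")

# STIX object path -> field name in the constructed events below (an assumption
# of this example; real telemetry has its own schema).
PATH_TO_FIELD = {
    "ipv4-addr:value": "dst_ip",
    "domain-name:value": "domain",
    "file:hashes.'SHA-256'": "sha256",
}


@dataclass(frozen=True)
class Indicator:
    stix_id: str
    name: str
    comparisons: tuple  # of (event_field, expected_value)
    valid_from: datetime
    valid_until: Optional[datetime]


def parse_time(ts: str) -> datetime:
    """STIX timestamps are UTC, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def load_indicators(bundle: dict) -> list[Indicator]:
    """Extract indicator objects whose patterns reference observables we can see."""
    out = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        comps = [(PATH_TO_FIELD[path], value)
                 for path, value in COMPARISON.findall(obj["pattern"])
                 if path in PATH_TO_FIELD]
        if not comps:
            continue  # pattern uses object types this telemetry does not contain
        out.append(Indicator(
            stix_id=obj["id"], name=obj.get("name", ""), comparisons=tuple(comps),
            valid_from=parse_time(obj["valid_from"]),
            valid_until=parse_time(obj["valid_until"]) if "valid_until" in obj else None))
    return out


def is_active(ind: Indicator, now: datetime) -> bool:
    return ind.valid_from <= now and (ind.valid_until is None or now < ind.valid_until)


def match_events(indicators: list[Indicator], events: list[dict], now: datetime) -> list[tuple]:
    """(event_id, indicator_id) for every event that hits an indicator active at `now`.
    Values are compared case-insensitively so upper-case hashes still match."""
    hits = []
    for ev in events:
        for ind in indicators:
            if not is_active(ind, now):
                continue
            if any(str(ev.get(field, "")).lower() == value.lower() for field, value in ind.comparisons):
                hits.append((ev["id"], ind.stix_id))
    return hits


# Constructed STIX 2.1 bundle (IDs and content made up for this example).
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--4c0b2a6e-1111-4a1a-9b1a-000000000000",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--4c0b2a6e-1111-4a1a-9b1a-000000000001",
         "created": "2023-04-01T00:00:00.000Z", "modified": "2023-04-01T00:00:00.000Z",
         "name": "Constructed C2 addresses", "indicator_types": ["malicious-activity"],
         "pattern": "[ipv4-addr:value = '198.51.100.7' OR ipv4-addr:value = '198.51.100.8']",
         "pattern_type": "stix", "valid_from": "2023-04-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--4c0b2a6e-1111-4a1a-9b1a-000000000002",
         "created": "2023-04-01T00:00:00.000Z", "modified": "2023-04-01T00:00:00.000Z",
         "name": "Constructed miner binary", "indicator_types": ["malicious-activity"],
         "pattern": "[file:hashes.'SHA-256' = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08']",
         "pattern_type": "stix", "valid_from": "2023-04-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--4c0b2a6e-1111-4a1a-9b1a-000000000003",
         "created": "2022-01-01T00:00:00.000Z", "modified": "2022-01-01T00:00:00.000Z",
         "name": "Constructed expired domain", "indicator_types": ["malicious-activity"],
         "pattern": "[domain-name:value = 'updates.example.net']",
         "pattern_type": "stix", "valid_from": "2022-01-01T00:00:00Z",
         "valid_until": "2022-12-31T00:00:00Z"},
    ],
}

# Constructed events from flow and process telemetry.
SAMPLE_EVENTS = [
    {"id": "ev-1", "dst_ip": "198.51.100.8", "domain": "cdn.example.com"},
    {"id": "ev-2", "process": "xmrig",
     "sha256": "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08"},
    {"id": "ev-3", "dst_ip": "192.0.2.10", "domain": "updates.example.net"},
]

if __name__ == "__main__":
    now = datetime(2023, 5, 1, tzinfo=timezone.utc)
    for event_id, indicator_id in match_events(load_indicators(SAMPLE_BUNDLE), SAMPLE_EVENTS, now):
        print(f"{event_id} matched {indicator_id}")
```

Evaluated as of May 2023, the first two events hit the address and hash indicators and the third does not, because the domain indicator expired at the end of 2022; evaluating the same data as of mid-2022 inverts that result. Feeds carry stale indicators as a matter of course, so the validity window is not optional decoration, and the match list is what you would hand to the blocking mitigations in the next tactic.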
Failure to Detect and Properly Handle Cloud-Targeting Malware
Cloud endpoint runtime monitoring is available to most organizations using single or multicloud platforms. Runtime monitoring of virtual machine, container, and serverless instances is required for any organization that wants to know whether its cloud instances are doing what they were designed to do, or something else entirely (for example, interacting with known command and control (C2) nodes or running malicious binaries post-compromise).
With 63% of production cloud codebases containing a vulnerability of high or critical severity level, the need to monitor cloud instances is greater than ever. Tactical measures an organization should take to ensure they can view runtime operations within their cloud instances include:
- Deploy and properly configure cloud workload protection (CWP) on VM, cluster and container hosts, and serverless functions.
- Ensure CWP solutions are configured to query backend threat intelligence data stores such as WildFire.
- Implement alerting, prevention, and secure handling policies for identified malware.
Redundant Security Tool Operations
Running several security tools to detect threats might seem logical. After all, redundancy is a key component of visibility. But for 76% of organizations, the use of multiple point tools creates blind spots. With more security tools in place, more time is required to configure them, and once the tools are established, the number of alerts climbs, exacerbating alert fatigue among security professionals.
In light of these facts, Palo Alto Networks researchers recommend the following tactics:
- Reduce the number of independent or redundant security tools, allowing the organization to streamline its security operations.
- Integrate security tools into a unified platform to reduce coverage gaps.
Multiple Cloud Operation Owners
In a recent Unit 42 IR case, researchers were tracking the actions of a CTAG that gained access to an organization’s cloud environments through an exposed and vulnerable cloud instance resulting from a cloud misconfiguration. The misconfiguration was caused by a communication failure.
Two teams had changed security controls, neither aware of the other's actions. The development team had created a network security group allowing public access to the vulnerable application. Meanwhile, the IT team had altered an overarching access control list (ACL), the mechanism that would otherwise have protected the exposed instance.
Lacking a centralized owner of cloud security operations, the organization allowed the two teams to make independent alterations to its security perimeter. The compromised cloud instance then allowed the CTAG to collect sensitive IAM credentials, which gave them access to two of the organization's cloud platforms and resulted in the loss of sensitive data.
The following tactics are recommended to ensure that organizations maintain a secure environment for all teams.
- Assign responsibility for all cloud operations to a single organization entity, such as security operations or IT.
- Develop a hierarchical organization structure that includes cloud IT administration, DevOps, and security operations.
- Implement change control policies based upon the principles of CI/CD to ensure all cloud resources pass functionality, security, and accessibility requirements prior to production deployment.
- Routinely scan all cloud infrastructure to identify exposed cloud instances.
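The incident above is a layering failure: each team's change looked acceptable in isolation, and the exposure existed only in the combination. The following added example, written for this page and not drawn from the Unit 42 case, models the two layers with their real evaluation semantics (a security group is allow-only and unordered; a network ACL is evaluated in ascending rule number, first match wins, with an implicit deny at the end) and reports which ports a constructed instance exposes to an arbitrary Internet address. The rule sets, CIDRs and ports are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class SGRule:
    """Security group ingress rule: allow-only, no ordering. protocol '-1' means all."""
    protocol: str
    from_port: Optional[int]   # None together with to_port=None means all ports
    to_port: Optional[int]
    cidr: str


@dataclass(frozen=True)
class NACLRule:
    """Network ACL ingress rule: evaluated by ascending number, first match decides."""
    number: int
    protocol: str
    from_port: Optional[int]
    to_port: Optional[int]
    cidr: str
    action: str  # "allow" or "deny"


def _covers(rule, protocol: str, port: int, src_ip: str) -> bool:
    """Does this rule's protocol, port range and CIDR match the probe?"""
    if rule.protocol != "-1" and rule.protocol != protocol:
        return False
    if rule.from_port is not None and not (rule.from_port <= port <= rule.to_port):
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr)


def sg_allows(rules, protocol: str, port: int, src_ip: str) -> bool:
    return any(_covers(r, protocol, port, src_ip) for r in rules)


def nacl_allows(rules, protocol: str, port: int, src_ip: str) -> bool:
    for r in sorted(rules, key=lambda r: r.number):
        if _covers(r, protocol, port, src_ip):
            return r.action == "allow"
    return False  # implicit deny when no numbered rule matches


def internet_exposed_ports(sg, nacl, ports, protocol="tcp", probe_ip="203.0.113.9") -> list[int]:
    """Ports reachable from an arbitrary Internet address: both layers must allow."""
    return [p for p in ports
            if sg_allows(sg, protocol, p, probe_ip) and nacl_allows(nacl, protocol, p, probe_ip)]


# Development team's security group: the application port is open to the world.
DEV_SG = [
    SGRule("tcp", 443, 443, ANY),
    SGRule("tcp", 8080, 8080, ANY),             # the vulnerable application
    SGRule("tcp", 22, 22, "198.51.100.0/24"),   # corporate range only
]

# Subnet NACL as IT originally maintained it: 443 from anywhere, 22 from corporate,
# plus the high ephemeral range that a stateless ACL needs for return traffic.
NACL_ORIGINAL = [
    NACLRule(100, "tcp", 443, 443, ANY, "allow"),
    NACLRule(110, "tcp", 22, 22, "198.51.100.0/24", "allow"),
    NACLRule(120, "tcp", 32768, 65535, ANY, "allow"),
]

# IT's later change: a low-numbered allow-all, with a deny that comes too late.
NACL_AFTER_IT_CHANGE = [
    NACLRule(90, "-1", None, None, ANY, "allow"),       # matched first for everything
    NACLRule(200, "tcp", 8080, 8080, ANY, "deny"),      # never reached: rule 90 already matched
] + NACL_ORIGINAL

if __name__ == "__main__":
    for label, nacl in (("original NACL", NACL_ORIGINAL), ("after IT change", NACL_AFTER_IT_CHANGE)):
        print(f"{label}: Internet-exposed ports {internet_exposed_ports(DEV_SG, nacl, [22, 443, 8080])}")
```

With the original ACL the instance exposes only 443, because the development team's 8080 rule is stopped at the subnet boundary; after IT's change 8080 is exposed, and the deny rule at number 200 does nothing because rule 90 has already matched. Two practical notes: the check is only as good as the probe address and port list you feed it, and because NACLs are stateless, teams often open a broad ephemeral range inbound (1024-65535 is a common choice), which would also cover 8080 and is exactly the kind of interaction this evaluation catches.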
Ignoring Zero Trust Principles
Consider the ecosystem of controls available to an organization across the network, endpoint, cloud, application layer, and IoT. Identity management is the control linking these layers and, as such, IAM policies are the bedrock of a secure Zero Trust architecture.
But implementing Zero Trust isn’t easy, and cloud threat actors view the burden of this difficulty as their golden ticket to your environment.
Identity is the new perimeter of your environment, making IAM the most critical control in your organization's operations. Begin implementing the principles of Zero Trust architecture within your IAM policies, roles and users. This strategic approach to cybersecurity eliminates implicit trust and continuously validates every stage of digital interaction.
If you’re just starting your Zero Trust journey, the following tactics can give your organization a jumping-off point.
- Architect cloud environments using multiple cloud accounts designated for each organizational group or project.
- Segment production and development cloud operations into their own accounts. Should HR, IT, customer service, or marketing require cloud resources, give each its own account so that its operations cannot affect other teams.
Failure to Establish Cloud IR Planning and Operations
Incident response (IR) plans are essential for organizations to properly recover from a breach or security incident. Cloud environments offer unique scenarios that need consideration when implementing a cloud IR operation.
Although costs to maintain a record of events taking place within your cloud environment can be high, you’ll find cost-reducing solutions to cloud logging with a little investigation. Properly implementing Zero Trust principles when designing IAM policies, roles, and users can be strenuous but will pay off significantly by reducing your threat landscape. Lastly, cryptojacking events are costly. Monitoring cloud instances for indications of malicious activity will boost your ROI.
Tactics to help your organization establish a solid cloud IR plan include:
- Define how cloud data is to be recorded and stored to ensure adequate visibility into all cloud operations in the event of a security incident.
- Implement a robust quarantine control process for all cloud resources in the event of a compromise.
- Mandate quarantine and security team analysis of cloud resources — containers, VMs, serverless functions — in the event of a compromise. Compromised containers should never be restarted without a snapshot of their current operation.
- Ensure adequate access is given to the security research team responsible for investigating compromised cloud resources.
Closing the Gaps in Cloud Security
By addressing the top 10 cloud security risks, Unit 42 researchers believe the security of cloud environments can be dramatically improved, raising the bar for cloud security operations and allowing organizations to build manageable, well-defended cloud environments.
For a comprehensive look at the current cloud security landscape, based on large-scale data and real-world attack scenarios, download Unit 42’s Cloud Threat Report, Volume 7: Navigating the Expanding Attack Surface.