Why Cloud Attacks No Longer Need Malware
2024-05-29

As organizations increasingly depend on cloud technology, it has become a more appealing target for cybercriminals who aim to steal data or demand ransoms. While malware has been a common tool for these attacks in the past, cyber threats are evolving and becoming more sophisticated. To gain deeper insights into these emerging threats and effective defense strategies, we interviewed Shai Morag, Senior Vice President and General Manager of Cloud Security at Tenable.
The Cloud: A Prime Target
Many organizations are experiencing a substantial shift towards cloud computing, transferring both workloads and critical data to cloud-native platforms. This trend, along with the creation of new cloud-native applications across various providers, has markedly increased the attack surface. Consequently, the cloud has become a major target for cyber threats, as the expanded attack surface offers more opportunities for attackers to exploit vulnerabilities and access sensitive information and systems.
In response to this migration, cybercriminals are adapting their tactics to exploit cloud environments. In fact, a Tenable report found that more than two-thirds of cloud decision-makers say their cloud deployments -- particularly public and hybrid instances -- are their organization’s greatest area of exposure risk. Recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that APT29, responsible for the 2020 SolarWinds breach, is targeting cloud services to gain initial access to organizations in the government, healthcare, and education sectors. By taking advantage of the increasing migration from on-premises to cloud-based infrastructures, these bad actors are leveraging the cloud to move beyond traditional methods to gain initial access.
Beyond Traditional Malware
With on-premises systems, traditional malware is often the primary tool for cyber attackers to gain a foothold and cause damage. Utilizing malware enables attackers to establish persistence, maintain that foothold, and infiltrate the network. With cloud-native attacks, attackers don't have to leverage malware to maintain their foothold in the network. Attackers' primary persistence strategy involves identity-based means, such as creating access keys, exploiting misconfigured access controls and entitlements, or creating a user/role, to infiltrate, escalate privileges, and move laterally.
Emerging Attack Vectors
We are seeing more and more attacks exploiting misconfigurations in identity and access management (IAM) systems. With the complexity of modern IT infrastructures and the proliferation of cloud-based services, organizations often find themselves grappling with an abundance of identity and access management systems. Organizations have to manage identities and entitlements at the identity provider level, the cloud infrastructure level, and in the on-prem environment. These responsibilities are divided among different teams and different systems.
These fragmented systems create exposure, opening the door for attackers to exploit weaknesses and gain unauthorized access to sensitive data and resources. For instance, misconfigured access controls or improperly managed user privileges can inadvertently grant attackers unrestricted entry to critical systems or data repositories.
To tackle these new threats effectively, organizations should focus on optimizing and unifying their identity and access management procedures. By bringing these systems together and adopting strong security protocols, such as frequent audits and access evaluations, organizations can considerably lower their risk exposure and bolster their overall security stance.
The Role of Malicious Insiders
Malicious insiders can play a role in cloud-based attacks, especially in organizations with lackadaisical identity and access management policies. While external threats often dominate headlines, insider threats can be just as, if not more, damaging, because the insider has familiarity with the organization’s systems and potentially broader access to sensitive data. As a result, insiders can be a major threat to an organization -- whether the threat is intentional or not.
Regularly reviewing an organization's data sensitivity and auditing access permissions is essential for effectively mitigating insider threats. The potentially severe impact of such threats necessitates a proactive approach, which includes implementing robust access controls, frequent audits of user permissions, and real-time monitoring to detect and respond to suspicious activities. Utilizing Just-In-Time controls helps eliminate long-standing permissions, further reducing risks. Additionally, promoting a culture of security awareness and accountability among employees is vital to prevent insider threats from arising. By addressing both the technical and behavioral aspects of security, organizations can effectively safeguard against the dangers posed by malicious insiders in cloud environments.
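The identity-based persistence actions described under "Beyond Traditional Malware" (minting access keys, creating a user or role, widening entitlements) and the real-time monitoring recommended above can be tied together as detection logic over audit-log events. The following Python is an added example, not code from the article or from Tenable; it assumes AWS CloudTrail as the log source and runs over constructed sample records.

```python
import json

# Identity-based persistence actions the article describes (minting access keys, creating
# a user or role, widening entitlements) expressed as AWS CloudTrail eventNames.
# AWS is assumed here as the example provider; the article itself is provider-agnostic.
PERSISTENCE_EVENTS = {
    "CreateAccessKey", "CreateUser", "CreateRole", "CreateLoginProfile",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "UpdateAssumeRolePolicy",
}

# Constructed CloudTrail-style records (made up for this example; the account id is a placeholder).
SAMPLE_LOG = """
{"eventTime":"2024-05-01T10:00:00Z","eventName":"ListBuckets","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":null}
{"eventTime":"2024-05-01T10:02:00Z","eventName":"CreateAccessKey","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"userName":"alice"}}
{"eventTime":"2024-05-01T10:03:00Z","eventName":"CreateUser","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ci-deploy/session1"},"requestParameters":{"userName":"svc-backup2"}}
{"eventTime":"2024-05-01T10:03:30Z","eventName":"CreateAccessKey","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ci-deploy/session1"},"requestParameters":{"userName":"svc-backup2"}}
{"eventTime":"2024-05-01T10:04:00Z","eventName":"AttachUserPolicy","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ci-deploy/session1"},"requestParameters":{"userName":"svc-backup2","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
"""

def actor_name(identity):
    # "arn:...:user/alice" -> "alice"; "arn:...:assumed-role/ci-deploy/session1" -> "ci-deploy"
    parts = identity.get("arn", "").split(":")[-1].split("/")
    return parts[1] if len(parts) > 1 else parts[0]

def classify(event):
    # Return (severity, reason) for a persistence action, or None for any other event.
    name = event["eventName"]
    if name not in PERSISTENCE_EVENTS:
        return None
    params = event.get("requestParameters") or {}
    actor, target = actor_name(event["userIdentity"]), params.get("userName", "")
    if name == "CreateAccessKey" and target and target != actor:
        return "high", f"{actor} minted an access key for another principal ({target})"
    if params.get("policyArn", "").endswith("/AdministratorAccess"):
        return "high", f"{actor} attached AdministratorAccess to {target or params.get('roleName')}"
    return "medium", f"{actor} performed {name}"

def detect(log_text):
    # Walk newline-delimited JSON events and keep only identity-persistence findings.
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        result = classify(event)
        if result:
            severity, reason = result
            findings.append({"time": event["eventTime"], "actor": actor_name(event["userIdentity"]),
                             "event": event["eventName"], "severity": severity, "reason": reason})
    return findings
```

A user creating a key for their own account is reported at medium severity because it is routine in many teams; a key minted for a different principal, or an administrator policy attached to a freshly created user, is the pattern worth paging on.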
Defending Against Cloud Attacks
The first step for businesses to build a robust cloud security strategy is to ensure comprehensive visibility across all cloud environments. This requires a deep understanding of cloud identities, entitlements, and resources, encompassing IAM, federated, and third-party users. Businesses should also prioritize identifying and mitigating risks related to access, such as excessive permissions and network exposure. Enforcing least privilege access and enabling just-in-time access for developers are crucial measures that can help minimize the attack surface and enhance the overall security posture.
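One concrete form of the excessive-permissions check this section calls for is reviewing policy documents for wildcard actions, unscoped resources, and identity-sensitive actions that would let a principal mint credentials or widen its own entitlements. This Python is an added example, not code from the article or from Tenable; it assumes AWS IAM policy JSON and compares two constructed policies, a broad grant and a least-privilege version of the same intent.

```python
import json

# Two constructed IAM policy documents (made up for this example): a broad grant of the
# kind that creates "excessive permissions", and a least-privilege version of the same intent.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:CreateAccessKey", "iam:PassRole"], "Resource": "*"}
  ]
}""")
SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::app-artifacts/*"}
  ]
}""")

# Actions that let a principal mint credentials or widen entitlements: the identity-based
# persistence and privilege-escalation paths the article describes.
IDENTITY_SENSITIVE = {"iam:CreateAccessKey", "iam:CreateUser", "iam:CreateRole", "iam:CreateLoginProfile",
                      "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
                      "iam:UpdateAssumeRolePolicy", "iam:PassRole", "sts:AssumeRole"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def review(policy):
    # Return (statement_index, finding) pairs; an empty list means no excessive grant was found.
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = as_list(stmt.get("Action", [])), as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, f"wildcard action(s) {actions}"))
        if "*" in resources:
            findings.append((i, f"unscoped Resource '*' for {actions}"))
        risky = sorted(a for a in actions if a in IDENTITY_SENSITIVE or a in ("*", "iam:*"))
        if risky and "*" in resources:
            findings.append((i, f"identity-sensitive actions usable on any principal or role: {risky}"))
    return findings
```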