The cloud proved a vital lifeline for businesses during the pandemic, and investment soared over the course of 2020; this is only set to continue. More than half (55%) of UK organisations plan to invest in cloud technology in the next 12 months, more than in any other technology, according to the latest Accenture/IHS Markit UK Business Outlook. However, an increased business footprint outside the company network also brings security risks.
There are often misconceptions about where responsibility lies, with many organisations wrongly assuming that their Cloud Service Provider (CSP) is responsible for maintaining their security posture. In practice the CSP secures the underlying infrastructure, while the customer remains responsible for how its accounts, identities, data and workloads are configured. Concern is also holding businesses back: Accenture recently found that 46% of senior IT executives felt that security and compliance risk is a barrier to realising the benefits of the cloud.
Here, we explore some of the main tactics cyber criminals are currently using to target cloud environments, based on the experience of Accenture’s Cyber Threat Intelligence team and its research into underground forums. Understanding these threats is the first step in creating a strategy to defend against them.
Login credential theft and account takeover
Threat actors can target cloud login credentials with the same methods used to steal any other company credentials: social engineering, phishing, smishing, social media scams, or malware such as information stealers. From there, actors either use the stolen credentials to access company resources themselves, sell them to other criminals, or in some cases even give them away to enhance their reputation. Credentials for any corporate platform became especially attractive as the ecosystem between network access sellers and ransomware gangs began to prosper in 2020.
Implementing multi-factor authentication wherever possible is critical for defending against this threat, because a stolen password alone is then no longer enough to sign in. Businesses should also secure their networks against malware through best practice for patching, maintaining up-to-date antivirus signatures, configuring firewalls, running regular scans, retaining backups separate from the network, and using application ‘allow’ lists.
Access key theft
Stolen access keys are another route in. API access keys authenticate programmatic calls to a cloud account without a username or password and typically without an interactive multi-factor prompt, so a key that works is as good as a login. A threat actor who obtains one, for example from an exposed internal server, can use it directly to steal data including email addresses, hashed and salted passwords, and API and transport layer security (TLS) keys.
Access keys are often exposed accidentally, for instance pasted to services such as Pastebin or committed to a repository on a software development platform, and are easy to find if that repository is accessible to the public. They can also be stolen by malware deployed on compromised devices.
To protect themselves, leaders should follow access key security best practice: regenerate keys regularly, never embed keys in code or configuration that is committed to source control, delete keys that are unused or no longer needed, and prefer short-lived credentials issued through a role or identity service where the platform offers them.
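Two of those practices can be enforced rather than merely recommended. The following is an added example, not code from the article or from Accenture: a scan of source text for embedded cloud access keys, followed by a rotation policy applied to a key inventory. It assumes the AWS access key ID format (AKIA followed by 16 upper-case alphanumerics; other providers use other formats), a 90-day rotation window and a 30-day idle window; the sample source file and inventory are constructed, and the key pair in them is the one used in AWS documentation examples, not a live credential.

```python
"""Catch access keys before they leak, and retire the ones that already exist.

Added example, not the article's own code. Two checks are shown: a scan of
source text for embedded cloud access keys (the key-ID pattern assumed here
is the AWS format, AKIA followed by 16 upper-case alphanumerics; other
providers use other formats) and a rotation policy applied to a key
inventory. All sample inputs are constructed.
"""
import re
from datetime import date

# AWS-format access key ID. \b keeps it from matching inside longer tokens.
KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# A 40-character base64-style token assigned to something named "...secret..."
SECRET_RE = re.compile(
    r"(?i)secret[^\n=:]*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


def find_embedded_keys(text):
    """Return (line_no, kind, value) for each likely credential in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in KEY_ID_RE.finditer(line):
            findings.append((line_no, "access_key_id", m.group(1)))
        for m in SECRET_RE.finditer(line):
            findings.append((line_no, "secret_access_key", m.group(1)))
    return findings


def stale_keys(inventory, today, max_age_days=90, unused_days=30):
    """Apply a rotation policy to an access-key inventory.

    inventory: dicts with 'key_id', 'created' (date) and 'last_used'
    (date, or None if never used). Returns {key_id: action}: 'delete' for
    keys never used or idle longer than unused_days, 'rotate' for keys
    older than max_age_days that are still in use.
    """
    actions = {}
    for key in inventory:
        idle = key["last_used"] is None or (today - key["last_used"]).days > unused_days
        if idle:
            actions[key["key_id"]] = "delete"
        elif (today - key["created"]).days > max_age_days:
            actions[key["key_id"]] = "rotate"
    return actions


def mask(value):
    """Show only the ends of a credential when reporting it."""
    return value[:4] + "..." + value[-4:]


# Constructed sample source file; the key pair is the one used in AWS
# documentation examples, not a live credential.
SAMPLE_SOURCE = """\
import boto3
# constructed sample: the committed key pair below is the AWS documentation example
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
client = boto3.client("s3")
"""

TODAY = date(2021, 3, 1)
SAMPLE_INVENTORY = [  # constructed inventory, as a cloud IAM API might report it
    {"key_id": "AKIAIOSFODNN7EXAMPLE", "created": date(2020, 6, 1), "last_used": date(2021, 2, 28)},
    {"key_id": "AKIAI44QH8DHBEXAMPLE", "created": date(2021, 1, 15), "last_used": None},
    {"key_id": "AKIAEXAMPLEEXAMPLE12", "created": date(2021, 2, 1), "last_used": date(2021, 2, 20)},
]

if __name__ == "__main__":
    for line_no, kind, value in find_embedded_keys(SAMPLE_SOURCE):
        print(f"line {line_no}: {kind} {mask(value)}")
    for key_id, action in stale_keys(SAMPLE_INVENTORY, TODAY).items():
        print(f"{mask(key_id)}: {action}")
```

Run as a pre-commit hook, the scanner refuses the commit on any finding; run daily against the IAM key list, the policy yields the concrete delete and rotate actions rather than a reminder. Values are masked in output so the report itself does not become another copy of the secret.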
Supply chain compromise
As many as 40% of cyber security attacks occur as a result of indirect attacks on the supply chain. As the SolarWinds compromise showed, threat actors who gain access to a victim’s network can pivot from on-premises access to cloud resources by abusing trusted authentication infrastructure, for instance forging the federated sign-in tokens that cloud services accept once the signing material behind them has been stolen.
Organisations can implement a number of preventative measures to mitigate supply chain threats, from multi-factor authentication to strengthen user access control through to hardware-based authentication controls on critical assets. Analytics can be key to spotting suspicious sign-ins by actors using legitimate credentials, and to highlighting when third-party supply chain partners might themselves have been compromised.
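What such analytics look like in practice, as an added example that is not part of the article: two detections run over constructed sign-in records, one that flags a successful sign-in from a country the user (or partner account) has never signed in from during a baseline period, and one that flags a success closely following a burst of failures. The log format (timestamp, user, result, country, source IP), the baseline cut-off and the thresholds are all assumptions for the example; real providers’ sign-in logs are JSON with their own field names.

```python
"""Flag suspicious use of credentials in cloud sign-in logs.

Added example, not from the article. Log lines are constructed in a simple
space-separated format (timestamp user result country ip); real providers'
sign-in logs are JSON with their own field names, so parse() would change.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                # failures before a success becomes suspicious
FAIL_WINDOW = timedelta(minutes=10)


def parse(log_text):
    """Turn the constructed log format into dicts sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, country, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "result": result, "country": country, "ip": ip,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(log_text, baseline_end):
    """Return (timestamp, user, reason) alerts.

    Successes before baseline_end define each user's known countries. After
    that, a success from an unknown country is flagged (this also flags any
    account with no baseline at all), as is a success preceded by
    FAIL_THRESHOLD or more failures for the same user within FAIL_WINDOW.
    """
    events = parse(log_text)
    known = defaultdict(set)
    for e in events:
        if e["result"] == "success" and e["ts"] < baseline_end:
            known[e["user"]].add(e["country"])

    recent_failures = defaultdict(list)
    alerts = []
    for e in events:
        user = e["user"]
        if e["result"] == "failure":
            recent_failures[user].append(e["ts"])
            continue
        fails = [t for t in recent_failures[user] if t >= e["ts"] - FAIL_WINDOW]
        if len(fails) >= FAIL_THRESHOLD:
            minutes = int(FAIL_WINDOW.total_seconds() // 60)
            alerts.append((e["ts"], user, f"success after {len(fails)} failures within {minutes} minutes"))
        recent_failures[user] = []
        if e["ts"] >= baseline_end and e["country"] not in known[user]:
            alerts.append((e["ts"], user, f"first sign-in from {e['country']} ({e['ip']})"))
    return alerts


# Constructed sign-in records; IPs are from documentation ranges.
SAMPLE_LOG = """\
2021-02-01T08:00:00Z alice success GB 203.0.113.10
2021-02-02T08:05:00Z alice success GB 203.0.113.10
2021-02-03T09:00:00Z bob success GB 203.0.113.20
2021-02-03T09:10:00Z partner-svc success DE 198.51.100.5
2021-02-10T03:00:00Z alice success RO 192.0.2.77
2021-02-10T03:01:00Z bob failure GB 192.0.2.78
2021-02-10T03:02:00Z bob failure GB 192.0.2.78
2021-02-10T03:03:00Z bob failure GB 192.0.2.78
2021-02-10T03:04:00Z bob failure GB 192.0.2.78
2021-02-10T03:05:00Z bob failure GB 192.0.2.78
2021-02-10T03:06:00Z bob success GB 192.0.2.78
2021-02-11T10:00:00Z partner-svc success US 192.0.2.90
2021-02-11T10:30:00Z alice success GB 203.0.113.10
"""
BASELINE_END = datetime(2021, 2, 7)

if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG, BASELINE_END):
        print(ts.isoformat(), user, reason)
```

The partner-svc alert is the supply chain case: a third party’s service account signing in from somewhere it never has before is often the first visible sign that the partner, not the organisation, has been compromised.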
Vulnerabilities
While threat actors may actively work to infiltrate a company’s defences, sometimes the vulnerabilities are already there. CSPs usually patch known vulnerabilities in the services they run quickly and without customer involvement. However, where the customer manages the software itself, for example on its own virtual machines and containers, patching is the customer’s job, and the complexity of the environment makes it easy to lose track of what still needs doing.
Businesses should prioritise regular scanning for known vulnerabilities and patch by keeping each piece of software they run on current, supported versions. On top of this, IT leaders should maintain an up-to-date inventory of assets so that every endpoint requiring patching is visible; an unknown asset cannot be patched.
Misconfiguration
In the rush to gain a competitive advantage, cloud environments are evolving rapidly, with organisations adopting hybrid or multi-cloud approaches. That complexity makes misconfiguration more likely. Misconfigured cloud infrastructure can expose data or resources to the public internet, and failure to implement encryption or multi-factor authentication can allow actors to access cloud-related tools, data, assets or systems.
There are many ways to misconfigure a cloud environment, so to avoid mistakes, asset and configuration controls must be defined early. Automated configuration (defining infrastructure as code and checking it against policy before it is deployed) and self-healing processes that correct drift also reduce manual steps, ensuring nothing is missed across varied environments.
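The three misconfigurations named above (resources open to the internet, missing encryption, missing multi-factor authentication) are exactly the kind of thing a policy check catches before deployment. The following is an added example, not code from the article or from any provider: a small policy-as-code audit run over a constructed, provider-neutral inventory, shown once with the weak settings and once after correction. The record shapes and field names are assumptions; a real check would read the export format of the cloud in use.

```python
"""Policy-as-code checks for the misconfigurations the article lists.

Added example, not the article's own code. The resource records are a
constructed, provider-neutral inventory; real exports from AWS, Azure or
GCP use their own field names, so the checks would be adapted to those.
"""
import ipaddress

# Ports a public web tier may legitimately expose to the whole internet
PUBLIC_OK_PORTS = {80, 443}


def is_world_open(cidr):
    """True if the CIDR admits the entire IPv4 (0.0.0.0/0) or IPv6 (::/0) internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_firewall_rule(rule):
    """Flag inbound rules that open anything but the web ports to everyone."""
    findings = []
    if rule["direction"] != "ingress" or not is_world_open(rule["cidr"]):
        return findings
    only_web = rule["from_port"] == rule["to_port"] and rule["from_port"] in PUBLIC_OK_PORTS
    if not only_web:
        findings.append(f"{rule['id']}: ports {rule['from_port']}-{rule['to_port']} open to {rule['cidr']}")
    return findings


def check_bucket(bucket):
    """Flag storage that is public or unencrypted."""
    findings = []
    if bucket["public_access"]:
        findings.append(f"{bucket['id']}: public access enabled")
    if not bucket["encryption_at_rest"]:
        findings.append(f"{bucket['id']}: encryption at rest disabled")
    return findings


def check_user(user):
    """Flag interactive accounts that can sign in without MFA."""
    findings = []
    if user["console_login"] and not user["mfa_enabled"]:
        findings.append(f"{user['id']}: console login allowed without MFA")
    return findings


CHECKS = {"firewall_rule": check_firewall_rule, "bucket": check_bucket, "user": check_user}


def audit(resources):
    """Run every applicable check over the inventory; return the finding strings."""
    findings = []
    for resource in resources:
        check = CHECKS.get(resource["type"])
        if check is not None:
            findings.extend(check(resource))
    return findings


# Constructed inventory with the weak settings ...
WEAK = [
    {"type": "firewall_rule", "id": "sg-db", "direction": "ingress", "cidr": "0.0.0.0/0", "from_port": 5432, "to_port": 5432},
    {"type": "firewall_rule", "id": "sg-web", "direction": "ingress", "cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
    {"type": "bucket", "id": "customer-exports", "public_access": True, "encryption_at_rest": False},
    {"type": "user", "id": "ops-admin", "console_login": True, "mfa_enabled": False},
]

# ... and the same inventory after correction: the database listens only to
# the internal range, the bucket is private and encrypted, the admin has MFA.
FIXED = [
    {"type": "firewall_rule", "id": "sg-db", "direction": "ingress", "cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432},
    {"type": "firewall_rule", "id": "sg-web", "direction": "ingress", "cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443},
    {"type": "bucket", "id": "customer-exports", "public_access": False, "encryption_at_rest": True},
    {"type": "user", "id": "ops-admin", "console_login": True, "mfa_enabled": True},
]

if __name__ == "__main__":
    for finding in audit(WEAK):
        print("FAIL", finding)
    print("findings after correction:", audit(FIXED))
```

Wired into the deployment pipeline, a non-empty result from audit() fails the build; run periodically against the live inventory, it is the detection half of the self-healing loop, with the correction applied by the same automation that created the resource.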
Protection must be a priority as UK businesses look ahead
CSPs have worked hard to secure their infrastructure and to invest in native security features. But it is down to the organisation to apply those tools to secure its own cloud environment, as well as the applications it builds.
Too often security isn’t considered until organisations are well into their cloud journey. This leads to delayed projects and can even mean the work has to be done all over again. These are just some of the tactics threat actors are using to infiltrate cloud environments, and they won’t stop developing new ways to breach a company’s defences. Ultimately, security needs to be ‘shifted left’: built into cloud projects from the start and treated as part of the software development lifecycle, not bolted on at the end.