Cloud computing has allowed modern organizations to scale at incredible rates, transforming how organizations collaborate and operate. While cloud adoption grows across all industries, its inherent risks have expanded alongside it. This steers security leaders towards implementing the right cybersecurity strategies to protect their cloud environments.
In the latest Angelneers podcast episode, host Oleg Sullivan Koujikov spoke with SentinelOne’s VP, Product Management for Cloud Security, Ely Kahn, about the realities of using cloud computing, the three main cloud-based attack vectors, and the rise of cloud native application protection platforms (CNAPPs) in combating threat actors who continue to take aim at this fast-growing attack surface. In this post, we share Ely’s main take aways for staying secure in the cloud.
Growing Threats Organizations Face in the Cloud
Koujikov: Today, in 2023, many business organizations have completely migrated computing resources to the cloud and other companies are still working to migrate over to the cloud. It seems we are trending in this direction and threats are also growing in cloud computing. Can you talk about some of the cloud security issues and threats organizations face as this larger trend towards cloud computing is adopted?
Kahn: The first thing to remember with cloud security is what people use the cloud for. Organizations are using the cloud to host web applications and store their data. Oftentimes, this is time-sensitive data or business-critical web applications that are generating tens, if not hundreds of millions of dollars of revenue.
This in mind, the real goal of cloud security is to defend those applications and the underlying infrastructure that they sit on in the cloud. Given that there are these applications in cloud processing, sensitive data like personal health information, personally identifiable information (PII), or credit card information, attract adversaries who want to either steal that information, resell it on the dark web, or use it to conduct a ransomware attack. Adversaries then extract money from a victim company who are trying to unbrick their application that has been encrypted due to that ransomware incident.
3 Common Cloud-Based Attack Vectors
Kahn: Adversaries or threat actors are conducting these attacks using one of three ways as their initial access. The following are stack ranked in relative frequency.
1. Misconfigured Resources
Number one on the list is misconfigured resources and, specifically, cloud resources that are made publicly accessible to the internet. For example, if I am using an S3 bucket, Elasticsearch cluster, or another type of cloud database and I accidentally misconfigure it so that it is publicly accessible from the internet when it shouldn’t be, I will be breached within minutes.
There are adversaries continuously scanning the internet and AWS IP ranges for any type of resource that is exposed to the internet. Suppose that resource contains sensitive data or connections to other resources through overly permissive identity roles or permissions. This is a classic way in which organizations experience cloud breaches.
2. Compromised Access Keys
With cloud providers, there’s the concept of access keys. On one hand, think username and password-type access keys and, on the other, there are ephemeral access keys. Ephemeral access keys are always the recommended way for setting up your access through identity access management (IAM) roles instead of IAM users. Roles have ephemeral access keys; users have long-lasting access keys.
The long-lasting access keys can get compromised in a number of ways. They can get stolen, people can hard code them and then find that the code repos are made public. Essentially, finding access keys and then using them to access cloud accounts is the second most common cloud-based risk organizations face.
3. Vulnerable Web Applications
As mentioned before, people are using cloud computing to host web applications from cloud providers. Those web applications could have exploitable vulnerabilities associated with them. For example, a company may be using a version of WordPress that has a badge or corrupted plug-in that can be exploited, or a form on their application is subject to SQL injection.
There are several ways to protect applications from these types of vulnerabilities. You can scan the application vulnerabilities, or put a web application firewall in front of them to limit the malicious actions that can be taken against them. However, once a threat actor has gotten in through that front door, they are able to move laterally and conduct various types of cloud attacks.
Koujikov: To summarize these three main cloud-based attack vectors, we can say it’s like one: you left open a door, two: someone got a key, or three: they went right through the front door.
Kahn: Exactly, and maybe broke a window in the process!
Understanding Hybrid & Multi-Cloud Risks
Koujikov: Next, can you talk about the growing hybrid cloud approach? It implies that services and applications that can be hosted are configured locally and could be migrated to a cloud. Can you talk about the proliferation of hybrid and multi-cloud security?
Kahn: Let me break these down a little bit: What does multi-cloud mean? Multi-cloud means that you’re actually using multiple cloud providers, for example AWS and Azure, for your host workloads. Rarely is the same application being used across multiple cloud providers. More often, organizations are picking one cloud provider for one type of workload and another cloud provider for another type of workload, because you really like their capabilities in a particular area. Back to the example, perhaps an organization is using Azure for its machine learning, but then using AWS for everything else.
With hybrid cloud, this refers to organizations that store some of their data in a public cloud environment while simultaneously running other applications within their own on-prem environment, which could be a private cloud environment. What’s interesting from a security perspective is the idea that security incidents can actually start on-prem and then move into the cloud or vice versa. So, right now, I would say that most security solutions are relatively stovepiped meaning they only focus on cloud security, or they only focus on on-prem security.
Because of that stovepipe-like focus, many security solutions potentially miss these pivots between on-prem and cloud environments. This limits your ability to really, truly understand the full scope of an attack or a full scope of incident.
As an example, a user could accidentally enter credentials in a malicious website linked from a phishing email. An adversary would then use those credentials to log into their machine. From there, actors could use privilege escalation techniques to acquire admin credentials or find existing admin credentials on the compromised machine. Say those admin credentials are cloud admin credentials.
With that access in hand, the threat actor could log into the cloud and perhaps create a new user for themself that has permissions to complete the rest of their mission in the cloud. From the point of view of a threat actor, I’ve just pivoted from your laptop into the cloud environment and I’m executing nefarious actions there.
For security leaders today, what’s important is to put all of these pieces together into a larger storyline – a unified view that cuts across both on-prem and cloud environments.
How Cloud Native Application Protection Platforms (CNAPPs) Can Help
Koujikov: Is that why there’s an interest in cloud native application protection platforms (CNAPPs)?
Kahn: “Cloud native application protection platform” is a term coined originally by Gartner, but used widely throughout the industry now. Going back to the idea of stovepipe-like connections between on-prem security and cloud security, there’s lots of specialization. Alternatively, the idea of CNAPPs begins to merge various cloud security tools into a more unified platform itself.
To completely and fully defend the cloud, organizational leaders need application security tools that can ensure the integrity and the security of the code associated with the applications that they’re deploying to the cloud. They need security tooling to look at the development and deployment pipelines for that code.
When code is developed, it goes through a series of tests moving from beta to production environments. That pipeline itself needs to be secure. Using the case of the SolarWinds attack, Russian-linked threat actors were found to have injected code into the SolarWinds code base via their development and deployment pipelines. Since then, that’s really keyed in the idea that the pipeline itself needs to be secure for the rest of the community.
Once you deploy that code into your cloud environment, you need to make sure that the outer perimeter of that cloud environment is secure by putting in place network firewalls and web application firewalls. Security leaders need to also be looking at the infrastructure that that code is running on and monitoring that infrastructure including virtual machines, containers, databases, and the identities being used. Monitoring for misconfigurations, anomalies, and signs of adversary behavior needs to happen for all of those aspects of cloud computing.
The vision for CNAPP is uniting all these things together so that you can have a clear line of sight. CNAPP gives us the ability to see malware that’s sitting on a machine in your cloud environment as well as visibility all the way back to the initial code repo that contains the instructions about how that machine should be deployed. This visibility translates to the ability to go back to the beginning and make sure that any misconfigurations in that initial deployment code are cleaned up.
Learn About SentinelOne’s Singularity for Cloud
To maintain steps ahead of threat actors, organizations using cloud services must fully understand how the services are being implemented and maintained. Visibility within the cloud is critical to seeing how file sharing is being done, the type of data being stored and its security, and what applications are connected.
SentinelOne’s Singularity™ Cloud ensures organizations get the right security in place to continue operating in their cloud infrastructures safely. Contact us today or book a demo to see how we can help improve your cloud defenses and fuse autonomous threat hunting, endpoint detection and response (EDR) capability, and security together to defeat cloud-based threats without compromising agility or availability.
Angelneers is a community of startup builders with a mission of helping a new generation of startups drive the next phase of enterprise transformation. Angelneers aims to propagate better decisions around product, engineering, and growth. Their podcast interviews founders, operators, and technologists who have founded or helped build game-changing companies in the enterprise space.