Why cloud attacks no longer need malware [Q&A]

As organizations have come to rely more on the cloud, it's become an increasingly attractive target for cybercriminals seeking to steal data or extract ransoms.

In the past this has involved the use of malware, but as attackers get more sophisticated there’s a move towards different types of attack. We spoke to Shai Morag, SVP and general manager cloud security at Tenable, to discover more about these threats and how to tackle them.

BN: Why has the cloud become such an attractive target?

SM: Most organizations have found themselves undergoing a significant migration to the cloud, moving workloads, as well as the storage of their most important data, to cloud-native services. The increasing migration of workloads to the cloud, coupled with the development of new cloud-native applications across multiple providers, have significantly expanded the attack surface, making the cloud a prime target for cyber attackers. This expansion provides attackers with more entry points to exploit vulnerabilities and gain access to sensitive data and infrastructure.

In response to this migration, cybercriminals are adapting their tactics to exploit cloud environments. In fact, a Tenable report found that more than two-thirds of cloud decision-makers say their cloud deployments -- particularly public and hybrid instances -- are their organization’s greatest area of exposure risk. And recently, the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that APT29 (who was responsible for the 2020 SolarWinds breach) is targeting cloud services to gain initial access to organizations in the government, healthcare and education sectors. By taking advantage of the increasing migration from on-premises to cloud-based infrastructures, these bad actors are leveraging the cloud to move beyond traditional methods to gain initial access.

BN: What is leading attackers to move away from using traditional malware?

SM: With on-prem, traditional malware is often the primary tool for cyber attackers to gain a foothold and cause damage. Utilizing malware enables attackers to establish persistency, maintain that foothold and infiltrate that network. With cloud-native attacks, attackers don't have to leverage malware to maintain their foothold in the network. Attackers' primary persistency strategy involves identity-based means, such as creating access keys, exploiting misconfigured access controls and entitlements, or creating a user/role, to infiltrate, escalate privileges, and move laterally.

BN: Which attack vectors are now becoming more common?

SM: We are seeing more and more attacks exploiting misconfigurations in identity and access managers. With the complexity of modern IT infrastructures and the proliferation of cloud-based services, organizations often find themselves grappling with an abundance of identity and access management systems. Organizations have to manage identities and entitlements at the identity provider level, the cloud infrastructure level and in the on-prem environment. These responsibilities are divided among different teams and different systems.

These fragmented systems create exposure, opening the door for attackers to exploit weaknesses and gain unauthorized access to sensitive data and resources. For instance, misconfigured access controls or improperly managed user privileges can inadvertently grant attackers unrestricted entry to critical systems or data repositories.

To effectively address these emerging threats, organizations must prioritize streamlining and centralizing their identity and access management processes. By consolidating these systems and implementing robust security measures, such as regular audits and access reviews, organizations can significantly reduce their attack surface and enhance their overall security posture.

BN: How big a role do malicious insiders have in these attacks?

SM: Malicious insiders can play a role in cloud-based attacks, especially in organizations with lackadaisical identity and access management policies. While external threats often dominate headlines, insider threats can be just as, if not more, damaging, because the insider has familiarity with the organization’s systems and potentially broader access to sensitive data. As a result, insiders can be a major threat to an organization -- whether the threat is intentional or not.

Regular scrutiny of an organization's data sensitivity and auditing access permissions is crucial to mitigating insider threats effectively. Given the potentially devastating consequences of insider threats, organizations must adopt a proactive approach to mitigating these risks. This includes implementing stringent access controls, conducting regular audits of user permissions, implementing monitoring mechanisms to detect and respond to suspicious activities in real-time and eliminating long standing permission by utilizing Just-In-Time controls. Additionally, fostering a culture of security awareness and accountability among employees can help prevent insider threats from materializing in the first place. By addressing both technical and behavioral aspects of security, organizations can effectively mitigate the risk posed by malicious insiders in cloud environments.

BN: What steps do businesses need to take to defend themselves?

SM: Step one is for businesses to establish a strong cloud security strategy that ensures comprehensive visibility across all cloud environments. This involves gaining a thorough understanding of cloud identities, entitlements, and resources, including IAM, federated, and third-party users. Additionally, companies should focus on identifying and mitigating access-related risks, such as excessive permissions and network exposure, while also enforcing least privilege access and enabling just-in-time access for developers. By implementing these measures, businesses can reduce their attack surface and strengthen overall security posture.

Image Credit: Creativa Images / Shutterstock