8 Attack Vectors Puncturing Cloud Environments
These methods may not yet be on your security team's radar, but given their impact, they should be.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltd47001d6d5f17f9f/64f0d5d525b2c63e4327b660/cloudsecintro.jpg?width=700&auto=webp&quality=80&disable=upscale)
As companies work to protect their cloud environments, they need to know which types of attacks are most likely to hit.
"Cloud has been around for years, but cloud security has only within the past year or so become a formal discipline," says Matthew Chiodi, vice president of cloud security at RedLock. And as the cloud evolves, attackers are finding new, advanced ways to break into enterprise environments.
Public cloud security incidents often stem from a poor understanding of the shared responsibility model, which governs how cloud users and providers both shoulder the burden of security, Chiodi says.
"Many of the threats we talk about are the result of organizations not understanding the threat model of the public cloud," he explains. Customers struggle to apply security tooling in the public cloud, and legacy enterprise tools don't cope with the dynamic nature of cloud environments, where workloads appear and disappear in minutes.
Several types of threats are taking aim at the cloud, says Manuel Nedbal, CTO at ShieldX. "We see most of the attacks are either orchestration or cross-cloud attacks, or data center attacks," he says, attributing the overall rise of these incidents to the rise in cloud adoption.
Here, the two cloud security pros point to different types of cyberattacks and explain how they affect cloud environments.
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall.
It's common for cyberattackers to use public cloud environments to infiltrate on-prem data centers, ShieldX's Nedbal says.
These threats arise when customers move one of their workloads into a public cloud environment, such as Amazon Web Services or Microsoft Azure, and connect it back to the private data center over a private link such as AWS Direct Connect or a site-to-site VPN tunnel, he explains. An attacker who breaches either environment can then move laterally across that link, under the radar of security tools that watch the Internet-facing perimeter.
"Second stage is much harder to detect and can move from public cloud to private data centers," Nedbal says. The attacker first scans the public cloud environment and uses traditional vulnerabilities and exploits to gain a foothold there; the private link then carries the second stage into the data center.
The intrusion could be caught in the public cloud, he continues, but defenses there are typically weaker than in on-prem environments. The ability to move between public and private clouds gives the attacker an advantage and a position from which to persist in the target network.
"The cyberkill chain turns into a cyberkill cycle," Nedbal explains. "Start with reconnaissance, start to deliver malware, start to move laterally, and then you start the recon again."
Cloud orchestration is used to provision servers, acquire and assign storage capacity, handle networks, create virtual machines, and manage identities, among other tasks in the cloud. Orchestration attacks aim to steal accounts or API access keys that can be reused to assign privileges to cloud resources. Attackers, for example, could use a stolen account to create new virtual machines or access cloud storage, Nedbal says.
How successful they are depends on the privileges of the accounts they steal, he notes. However, once an orchestration account is breached, the attackers can use their access to create backup accounts for themselves, and then use those accounts to get to other resources.
Orchestration attacks target the cloud provider's API layer: the calls are legitimate, authenticated requests to the control plane, so they can't be detected with standard network traffic inspection tools, Nedbal continues. A security team will want to observe both network-based behavior and account behavior, such as which identities call the API, from where, and what they create.
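The account-behavior side of that advice, as an added example that is not part of the article: a small detector run over constructed CloudTrail-style API events. The account ID, role name, instance ID, IP addresses and the expected egress addresses are all assumptions made for the example. It flags two things an orchestration attacker does with a stolen instance credential: minting "backup" IAM identities, and calling the API from somewhere the instance does not live.

```python
"""Detect orchestration-account abuse in CloudTrail-style API logs.

Added example, not from the article. The events below are constructed to
mirror the CloudTrail record layout (eventName, eventSource, sourceIPAddress,
userIdentity); the account ID, role, instance ID and addresses are made up.
"""

# IAM calls an attacker issues to create "backup" identities after stealing
# a credential that can talk to the cloud control plane.
PERSISTENCE_CALLS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "AddUserToGroup", "CreateRole", "AttachRolePolicy",
    "UpdateAssumeRolePolicy",
}

# Assumed: the NAT egress addresses from which each instance-profile role is
# expected to call the API. A session seen anywhere else is a stolen credential.
EXPECTED_EGRESS = {"WebRole": {"203.0.113.10", "203.0.113.11"}}

INSTANCE_ARN = "arn:aws:sts::123456789012:assumed-role/WebRole/i-0123456789abcdef0"

SAMPLE_EVENTS = [  # constructed sample log
    {"eventTime": "2018-11-12T09:00:01Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN}},
    {"eventTime": "2018-11-12T09:05:17Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"userName": "svc-backup"},
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN}},
    {"eventTime": "2018-11-12T09:05:20Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.77",
     "requestParameters": {"userName": "svc-backup"},
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN}},
    {"eventTime": "2018-11-12T09:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole", "arn": INSTANCE_ARN}},
    # A human administrator creating a user from the office: not an
    # instance session, so the instance-role rules below ignore it.
    {"eventTime": "2018-11-12T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "192.0.2.5",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/alice"}},
]


def role_and_session(event):
    """Split an AssumedRole ARN (...:assumed-role/ROLE/SESSION) into its parts."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None, None
    parts = ident.get("arn", "").split("/")
    if len(parts) != 3:
        return None, None
    return parts[1], parts[2]


def is_instance_session(session):
    """EC2 instance profiles name the STS session after the instance ID."""
    return session.startswith("i-")


def analyze(events):
    """Return one finding per suspicious event, in log order."""
    findings = []
    for ev in events:
        role, session = role_and_session(ev)
        if role is None or not is_instance_session(session):
            continue
        name = ev.get("eventName", "")
        ip = ev.get("sourceIPAddress", "")
        base = {"role": role, "instance": session, "event": name, "ip": ip,
                "time": ev.get("eventTime")}
        # Rule 1: an instance's role has no business minting IAM principals.
        if name in PERSISTENCE_CALLS:
            findings.append(dict(base, rule="instance-role-persistence"))
        # Rule 2: the instance's temporary credential is being used from
        # outside the network it lives in, i.e. it was exfiltrated.
        expected = EXPECTED_EGRESS.get(role)
        if expected is not None and ip not in expected:
            findings.append(dict(base, rule="credential-used-off-instance"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['time']} {f['rule']:30} {f['role']}/{f['instance']} "
              f"{f['event']} from {f['ip']}")
```

On the constructed log the detector raises five findings: the two IAM calls from the instance session trip both rules, and the later RunInstances trips only the off-instance rule. Neither rule fires on the administrator's CreateUser, which is the point of keying on the session type rather than on the API name alone.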
Once inside a data center, attackers often don't face boundaries in gaining access to sensitive resources, according to ShieldX's Nedbal.
Data centers are built from points of delivery (PoDs), modular units of compute, storage, and network that work together to deliver a service. It's common to connect these modules and add more as the data center expands. Traffic between PoDs should be steered through a layered set of security controls, but many businesses overlook this, opening up a potential attack vector. If one PoD is compromised, attackers can spread from it to the rest of the data center and on to other data centers.
The instance metadata API is a piece of functionality offered by every major cloud provider, RedLock's Chiodi says. It is not a bug or an exploit in itself, but because nothing like it existed in the on-prem world, it often isn't secured or monitored properly. An attacker can abuse it in two main ways.
The first is through vulnerable reverse proxies, he explains. Reverse proxies are common in public cloud environments, and a proxy that forwards requests to whatever host the client names can be made to call the metadata API on the attacker's behalf and hand back the credentials it serves. If such a proxy is stood up on a cloud instance and instances reach the Internet through it, the proxy can end up exposing or storing the credentials the metadata service issues to that instance.
"If somebody has not properly set the permissions on those access credentials for that specific instance, they can do anything those permissions would grant that instance," he says.
The second is via malicious Docker images. Developers share images through Docker Hub, Chiodi explains, but that ease of use has bred a habit of trusting images openly, and an image can carry commands that query the metadata API and pull the instance's access keys. An attack can thereby broaden from a compromised container to the public cloud account itself.
"It's a great functionality, but you have to know how to handle it," he says. Chiodi advises monitoring user behavior in the cloud and following the principle of least privilege when issuing credentials.
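Both metadata abuses above (the open reverse proxy and the malicious image running on the instance) come down to the same request reaching the metadata endpoint. The following added example, which is not code from the article, simulates the metadata service in-process so it runs offline: an open proxy that forwards any URL beside a hardened one that allowlists upstream hosts and refuses internal destinations, and the metadata service in both its plain-GET mode and its token-required mode. The address 169.254.169.254 is the real link-local metadata address on AWS; the credential values, token, role name and upstream hostname are constructed.

```python
"""Instance metadata credentials reached through an open reverse proxy.

Added example, not from the article. The metadata service and the network are
simulated in-process so the script runs offline. 169.254.169.254 is the real
link-local metadata address on AWS; every credential and token here is made up.
"""
import ipaddress
import json
from urllib.parse import urlsplit

METADATA_HOST = "169.254.169.254"
CRED_PATH = "/latest/meta-data/iam/security-credentials/WebRole"
FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE000000", "SecretAccessKey": "constructed",
              "Token": "constructed-session-token"}
V2_TOKEN = "constructed-imdsv2-token"


class FakeMetadataService:
    """IMDSv1 answers any GET; IMDSv2 wants a PUT for a token first, then the
    token in a header on the GET (what HttpTokens=required enforces)."""

    def __init__(self, require_token):
        self.require_token = require_token

    def request(self, method, path, headers):
        if method == "PUT" and path == "/latest/api/token":
            if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
                return 400, ""
            return 200, V2_TOKEN
        if method == "GET" and path == CRED_PATH:
            if self.require_token and headers.get("X-aws-ec2-metadata-token") != V2_TOKEN:
                return 401, ""
            return 200, json.dumps(FAKE_CREDS)
        return 404, ""


class FakeNetwork:
    """Routes a request either to the metadata service or to a stand-in upstream."""

    def __init__(self, imds):
        self.imds = imds

    def fetch(self, method, url, headers=None):
        parts = urlsplit(url)
        if parts.hostname == METADATA_HOST:
            return self.imds.request(method, parts.path, headers or {})
        return 200, f"upstream content from {parts.hostname}"


def vulnerable_proxy(net, target_url):
    """Open proxy: forwards whatever URL the client asks for, no checks."""
    return net.fetch("GET", target_url)


def is_internal_destination(url):
    """True for link-local, loopback and RFC1918 targets (and the well-known
    metadata hostnames, since this offline example does no DNS resolution)."""
    host = urlsplit(url).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host in {"metadata.google.internal", "metadata"}
    return addr.is_link_local or addr.is_loopback or addr.is_private


def hardened_proxy(net, target_url, allowed_hosts):
    """Allowlist upstream hosts and refuse anything pointing inside the VPC."""
    host = urlsplit(target_url).hostname or ""
    if host not in allowed_hosts or is_internal_destination(target_url):
        return 403, "refused"
    return net.fetch("GET", target_url)


def legitimate_imdsv2_client(net):
    """What an SDK on the instance does: token first, then the credential GET."""
    status, token = net.fetch("PUT", f"http://{METADATA_HOST}/latest/api/token",
                              {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    if status != 200:
        return status, ""
    return net.fetch("GET", f"http://{METADATA_HOST}{CRED_PATH}",
                     {"X-aws-ec2-metadata-token": token})


def demo():
    """Status code per scenario; 200 on a credential path means the keys came back."""
    cred_url = f"http://{METADATA_HOST}{CRED_PATH}"
    v1 = FakeNetwork(FakeMetadataService(require_token=False))
    v2 = FakeNetwork(FakeMetadataService(require_token=True))
    return {
        "open_proxy_imdsv1": vulnerable_proxy(v1, cred_url)[0],
        "open_proxy_imdsv2": vulnerable_proxy(v2, cred_url)[0],
        "hardened_proxy_imdsv1": hardened_proxy(v1, cred_url, {"api.example.com"})[0],
        "hardened_proxy_allowed": hardened_proxy(v1, "https://api.example.com/v1/x",
                                                 {"api.example.com"})[0],
        "sdk_on_instance_imdsv2": legitimate_imdsv2_client(v2)[0],
    }


if __name__ == "__main__":
    for scenario, status in demo().items():
        print(f"{scenario:24} -> {status}")
```

The open proxy leaks the role's keys as long as the metadata service answers plain GETs; once tokens are required the same forwarded GET gets a 401, while the SDK on the instance still works because it performs the PUT first. On AWS the token requirement is switched on per instance with `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1`; the hop limit of 1 keeps the token response from crossing the extra IP hop of a bridged container network, which is what blunts the malicious-image case as well. The hardened proxy in the example also blocks hostnames only by a short list; a real deployment must resolve the name and check the resulting address, then pin that address for the actual connection.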
These attacks take place within the same tenant, ShieldX's Nedbal says. By default, nothing stops workloads in the same tenant or virtual network from communicating with one another, so an attack on your virtual desktop can spread to your virtual Web server or database.
It's common for businesses to use untrusted virtual machines for browsing and downloading online content. If one of them is infected and it runs in the same tenant as workloads holding sensitive data, those workloads could be compromised too.
"To reduce the risk of a breach, workloads with different security requirements should be in different time zones," Nedbal wrote in a blog post. "Traffic traversing those zones should be inspected using a rich set of security controls like what is expected for north-south perimeter defenses." However, he adds, it's difficult to add security controls between workloads.
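A concrete way to audit the east-west exposure described above, as an added example that is not from the article or ShieldX: three workloads in different trust zones, a weak security-group rule set that trusts the whole virtual network on every port, and a corrected one. The workloads, addresses, zone names and rules are constructed; the rule shape (protocol, port range, source CIDR or source security group) mirrors how cloud security groups are expressed.

```python
"""Audit east-west reachability between workloads that share a tenant.

Added example, not from the article. Workloads, zones and security-group
rules are constructed; the rule shape (protocol, port range, source CIDR or
source security group) mirrors how cloud security groups are expressed.
"""
import ipaddress

# Each workload sits in a trust zone and is attached to one security group.
WORKLOADS = {
    "browse-vm": {"zone": "untrusted", "sg": "sg-browse", "ip": "10.0.1.10"},
    "web-01":    {"zone": "web",       "sg": "sg-web",    "ip": "10.0.2.20"},
    "db-01":     {"zone": "data",      "sg": "sg-db",     "ip": "10.0.3.30"},
}

ANY = {"proto": "-1", "from": 0, "to": 65535, "src": "10.0.0.0/16"}

# The common default: every group trusts the whole VPC on every port.
WEAK_RULES = {"sg-browse": [ANY], "sg-web": [ANY], "sg-db": [ANY]}

# Corrected: specific ports, and the database trusts a security group
# (the web tier), not an address range the browsing VM also lives in.
FIXED_RULES = {
    "sg-browse": [],
    "sg-web": [{"proto": "tcp", "from": 443, "to": 443, "src": "0.0.0.0/0"}],
    "sg-db": [{"proto": "tcp", "from": 5432, "to": 5432, "src": "sg-web"}],
}


def source_matches(src, workload):
    """A rule source is either another security group or a CIDR."""
    if src.startswith("sg-"):
        return workload["sg"] == src
    return ipaddress.ip_address(workload["ip"]) in ipaddress.ip_network(src)


def cross_zone_flows(rules, workloads):
    """Every (src, dst, proto, from, to) the rules permit between different zones."""
    flows = []
    for dst_name, dst in workloads.items():
        for rule in rules.get(dst["sg"], []):
            for src_name, src in workloads.items():
                if src_name == dst_name or src["zone"] == dst["zone"]:
                    continue
                if source_matches(rule["src"], src):
                    flows.append((src_name, dst_name, rule["proto"],
                                  rule["from"], rule["to"]))
    return flows


def is_wide_open(flow):
    """All protocols, or the full TCP/UDP port range."""
    _, _, proto, lo, hi = flow
    return proto == "-1" or (lo == 0 and hi == 65535)


def violations(rules, workloads):
    """Cross-zone flows that need fixing: all-ports allows, and anything from
    the untrusted browsing zone straight into the data zone."""
    bad = []
    for flow in cross_zone_flows(rules, workloads):
        src_zone = workloads[flow[0]]["zone"]
        dst_zone = workloads[flow[1]]["zone"]
        if is_wide_open(flow) or (src_zone == "untrusted" and dst_zone == "data"):
            bad.append(flow)
    return bad


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(f"{label}: {len(violations(rules, WORKLOADS))} violation(s)")
        for flow in cross_zone_flows(rules, WORKLOADS):
            print("   ", flow)
```

With the weak rules every pair of workloads can reach each other on every port, so the infected browsing VM has a direct path to the database. With the corrected rules the only cross-zone paths left are the two internal hosts reaching the web tier on 443 (which the Internet can reach anyway) and the web tier reaching the database on 5432; those remaining flows are the ones to route through the inspection controls the quote above calls for.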