Cloud detection and response need to break down boundaries.

Over the past few years, the professional community in security and engineering has frequently heard that identity is the new perimeter. While ensuring secure management procedures has always been fundamental for guarding against security hazards, it proves increasingly important in aspects involving cloud computing.

Attacks against cloud environments have changed and threat actors are continuously honing their TTPs to adapt to the ever-changing cloud landscape.

In this blog article, we will unpack how threat actors are navigating across multiple layers of the cloud environment to orchestrate advanced attacks against environments. We will also provide some actionable steps your team can take to bolster your defenses against these attacks and better secure your cloud environment.

Credential compromise continues to be a problem for security teams.  

Perhaps the biggest problem with provisioning API secrets is the lack of inherent visibility into who created the secrets, how they are being used, or who is using them. This creates a significant blind spot for an organisation’s ability to detect anomalies in the way those credentials are being used, if they’re being shared, and other behaviour that increases the security risk of these secrets.

A threat actor can easily move across authentication boundaries, but security tools can't.

Logixal’s solutions dedicated to securing your business IDP are Duo security for Multi-Factor Authentication, Azure AD to secure and manage identities for hybrid and multi-cloud environments, and Active Directory (AD), for managing permissions and network access.

Attacks that rely on exploiting a single cloud application or service are becoming less frequent. Nowadays, attackers don't always stop accessing an S3 bucket and stealing data. Instead, they often use AWS environments as a starting point to gain higher privileges or gather credentials that allow them to access other environments holding sensitive data or discover additional access keys. For instance, a threat actor may enter an artifact repository and either steal or upload a malicious docker image, or they may breach a GitHub account and replicate repositories.

Modern threat actors are adapting their TTPs to break across authentication boundaries with ease. To effectively detect attackers, detection tools must be able to cross boundaries and provide a comprehensive overview of their activity.

What organisations can do to protect against advanced threat actors.

There are a few steps security and engineering teams can take to help better defend themselves against modern cloud attacks.

1. Create an all-encompassing record of every identity involved within your system. This should include all individuals, automation tools, and service providers that have contact with your virtual environment. Consistently update this document by associating each identity with their granted access to sensitive data. Keep track of their activities by recording and analysing the ratio of privileges used to privileges given.
2. Keeping your keys secure is crucial, as compromised credentials will remain a significant cause of attacks in the near future. It is essential to regularly rotate secrets, such as API keys, every 90 days. It is not uncommon to come across environments where API secrets have been in use for over four years. These static values pose security risks as they become outdated, like passwords. Apart from utilising a secrets vault, companies should focus on enhancing visibility into the usage of their secrets. This includes knowing who has provisioned them, who has access to them, and where they are being shared.
3. Create a baseline of regular user conduct for every identity - Utilising a baseline to determine the routine behaviours of every user can construct a behavioural profile that will indicate any unusual action. Typically, users exhibit a recurring behaviour pattern and become habitual creatures. With a baseline in place, SIEM or logging tools can be configured to signal abnormal activity, which could indicate malice – or simply, suspicious undertakings.

However, looking at cloud security through the lens of posture and focusing on managing to eliminate misconfigured resources is no longer enough. Runtime visibility and monitoring will quickly become a must-have to be able to keep up with the modern TTPs of threat actors and effectively stymie the dynamic attack patterns against your environment.

Logixal Solutions take a cloud-first approach that keeps your business top of mind as we design and build a dedicated cloud architecture with the best mix of technology for your needs. Then we’ll deliver and manage it so you can reap the benefits.

Stay connected with Logixal at – info@logixal.co.uk