10 Cloud Risks CISO Whitepaper
CISO Technical Guide – Top 10 Cloud Risks
Defending modern public cloud
The ten threats we discuss below largely track the Egregious Eleven, although we have also accounted for recent
developments in attack efforts. Because each stage of the cloud service lifecycle has significant vulnerabilities
and exposure, securing these services requires a concerted effort by cloud service providers and their clients.
Enterprises using cloud service provider infrastructure and platforms must understand and meet their own security
responsibilities under the shared responsibility models.
Due to the immense computing resources of cloud systems, they are a natural target for an increasingly popular
cyberattack: cryptojacking. Cryptojacking attacks use a variety of threat vectors, including malware and phishing, to
gain access to cloud services. Once comfortably installed in a user's cloud environment, they begin to consume
increasing amounts of resources.
One highly publicized cryptojacking attack on cloud services hit popular car manufacturer Tesla. The attackers gained
access to a Kubernetes admin console for a Tesla Amazon Web Services (AWS) account that was not password
protected. They then used the Tesla account to mine Monero cryptocurrency.
What can companies do to avoid cryptojacking attacks? Monitoring your cloud
services and workloads for indicators of cryptomining binaries is one important step.
You should also continuously inspect north-south (N-S) traffic (i.e., traffic in and
out of your data centers) for suspect traffic. Reviewing flow logs alone is insufficient; instead, your mining detection
efforts should implement cloud-native deep packet inspection. Many major cloud providers have services that allow
you to mirror traffic for use in outside monitoring applications. These services include AWS Traffic Mirroring, GCP
Packet Mirroring and Azure vTAP.
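The following is an added example, not code from the whitepaper or from Blue Hexagon, showing why the paragraph says flow logs alone are insufficient. It runs a port-based heuristic (all a flow log can offer) and a payload-based check (what mirrored traffic allows) over a constructed set of flows. The payload check looks for the Stratum mining protocol, which is newline-delimited JSON-RPC whose first client message carries a method such as "mining.subscribe" or "login", and for well-known miner user-agent strings. The flow records, addresses and payloads are constructed for the example; the pool port list is an assumption and is deliberately incomplete.

```python
import json
import re
from dataclasses import dataclass


@dataclass
class Flow:
    """One TCP flow from mirrored traffic, with the first client payload captured (constructed)."""
    src: str
    dst: str
    dst_port: int
    payload: bytes


# Constructed sample: a TLS handshake, a Monero miner login on a typical pool port,
# a Stratum subscribe hidden on 443, and a plain HTTP request.
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Flow("10.0.1.7", "198.51.100.23", 3333,
         b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4A...","pass":"x","agent":"xmrig/6.16.4"}}\n'),
    Flow("10.0.1.9", "198.51.100.77", 443,
         b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}\n'),
    Flow("10.0.1.5", "203.0.113.44", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

# Assumed list of ports commonly used by mining pools. A flow-log-only detector
# has nothing but addresses, ports and byte counts to work with.
MINING_POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444}

# Stratum method names seen in the first client message, plus common miner agents.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login", "submit"}
MINER_AGENT_RE = re.compile(rb"xmrig|cpuminer|minerd|xmr-stak|nbminer", re.IGNORECASE)


def flow_log_only(flows):
    """Port-based heuristic: misses any pool reached over 443 or another innocuous port."""
    return [f for f in flows if f.dst_port in MINING_POOL_PORTS]


def is_stratum(payload: bytes) -> bool:
    """Deep packet inspection: parse the first line as JSON-RPC and look for Stratum methods."""
    line = payload.split(b"\n", 1)[0]
    try:
        msg = json.loads(line)
    except (ValueError, UnicodeDecodeError):
        return False  # binary or non-JSON payload: not Stratum
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS


def dpi_detect(flows):
    """Flag flows whose payload shows a Stratum handshake or a miner agent, regardless of port."""
    return [f for f in flows if is_stratum(f.payload) or MINER_AGENT_RE.search(f.payload)]


if __name__ == "__main__":
    print("flow-log only:", [(f.dst, f.dst_port) for f in flow_log_only(SAMPLE_FLOWS)])
    print("payload DPI:  ", [(f.dst, f.dst_port) for f in dpi_detect(SAMPLE_FLOWS)])
```

The port heuristic catches only the flow on 3333; the payload check also catches the subscribe on 443, which is the case the paragraph is warning about. In production the payload would come from a mirroring target such as the services named above, and the Stratum check would sit beside TLS metadata checks, since pools increasingly wrap Stratum in TLS.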
Hackers are using mutating Linux-based malware for everything from cyber-espionage to attacks on IoT devices. And
with malware-as-a-service and rootkits increasing in popularity across the dark web, vigilance against malware attacks
is increasingly essential.
To prevent malware attacks on your cloud services, you should analyze both storage and traffic because malware can
exist within stored data or be in transit to or through your cloud. Many cloud providers do not have a default policy
of scanning data in buckets for malware. But using cloud-native API services, you can define triggers that activate
malware scans depending on user activity, such as accessing files.
But you must do more than run malware scans on your stored cloud files (although you should do this with regularity).
You should also actively monitor cloud traffic for malware, especially because corporate users can put malware in
transit when uploading data to the cloud. Many services allow you to accomplish both with cloud-native APIs.
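As an added example (not code from the whitepaper or from any provider), here is the shape of a scan-on-upload trigger: a handler in the style of an AWS Lambda function receiving an S3 object-created notification, fetching the object and quarantining it if a scanner flags it. The scanner here is a stand-in that only recognises the EICAR test string and a constructed hash blocklist; a real deployment would call an AV engine. The `fetch` and `quarantine` callables are injected so the example runs offline, and the event, bucket name and objects are constructed.

```python
import hashlib
from typing import Callable, Dict, List, Optional
from urllib.parse import unquote_plus

# EICAR test string: the harmless industry-standard file every AV engine detects.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed hash blocklist standing in for a threat-intel feed or scanning engine.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed-malware-sample-for-example").hexdigest(): "Example.Dropper",
}


def scan_bytes(data: bytes) -> Optional[str]:
    """Return a detection name, or None when the object looks clean."""
    if EICAR in data:
        return "EICAR-Test-File"
    return KNOWN_BAD_SHA256.get(hashlib.sha256(data).hexdigest())


def handle_object_created(event: dict,
                          fetch: Callable[[str, str], bytes],
                          quarantine: Callable[[str, str, str], None]) -> List[Dict[str, str]]:
    """Lambda-style handler for S3 ObjectCreated notifications.

    Reads the standard notification layout (Records[].s3.bucket.name / object.key),
    ignores non-create events, scans each new object and quarantines detections.
    `fetch(bucket, key)` and `quarantine(bucket, key, verdict)` are injected dependencies.
    """
    results = []
    for record in event.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        bucket = record["s3"]["bucket"]["name"]
        key = unquote_plus(record["s3"]["object"]["key"])  # keys arrive URL-encoded
        verdict = scan_bytes(fetch(bucket, key))
        if verdict:
            quarantine(bucket, key, verdict)
        results.append({"bucket": bucket, "key": key, "verdict": verdict or "clean"})
    return results


# --- constructed in-memory "bucket" and notification event ---
FAKE_OBJECTS = {
    ("uploads-bucket", "reports/q3 final.csv"): b"id,amount\n1,42\n",
    ("uploads-bucket", "tmp/invoice.exe"): b"MZ" + EICAR,
}

SAMPLE_EVENT = {"Records": [
    {"eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "uploads-bucket"}, "object": {"key": "reports/q3+final.csv", "size": 15}}},
    {"eventName": "ObjectCreated:Put",
     "s3": {"bucket": {"name": "uploads-bucket"}, "object": {"key": "tmp/invoice.exe", "size": 70}}},
    {"eventName": "ObjectRemoved:Delete",
     "s3": {"bucket": {"name": "uploads-bucket"}, "object": {"key": "old.txt"}}},
]}

QUARANTINED = []  # records what the quarantine callback was asked to isolate


def run_sample() -> List[Dict[str, str]]:
    """Run the handler against the constructed event with in-memory fetch/quarantine."""
    return handle_object_created(SAMPLE_EVENT,
                                 lambda b, k: FAKE_OBJECTS[(b, k)],
                                 lambda b, k, v: QUARANTINED.append((b, k, v)))


if __name__ == "__main__":
    for r in run_sample():
        print(r)
```

Two details matter in practice: object keys in the notification are URL-encoded (a space becomes `+`), so they must be decoded before fetching, and the handler must skip delete and other non-create events rather than trying to fetch objects that no longer exist.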
In addition to active monitoring, you should also protect your data and
systems with backups, object versioning and cross-region replication (CRR). With proper backups, you can build the
capacity to recover quickly from a successful malware attack.
Limiting access to cloud storage is also an important step you should take. You should implement and enforce least
privilege access policies and make sure that you grant admin rights only when absolutely necessary. You should also
then monitor your cloud services for unauthorized connections.
There are many possible causes for data exfiltration. These include using public data buckets, misconfigured
permissions, unencrypted data, problems with IAM implementation and other associated human errors. Avoiding
these issues requires a concerted effort.
Prevention begins with proper configuration. You should have well-defined, least privilege or zero trust access policies,
as well as encryption requirements for data at rest. Moreover, you should implement automated guardrails for each
cloud in your environment (which may have its own language and complexities). Guardrails continuously monitor your
cloud deployments to identify potential deviations from your policies and practices.
Preventing data exfiltration also requires constant monitoring. You should use real-time N-S traffic inspection and
monitor your activity logs for evidence of exfiltration attempts, such as suspicious traffic patterns and destinations.
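The guardrail idea in the two paragraphs above, as an added example that is not the whitepaper's or any vendor's code: a small policy evaluator run over a snapshot of storage and identity configuration, flagging deviations from least privilege and encryption-at-rest requirements. The snapshot format is a constructed simplification of what a cloud inventory API returns (public access block flags, default encryption, bucket policy and IAM policy documents in AWS-style JSON); bucket and policy names are invented.

```python
from typing import List

REQUIRED_PAB = ("block_public_acls", "ignore_public_acls",
                "block_public_policy", "restrict_public_buckets")


def _as_list(v) -> list:
    """IAM documents allow a string or a list for Action/Resource; normalise to a list."""
    return [v] if isinstance(v, str) else list(v or [])


def is_anonymous(principal) -> bool:
    """True for the wildcard principal in either of its JSON spellings."""
    return principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")


def check_bucket(name: str, cfg: dict) -> List[str]:
    """Guardrail rules for one bucket: no public access, encryption at rest, no anonymous grants."""
    findings = []
    pab = cfg.get("public_access_block", {})
    missing = [k for k in REQUIRED_PAB if not pab.get(k)]
    if missing:
        findings.append(f"{name}: public access block incomplete ({', '.join(missing)})")
    if not cfg.get("default_encryption"):
        findings.append(f"{name}: no default encryption at rest")
    for stmt in cfg.get("bucket_policy", {}).get("Statement", []):
        if stmt.get("Effect") == "Allow" and is_anonymous(stmt.get("Principal")):
            findings.append(f"{name}: bucket policy grants access to anonymous principal")
    return findings


def check_iam_policy(name: str, doc: dict) -> List[str]:
    """Guardrail rules for an IAM policy: no */* admin grants, no broad IAM rights on all resources."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append(f"{name}: Allow */* is full administrator access")
        elif "*" in resources and any(a in ("iam:*", "iam:passrole", "iam:createaccesskey") for a in actions):
            findings.append(f"{name}: broad IAM privilege on all resources")
    return findings


def evaluate(snapshot: dict) -> List[str]:
    """Run every rule over an inventory snapshot; an empty list means no drift from policy."""
    findings = []
    for name, cfg in snapshot.get("buckets", {}).items():
        findings += check_bucket(name, cfg)
    for name, doc in snapshot.get("iam_policies", {}).items():
        findings += check_iam_policy(name, doc)
    return findings


# Constructed snapshot: one compliant bucket, one drifted bucket, one scoped policy, one over-broad policy.
SNAPSHOT = {
    "buckets": {
        "logs-archive": {
            "public_access_block": {k: True for k in REQUIRED_PAB},
            "default_encryption": "aws:kms",
            "bucket_policy": {"Statement": [
                {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/LogWriter"},
                 "Action": "s3:PutObject", "Resource": "arn:aws:s3:::logs-archive/*"}]},
        },
        "public-assets": {
            "public_access_block": {"block_public_acls": True, "ignore_public_acls": True,
                                    "block_public_policy": False, "restrict_public_buckets": False},
            "default_encryption": None,
            "bucket_policy": {"Statement": [
                {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::public-assets/*"}]},
        },
    },
    "iam_policies": {
        "ReadOnlyReports": {"Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": "arn:aws:s3:::logs-archive/*"}]},
        "CiRunner": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    },
}

if __name__ == "__main__":
    for finding in evaluate(SNAPSHOT):
        print(finding)
```

Run continuously (on every configuration change event, not on a nightly schedule), a checker like this is what "guardrail" means in the text: drift is reported minutes after it happens, and each cloud gets its own rule set written against that provider's policy language.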
Once again, monitoring is critical for risk mitigation. You must continuously inspect VMs and containers for malicious
code, including at build and ship times. Relying on software bills of material (SBOMs) or CVEs is not sufficient.
In addition, you should monitor network traffic for command and control (C2) activity. Modern C2 traffic is highly
evasive, and IP or domain blacklists alone will not provide sufficient protection against it.
To manage brute force and privilege escalation risk, you must carefully provision and monitor your systems,
particularly those interacting with remote workers and services. Give particular attention to RDP and SSH protocol
provisioning because brute force attacks primarily occur through them. As always, you should also then monitor for
suspicious network activity using these protocols.
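The monitoring step for SSH described above, as an added example that is not part of the whitepaper: a detector that reads sshd authentication log lines, counts failed logins per source address in a sliding window, raises a medium-severity alert when the count crosses a threshold, and raises a high-severity alert if that same source then authenticates successfully. The log lines follow the standard sshd syslog format but are constructed for this example (hostnames, addresses and timestamps are invented); the threshold and window are assumptions to tune per environment. The same structure applies to RDP by swapping the parser for Windows logon events.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Standard sshd syslog line: "<ts> <host> sshd[pid]: Failed|Accepted <method> for [invalid user] <user> from <ip> port <n> ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

# Constructed sample: one noisy external source, one internal user with a typo then a key login.
SAMPLE_LOG = """\
Mar 14 10:01:02 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.5 port 51022 ssh2
Mar 14 10:01:05 bastion sshd[2203]: Failed password for invalid user oracle from 198.51.100.5 port 51030 ssh2
Mar 14 10:01:06 bastion sshd[2204]: Failed password for deploy from 10.0.0.4 port 40012 ssh2
Mar 14 10:01:08 bastion sshd[2205]: Failed password for root from 198.51.100.5 port 51041 ssh2
Mar 14 10:01:11 bastion sshd[2207]: Failed password for root from 198.51.100.5 port 51055 ssh2
Mar 14 10:01:12 bastion sshd[2208]: Accepted publickey for deploy from 10.0.0.4 port 40013 ssh2: ED25519 SHA256:constructed
Mar 14 10:01:14 bastion sshd[2209]: Failed password for ubuntu from 198.51.100.5 port 51063 ssh2
Mar 14 10:01:17 bastion sshd[2211]: Failed password for ubuntu from 198.51.100.5 port 51070 ssh2
Mar 14 10:01:20 bastion sshd[2213]: Accepted password for ubuntu from 198.51.100.5 port 51077 ssh2
"""


def parse(line: str):
    """Parse one sshd line into a dict, or None for lines that are not auth results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # syslog has no year; fine for deltas
    return ev


def detect_brute_force(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Sliding-window failure counter per source; escalates on success after a flagged burst."""
    alerts = []
    recent_failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    flagged = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"severity": "medium", "src": ev["src"],
                               "reason": f"{len(q)} failed logins within {int(window.total_seconds())}s"})
        elif ev["result"] == "Accepted" and ev["src"] in flagged:
            alerts.append({"severity": "high", "src": ev["src"],
                           "reason": f"successful {ev['method']} login as {ev['user']} after brute-force pattern"})
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(a)
```

The escalation rule is the useful part: a burst of failures is common background noise on any exposed port, but a success from the same source shortly afterwards is the event worth paging on, and it is also the moment to check that the account involved has no more privilege than its role requires.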
Moreover, because privilege escalation impacts your IAM policies and processes, you should continuously monitor
for anomalous activity from IAM users and activity that is inconsistent with IAM roles.
Protecting against server and API compromise is a multi-faceted task. Beginning with the obvious, you should
prioritize patching according to the risk severity. Prioritization should address an attack’s likelihood (e.g., how large is
the attack surface and what is its external exposure?) and its impact if successful (e.g., the CVE severity).
Less obvious is the need to consider the vulnerability of your internal workloads in addition to outward-facing
instances. Least privilege access is crucial for every workload component, and your policies should demand it.
You should also rely on cloud-native resilient API frameworks. Investing in web application firewalls (WAF) and other
modern app-aware API security tools is another vital element of a robust cloud security program.
But secret detection alone is not enough. Credential leaks frequently occur through
widespread malicious activities such as phishing or existing but unidentified breaches. So, in addition to training your
employees on proper password hygiene and credential protection processes, you must once again turn to continuous
monitoring. Look for any unusual activity concerning credentials and your cloud assets.
There are many different tools for increasing visibility in your cloud stack. For network traffic, you can use
cloud-native mechanisms, including the previously mentioned traffic mirroring services. For storage, consider how you
can best apply cloud-native triggers tied to data access. Compute-layer visibility tools include agentless VM and
container scans. And, on the control plane, you have activity and audit logs.
Cloud-native automated guardrails also help maintain cloud visibility. Guardrails allow you to automatically inspect
new regions, accounts, VPCs, and buckets as they are brought online, with no human intervention.
User and Entity Behavior Analytics (UEBA) is a promising tool for probabilistic threat detection. UEBA tools look at
user behavior (reflected in activity data, for example) to identify anomalous or suspicious activity.
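An added example (not the whitepaper's or any vendor's code) of the UEBA approach described here, which also covers the earlier point about activity inconsistent with IAM roles: each user's past control-plane activity is summarised into a profile (APIs called, regions used, hours active), and new events are scored against it, with an extra penalty when a read-only role issues a write API call. The events are constructed in a simplified CloudTrail-like shape, the scoring weights and threshold are assumptions, and the role names are invented.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed baseline window (assume ~30 days of prior activity) and a batch of new events.
BASELINE = [
    {"user": "alice", "role": "ReadOnly", "event": "s3:GetObject", "region": "us-east-1", "hour": 10},
    {"user": "alice", "role": "ReadOnly", "event": "s3:ListBucket", "region": "us-east-1", "hour": 14},
    {"user": "bob", "role": "Admin", "event": "ec2:RunInstances", "region": "us-west-2", "hour": 9},
    {"user": "bob", "role": "Admin", "event": "iam:CreateRole", "region": "us-west-2", "hour": 16},
]
NEW_EVENTS = [
    {"user": "alice", "role": "ReadOnly", "event": "s3:GetObject", "region": "us-east-1", "hour": 11},
    {"user": "alice", "role": "ReadOnly", "event": "iam:CreateAccessKey", "region": "eu-west-3", "hour": 3},
    {"user": "bob", "role": "Admin", "event": "ec2:RunInstances", "region": "us-west-2", "hour": 2},
]

# Action-name prefixes treated as write operations (assumed, not a provider-supplied list).
WRITE_VERBS = ("Create", "Put", "Run", "Delete", "Attach", "Update", "Modify")


def build_profiles(events: List[dict]) -> Dict[str, dict]:
    """Summarise each user's historical activity into sets of APIs, regions and active hours."""
    profiles = defaultdict(lambda: {"events": set(), "regions": set(), "hours": set()})
    for e in events:
        p = profiles[e["user"]]
        p["events"].add(e["event"])
        p["regions"].add(e["region"])
        p["hours"].add(e["hour"])
    return profiles


def _hour_distance(a: int, b: int) -> int:
    """Distance between two hours of day, wrapping around midnight."""
    d = abs(a - b)
    return min(d, 24 - d)


def score_event(e: dict, profiles: Dict[str, dict]) -> Tuple[int, List[str]]:
    """Score one event against the user's profile; higher means more anomalous."""
    p = profiles.get(e["user"])
    if p is None:
        return 5, ["never-seen user"]
    score, reasons = 0, []
    if e["region"] not in p["regions"]:
        score += 2
        reasons.append("new region")
    if e["event"] not in p["events"]:
        score += 2
        reasons.append("new API call")
    if all(_hour_distance(e["hour"], h) > 3 for h in p["hours"]):
        score += 1
        reasons.append("off-hours")
    verb = e["event"].split(":", 1)[1]
    if e["role"] == "ReadOnly" and verb.startswith(WRITE_VERBS):
        score += 3
        reasons.append("write API from read-only role")
    return score, reasons


def flag_anomalies(new_events: List[dict], baseline: List[dict], threshold: int = 3) -> List[dict]:
    """Return events whose anomaly score reaches the threshold, with the reasons attached."""
    profiles = build_profiles(baseline)
    flagged = []
    for e in new_events:
        score, reasons = score_event(e, profiles)
        if score >= threshold:
            flagged.append({**e, "score": score, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in flag_anomalies(NEW_EVENTS, BASELINE):
        print(hit)
```

Only alice's second event is flagged: a new region, an API she has never called, at an unusual hour, and a credential-creating write from a read-only role. Bob's 2 a.m. instance launch scores a single point, which is the intended behaviour: off-hours activity on its own is weak evidence, and stacking several weak signals is what makes the probabilistic approach useful.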
Cloud risk management should include countermeasures at every stage in the software lifecycle, including build,
ship and runtime phases. By focusing on the top risks and root causes of security breaches, you can build a robust
defensive framework. And with automation, you can increase visibility and allow your security efforts to keep pace
with agile cloud DevOps efforts.
Blue Hexagon's Continuous Cloud Threat Detection and Response Deep Learning platform enables enterprises to
adopt the cloud securely, reduce risk and detect and resolve threats faster. Cloud Security and DevOps teams can now
continuously defend and harden their cloud against errors and attacks throughout the cloud lifecycle. Customers
protect their business and brand against known and unknown threats, including ransomware, malware (including
zero-day), C2, cryptomining and insecure apps/code, by prioritizing risk and combining threat and misconfiguration
detection. The multi-cloud, agentless, actionable and accurate solution deploys in minutes and integrates with the
cloud-native stack to help reduce DevSecOps friction and triage delays for faster remediation.
Blue Hexagon is the world’s most recognized AI cybersecurity company and has been widely adopted by leading
technology, healthcare and financial organizations.
Blue Hexagon is trusted and deployed by leading healthcare, electronic retail, technology, insurance, and financial
services companies such as Pacific Dental Services, Narvar and Prime to secure their public cloud workloads,
compute and data. Our customers quickly deploy Blue Hexagon in AWS, GCP or Azure clouds within minutes,
instantly identify their assets and start detecting threats, ransomware and malware as well as misconfigurations and
non-compliance, with one solution across their complete cloud lifecycle.
Blue Hexagon has been recognized in Forbes AI 50 for Next Gen NDR innovation, included in the 2020 Gartner
Market Guide for Network Detection and Response, named to CNBC's Upstart 100 list of "World's Most Promising
Startups", was tested by Miercom as the most effective of four leading security products against the most lethal
zero-day malware, ransomware, worms, botnets and evasive malicious threats and was named to the 2021 CB
Insights AI-100 list of "Most Innovative Artificial Intelligence Startups", CRN's "10 Hottest AI Security Companies
You Need to Know", and most recently recognized by Analytics Insights "Top 100 Artificial Intelligence Startups to
Lookout for in 2021".
Blue Hexagon is headquartered in Sunnyvale, CA, and backed by Benchmark and Altimeter Capital. Follow us on
Twitter @bluehexagonai or on the Web at www.bluehexagon.ai.
Headquarters
150 W Iowa Avenue #103
Sunnyvale, CA 94086
www.bluehexagon.ai
inquiries@bluehexagon.ai