
10 Cloud Risks CISO Whitepaper


Whitepaper

CISO Technical Guide – Top 10 Cloud Risks
Defending modern public cloud

Dr. Saumitra Das and Dr. Neil Daswani

The development and deployment cycle for cloud applications presents cybercriminals with opportunities for exploitation at every stage. Understanding and defending against the top cloud security risks is paramount for CISOs as their organizations migrate to the public cloud at an unprecedented pace.

Threats Across the Cloud Application Lifecycle
How Criminals Access and Exploit Cloud Services
Top 10 Cloud Security Risks in 2021
Getting It All Together
Blue Hexagon Continuous Cloud Threat Detection and Response

Cloud service usage exploded during the COVID-19 global pandemic. As businesses shifted to
remote work arrangements during government-mandated lockdowns and wholly virtual sales
and services became the norm for most businesses, the need for more and scalable applications
and data in the public cloud took center stage.
Naturally, additional cloud services spawned a wave of cybercriminals looking to take
advantage of systems that were often put in place quickly but not always safely. Attacks on
cloud services accelerated as swiftly as cloud service adoption. The focus for the continued
expansion of cloud-based enterprise deployment is now on cybersecurity. Here, we address
the 10 most significant cloud security risks and discuss ways to mitigate them.

Threats Across the Cloud Application Lifecycle


The development and deployment cycle for cloud applications presents cybercriminals with opportunities for
exploitation at every stage. In 2019, the Cloud Security Alliance (CSA) identified its Top Threats to Cloud Security: The
Egregious Eleven, which details threats across the lifecycle, the business implications of these threats, and guidance
and controls for threat response.

Figure 1: The cloud application lifecycle

The ten threats we discuss below largely track the Egregious Eleven, although we have also accounted for recent
developments in attack efforts. Because each stage of the cloud service lifecycle has significant vulnerabilities
and exposure, securing these services requires a concerted effort by cloud service providers and their clients.
Enterprises using cloud service provider infrastructure and platforms must understand and meet their own security
responsibilities under the shared responsibility models.

Figure 2: The Microsoft Azure shared responsibility model


(source https://docs.microsoft.com/en-us/azure/security/fundamentals/shared-responsibility)

CISO Technical Guide — Top 10 Cloud Risks 2


How Criminals Access and Exploit Cloud Services
Understanding how to best secure cloud services requires knowing how hackers access systems and what
vulnerabilities they most frequently exploit. According to a recent IBM report on the cost of data breaches, a little
more than half of breaches result from malicious attacks, while 25% are attributable to system glitches and 23% result
from human error.
The most prevalent threat vectors are compromised credentials (19%), cloud misconfigurations (19%), vulnerabilities in
third-party software (16%), and, not surprisingly, phishing (14%).
Rounding out the list of threat vectors are malicious insiders (7%), other misconfigurations and system errors (6%),
business email compromise (5%) and social engineering (3%).

Figure 3: How cybercriminals are gaining access to cloud services


(from https://www.ibm.com/security/digital-assets/cost-data-breach-report/)

Top 10 Cloud Security Risks in 2021


#1 - Cloud Misconfigurations
When looking to implement cloud-based services and applications, many companies focus primarily on the service
providers’ security solutions. But often, threats and attacks do not come from service provider failures. Indeed,
according to Gartner, through 2025, customers will cause nearly all cloud security failures (99%).
IBM Security estimates that 19% of malicious breaches result from misconfigurations. One of the most prominent
recent data breaches, the 2019 attack on Capital One that exposed hundreds of thousands of social security
numbers, resulted from a cloud server misconfiguration.
According to the CSA, many common cloud misconfigurations involve access to ports (inbound and outbound). Other
common misconfigurations arise from poor Identity and Access Management (IAM) processes or failures to properly
configure virtual private clouds (VPCs).
There are many steps companies can take to identify and rectify cloud misconfigurations. Of primary importance
is performing asset inventory and continuous cloud configuration assessment. With asset- and risk-based
misconfigurations highlighted, you can then triage the misconfigurations and prioritize your remediation. Knowing
which misconfigurations carry the highest risk exposure and those that you can quickly address versus those that
require substantial time to rectify is key. Indeed, while some misconfigurations may require more than 24 hours to fix,
others may need more than a month.
Keep in mind that the threat of misconfigurations expands as your systems and services expand. Multi-cloud and
multi-region services can complicate your configuration efforts and require additional vigilance. Consider services
that can consolidate your configuration monitoring across clouds, regions and accounts.
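The assessment-and-triage loop described above, as an added example that is not part of the original guide or of any vendor product: a constructed inventory is checked for the three misconfiguration classes the CSA cites (internet-exposed ports, weak IAM, VPC settings), and the findings are ordered by severity and then by estimated fix effort so quick wins surface first. The inventory, severity scores and effort figures are all made up for illustration.

```python
"""Continuous configuration assessment with risk-based triage (example code;
the inventory below is constructed, not a real account)."""
from dataclasses import dataclass

# Constructed asset inventory in a simplified, provider-neutral shape.
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "inbound": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "inbound": [{"port": 3306, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-admin", "inbound": [{"port": 22, "cidr": "10.0.0.0/8"},
                                       {"port": 3389, "cidr": "0.0.0.0/0"}]},
    ],
    "iam_users": [
        {"name": "deploy", "mfa": False, "policies": ["AdministratorAccess"]},
        {"name": "analyst", "mfa": True, "policies": ["ReadOnlyAccess"]},
    ],
    "vpcs": [{"id": "vpc-prod", "flow_logs": False, "default_sg_open": True}],
}

# Services that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL",
                   5432: "PostgreSQL", 6379: "Redis"}


@dataclass
class Finding:
    asset: str
    issue: str
    severity: int       # 1 (low) .. 5 (critical); assumed scale
    effort_hours: int   # rough remediation estimate used for triage


def assess(inv):
    """Walk the inventory and emit one Finding per misconfiguration."""
    findings = []
    for sg in inv["security_groups"]:
        for rule in sg["inbound"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in SENSITIVE_PORTS:
                name = SENSITIVE_PORTS[rule["port"]]
                findings.append(Finding(sg["id"], f"{name} open to the internet", 5, 2))
    for user in inv["iam_users"]:
        if "AdministratorAccess" in user["policies"] and not user["mfa"]:
            findings.append(Finding(user["name"], "admin user without MFA", 5, 1))
        elif not user["mfa"]:
            findings.append(Finding(user["name"], "user without MFA", 3, 1))
    for vpc in inv["vpcs"]:
        if not vpc["flow_logs"]:
            findings.append(Finding(vpc["id"], "VPC flow logs disabled", 3, 4))
        if vpc["default_sg_open"]:
            # Re-homing workloads off a permissive default group is slow work.
            findings.append(Finding(vpc["id"], "default security group allows traffic", 4, 40))
    return findings


def triage(findings):
    """Highest severity first; among equals, the quickest fix first."""
    return sorted(findings, key=lambda f: (-f.severity, f.effort_hours))
```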



#2 - Cloud Cryptojacking
Cryptocurrency mining is a highly lucrative business, but it consumes enormous amounts of energy and processing
power. Indeed, the power consumption alone has made mining a high-profile political target for both environmental
groups and governments.

Due to the immense computing resources of cloud systems, they are a natural target for an increasingly popular
cyberattack: cryptojacking. Cryptojacking attacks use a variety of threat vectors, including malware and phishing, to
gain access to cloud services. Once comfortably installed in a user’s cloud environment, they begin to consume
increasing amounts of resources.

One highly publicized cryptojacking attack on cloud services hit popular car manufacturer Tesla. The attackers gained
access to a Kubernetes admin console for a Tesla Amazon Web Services (AWS) account that was not password
protected. They then used the Tesla account to mine Monero cryptocurrency.

What can companies do to avoid cryptojacking attacks? Monitoring your cloud services and workloads for indicators
of cryptomining binaries is one important step.

You should also continuously inspect north-south (N-S) traffic (i.e., traffic in and
out of your data centers) for suspect traffic. Reviewing flow logs alone is insufficient; instead, your mining detection
efforts should implement cloud-native deep packet inspection. Many major cloud providers have services that allow
you to mirror traffic for use in outside monitoring applications. These services include AWS Traffic Mirroring, GCP
Packet Mirroring and Azure vTAP.
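Why the guide says flow logs alone are insufficient, as an added example (not code from the original whitepaper or from any vendor): a flow-log record of a mirrored packet exposes only addresses, port and byte count, so a miner talking to a pool on TCP/443 is indistinguishable from an HTTPS session; only payload inspection sees the Stratum JSON-RPC handshake. The packets are constructed, and the method list is an assumption drawn from public Stratum pool documentation.

```python
"""Flow-log view versus deep packet inspection for a mining handshake.
Example code; all packets below are constructed, not captured."""
import json

# JSON-RPC methods used by Stratum v1 and by the login/submit variant that
# Monero-style pools use. Assumed from public pool protocol descriptions.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "submit", "keepalived"}

# Constructed mirrored packets. Both go to TCP/443, so a port rule or a flow
# log cannot separate them; the second carries a miner's pool login.
PACKETS = [
    {"src": "10.0.1.15", "dst": "203.0.113.10", "dport": 443,
     "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 40},
    {"src": "10.0.1.22", "dst": "198.51.100.7", "dport": 443,
     "payload": (b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
                 b'{"login":"WALLET_PLACEHOLDER","pass":"x",'
                 b'"agent":"miner-placeholder/1.0"}}\n')},
]


def flow_log_view(pkt):
    """What a VPC flow-log record contains: no payload, hence no verdict."""
    return {"src": pkt["src"], "dst": pkt["dst"], "dport": pkt["dport"],
            "bytes": len(pkt["payload"])}


def looks_like_stratum(payload: bytes) -> bool:
    """Stratum is newline-delimited JSON-RPC; flag a handshake on any port.
    Caveat: pools behind TLS hide this, so pair DPI with destination
    reputation and CPU-utilisation telemetry from the workload."""
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line.startswith(b"{"):
            continue
        try:
            msg = json.loads(line)
        except ValueError:          # covers malformed JSON and bad UTF-8
            continue
        if isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS \
                and "params" in msg:
            return True
    return False


def inspect(packets):
    """Return the flow-log view plus the verdict that only DPI can supply."""
    out = []
    for p in packets:
        view = flow_log_view(p)
        view["verdict"] = "stratum" if looks_like_stratum(p["payload"]) else "no-finding"
        out.append(view)
    return out
```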

#3 - Cloud Malware and Ransomware


Malware and ransomware are particularly damaging attacks and hackers continue to effectively use them against
businesses and organizations worldwide. For 2021, estimates suggest that a ransomware attack will occur every 11
seconds, resulting in over $20 billion in costs for the affected companies. And, cloud services are far from immune.

Hackers are using mutating Linux-based malware for everything from cyber-espionage to attack on IoT devices. And
with malware-as-a-service and rootkits increasing in popularity across the darkweb, vigilance against malware attacks
is increasingly essential.

To prevent malware attacks on your cloud services, you should analyze both storage and traffic because malware
can exist within stored data or be in transit to or through your cloud. Many cloud providers do not have a default
policy of scanning data in buckets for malware. But using cloud-native API services, you can define triggers that
activate malware scans depending on user activity, such as accessing files.

But you must do more than run malware scans on your stored cloud files (although you should do this with
regularity). You should also actively monitor cloud traffic for malware, especially because corporate users can put
malware in transit when uploading data to the cloud. Many services allow you to accomplish both with cloud-native
APIs.

In addition to active monitoring, you should also protect your data and
systems with backups, object versioning and cross-region replication (CRR). With proper backups, you can build the
capacity to recover quickly from a successful malware attack.

Limiting access to cloud storage is also an important step you should take. You should implement and enforce least
privilege access policies and make sure that you grant admin rights only when absolutely necessary. You should also
then monitor your cloud services for unauthorized connections.



#4 - Cloud Data Exfiltration
Data breaches are an unfortunate reality in today’s business environment, often with serious consequences.
Companies may incur substantial costs for containing and rectifying breaches, as well as associated reputational
damage. Breaches can also generate considerable public concern, such as in the Schoolzilla data breach that
exposed personal information on more than a million K-12 students.

There are many possible causes for data exfiltration. These include using public data buckets, misconfigured
permissions, unencrypted data, problems with IAM implementation and other associated human errors. Avoiding
these issues requires a concerted effort.

Prevention begins with proper configuration. You should have well-defined, least privilege or zero trust access policies,
as well as encryption requirements for data at rest. Moreover, you should implement automated guardrails for each
cloud in your environment (which may have its own language and complexities). Guardrails continuously monitor your
cloud deployments to identify potential deviations from your policies and practices.

Preventing data exfiltration also requires constant monitoring. You should use real-time N-S traffic inspection and
monitor your activity logs for evidence of exfiltration attempts, such as suspicious traffic patterns and destinations.

#5 - Cloud Software Supply-Chain Attacks


Here we refer to the software supply chain rather than the physical supply chain (although the physical supply chain
also has security challenges).

Agile cloud DevOps practices potentially create vulnerabilities for cloud applications and services. It’s important
for cloud developers to learn how to reuse code, including utilizing open source third-party modules and images
from large code repositories, which may already be vulnerable. In fact, a recent analysis found that more than half
of the images on the DockerHub repository had at least one critical vulnerability.

Code repositories add thousands of new containers every day. Unfortunately, this makes it easy for attackers to
insert backdoors in the software supply chain that are often invisible to simple Common Vulnerabilities and
Exposures (CVE) checks.

Once again, monitoring is critical for risk mitigation. You must continuously inspect VMs and containers for malicious
code, including at build and ship times. Relying on software bills of material (SBOMs) or CVEs is not sufficient.

In addition, you should monitor network traffic for command and control (C2) activity. Modern C2 traffic is highly
evasive, and IP and domain blacklists alone will not provide sufficient C2 protection.

#6 - Cloud Brute-forcing and Privilege Escalation


Brute force and privilege escalation attacks also skyrocketed as the number of remote employees increased during
the pandemic. Hackers use these attacks both for initial infection and lateral spread through corporate networks.
And, cloud services are just as susceptible to these attacks as on-premises networks.

To manage brute force and privilege escalation risk, you must carefully provision and monitor your systems,
particularly those interacting with remote workers and services. Give particular attention to RDP and SSH protocol
provisioning because brute force attacks primarily occur through them. As always, you should also then monitor for
suspicious network activity using these protocols.

Moreover, because privilege escalation impacts your IAM policies and processes, you should continuously monitor
for anomalous activity from IAM users and activity that is inconsistent with IAM roles.



#7 - Cloud External Server/API Compromise
External-facing web servers and API endpoints are common starting points for cloud service exploits. As just one example,
a recent study by Palo Alto Networks identified potential attack vulnerabilities in 22 APIs across 16 AWS services.

Protecting against server and API compromise is a multi-faceted task. Beginning with the obvious, you should
prioritize patching according to the risk severity. Prioritization should address an attack’s likelihood (e.g., how large is
the attack surface and what is its external exposure?) and its impact if successful (e.g., the CVE severity).

Less obvious is the need to consider the vulnerability of your internal workloads in addition to outward-facing
instances. Least privilege access is crucial for every workload component, and your policies should demand it.

You should also rely on cloud-native resilient API frameworks. Investing in web application firewalls (WAF) and other
modern app-aware API security tools is another vital element of a robust cloud security program.

#8 - Cloud Credential Leaks


Hackers frequently access corporate networks and cloud systems using stolen credentials or those credentials that
users failed to protect adequately. And, it only takes minutes to inflict substantial damage using leaked credentials.
Unfortunately, despite the publicity surrounding cyberattacks using compromised credentials (for example, the
breach of a GitHub repository that gave hackers access to Uber’s AWS credentials and exposed the data of 57 million
people worldwide), organizations still fail to put proper protections in place.

Given the ease and speed of using compromised credentials, you must conduct checks at every stage of the lifecycle
from build to deployment, including secrets detection. Secrets detection processes should address source code (not
always a simple task), continuous integration and delivery (CI/CD) processes, and VM and container images.

But secret detection alone is not enough. Credential leaks frequently occur through
widespread malicious activities such as phishing or existing but unidentified breaches. So, in addition to training your
employees on proper password hygiene and credential protection processes, you must once again turn to continuous
monitoring. Look for any unusual activity concerning credentials and your cloud assets.
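The secrets-detection stage described above, as an added example that is not part of the original guide: a small scanner run over constructed source, CI configuration, Dockerfile and key-file contents. It uses the documented AWS example key pair (not live credentials) and shows the one refinement that keeps such scans usable in CI, namely ignoring `$VAR` references that the pipeline resolves at runtime. The detection patterns are an assumption of this example, not an exhaustive rule set.

```python
"""Secrets detection across source, CI config and image build files.
Example code; every file below is constructed for illustration."""
import re

# Detection patterns (assumed heuristics, deliberately small). The AWS key
# values matched in the sample are the publicly documented example pair.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_key": re.compile(r"(?i)aws.{0,20}secret.{0,20}['\"]?([A-Za-z0-9/+=]{40})"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(r"(?i)(password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{6,})"),
}

# Constructed repository contents: a config module, a CI job, a Dockerfile
# and a key file copied into the image by mistake.
SAMPLE_FILES = {
    "app/config.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'REGION = "us-east-1"\n'),
    ".gitlab-ci.yml": (
        "deploy:\n"
        "  script: ./deploy.sh\n"
        "  variables:\n"
        "    DB_PASSWORD: $DB_PASSWORD   # injected by the CI runner, not a leak\n"),
    "Dockerfile": (
        "FROM python:3.11-slim\n"
        "ENV DB_PASSWORD=Sup3rS3cret!\n"
        "COPY id_rsa /root/.ssh/id_rsa\n"),
    "id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n<constructed placeholder>\n",
}


def scan_text(path, text):
    """Return (path, line_number, kind) for each suspected secret in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if kind == "hardcoded_password" and value.startswith("$"):
                continue   # variable reference resolved by CI/shell, not a literal
            findings.append((path, lineno, kind))
    return findings


def scan_tree(files):
    """Scan a {path: contents} mapping, e.g. a checkout or an unpacked image layer."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out
```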

#9 - Cloud (Limited) Visibility


Until recently, practitioners had access only to flow logs in the public cloud rather than the deep packet inspection
typical of on-premises monitoring. More automated analysis, including agent-based approaches to generating cloud
visibility, is notoriously difficult to deploy and can leave so-called “dark space” in network models.

There are many different tools for increasing visibility in your cloud stack. For network traffic, you can use cloud-
native mechanisms, including previously mentioned traffic mirroring services. For storage, consider how you can best
apply cloud-native triggers tied to data access. Computational visibility tools include agentless VM and container
scans. And, on the control plane, you have activity and audit logs.

Cloud-native automated guardrails also help maintain cloud visibility. Guardrails allow you to automatically inspect
new regions, accounts, VPCs, and buckets as they are brought online, with no human intervention.

#10 - Cloud Insider Threats


Unfortunately, insider threats are all too real, and cloud usage exacerbates the difficulty of dealing with them.
Obviously, you can employ standard methods such as least privilege access and zero trust models to limit insider
threats. But you should also consider more advanced means such as probabilistic detection.

User and Entity Behavior Analytics (UEBA) is a promising tool for probabilistic threat detection. UEBA tools look at
user behavior (reflected in activity data, for example) to identify anomalous or suspicious activity.



Getting It All Together
Modern cyberattacks are multi-source and multi-vector. They span the control plane and the data plane and implicate
networks, applications and data. Therefore, your cloud defense must similarly be multi-dimensional.

Cloud risk management should include countermeasures at every stage in the software lifecycle, including build,
ship and runtime phases. By focusing on the top risks and root causes of security breaches, you can build a robust
defensive framework. And with automation, you can increase visibility and allow your security efforts to keep pace
with agile cloud DevOps efforts.

Blue Hexagon Continuous Cloud Threat Detection and Response

Blue Hexagon’s Continuous Cloud Threat Detection and Response Deep Learning platform enables enterprises to
adopt the cloud securely, reduce risk and detect & resolve threats faster. Cloud Security and DevOps teams can now
continuously defend and harden their cloud against errors and attacks, throughout the cloud lifecycle. Customers
protect their business and brand against known and unknown threats including ransomware, malware, including
zero-day, C2, cryptomining and insecure apps/code by prioritizing risk combining threat and misconfiguration
detection. The multi-cloud agentless-actionable-accurate solution deploys in minutes, integrates with cloud-native
stack to help reduce DevSecOps friction and triage delays for faster remediation.

Blue Hexagon is the world’s most recognized AI cybersecurity company and has been widely adopted by leading
technology, healthcare and financial organizations.

Blue Hexagon is trusted and deployed by leading healthcare, electronic retail, technology, insurance, and financial
services companies such as Pacific Dental Services, Narvar and Prime to secure their public cloud workloads,
computer and data. Our customers quickly deploy Blue Hexagon in AWS, GCP or Azure clouds within minutes,
instantly identify their assets and start detecting threats, ransomware and malware as well as misconfigurations, and
non-compliance, with one solution across their complete cloud lifecycle.

Blue Hexagon has been recognized in Forbes AI 50 for Next Gen NDR innovation, included in the 2020 Gartner
Market Guide for Network Detection and Response, named to CNBC’s Upstart 100 list of “World’s Most Promising
Startups”, was tested by Miercom as the most effective of four leading security products against the most lethal
zero-day malware, ransomware, worms, botnets and evasive malicious threats and was named to the 2021 CB
Insights AI-100 list of “Most Innovative Artificial Intelligence Startups”, CRN’s “10 Hottest AI Security Companies
You Need to Know”, and most recently recognized by Analytics Insights “Top 100 Artificial Intelligence Startups to
Lookout for in 2021”.
Blue Hexagon is headquartered in Sunnyvale, CA, and backed by Benchmark and Altimeter Capital. Follow us on
Twitter @bluehexagonai or on the Web at www.bluehexagon.ai

Headquarters
150 W Iowa Avenue #103
Sunnyvale, CA 94086
www.bluehexagon.ai
inquiries@bluehexagon.ai
