JayThvV
Product and Topic Expert

Recently, three interesting reports came out that give insight into the current state of cloud security from different perspectives. The cloud infrastructure and service provider view is represented by Google Cloud’s Threat Horizons H1 2024 Report (TH2024). Orca just published their 2024 State of Cloud Security Report (SCS2024), giving the cloud users’ perspective through their Cloud Native Application Protection Platform (CNAPP). Finally, Crowdstrike’s 2024 Global Threat Report (GT2024) adds a runtime Extended Detection and Response (XDR) flavor. Together they complete the picture across system landscapes, including cloud environments.

I would encourage reading the reports. Together they help with a broader understanding of common cloud threats.

In this blog, I review highlights from the reports and explain why cloud operators need to act quickly to protect themselves from cybercrime. I conclude with practical and effective measures that you can take quickly to reduce the risk of common cloud threats.


Report Findings

The findings indicate that many cloud landscapes remain vulnerable, while adversaries are becoming more cloud conscious. However, many cloud threats can also be blocked quite easily, which is promising.

Initial Access Methods of Cloud Compromises

The usual suspects of cloud misconfigurations, vulnerable software and leaked credentials as common initial access methods for adversaries are not new. The nearly 14% of compromises that started from exposed sensitive web UIs or APIs is also a known and rising threat. But seeing over half of cloud compromises coming from publicly exposed resources over Secure Shell (SSH, port 22) and Remote Desktop Protocol (RDP, port 3389) connections with weak or no password protection is surprising: a failure of basic security hygiene.

Data source: SCS2024

Google Cloud’s view of the impact of cloud compromises reflects the visibility they have as a provider. Over 65% of cases were for cryptocurrency mining, and another 26% leveraged compromised cloud resources to infect third parties. These are opportunistic adversary activities that are easily detected. They are also violations of cloud providers’ acceptable use policies.

Vulnerabilities, Identities and Access

The State of Cloud Security report provides more insight higher up the stack. Orca presents the data as the percentage of subscribing organizations’ landscapes in which each issue was observed through their Cloud Native Application Protection Platform (CNAPP). It is not based on incident response data but on overall security and compliance posture. For full disclosure, SAP is an Orca customer but runs a private instance of the solution that is not included in their dataset. The report reflects Orca’s Software as a Service (SaaS) customers.

Highlights from the report are in the chart below. The color of the bars matches the main themes of the report. Issues around vulnerabilities and Identity & Access (IAM) dominate. But on further examination, these themes also return in other categories. Neglected assets are not updated, so known vulnerabilities pile up as new ones are discovered and announced. Such assets will also have unused user credentials as time goes by.

Data source: SCS2024

The Continuous Integration/Continuous Delivery (CI/CD) security findings discovered in code repositories also tie back to vulnerabilities and IAM. Most cloud landscapes are relatively new, yet the Orca report shows decades-old vulnerabilities being deployed into the cloud. Cloud systems have simply not been around long enough for this to be the outcome of deploy-and-forget; those vulnerabilities arrive with the code and images being deployed.

Unencrypted secrets in source code are a real danger. Hostile bots run over public code repositories to detect commits that contain secrets. Adversaries exploit those secrets to gain access to cloud resources or the cloud control plane. Internally hosted code repositories are not safe either. Adversaries who already have access to internal networks will scan internal code repositories for secrets for lateral movement into other parts of the landscape.

Adversaries Becoming More Cloud-Conscious

Crowdstrike’s report has one of its main 2023 themes dedicated to identity-based and social engineering attacks. They observed adversaries stealing account credentials, Application Programming Interface (API) keys and secrets, session cookies and tokens, one-time passwords (OTP) to bypass multi-factor authentication (MFA), and Kerberos tickets. Some of these allow adversaries a pivot to a victim’s cloud landscape.

This report also indicates that adversaries are becoming more cloud conscious (GT2024 p. 17). Crowdstrike distinguishes between two different types of threat actors: Those who either were not aware that they compromised a cloud environment or did not take advantage of cloud features, and those that were cloud conscious and used their access to abuse the victim’s cloud services.

In comparison with 2022, in 2023 Crowdstrike observed an overall growth of 75% in cloud intrusions. But while the cloud-unaware cases rose by 60%, the cloud-conscious cases grew by 110%. While most cases in 2023 were still cloud unaware, the trend Crowdstrike observed is only bound to continue.


Defend Against Common Cloud Threats

Orca observed a marginal improvement in security scores, compared to their previous report published in 2022 (SCS2024 p. 26). But considering the findings above and increasingly cloud conscious adversaries, cloud operators need to do better. Assuming an organization already uses cloud providers, and has CNAPP and Endpoint Detection and Response (EDR) solutions deployed as represented by these reports, I won’t go into Cloud Security Posture Management (CSPM) and vulnerability management programs. Setting these up for effective governance takes significant effort, as SAP has experienced itself.

However, there are low-cost and effective controls that either eliminate or mitigate several of the cloud threats described in these reports. You can implement these quickly and without more expensive tooling. Explore these options to make real progress in defending against the common threats we just discussed.

Cloud Guardrails

Since February 2020, SAP has deployed an increasing range of preventive controls or cloud guardrails that enforce baseline security controls on the public cloud landscape. These guardrails are applied on AWS organizations, Azure tenant root groups, and Google Cloud organization resources, so they operate on all cloud accounts in those organizational structures. That includes any new ones that are created. Such controls make cloud accounts more secure-by-default and cannot be turned off by either cloud operators or adversaries. I recommend implementing a suitable set of controls for your own organization.

One of these controls, for instance, blocks many common admin ports from the public internet. Those include SSH and RDP. Regardless of password strength, this control alone eliminates 51% of the cloud compromise initial access in Google Cloud’s report.

MFA for Cloud Admins

Another such control, and another SAP guardrail, is to enforce MFA for all your cloud administration users at the organization level. Orca’s report says that 61% of organizations have root and account owners without MFA. MFA does not necessarily protect against all account take-over attacks, but it certainly makes them much more difficult for adversaries. It also mitigates the risk of unused IAM credentials.

SAP administrator user accounts must be SAP identities. That limits adversaries’ ability to add their own administrator user accounts to gain a foothold for lateral movement. A similar control in your landscape would prevent adversaries from adding their own administrator accounts with different domains. Combined with MFA, that sets up a significant barrier.
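As an added illustration (not from the post or SAP’s own tooling), the script below reviews a credential report for exactly the two issues above: console and root identities without MFA, and credentials that have gone unused. It assumes the column names of the AWS IAM credential report, a constructed sample report, and a 90-day staleness threshold.

```python
# Added example (not from the blog or SAP): review an IAM credential report for
# console/root users without MFA and for credentials unused beyond a threshold.
# Assumes the AWS IAM credential report column names; unused columns are omitted.
import csv
import io
from datetime import datetime, timedelta, timezone

UNUSED_AFTER = timedelta(days=90)                     # threshold is an assumption
AS_OF = datetime(2024, 3, 15, tzinfo=timezone.utc)    # report date of the sample

# Constructed sample report (same layout as the real report, trimmed to used columns).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,not_supported,2024-03-01T08:00:00+00:00,false,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,true,2024-03-10T09:12:00+00:00,true,true,2024-03-11T10:00:00+00:00,false,N/A
bob,arn:aws:iam::111111111111:user/bob,true,2023-09-01T12:00:00+00:00,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,false,no_information,false,true,2023-06-15T00:00:00+00:00,true,2024-03-12T00:00:00+00:00
"""

def parse_last_used(value: str):
    """Timestamps are ISO 8601; 'N/A' and 'no_information' mean never used."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def is_stale(value: str, now: datetime) -> bool:
    last = parse_last_used(value)
    return last is None or now - last > UNUSED_AFTER

def review_credential_report(report_csv: str, now: datetime = AS_OF) -> list:
    """Return (user, issue) pairs; root is always treated as a console identity."""
    issues = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>" or row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                issues.append((user, "no MFA"))
            if is_stale(row["password_last_used"], now):
                issues.append((user, "password unused"))
        for k in ("1", "2"):
            if row[f"access_key_{k}_active"] == "true" and \
               is_stale(row[f"access_key_{k}_last_used_date"], now):
                issues.append((user, f"access key {k} unused"))
    return issues

if __name__ == "__main__":
    for user, issue in review_credential_report(SAMPLE_REPORT):
        print(f"{user}: {issue}")
```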

Continuous Delivery and Build Checks

Cloud provider APIs are designed for modern cloud-native Continuous Integration/Continuous Delivery (CI/CD). This allows for reproducible deployment-as-code that can be re-run at will – for instance in a full landscape restoration after an incident – and accelerates the controlled rollout of fixes.

Infrastructure as Code (IaC) scanning, static code analysis (SAST) and image scanning all find misconfigurations and vulnerabilities in your base image, application code and dependent libraries. Integrating such scans in your CI/CD build checks – and failing the build when alerts are encountered! – prevents the known vulnerabilities mentioned in the Orca report from being deployed into the landscape. You can prevent old vulnerabilities from being deployed and re-deployed into new cloud landscapes.
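The admin-port guardrail from the Cloud Guardrails section and the build check described here can be combined into one CI/CD gate on IaC. The script below is an added example, not code from the post or SAP; it assumes a simplified dict rendering of security-group ingress rules (such as one extracted from a Terraform plan) and a constructed sample.

```python
# Added example (not from the blog or SAP): a CI/CD build check that fails when
# security-group rules (assumed simplified dict form, e.g. from a Terraform plan)
# expose admin ports to non-private sources. Guardrail ports here: SSH and RDP.
import ipaddress
import sys

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # extend with other admin ports as needed
# Sources treated as internal: RFC 1918 ranges and IPv6 unique local addresses.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_public_source(cidr: str) -> bool:
    """True unless the whole source CIDR lies inside one private range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_RANGES)

def exposed_admin_ports(rule: dict) -> list:
    """Admin ports a rule admits; protocol '-1' is AWS's 'all traffic' (every port)."""
    if rule.get("protocol") not in ("tcp", "-1"):
        return []
    lo, hi = (0, 65535) if rule["protocol"] == "-1" else (rule["from_port"], rule["to_port"])
    return [p for p in ADMIN_PORTS if lo <= p <= hi]

def check_security_groups(groups: list) -> list:
    """One finding per (group, port, source) with an admin port reachable from outside."""
    findings = []
    for sg in groups:
        for rule in sg.get("ingress", []):
            if not is_public_source(rule["cidr"]):
                continue
            for port in exposed_admin_ports(rule):
                findings.append({"group": sg["name"], "port": port,
                                 "service": ADMIN_PORTS[port], "source": rule["cidr"]})
    return findings

def run_build_check(groups: list) -> int:
    """Build-step entry point: a non-zero exit code fails the build on any finding."""
    findings = check_security_groups(groups)
    for f in findings:
        print(f"FAIL {f['group']}: {f['service']} ({f['port']}/tcp) open to {f['source']}")
    return 1 if findings else 0

# Constructed sample: SSH from a bastion subnet passes; RDP and all-traffic to the world fail.
SAMPLE_GROUPS = [
    {"name": "app-sg", "ingress": [
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.20.0.0/24"}]},
    {"name": "legacy-sg", "ingress": [
        {"protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"},
        {"protocol": "-1", "from_port": 0, "to_port": 0, "cidr": "::/0"}]},
]
```

Wire it into the pipeline with `sys.exit(run_build_check(groups))` after loading the plan output.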

Scan for secrets in your code repositories with SAP’s Credential Digger or a similar tool. Use cloud provider Key Management Services (KMS) and Secrets Managers. You can even enforce secure configuration of those services through a cloud guardrail control.

Autoscaling

It may come as a surprise to add autoscaling of workloads as a security measure. However, autoscaled virtual machines (VMs) and Kubernetes container-based workloads are continuously refreshed from images in an image repository. That means any foothold an adversary might achieve on a VM or container will soon be replaced by a copy of the original image.

That doesn’t stop attackers from compromising the same vulnerability again if it hasn’t been patched. But Crowdstrike’s cloud-unaware segment will keep losing the access they established through rootkits installed on VMs and containers, as those instances are cycled out through autoscaling. That buys you time to act, forces adversaries into alternative techniques for persistence, and gives more opportunities to detect malicious activity.


Make the Cloud Your Ally

All these recommendations have something in common: they all leverage the capabilities that cloud service providers such as Amazon Web Services (AWS), Azure and Google Cloud Platform (GCP) have designed into their platforms. Their cloud APIs and cloud control planes are not just powerful to manage cloud infrastructure. They also provide an unprecedented opportunity to run secure and compliant in the cloud.

Make the cloud your ally in the struggle against these common cloud threats. However much you have lifted & shifted, you can still take advantage of the cloud control plane methods described above. SAP already has.


More Information

You can find the threat reports and hyperscaler documentation regarding the implementation of cloud guardrails via the links below: