The past five years have seen the emergence of various cloud services and the trend is only growing stronger. As expected, attackers have been fast to leverage this trend and execute attacks. While some of the attack techniques we’ve seen are new, and are the direct result of new technologies and DevOps culture that are associated with modern cloud development, some attack techniques don’t differ from what you see on your on-premises infrastructure. However, the result is more significant because parity has not been achieved between the security practices that are practiced on-premises with what needs to be practiced in the cloud.
In this post we will look at cloud attacks from an attacker's point of view, to see how attackers have adapted their modus operandi to the new playground, learn what has been changed in an attacker’s kill chain, and understand how Azure Security Center can help you detect attacks in your infrastructure.
- Reconnaissance - Successful attacks start with great intelligence on the target (i.e. HUMINT, OSINT). This information is usually being collected in a passive manner using social networks and web searches. Unfortunately for the attackers, when it comes to attacking cloud environments, social networks are not a good source of intelligence. This is because the targets they are after are servers and not users. This forces the attackers to actively scan and probe the target environment to reveal its attack surface and vulnerabilities. The reconnaissance step is no longer passive.
- Delivery - Operating/managing cloud resources is done remotely via RDP/SSH. Thus, delivering a malicious payload to a cloud resource is not practical. This means that attacks such as drive-by-download, malicious e-mail attachments and rogue USB don't make sense when attacking a cloud environment, unless of course, the attacker is after the cloud operator that resides on-prem. The delivery step is no longer relevant.
- Exploitation - Attackers love attacking client-side applications, such as browsers and document viewers that are widely deployed. However, as we have seen, delivering malicious files to a cloud resource that will eventually exploit a client-side vulnerability is tricky unless the admin has downloaded them to the resource intentionally or was socially engineered into doing so. This shifts the attacker's focus from client-side to server-side vulnerability exploitation (e.g. Shell Shock). The exploitation step is no longer client-focused.
- Lateral movement - Once breached, attackers will probe the internal network for new targets. This step includes harvesting/stealing user credentials from machines and moving laterally in the network. Cloud environments are made of resources that leverage keys and tokens to authenticate (on top of hashes). This introduces new “resource-pivoting” techniques that attackers take advantage of in order to move laterally within the cloud environment. The lateral movement step introduces new attack vectors.
This new mindset influences the types of attacks we see, which include:
- Secret reconnaissance - Attackers consistently scan public source repositories, and pray upon developers who accidently check in files that contain a password/certificate/token that enables access to a cloud resource (e.g. Storage).
- Resource abuse - Attackers gain access to multiple resources in different regions using fake credit cards and/or server-side vulnerabilities and leverage this “temporary” horse power to orchestrate attacks such as DDoS, Brute Force and Port scanning.
- Resource pivoting – Attackers gain access to a resource (e.g. Storage), harvest more secrets, pivot to other resources, and in some cases where trust is broken, pivot to the on-premises environment.
- Management port exploitation - Attackers consistently scan cloud providers' IP ranges to locate machines with exposed management end points (e.g. SSH, RDP, SQL). Once detected, attackers will try to brute force and exploit these end points, taking advantage of new machines with weak passwords and/or bad configurations.
Detecting and preventing cloud attacks require defenders to understand the new attack surface exhibited by the differences discussed above. Questions such as Where to monitor? What data to collect? Which attack scenario am I looking at? need to be answered.
Azure Security Center can help you detect attacks on your infrastructure by focusing on the following areas:
- Virtual machine analysis – Collect, correlate and perform behavioral analysis on top of VM (IaaS/PaaS) data which include security events, kernel traces and crash dumps to name a few. These events help reveal suspicious process executions and malicious user activities which may indicate an insider threat.
- Network analysis – Inspect network signals and perform both flow and deep packet analysis to detect network threats. These signals help reveal volumetric attacks such as incoming/outgoing brute force, DDoS and port scanning attacks.
- Resource analysis – Monitor access logs to cloud resources such as Storage and SQL. These logs help reveal excessive access rates and geo location anomalies that are associated with a data breach.
- Blind spot analysis – Pinpoint new areas that need to be monitored and segregated in order to increase the detection coverage and reduce the attack surface. This analysis yields new recommendations that helps to harden the environment. This includes installing new security software, installing critical patches and enabling audit logs.
Our security research team is dedicated to reveal new cloud attack techniques and help you understand and eliminate them.
Interested to learn more about cloud attacks, defense and trends? Check out our RSA presentation, Cloud Attacks Illustrated: Insights from the Cloud Provider.