Hackers are increasingly using the cloud to carry out attacks - NDR can help

It is no secret that more people are working remotely than ever before, and adoption of cloud technologies is accelerating rapidly in every respect, from operations and ease of use (and management) to scalability and resiliency. From a cyber perspective, the cloud represents a significant change compared to the on-premises world.

With cloud vendors managing the applications and infrastructure, customers depend on their security and reporting capabilities to get visibility into their own environments. New application frameworks designed to take full advantage of cloud-native architectures can still contain significant vulnerabilities. Microservice-oriented architectures feature applications that exchange data over the cloud-based network via APIs. It is difficult for traditional tools to monitor the application and user interactions within the application in this type of architecture. Network detection and response (NDR) tools can help bridge the security gap inherent in these environments.

Keeping up with the adversary

Many enterprises migrate data and/or services to the cloud to host their applications, infrastructure and data services. So, it is no surprise that bad actors have chosen to leverage the cloud for their nefarious purposes. Cybercriminals exploit several kinds of weakness to attack cloud systems. Here are some of the most common examples.

Misconfiguration: Cloud service providers like AWS and Microsoft Azure offer robust, built-in security features. However, these tools provide support primarily for the underlying cloud infrastructure. Customers must provide security for the applications and databases that they host on top of the infrastructure. Increasingly complex service offerings raise the bar for the skillset required to configure and monitor applications hosted in the cloud. Most exposures of cloud-based systems come from configuration-related human error.

APIs: The prolific nature of mobile applications, together with trends in cloud-native application development that push developers toward microservice-oriented architectures, has increased the use of APIs. API vulnerabilities are not always easy to spot and require specialized technology for detection. Hackers are becoming more proficient at using APIs to breach sensitive user data. Because there are no distinct boundaries like those in the physical world, adversaries may use vulnerabilities within an API to exfiltrate data. Thus, rushing straight to the cloud without proper consultation and design can leave you vulnerable.

Reduced visibility and control
When assets and operations transition into the cloud, there is a loss of visibility and control. New assets can be set up with the click of a button, while ensuring visibility and meeting the foundational requirements that would be done in an on-premises environment sometimes gets left behind.
One of the main reasons for this is that customers feel the responsibility for enforcing policies and maintaining infrastructure now shifts to the cloud service provider.
The problem is that relying only on the cloud infrastructure provider creates serious gaps in your security program.

Elastic self-service models simplify unauthorized use
One of the primary benefits of the cloud is how easy it is to provision new services. A cloud administrator can spin up costly services and infrastructure without authorization. This can bloat an organization’s shadow IT footprint and present additional cybersecurity risk to their assets.

Multi-tenant infrastructure
Multi-tenancy on the same hardware and infrastructure can lead to a failure to maintain separation among tenants. Attackers can leverage one tenant with inadequate security controls to gain access to another organization’s resources.

Incomplete data deletion
It is more difficult for organizations to verify the secure deletion of data in the cloud. Users have very little visibility into where data is physically stored and it is often spread across multiple devices shared with other tenants.

Greater damage from insider threats
The impact of a malicious insider threat is exacerbated in the cloud. An insider can provision new resources to carry out attacks or exfiltrate data without being detected. Forensics and investigative capabilities may not be available natively in the cloud. NDR systems can extend the forensics and investigative capabilities necessary to detect activities from insider threats.

Cloud data has become a prime target for attacks. A whopping 86% of cybercrimes were for financial gain this year, and 80% of successful web attacks were the result of stolen credentials. These figures continue to trend upward as companies move their data to the cloud.

Furthermore, attacks like ransomware that used to take days or weeks now take hours to achieve, taking advantage of the scalable computing power and terabytes of hosted data in the cloud. In many cases, by the time the breach is discovered, cloud logs containing terabytes of stolen sensitive data are already for sale in dark web marketplaces.

Attacking from the cloud

Bad actors have many ways to use the cloud to their advantage. These include credential exposure, incorrectly configured cloud buckets, crypto-mining, server-side request forgery (SSRF), and Access as a Service (AaaS).

Credential exposure can occur when the attacker decompiles application code and searches for usernames and passwords within the code, providing them quick access. Incorrectly configured cloud buckets contain bucket-level permissions that do not always apply to the objects within them. Gaining access to these buckets allows the attacker to search for an open data store and extract the desired data.

A crypto-mining attack occurs when a cybercriminal hacks computing resources and redirects them for cryptocurrency mining. SSRF happens when the attacker exploits a container with an SSRF flaw to steal credentials and establish a remote session to execute API calls. The attacker can use these API calls for whatever they want. To make matters worse, cybercriminals are thoughtful enough to provide access as a service for other criminals for a price.

Each of these attacks displays anomalous behavior on a network, but you can detect them with the right platform – the key for all this is the visibility that goes beyond logs. Cloud providers offer partial visibility and auditing services, and everyone is using them. The problem is that it is a very limited view that doesn’t contain all that happened on the network, but rather a high-level summary of activities. This is far from sufficient, and customers are looking to get the actual data to understand the threat landscape and be able to respond effectively.

Legacy systems are comprised of multiple different components that take time to parse threat data. In order to keep pace with the adversary, the security team must understand Users/Applications/Data relationships and activities. That is the key for being able to properly reduce risk and being able to respond in a timely manner.

NDR provides the needed visibility

Performance and security are critical to an organization’s success. Monitoring network traffic and getting true visibility that goes deeper than your basic metadata logs from the cloud provider is the only way to ensure visibility and the ability to secure your applications. NDR systems rely on AI and machine learning algorithms to build a holistic view of all traffic traversing the network. No different than the on-premises world, to truly understand and secure your environment, you must be able to see it first. By definition, this must include packets traversing the cloud.

Traditional security systems cannot keep up with the rising number of attacks. To keep you and your customers safe, you must be able to identify anomalous behavior as it occurs and enable an immediate response process once suspicious behavior has been detected. WireX Systems’ NDR platform takes raw data packets on your network and automatically performs a deep dive to identify each action.

After the packet is investigated and reconstructed, a human-readable and user-friendly output is created for security operators to review. Network detection and response provides a holistic view of your network and leaves no space unmonitored.

While in-depth visibility is the foundation, NDR provides actionable information that is critical for threat detection and response. The ability to immediately visualize what took place right before an event, what occurred during and right after the event, who was involved and what data was accessed is paramount to the incident outcome.
WireX’s NDR also provides automatic views of the analyzed data to accelerate the operator’s work, and it includes investigation management capabilities to provide an audit trail and enable sharing of the forensics steps taken with other team members and management.

Playbooks and scheduled tasks that are executed automatically are a force multiplier, especially when there are less experienced or new analysts on the team. They allow first-tier team members to execute the same steps that more seasoned analysts would have taken, and free the seasoned operators to deal with more advanced tasks, such as threat hunting.

Threat hunting becomes more efficient with the amplified bandwidth and valuable details of an attack. WireX’s NDR removes the need for analysts to have years on the job and allows them to quickly validate alerts and expertly resolve issues, providing holistic views of users, applications and the network.

The NDR platform executes all of the heavy-lifting of translating packet-level information into the exact actions that took place, automatically correlating alert-related information, and enables team members at any level to respond quickly and operate more efficiently.

Facebook (Cultura Colectiva) breach

In 2019, digital media company Cultura Colectiva exposed over 540 million Facebook user records as the result of an insecure AWS server. The exposed data included user IDs, account names and other sensitive data. The configuration of the Amazon S3 bucket allowed attackers to publicly download files.
The leaked data was specific to the “At the pool” application, which puts the onus on Cultura Colectiva to secure the AWS bucket, even though the data was fed from Facebook. Amazon sent multiple notifications to its customers about the insecure bucket starting in January. However, the bucket was not made secure until the beginning of April. Platforms like WireX’s NDR can help detect data exfiltration, reducing the impact of events like this.
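As an added illustration of the detection the preceding sections describe (this is example code, not WireX’s own technology and not the Cultura Colectiva data), here is one rule of the kind an NDR platform could run over HTTP requests reconstructed from packets to a storage bucket: it flags a client that pulls many distinct objects without presenting credentials within a short window, which is the pattern an openly readable bucket shows while it is being harvested. The request records, IP addresses and thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): HTTP requests to a storage bucket as an NDR
# platform might reconstruct them from packets. Tuple fields:
# (timestamp, client IP, method, object path, credentials presented?, status, bytes)
SAMPLE_REQUESTS = [
    ("2019-03-01T10:00:01", "203.0.113.5", "GET", "/exports/users-0001.csv", False, 200, 40_000_000),
    ("2019-03-01T10:00:09", "203.0.113.5", "GET", "/exports/users-0002.csv", False, 200, 40_000_000),
    ("2019-03-01T10:01:30", "203.0.113.5", "GET", "/exports/users-0003.csv", False, 200, 40_000_000),
    ("2019-03-01T10:03:12", "203.0.113.5", "GET", "/exports/users-0004.csv", False, 200, 40_000_000),
    ("2019-03-01T10:02:00", "198.51.100.7", "GET", "/exports/users-0001.csv", True, 200, 40_000_000),
    ("2019-03-01T10:02:05", "198.51.100.7", "GET", "/exports/users-0002.csv", True, 200, 40_000_000),
    ("2019-03-01T10:02:10", "198.51.100.7", "GET", "/exports/users-0003.csv", True, 200, 40_000_000),
    ("2019-03-01T10:04:00", "192.0.2.44", "GET", "/public/logo.png", False, 200, 12_000),
    ("2019-03-01T10:05:00", "192.0.2.44", "GET", "/exports/users-0001.csv", False, 403, 0),
]

def load_sample(rows=SAMPLE_REQUESTS):
    """Turn the raw tuples into dicts with parsed timestamps."""
    keys = ("time", "client_ip", "method", "path", "authenticated", "status", "bytes")
    recs = [dict(zip(keys, row)) for row in rows]
    for r in recs:
        r["time"] = datetime.fromisoformat(r["time"])
    return recs

def find_anonymous_bulk_downloads(requests, window=timedelta(minutes=10),
                                  min_objects=3, min_bytes=100_000_000):
    """Flag clients that fetched many distinct objects without credentials in a short window.
    One anonymous fetch of a public asset is normal; a credential-less sweep of many
    large objects is what an open bucket looks like while it is being harvested."""
    by_client = defaultdict(list)
    for r in requests:
        if r["method"] == "GET" and not r["authenticated"] and r["status"] == 200:
            by_client[r["client_ip"]].append(r)
    findings = []
    for ip, recs in by_client.items():
        recs.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(recs)):  # sliding window over this client's successful fetches
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            win = recs[start:end + 1]
            if len({r["path"] for r in win}) >= min_objects and sum(r["bytes"] for r in win) >= min_bytes:
                findings.append({"client_ip": ip, "objects": len({r["path"] for r in recs}),
                                 "bytes": sum(r["bytes"] for r in recs),
                                 "first": recs[0]["time"], "last": recs[-1]["time"]})
                break  # one finding per client
    return findings
```

Authenticated bulk reads are excluded so that a legitimate backup job is not flagged; the window and thresholds should be tuned to the bucket’s normal traffic.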

Why choose WireX

WireX Systems is changing the incident response and threat hunting model with technology that allows anyone on the security team to carry out faster, more efficient investigations while reducing overall costs. Our Contextual Capture™ technology provides immediate insight into generated alerts, providing in-depth visibility to the world’s largest organizations.

By raising analysts’ skills and producing workflows for knowledge sharing, the solution empowers the security team to handle more threats in less time. Today, leading enterprises rely on WireX Systems for their forensics infrastructure to convert their security operations into an intelligence-driven security team. To learn more, contact us today and schedule a demo.
