What the bad guys are looking for: Insights into cloud misconfiguration

Cloud-related security breaches are constant and not likely to stop, but it doesn’t mean you have to be a target. In fact, keeping your organisation safe is easier than you might think, writes Ken Mizota, regional CTO, Asia-Pacific and Japan, Rapid7.

Ken Mizota
Fri, 01 Jul 2022

The importance of the cloud to future business growth was underlined at the World Economic Forum, where the first global cyber-security outlook report was published. Surprisingly, it showed business and security executives agree that the top influence on cyber security is digital transformation. As we know, that relies on the cloud, which is why any breaches are a big concern.

As the acceleration of cloud adoption continues, what may not be obvious is that the data being compromised isn’t always the high-value information like credit cards and personally identifiable information. Other highly sought-after data that is far more common includes names, locations and email addresses, which present a goldmine for opportunists and attackers, especially those interested in social engineering attacks to extract even more valuable information.

To better understand cloud security breaches and the latest attack trends, each year we release our Cloud Misconfigurations Report. We review data in publicly disclosed breaches that occurred in the prior year, and look at data from our internet scanners and honeypots (more on this below). Our goal is to unearth patterns and trends in cloud-related breaches and persistent exposures, so organisations can protect against threats by addressing their own cloud misconfigurations.

As it turns out, many breaches are caused by “avoidable” circumstances. Despite this, cloud misconfigurations remain a problem. In our most recent Trust in the Cloud Report, 13 per cent of respondents said a cloud service breach occurred in the prior 12 months, with misconfigurations ranking first in the list of reasons for a breach. While 13 per cent may not seem like much, eliminating these cloud misconfigurations will make a difference when considered alongside traditional threats such as malicious insiders and account hijacking.

There is also a broad spectrum of industries targeted, impacting organisations of every size and serving as a timely reminder that anyone is susceptible to breaches caused by cloud misconfigurations. What we also notice is government-related cloud compromises are on the increase year-on-year, whilst the information, healthcare and professional industries typically jockey for that dubious leadership position. Top of the list in this year’s report was the information industry, with healthcare being the second-most affected industry.

Publicly disclosed breaches

Through our analysis of publicly disclosed breaches we can easily find data exposed on the internet through cloud infrastructure, and the unfortunate reality is that it doesn’t actually take much for a breach to occur. It can be the result of something as simple as a misconfigured cloud storage instance, or even a slip-up with credential management. But from an attacker’s perspective, a simple configuration error makes it easy to jump from reconnaissance to exfiltration.

Whilst not all publicly disclosed breaches provide clear details about the specific resources compromised, the top resources in question are typically a mix of AWS and Elasticsearch, followed by Azure, Google and various git-based services. This is consistent year-over-year. But what is revealing is that of the breached resources we studied, many were secured and private by default, which means it takes intentional choice to make such cloud resources less secure and more susceptible to breach. A service like AWS S3 for cloud storage is by default set to private, with access limited to explicitly specified users. For it to become accessible to unauthorised parties suggests someone, somewhere, intentionally made a change to reduce the security posture of the resource. This implies a lapse in security, and whilst lapses can be easily addressed through user training, systems and controls, our findings suggest these steps are often not in place.

Time from breach to disclosure

Once a breach occurs, it’s important to determine how long it takes defenders and teams to first understand whether or not they’ve been breached, and second, whether or not the disclosure has occurred publicly. The good news is that, according to our research, the time between breach and disclosure typically falls under one month, which indicates that these organisations have an effective discovery process and remediation plan in place.

But there is bad news. Our research also found organisations with a long duration from breach to remediation. In some cases, the breaches lasted for years and in that time, we can only speculate what malicious activities may have occurred or what the actors may have accomplished with such a broad window of access.

Getting a clear picture of cloud security

When it comes to drawing generalisations about the cloud, it’s preferable to work with more systematic and comprehensive data. To do this we have data collection systems across the internet to shed light on the manner of misconfigurations and exploitation in cloud infrastructure. One source is Project Sonar, an outbound scanner that looks across the entire internet searching for public exposures across a range of ports and protocols. The other is Project Heisenberg, a globally distributed honeypot network to track inbound connections. By combining these two sets of data, we get a sense of what cloud sources are connecting to our honeypots and the breadth and the types of things that are being targeted across different cloud infrastructures.

What have we learned?

Cloud breaches can hit any organisation, no matter their size or their level of prestige. Those in high-risk industries should be especially aware of their postures and their activities in the public cloud. The data compromised isn’t what has been historically regarded as high value; for example, simple data such as names, locations and email addresses can become a really powerful weapon in the hands of a skilled social engineer. Therefore, it’s critical to keep this information safe, even if it’s not considered your crown jewels.

Far too many breaches happen as a result of users manually relaxing security settings on cloud resources, which means staying safe can sometimes be as easy as just leaving the default security settings intact. We also saw that there are still a lot of unencrypted instances in the cloud; encryption is another default setting that should be left in place.
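One way to check for the manually relaxed S3 settings described above, as an added example that is not from Rapid7 or the report. The snapshot dictionary shape, the names `audit_bucket` and `wildcard_principal`, and both sample buckets are assumptions constructed for illustration; the field names mirror the keys AWS uses for Block Public Access, ACL grants and bucket policies.

```python
import json

# ACL grantee URIs S3 uses for "anyone" and "any authenticated AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def wildcard_principal(principal):
    """True when a policy statement's Principal matches any caller."""
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return principal == "*"

def audit_bucket(snap):
    """List the ways a bucket snapshot is more open than a private bucket."""
    findings = []
    bpa = snap.get("PublicAccessBlock") or {}
    off = [k for k in BPA_KEYS if not bpa.get(k, False)]
    if off:
        findings.append("block public access off: " + ", ".join(off))
    for grant in snap.get("AclGrants", []):
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
            findings.append("ACL grants %s to a public group" % grant["Permission"])
    policy = json.loads(snap["Policy"]) if snap.get("Policy") else {}
    stmts = policy.get("Statement", [])
    for st in ([stmts] if isinstance(stmts, dict) else stmts):
        # An unconditioned Allow to "*" applies to every caller on the internet.
        if (st.get("Effect") == "Allow" and "Condition" not in st
                and wildcard_principal(st.get("Principal"))):
            findings.append("policy allows %s to any principal" % st.get("Action"))
    return findings

# Constructed snapshots (hypothetical shape; bucket names are placeholders).
PRIVATE = {"Name": "example-private",
           "PublicAccessBlock": dict.fromkeys(BPA_KEYS, True),
           "AclGrants": [{"Grantee": {"Type": "CanonicalUser"}, "Permission": "FULL_CONTROL"}]}
RELAXED = {"Name": "example-relaxed",
           "PublicAccessBlock": dict.fromkeys(BPA_KEYS, False),
           "AclGrants": [{"Grantee": {"Type": "Group", "URI":
                          "http://acs.amazonaws.com/groups/global/AllUsers"},
                          "Permission": "READ"}],
           "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
               {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::example-relaxed/*"}]})}

if __name__ == "__main__":
    for snap in (PRIVATE, RELAXED):
        print(snap["Name"], audit_bucket(snap) or "no findings")
```

Each finding corresponds to a deliberate change away from a private bucket, so any non-empty result is worth tracing back to who made the change and why.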

As I said at the outset, keeping your organisation safe is simpler than you think. It often comes down to basics – checking your cloud inventory, checking your configuration, verifying the credentials that you have in use, monitoring your logs and then having a response plan that is regularly tested to make sure you know what to do should an incident occur.

Ken Mizota is the regional CTO, Asia Pacific and Japan, Rapid7.
