Three stages of cloud-native breaches
- Land by gaining a foothold into the IaaS/PaaS environment.
  - Leverage compromised/weak credentials to gain access as a legitimate user.
  - Exploit a vulnerability, such as server-side request forgery (SSRF), in deployed software.
  - Capitalize on misconfigurations of ingress/egress security groups.
- Expand by finding ways to move beyond the landing node.
  - Leverage privileges associated with a compromised node to access remote nodes.
  - Probe for and exploit weakly protected applications or databases.
  - Capitalize on weak network controls.
- Exfiltrate data while staying under the radar.
  - Copy data from the storage account to anonymous nodes on the internet.
  - Create a storage gateway to gain access to the data from a remote location.
  - Copy data from the storage accounts to a remote location outside the virtual private cloud (VPC).
To understand how companies are vulnerable at each stage, let’s look at a few statistics:
- Land: 99% of the misconfigurations in enterprise IaaS environments go unnoticed. Companies think they have 37 misconfigurations every month, yet actually experience closer to 3,500.
- Expand: 58% of companies experience privileged user threats every month, averaging seven per month in IaaS.
- Exfiltrate: Companies actively assessing their data exfiltration attempts in IaaS currently see an average of 5,314 events each month.
Three recommendations to help prevent cloud-native breaches in cloud environments
We’ve entered a new reality for enterprise infrastructure, and we should expect it to change more rapidly than ever before. The capacity to upgrade, innovate, and deploy new technology is no longer a constraint. Instead, companies have access to the global CSP teams at AWS, Microsoft, Google, and other companies that are rapidly upgrading, innovating, and making it easier and faster to deploy infrastructure than ever before.
Build IaaS configuration auditing into your CI/CD process
Do it early—preferably at code check-in—to minimize the misconfigurations that make it into production. Look for security tools that integrate with Jenkins, Kubernetes, and others to automate the audit and correction process.
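One concrete shape such a check-in-time audit can take, as an added example that is not from the original article or any vendor tool: a Python gate that reads security-group definitions in the JSON layout produced by `aws ec2 describe-security-groups` (the input shape, the port policy and the sample groups are all assumptions constructed for this illustration) and fails the pipeline stage when a sensitive port is exposed to the whole internet, the "Land" misconfiguration the stages above describe.

```python
"""CI gate: flag security groups that expose sensitive ports to the internet.
Input shape mirrors `aws ec2 describe-security-groups` JSON (an assumption)."""
import json
import sys
# Constructed policy: ports that must never be reachable from the whole internet.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql",
                   5432: "postgres", 6379: "redis", 27017: "mongodb"}
WORLD = {"0.0.0.0/0", "::/0"}

def _cidrs(rule):
    """All IPv4 and IPv6 CIDRs referenced by one IpPermissions entry."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])

def _covers(rule, port):
    """True if the rule's FromPort..ToPort range includes `port`."""
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)

def audit_security_group(sg):
    """Return human-readable findings for one security group."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        if not WORLD & set(_cidrs(rule)):
            continue  # rule is scoped to specific CIDRs; not a finding here
        if rule.get("IpProtocol") == "-1":
            findings.append(f"{sg['GroupId']}: all protocols/ports open to the internet")
            continue
        for port, name in SENSITIVE_PORTS.items():
            if _covers(rule, port):
                findings.append(f"{sg['GroupId']}: {name} ({port}/{rule['IpProtocol']}) open to the internet")
    return findings

def audit_all(data):
    """Audit every group in a describe-security-groups document."""
    return [f for sg in data.get("SecurityGroups", []) for f in audit_security_group(sg)]

# Constructed sample: a web tier (443 to the world is intended) and a DB tier
# where SSH was opened to the world during debugging and never closed.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}]}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    problems = audit_all(data)
    print("\n".join(problems) or "no world-open sensitive ports")
    sys.exit(1 if problems else 0)  # non-zero exit fails the pipeline stage
```

Run it with the exported JSON as its only argument in the pipeline step that follows a Terraform or CloudFormation plan; the non-zero exit is what blocks the merge.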
Evaluate your IaaS security practice using a framework like “Land-Expand-Exfiltrate”
This helps you check controls against the entire attack chain, increasing your likelihood of stopping a breach.
Invest in cloud-native security tools and training for security teams
Cloud tools and training help security teams understand cloud infrastructure at the same level as their DevOps counterparts. Security tools such as cloud access security brokers (CASBs), cloud security posture management (CSPM), and cloud workload protection platforms (CWPPs) are built to work within DevOps and CI/CD processes, but they are not replicas of on-premises data center security. They require new knowledge that goes hand in hand with cloud transformation.