The cloud has become the new battleground for adversary activity: CrowdStrike observed a 95% increase in cloud exploitation from 2021 to 2022 and a 288% jump in cases involving threat actors directly targeting the cloud. Defending your cloud environment requires understanding how threat actors operate: how they’re breaking in and moving laterally, which resources they target and how they evade detection.
Cloud misconfigurations — the gaps, errors and vulnerabilities that occur when security settings are poorly chosen or neglected entirely — provide adversaries with an easy path to infiltrate the cloud. Multi-cloud environments are complex, and it can be difficult to tell when excessive account permissions are granted, improper public access is configured or other mistakes are made. It can also be difficult to tell when an adversary takes advantage of them.
Misconfigured settings in the cloud clear the path for adversaries to move quickly.
A breach in the cloud can expose a massive volume of sensitive information including personal data, financial records, intellectual property and trade secrets. The speed at which an adversary can move undetected through cloud environments to find and exfiltrate this data is a primary concern. Malicious actors will speed up the process of searching for and finding data of value in the cloud by using the native tools within the cloud environment, unlike an on-premises environment where they must deploy tools that make it harder for them to avoid detection. Proper cloud security is required to prevent breaches with far-ranging consequences.
Over the past two years, CrowdStrike has assembled a global team of cloud security specialists, including incident responders and cyber forensic investigators, to combat this increase in cloud-focused adversary activity. Our experts continue to see the devastating impact of cloud breaches that could have been detected earlier or prevented if common cloud security settings had been correctly configured.
So what are the most common misconfigurations we see exploited by threat actors? Our cloud specialists have observed the following preventative gaps and detection gaps (*) stemming from misconfigured cloud settings:
- Unrestricted outbound access
- Disabled logging *
- Missing alerts *
- Exposed access keys
- Excessive account permissions
- Ineffective identity architecture
- Inadequate network segmentation
- Improper public access configured
- Public snapshots and images
- Open databases, caches and storage buckets
- Neglected cloud infrastructure
Inadequate Network Segmentation: Modern cloud network concepts such as network security groups make old, cumbersome practices like access control lists (ACLs) a thing of the past. But insufficient security group management practices can create an environment where adversaries can freely move from host to host and service to service, based on an implicit architectural assumption that “inside the network is safe” and “front-end firewalls are all that is needed.” By not taking advantage of security group features to permit only host groups that need to communicate to do so, and to block unnecessary outbound traffic, cloud defenders miss out on the chance to block the majority of breaches involving cloud-based endpoints.

Improper Public Access Configured: Exposing a storage bucket or a critical network service like SSH, SMB or RDP to the internet, or even a web service that was not intended to be public, can rapidly result in a cloud compromise of the server and exfiltration or deletion of sensitive data.
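The segmentation and public-exposure gaps described above, as an added example that is not CrowdStrike's code: a small audit over security-group rules in a simplified AWS-style shape that flags internet-reachable SSH/SMB/RDP, public services outside an assumed intended-public set (80 and 443), and unrestricted outbound access. The group names and rules are constructed sample data.

```python
# Added example (not from the post): audit security-group rules, in a simplified
# AWS-style shape, for the gaps described above. Sample groups are constructed.
from ipaddress import ip_network

ADMIN_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP"}   # critical services named in the post
INTENDED_PUBLIC_PORTS = {80, 443}   # assumption: the only services meant to face the internet
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_public(cidr: str) -> bool:
    """A CIDR is treated as public unless it sits entirely inside an RFC 1918 range."""
    net = ip_network(cidr, strict=False)
    return not any(net.version == p.version and net.subnet_of(p) for p in RFC1918)

def audit_security_group(sg: dict) -> list:
    findings, gid = [], sg["id"]
    for rule in sg["ingress"]:
        public = [c for c in rule["cidrs"] if is_public(c)]
        if not public:
            continue                      # only private sources: segmentation is intact
        lo, hi = rule["from_port"], rule["to_port"]
        if (lo, hi) == (0, 65535):
            findings.append(f"{gid}: every port open to {public}")
            continue
        exposed = set(range(lo, hi + 1)) - INTENDED_PUBLIC_PORTS
        for port in sorted(exposed & set(ADMIN_PORTS)):
            findings.append(f"{gid}: {ADMIN_PORTS[port]} (tcp/{port}) reachable from {public}")
        if exposed - set(ADMIN_PORTS):    # a service that was not meant to be public
            findings.append(f"{gid}: tcp/{lo}-{hi} public but not in the intended-public set")
    for rule in sg["egress"]:
        public = [c for c in rule["cidrs"] if is_public(c)]
        if public and (rule["from_port"], rule["to_port"]) == (0, 65535):
            findings.append(f"{gid}: unrestricted outbound access to {public}")
    return findings

def audit(groups: list) -> list:
    return [f for sg in groups for f in audit_security_group(sg)]

SAMPLE_GROUPS = [  # constructed sample, not real infrastructure
    {"id": "sg-web",
     "ingress": [{"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]},
                 {"from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]}],      # SSH on the internet
     "egress": [{"from_port": 0, "to_port": 65535, "cidrs": ["0.0.0.0/0"]}]},   # no egress filtering
    {"id": "sg-app",
     "ingress": [{"from_port": 8080, "to_port": 8080, "cidrs": ["0.0.0.0/0"]}],  # web app not meant to be public
     "egress": [{"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]},
    {"id": "sg-db",
     "ingress": [{"from_port": 5432, "to_port": 5432, "cidrs": ["10.0.1.0/24"]}],  # app subnet only
     "egress": [{"from_port": 443, "to_port": 443, "cidrs": ["10.0.0.0/8"]}]},
]
```

Calling `audit(SAMPLE_GROUPS)` returns three findings (exposed SSH and unrestricted egress on sg-web, an unintended public port on sg-app) and none for the properly segmented sg-db.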
Public Snapshots and Images: Accidentally making a volume snapshot or machine image (template) public is rare. When it does happen, it allows opportunistic adversaries to collect sensitive data from that public image. In some cases, that data may contain passwords, keys and certificates, or API credentials leading to a larger compromise of a cloud platform.

Open Databases, Caches and Storage Buckets: Developers occasionally make a database or object cache public without sufficient authentication/authorization controls, exposing the entirety of the database or cache to opportunistic adversaries for data theft, destruction or tampering.

Neglected Cloud Infrastructure: You would be amazed at just how many times a cloud platform gets spun up to support a short-term need, only to be left running at the end of the exercise and neglected once the team has moved on. Neglected cloud infrastructure is not maintained by the development or security operations teams, leaving bad actors free to gain access in search of any sensitive data that may have been left behind.

Just about everyone has a cloud presence at this point. Many organizations make decisions based on cost savings and flexibility without considering the security challenges that go along with this new infrastructure. Cloud security isn’t something that security teams will understand without requisite training. Maintaining best practices in cloud security posture management will help you avoid common misconfigurations that lead to a cloud security breach.

CrowdStrike offers solutions to help you protect your cloud platforms and respond to a cloud data breach so you can focus on digitally transforming and growing your business with cloud applications and services. For more information, download our complete eBook on avoiding common misconfigurations in your cloud security settings: Seven Easily Exploited Cloud Misconfigurations and How to Minimize Their Risk.
Additional Resources
- View the infographic on Common Cloud Security Misconfigurations.
- Learn more about CrowdStrike Incident Response for Cloud services.
- Determine your cloud security posture with a CrowdStrike Cloud Security Assessment.
- Identify threat activity in your cloud environment with a CrowdStrike Cloud Compromise Assessment.
- Test your cloud defenses with a Red Team / Blue Team Exercise for Cloud.
- Manage your cloud security posture and protect your cloud workloads with CrowdStrike Falcon Cloud Security.