Cloud Incident Response Blog | Cado Security

Our Take: Four Cloud Security Predictions for 2022

Written by jbowen@cadosecurity.com | Jan 6, 2022 2:33:11 PM

2021 was far from ordinary. Cybersecurity remained front and center after numerous high-profile breaches and vulnerabilities made headlines, including the ransomware attacks on Colonial Pipeline and JBS Foods and, most recently, the Log4Shell exploits. Cybercriminals became more sophisticated and attack techniques evolved, while enterprises struggled to manage the new reality of hybrid work and a worsening talent shortage.

While no one has a crystal ball, there are a few things we can expect to unfold based on what we know today. 

Shift in Shared Responsibility: Cloud Security Needs To Go Beyond The Vendor

Organizations have historically relied on the cloud provider's native tooling to protect their cloud environment. However, it is becoming clear that a layered approach is required: the built-in tools from the major cloud providers are no longer sufficient on their own to keep the cloud secure as the attack surface grows.

In the past months, we've seen a number of high-profile attacks exploiting vulnerabilities in cloud environments. An example is OMIGOD, a set of vulnerabilities in the Open Management Infrastructure (OMI) agent that Azure installs on Linux VMs when certain extensions are enabled. One of the flaws (CVE-2021-38647) let an unauthenticated attacker execute code as root on any VM that exposed the OMI management port, simply by omitting the authorization header; the others allowed local privilege escalation to root.

Enterprises are coming to the realization that they need to incorporate additional cloud security measures on top of what cloud providers offer, because the providers do not fully manage the security risks that come with leveraging the cloud. The platform providers have certain security responsibilities, but the OMIGOD and Azurescape (a cross-tenant container escape in Azure Container Instances) incidents both illustrate how slow patching can be once you look behind the "curtain of the cloud": the vulnerable component is installed and maintained by the platform, so the customer can neither see it nor fix it and has to wait for the provider.

It's critical that organizations adopt a layered approach to cloud security, starting with an inventory of everything their third-party vendors' credentials and roles can reach, and trimming those permissions to what the integration actually needs. In addition, organizations must take responsibility for alerting when vendor credentials are used for anything outside normal operations, such as unfamiliar API calls, unexpected source addresses, or write actions from a role that should only read, so that malicious use of a vendor's access is caught early.
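One way to implement that alerting over CloudTrail, as an added example rather than code from the original post or from Cado: the vendor role name, the vendor's published egress range, the allow-list of API calls and the CloudTrail records themselves are all constructed for illustration. A real baseline comes from the vendor's integration documentation plus a few weeks of observed activity.

```python
"""Alert when a third-party vendor's IAM role is used outside its agreed envelope.

Constructed example: the role name, the vendor's published egress range and the
allow-list of API calls are assumptions; a real baseline comes from the vendor's
integration docs plus a few weeks of observed CloudTrail activity.
"""
import ipaddress
import json

# Assumed baseline for a hypothetical read-only monitoring vendor.
VENDOR_ROLE = "VendorMonitorRole"
VENDOR_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed published range (TEST-NET-3)
EXPECTED_ACTIONS = {
    "ec2:DescribeInstances",
    "ec2:DescribeSecurityGroups",
    "s3:GetBucketPolicy",
    "sts:GetCallerIdentity",
}

# Constructed CloudTrail records in the on-disk {"Records": [...]} layout.
SAMPLE_LOG = """{"Records": [
 {"eventID": "evt-1", "eventTime": "2022-01-06T09:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "readOnly": true, "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/VendorMonitorRole/vendor-session"}},
 {"eventID": "evt-2", "eventTime": "2022-01-06T09:00:05Z", "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject", "readOnly": true, "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/VendorMonitorRole/vendor-session"}},
 {"eventID": "evt-3", "eventTime": "2022-01-06T23:41:12Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey", "readOnly": false, "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/VendorMonitorRole/zz9"}},
 {"eventID": "evt-4", "eventTime": "2022-01-06T10:15:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser", "readOnly": false, "sourceIPAddress": "192.0.2.8",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/AdminRole/alice"}}
]}"""
SAMPLE_RECORDS = json.loads(SAMPLE_LOG)["Records"]


def role_name(event):
    """Role name from an assumed-role session ARN, or None for other identity types."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    # arn:aws:sts::<account>:assumed-role/<RoleName>/<SessionName>
    parts = ident.get("arn", "").split(":")[-1].split("/")
    return parts[1] if len(parts) >= 2 and parts[0] == "assumed-role" else None


def action_of(event):
    """CloudTrail splits an API call into eventSource (ec2.amazonaws.com) and eventName."""
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"


def check_vendor_event(event):
    """Return the reasons this event breaks the vendor baseline; empty list if it is fine."""
    if role_name(event) != VENDOR_ROLE:
        return []                       # not the vendor's role; out of scope here
    reasons = []
    action = action_of(event)
    if action not in EXPECTED_ACTIONS:
        reasons.append(f"unexpected action {action}")
    if event.get("readOnly") is False:
        reasons.append("write call from a role that should only read")
    src = event.get("sourceIPAddress", "")
    try:
        if not any(ipaddress.ip_address(src) in net for net in VENDOR_CIDRS):
            reasons.append(f"source {src} outside vendor range")
    except ValueError:
        # CloudTrail puts a DNS name here when another AWS service made the call on the role's behalf.
        reasons.append(f"non-IP source {src!r}")
    return reasons


def scan(records):
    """(eventID, reasons) for every vendor-role event that deviates from the baseline."""
    return [(e["eventID"], r) for e in records if (r := check_vendor_event(e))]


if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_RECORDS):
        print(event_id, "; ".join(reasons))
```

Run against the constructed records, evt-1 passes, evt-2 is flagged for an S3 object read the vendor never needed, evt-3 is flagged three times (unexpected IAM call, write action, foreign source address), and evt-4 is ignored because it is not the vendor's role. In production the same checks belong in whatever consumes CloudTrail in near real time (an EventBridge rule, a SIEM query or a Lambda on the trail's S3 bucket), with the allow-list held alongside the role's IAM policy so the two are reviewed together.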

The Effects of SolarWinds Won't Be Going Away Anytime Soon

The SolarWinds attack (the SUNBURST backdoor, delivered through trojanized Orion updates) highlighted the severe impact software supply chain attacks can have. Since its disclosure in December 2020, we've seen continued damage as a result of this attack, as organizations struggle to discover the extent to which they were breached.

In the next year, we will continue to see the aftereffects of the SolarWinds attack, as many of these threat actors are still lying low across the networks of numerous victims, waiting to make their next move. Enterprises need to investigate incidents thoroughly and immediately in order to identify attackers who are "living off the land": operating with legitimate credentials and built-in tools rather than malware a scanner would flag, and waiting for the right moment to strike again.

The Need for Cloud Security Experts Will Only Grow

With data moving to the cloud at rapid rates, security teams are now under extreme pressure to become cloud experts. To complicate matters further, organizations are increasingly leveraging more than one cloud platform, meaning security analysts need to understand the complexities and intricacies of each. Unfortunately, we're seeing that time and tool limitations, coupled with the complexity of the cloud, often make it impossible for security teams to investigate the true root cause, scope, and impact of a security incident.

As attacker techniques continue to evolve and target cloud environments, security experts should become familiar with the different data sources available in the cloud. Augmenting traditional host-based analysis techniques with cloud context is key. For example, AWS has numerous log sources which can help you detect and investigate threats, including CloudTrail (control-plane API activity), CloudWatch Logs, GuardDuty findings, Elastic Load Balancing access logs, VPC Flow Logs and S3 server access logs. Each covers a different layer: CloudTrail shows which identity called which API, VPC Flow Logs show which addresses actually talked to which instance, and S3 server access logs record object-level reads that CloudTrail only captures if data events are enabled. Simply put, the more data sources you can analyze in aggregate, the better your investigation will be.
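What "analyze in aggregate" looks like in practice, as an added example (not code from the original post or from Cado): three sources in their real on-disk layouts are normalised into one timeline and pivoted on a suspect IP address. All of the records, the account number, the ENI, the bucket and the addresses are constructed for illustration.

```python
"""Build one timeline from CloudTrail, VPC Flow Logs and S3 server access logs.

Constructed example: every record below is made up for illustration in each
source's real on-disk layout; the account, ENI, bucket and IPs are placeholders.
"""
import json
import re
from datetime import datetime, timezone

# Constructed CloudTrail management events (only the fields this example reads).
CLOUDTRAIL = json.loads("""{"Records": [
 {"eventTime": "2022-01-06T12:02:40Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
  "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"}},
 {"eventTime": "2022-01-06T12:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "userName": "ops"}}
]}""")["Records"]

# Constructed VPC Flow Log lines in the default v2 field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
VPC_FLOW = """2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 51234 22 6 10 840 1641470400 1641470460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 198.51.100.7 22 51234 6 8 6200 1641470400 1641470460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.5 40000 443 6 3 180 1641470500 1641470520 REJECT OK"""

# Constructed S3 server access log line (space separated, bracketed time, quoted request/referer/agent).
S3_ACCESS = """79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be customer-exports [06/Jan/2022:12:03:15 +0000] 198.51.100.7 arn:aws:iam::123456789012:user/ci-deploy 3E57427F3EXAMPLE REST.GET.OBJECT backups/customer-db.sql "GET /customer-exports/backups/customer-db.sql HTTP/1.1" 200 - 52428800 52428800 310 12 "-" "aws-cli/2.4.7" - hostidEXAMPLE SigV4 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader customer-exports.s3.eu-west-1.amazonaws.com TLSv1.2"""

# Leading fields of an S3 access log line; the trailing fields are not needed for the pivot.
S3_LINE = re.compile(
    r'(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "(?P<uri>[^"]*)" (?P<status>\S+)')


def parse_cloudtrail(records):
    """Normalise CloudTrail records to {time, source, ip, detail}."""
    for r in records:
        who = r["userIdentity"].get("userName", r["userIdentity"]["type"])
        yield {"time": datetime.fromisoformat(r["eventTime"].replace("Z", "+00:00")),
               "source": "cloudtrail", "ip": r["sourceIPAddress"],
               "detail": f"{r['eventSource'].split('.')[0]}:{r['eventName']} as {who}"}


def parse_vpc_flow(text):
    """Normalise v2 flow records; each flow is indexed under both endpoints so a pivot on either IP finds it."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":
            continue                                 # custom formats need their own field map
        start = datetime.fromtimestamp(int(f[10]), tz=timezone.utc)
        detail = f"{f[3]}:{f[5]} -> {f[4]}:{f[6]} proto {f[7]} {f[12]} {f[9]}B"
        for ip in (f[3], f[4]):
            yield {"time": start, "source": "vpc_flow", "ip": ip, "detail": detail}


def parse_s3_access(text):
    """Normalise S3 server access log lines (object-level activity CloudTrail may not record)."""
    for line in text.splitlines():
        m = S3_LINE.match(line)
        if not m:
            continue
        yield {"time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
               "source": "s3_access", "ip": m["ip"],
               "detail": f"{m['operation']} s3://{m['bucket']}/{m['key']} -> {m['status']} by {m['requester']}"}


def build_timeline(cloudtrail_records, flow_text, s3_text):
    """Merge all sources and sort by UTC timestamp (stable sort keeps same-second order)."""
    events = [*parse_cloudtrail(cloudtrail_records), *parse_vpc_flow(flow_text), *parse_s3_access(s3_text)]
    return sorted(events, key=lambda e: e["time"])


def pivot(timeline, ip):
    """Every event from any source that involves the given IP, in time order."""
    return [e for e in timeline if e["ip"] == ip]


if __name__ == "__main__":
    for e in pivot(build_timeline(CLOUDTRAIL, VPC_FLOW, S3_ACCESS), "198.51.100.7"):
        print(e["time"].isoformat(), e["source"].ljust(10), e["detail"])
```

Pivoting on 198.51.100.7 tells a story no single source does: an accepted SSH flow to 10.0.1.5 at 12:00, the same address enumerating buckets with the ci-deploy user's credentials at 12:02, and a 50 MB database dump read from the bucket at 12:03. The flow log alone is a login, CloudTrail alone is a harmless ListBuckets, and the S3 access log alone is an authorised download; together they are a credential theft and exfiltration chain. Note that flow timestamps are aggregation-window starts, not exact packet times, so keep a tolerance of the capture interval when ordering them against API events.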

Ransomware Won’t Strike Just Once

Targeted ransomware attacks generally take place over a longer period of time. Sophisticated attackers take their time, learning the ins and outs of the victim's environment to ensure their efforts are as lucrative as possible. Because the intrusion is that deep, a recovery that restores data without finding and removing the original foothold (stolen credentials, persistence, a compromised third-party integration) leaves the attacker with the same access they had before, which is why repeat ransomware attacks on the same victim are on the rise.

Ransomware operators often disappear and resurface with new branding, so it’s extremely important to understand how these attackers operate across all stages of the attack lifecycle to ensure future related detections are investigated thoroughly before they escalate.

As hackers become more sophisticated, the window to detect ransomware in the beginning stages will get smaller and smaller. Enterprises need to ensure they have the means to detect and investigate early signs of ransomware before it executes.

For more on what's to come in the new year, from the top cloud threats to the biggest cloud incident response challenges and trends, watch What to do in 2022: Cloud DFIR Predictions.

What trends do you expect to occur?