As we move into 2023, it’s important to stay ahead of the curve when it comes to cloud security. The cloud has become an integral part of modern business, but with its increased adoption comes an increased risk of cyber attacks and data breaches. In this blog, we’ll explore some of the key predictions for cloud security in 2023, including the evolving threat landscape, the role of automation in security and incident response, and the importance of adopting modern technologies to reduce the complexity of the cloud and address the cyber security skills gap.
Evolving Cloud Security Strategies: From Prevention and Detection to Investigation and Response
Much of the security team’s effort to date has been focused on cloud protection and detection, as evidenced by the widespread adoption of Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platforms (CWPP). However, when it comes to investigation and response, there is a huge gap. Once something bad is identified, organizations often don’t have the ability to quickly understand the true scope and root cause of an incident. As cloud protection and detection technologies become commoditized, more organizations will look to expand their post-detection capabilities in the cloud, including forensics and incident response.
While most of today’s organizations already recognize the need for solutions that will close the gap between detection and investigation and response, due to the lack of technology innovation in this area, security teams often have little choice but to resort to traditional/open-source incident response tools. However, these tools weren’t designed for dynamic cloud environments – this is evident with every step of the process from collection to analysis (and the level of difficulty significantly increases in multi-cloud and ephemeral environments).
Without cloud-specific incident response solutions, responding to threats is extremely complex, manual and time consuming. But the cloud can actually be an asset to your security team. By leveraging the speed and automation that the cloud offers, organizations can drastically reduce the time it takes to respond to threats in their environment from days to hours.
Automation: The Key To Addressing the Cyber Security Skills Gap
The cybersecurity skills gap is a well-known problem. And with the rapid transition to cloud, organizations are now tasked with hiring security talent with deep cloud knowledge, on top of being security experts in a rapidly evolving threat landscape. It’s often just not possible for security teams to perform a deep-dive investigation in the cloud with the knowledge, tools and resources they have.
While it’s important to have a basic understanding of the different data sources available in the cloud (e.g. core logging platforms such as AWS CloudWatch, Azure Monitor Logs, GCP Logs, Kubernetes Logs, etc.), it’s unreasonable to expect any one individual to have all the cloud expertise to perform incident response investigations in the cloud. Using traditional incident response approaches, analyzing all of these different data sources can feel close to impossible. However, by ruthlessly automating where we can, common investigative techniques can be replicated – from capturing the right data to identifying an incident’s root cause, scope and impact. This automation alleviates alert fatigue and enables analysts of all levels to perform deep-dive investigations in the cloud. Automation is key to providing the means to help security teams identify which alerts actually matter, prioritize response efforts, and ultimately give SOC teams the ability to take action the moment a threat is identified.
The Evolution of Cryptojacking Threats: From Passive Income to Destructive Attacks
Cryptojacking groups, such as TeamTNT, have traditionally focused on stealthily mining cryptocurrency using compromised cloud resources. However, as the profitability of cryptocurrency mining has decreased and the use of cloud computing has become more widespread, Cado experts predict these groups will likely shift their focus to more destructive activities. These could include distributed denial of service (DDoS) attacks, or the deployment of ransomware. Given the ease with which cloud resources can be compromised, it is important for organizations to prioritize the security of their cloud infrastructure and implement measures to prevent unauthorized access and attacks. Further, as we’ve seen with ransomware, repeat attacks are on the rise; therefore, having the ability to perform a proper and thorough investigation is critical in ensuring an attacker’s access is completely removed and any existing gaps that could leave the organization vulnerable to future compromise are addressed.
A few other emerging threat trends the Cado Labs team is seeing include:
- Evolving tactics to newer cloud services: In April 2022, Denonia, the first publicly known case of malware specifically designed to execute in an AWS Lambda environment, was discovered. Although the first sample was fairly innocuous in that it only runs crypto-mining software, it demonstrates how attackers are using advanced cloud-specific knowledge to exploit complex cloud infrastructure, and is indicative of how we’re only scratching the surface of more nefarious attacks that may leverage a much wider range of cloud services.
- Using stolen credentials more aggressively: Misconfigurations and associated credential theft have long been a leading cause of security breaches, but consequences have thus far generally been limited to spinning up cryptominers. In recent research, though, we have seen attackers use credentials for a variety of much more nefarious purposes, such as stealing data for later attack phases like phishing or data exfiltration. As we have seen from recent reports, such attacks can be highly effective.
As we look towards the future, it’s always important for organizations to consider the evolving trends that shape the threat landscape, and take steps to secure their systems and protect against these types of threats. This involves many different aspects including implementing strong password policies, regularly updating software and systems, investing in security tools that address all stages of the attack lifecycle, and as always, employee cybersecurity training.
The Future of Cloud Computing is a Multi-Cloud Approach
According to Gartner’s 2020 Cloud End-User Buying Behavior Survey, 76% of respondents have adopted multi-cloud infrastructure, and this number has only increased over the last few years. Some of the main reasons for the rapid adoption of multi-cloud include the need to maintain service level agreements, protect against outages, adhere to regulations and guidelines, capitalize on regional coverage and manage costs. While a multi-cloud approach can provide many benefits, it also introduces challenges from a security perspective. One major issue is the risk of data silos, as data may be spread across multiple platforms and locations. This can make it difficult to capture and analyze incident data, leading to potential gaps in security and risk management. To address these challenges, organizations require a cohesive approach to managing security across multiple platforms. This may involve investing in security tools that provide cross-cloud support so that security teams can seamlessly investigate incident data – regardless of where it resides.
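The two points above, replicating a common investigative technique through automation (the skills-gap section) and pulling incident data out of per-cloud silos into one view (this section), come down to the same piece of plumbing: normalize records from each platform into a common event shape, order them into a single timeline, and then pivot on a principal and the source IPs it used to establish scope. The script below is an added example, not code from the original post or from Cado Security. Field names follow the public shapes of AWS CloudTrail, Azure Activity Log and Kubernetes audit events, but every record, identity and IP address (RFC 5737 documentation ranges) is constructed for the demo, and using the short account name as the cross-cloud join key is a simplifying assumption; a real investigation needs an identity map between platforms.

```python
"""Normalize events from several cloud log sources into one timeline and scope an
incident by pivoting on a principal and the source IPs it used.

Added example, not code from the original post or from Cado Security. Field
names follow the public shapes of AWS CloudTrail, Azure Activity Log and
Kubernetes audit events; every record below is constructed for this demo and
the IPs come from RFC 5737 documentation ranges.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: datetime      # UTC timestamp
    source: str       # platform that produced the record: aws, azure, k8s
    principal: str    # short identity name, used as the cross-cloud join key (assumption)
    action: str       # normalized action name
    target: str       # resource acted on, "-" when the record names none
    src_ip: str       # client IP as logged by the platform


# Constructed sample records, one list per source -----------------------------
CLOUDTRAIL = [
    {"eventTime": "2023-01-10T09:00:05Z", "eventName": "GetCallerIdentity",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "sourceIPAddress": "203.0.113.7", "requestParameters": None},
    {"eventTime": "2023-01-10T09:01:12Z", "eventName": "CreateFunction",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"functionName": "img-resize"}},
    {"eventTime": "2023-01-10T09:30:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "198.51.100.20", "requestParameters": None},
]
AZURE_ACTIVITY = [
    {"eventTimestamp": "2023-01-10T09:05:40Z",
     "operationName": "Microsoft.Compute/virtualMachines/write",
     "caller": "svc-automation@example.com", "callerIpAddress": "203.0.113.7",
     "resourceId": "/subscriptions/SUB-ID/resourceGroups/rg1/providers/"
                   "Microsoft.Compute/virtualMachines/vm-01"},
]
K8S_AUDIT = [
    {"requestReceivedTimestamp": "2023-01-10T09:07:03Z", "verb": "create",
     "user": {"username": "ci-deploy"}, "sourceIPs": ["203.0.113.7"],
     "objectRef": {"resource": "pods", "namespace": "default", "name": "worker-7f9"}},
]


def _ts(s: str) -> datetime:
    """All three platforms emit ISO-8601 UTC; parse to an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def from_cloudtrail(rec: dict) -> Event:
    who = rec["userIdentity"]["arn"].rsplit("/", 1)[-1]   # user/<name> -> name
    params = rec.get("requestParameters") or {}
    return Event(_ts(rec["eventTime"]), "aws", who, rec["eventName"],
                 params.get("functionName", "-"), rec["sourceIPAddress"])


def from_azure(rec: dict) -> Event:
    who = rec["caller"].split("@")[0]                     # UPN -> short name
    return Event(_ts(rec["eventTimestamp"]), "azure", who, rec["operationName"],
                 rec["resourceId"].rsplit("/", 1)[-1], rec["callerIpAddress"])


def from_k8s(rec: dict) -> Event:
    obj = rec["objectRef"]
    return Event(_ts(rec["requestReceivedTimestamp"]), "k8s", rec["user"]["username"],
                 f"{rec['verb']} {obj['resource']}",
                 f"{obj['namespace']}/{obj['name']}", rec["sourceIPs"][0])


def build_timeline() -> List[Event]:
    """One ordered view across clouds: the step that per-platform tooling lacks."""
    events = ([from_cloudtrail(r) for r in CLOUDTRAIL]
              + [from_azure(r) for r in AZURE_ACTIVITY]
              + [from_k8s(r) for r in K8S_AUDIT])
    return sorted(events, key=lambda e: e.ts)


def scope_incident(timeline: List[Event], principal: str) -> Dict[str, object]:
    """Scope the way an analyst pivots by hand: every action by the principal,
    the IPs it used, then anything else seen from those IPs (for example a
    second credential used from the same host)."""
    ips = {e.src_ip for e in timeline if e.principal == principal}
    hits = [e for e in timeline if e.principal == principal or e.src_ip in ips]
    return {
        "first_seen": hits[0].ts if hits else None,
        "principals": sorted({e.principal for e in hits}),
        "sources": sorted({e.source for e in hits}),
        "ips": sorted(ips),
        "resources": [f"{e.source}:{e.target}" for e in hits if e.target != "-"],
    }


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(f"{e.ts.isoformat()}  {e.source:5}  {e.principal:15}  {e.action:40}  {e.target}")
    print(scope_incident(tl, "ci-deploy"))
```

Pivoting on `ci-deploy` pulls in the Azure VM write made by `svc-automation` from the same client IP, so the scope spans all three platforms even though the starting alert came from one of them; that cross-source join is what a per-cloud console cannot show and what the automation has to provide.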
The cloud security landscape is constantly evolving, and it’s important for organizations to stay up-to-date on the latest trends and threats. In the coming year, we expect to see an increasing focus on cloud forensics and incident response as security teams work to gain visibility and respond to threats across multi-cloud, container-based and serverless environments. Adopting tools and strategies that allow for automation and simplification will be key in reducing the complexity of the cloud and addressing the cyber security skills gap. As emerging cloud threats continue to evolve, it is important for security teams to stay informed and have the ability to efficiently investigate and respond to such threats. By staying vigilant and taking proactive steps to secure their systems, organizations can better protect their assets and mitigate the risks they may face in dynamic cloud environments.