Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

What Attackers Aim to Compromise in Cloud Environments

The business world is rapidly changing and the evolution of handheld technology has greatly impacted consumer behavior. Today, both as consumers and employees, people demand immediate, anywhere, anytime access when it comes to purchasing goods and services or working for the organizations that provide them.

To meet these demands, businesses have looked to cloud technology to keep up, migrating their operations and business processes to multiple cloud environments that provide the speed and flexibility required. Unfortunately, this results in an increased attack surface, one that not only makes it difficult for security leaders to locate dispersed data, but also protect it. But with this expanded malicious playground, what are attackers looking to compromise first and what should security leaders be focusing on to protect themselves?

To answer that question we asked Trustwave SpiderLabs Director of EMEA Ed Williams, who provides security professionals with the following knowledge and advice.

How do you think these malicious actors perceive these cloud-based environments when it’s time for them to go about with their malicious deeds?

Ed Williams: What has happened is a bit rush to the cloud for the last two to three years. Everyone now has a cloud-first agenda. But what that rush to the cloud inevitably brings is complexity and people not fully understanding that with this rush to the cloud, errors and issues crop up that result in misconfigurations, which lead to data breaches. Misconfigurations I see as being as big of an issue as phishing was two to three years ago.

Do you think these misconfiguration issues are being talked about enough? Phishing still seems to grab the headlines. Would you say that’s the case? If so, why? 

Ed Williams: Massively. The “why” is probably because phishing is something that we now understand. We’re becoming more mature on that topic and understand what the impact is. It’s only now with a bulk of data breaches around misconfigured cloud instances, particularly around Amazon S3 buckets. The default policy was that the buckets were publicly available, and we’re still seeing these people who have these large amounts of “sensitive data” in buckets and they’re not configured correctly. To be fair to Amazon, they’ve moved forward a lot in a couple of years. They’ve changed the default settings, they’ve made it easier to search for these erroneous permissions. But we’re still seeing people make mistakes because they don’t fully understand the actions, they take in cloud environments. Once that maturity comes, then the security will catch up with it.

How much does the immense complexity that security leaders experience tied to this topic benefit attackers?

Ed Williams: With the advent of the cloud, it’s easier to spin up machines, and if they’re not configured securely from the beginning, it’s going to cause issues. We see that through excessive services on the internet and excessive API endpoints. The way an organization’s security posture looks like today has changed. Before, all of your internal infrastructure was located behind a number of firewalls. That’s changed now. Many organizations now have a hybrid model where you have certain things on-premises, some in the cloud, and it’s difficult for older security mindsets to match up with current, modern environments.

What are attackers looking to exploit first in these environments?

Ed Williams: The first thing I believe they’re looking at, and that penetration testing teams have a huge amount of success with, is software-as-a-service solutions. Things like Office 365. You can make cloud environments absolutely bulletproof, but they can easily not reach that state. Gaining access to usernames and passwords associated with Office 365 and using that as a launchpad into other parts of the organization is common. If you have an Office 365 mailbox, the mail that you then send to other parts of the organization is “trusted.” We see a lot of organizations that say they have multi-factor authentication on their Outlook 365, but what they’re not doing – which we recommend – is remove legacy services. It’s easy for attackers to abuse these legacy services. By enabling them, the benchmark’s already being lowered by organizations.

For organizations operating in multi-cloud environments, where are the major risks located?

Ed Williams: What organizations need to do is simulate what they’re going to store in the cloud and conduct a threat assessment around that. If you’re going down the Office 365 route, they need to simulate what the attack vectors are likely to be – such as phishing and weak passwords – and prioritize security around that. If they’re putting data repositories in the cloud, how are they securing that data? It’s important for organizations to put threat analysis around what they’re putting in the cloud. Operating in multi-cloud environments can be secure, but just like anything, it can also be very insecure because since it’s in the cloud, the impact will likely be greater.

As Williams puts it, it’s possible for cloud environments to be very secure. To reach that ideal state, he highlighted three things security leaders need to hone in on: 

  • Understand the Ramifications of Operating in the Cloud
    Each organization is unique, and chances are they’re utilizing cloud services for very different reasons. Based on your core business functions, understand what it means to store what your organization deems “sensitive information” in the cloud.

  • Conduct a Threat Assessment
    It’s important to conduct a threat assessment around the “stuff” that you’re looking to place in the cloud. If you have a multi/hybrid/on-prem cloud environment, are the connections between all those elements secure? There’s only one way to do that and it’s through testing.

  • Regular Testing
    Proactive security testing can help you understand where your risks and vulnerabilities reside, enabling you to better prevent, detect and respond to security incidents and continuously improve your overall security posture. This is especially the case when working in cloud environments.

Securing the modern-day cloud environment goes back to the old maturity model. Understanding your assets, make sure the basics are covered, and ensure you’re conducting continuous pen testing and red teaming. Once you start doing that, you’ll begin to increase your organization’s security maturity.


For more insights on securing organizations that operate in multi-cloud environments, download our latest e-book.

Marcos Colón is the content marketing manager at Trustwave and a former IT security reporter and editor.

Latest Trustwave Blogs

Defending Healthcare Databases: Strategies to Safeguard Critical Information

The healthcare sector continues to be a primary target for threat actors, with 2023 seeing a record number of data breaches and compromised records. While successful attacks are inevitable, it’s...

Read More

Trustwave SpiderLabs: Ransomware Gangs Dominate 2024 Education Threat Landscape

The security teams manning the defenses at the higher education and primary school system levels often find themselves being tested by threat actors taking advantage of the sector's inherent cyber...

Read More

LockBit Takedown: Law Enforcement Disrupts Operations, but Ransomware Threats Likely to Persist

The news that US, UK, and other international law enforcement agencies disrupted LockBit is welcome, as stopping any threat group activity is always a positive. The unfortunate aspect is this blow...

Read More