How to Monitor for Cryptomining in the Cloud

Introduction
Public cloud environments are attractive targets for cryptojacking. With sufficient access, an adversary can take advantage of expensive, quickly provisioned virtual resources without being detected. CrowdStrike’s Cloud Security Posture Management solution, Falcon Horizon, helps organizations secure cloud environments while proactively monitoring for misconfigurations, overly permissive access settings and suspect behaviors.
Cloud Security Assessments
Leveraging two different types of assessments, the main dashboard displays an overview of recent findings across all registered cloud accounts and providers. The findings on the left are based on configuration policies that examine service-specific settings. Behavioral assessments focus on changes or patterns that could indicate malicious activity; any related findings are shown on the right side of the dashboard.
Cloud Security Policies
Assessments are performed on a regular, configurable schedule using CrowdStrike-developed policies for the different cloud services. Under the policies tab, there is a comprehensive list of supported services for each cloud provider, including Amazon’s EC2. AWS’s Elastic Compute Cloud (EC2) service makes it possible to quickly obtain compute capacity at scale.
The Falcon Horizon policies for EC2 include configuration policies covering settings such as public access and identity management. For each registered account and region, there are options to enable the policy and customize its severity.
While CrowdStrike’s CSPM policies are not limited to compliance standards, those that correlate to benchmarks include links to additional information such as the rationale statement and audit procedure.
Behavioral policies are available to assess how EC2 instances are being leveraged. By monitoring behaviors and patterns, Falcon Horizon can look beyond configurations to alert organizations when suspicious activity is detected.
Monitor for Cryptomining Activity
Specifically, there is a behavioral policy to monitor for cryptocurrency mining attacks. This policy looks for a specific, rapid sequence of API calls that would be used by an attacker launching a scripted mining attack.
The policy details include remediation steps as well as the alert logic and the MITRE ATT&CK mapping. Assessment findings based on this policy merit immediate investigation to confirm the findings and take action to stop a mining attack in progress.
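To make the idea of a "rapid sequence of calls" concrete, the following added example (illustrative code, not Falcon Horizon's policy logic or any CrowdStrike code) runs a sliding-window check over constructed CloudTrail-style records: it flags any principal that issues several RunInstances calls within a short window, and reports the regions touched. The choice of RunInstances as the launch call, the 60-second window and the threshold of three calls are assumptions for the illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Assumed detection shape (illustrative, not Falcon Horizon's policy logic):
# a single principal issuing several instance-launch calls within a short
# window, often across many regions, is the pattern a scripted launch leaves.
LAUNCH_CALLS = {"RunInstances"}

def _rec(t, name, region, user):
    """Build a constructed CloudTrail-style record (sample data, not real)."""
    return json.dumps({"eventTime": t, "eventName": name, "awsRegion": region,
                       "userIdentity": {"arn": f"arn:aws:iam::111111111111:user/{user}"}})

SAMPLE_EVENTS = [  # constructed: ci-bot bursts launches, alice launches normally
    _rec("2021-05-03T10:00:01Z", "DescribeInstances", "us-east-1", "ci-bot"),
    _rec("2021-05-03T10:00:03Z", "RunInstances", "us-east-1", "ci-bot"),
    _rec("2021-05-03T10:00:08Z", "RunInstances", "us-west-2", "ci-bot"),
    _rec("2021-05-03T10:00:12Z", "RunInstances", "eu-west-1", "ci-bot"),
    _rec("2021-05-03T10:00:19Z", "RunInstances", "ap-south-1", "ci-bot"),
    _rec("2021-05-03T10:05:00Z", "RunInstances", "us-east-1", "alice"),
    _rec("2021-05-03T11:30:00Z", "RunInstances", "us-east-1", "alice"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_rapid_launches(records, window_s=60, min_calls=3):
    """Return {principal_arn: finding} for principals whose launch calls burst."""
    by_principal = defaultdict(list)
    for raw in records:
        ev = json.loads(raw)
        if ev.get("eventName") not in LAUNCH_CALLS:
            continue  # read-only calls such as DescribeInstances are ignored
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        by_principal[arn].append((_ts(ev["eventTime"]), ev.get("awsRegion")))
    findings = {}
    for arn, calls in by_principal.items():
        calls.sort()
        start, best = 0, (0, -1)  # best = (calls in window, index of last call)
        for end, (t, _) in enumerate(calls):
            while (t - calls[start][0]).total_seconds() > window_s:
                start += 1  # slide the window forward until it spans <= window_s
            if end - start + 1 > best[0]:
                best = (end - start + 1, end)
        count, end = best
        if count >= min_calls:
            window = calls[end - count + 1:end + 1]
            findings[arn] = {"calls": count, "regions": sorted({r for _, r in window}),
                             "start": window[0][0].isoformat()}
    return findings
```

In a real deployment the records would come from a CloudTrail delivery rather than the embedded sample, and the window and threshold would be tuned against the account's normal automation so that legitimate autoscaling does not trigger findings.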
Conclusion
With the growth of cloud deployments, it is imperative that companies continuously monitor their environments and consistently maintain their required security standards. Falcon Horizon provides granular policy assessment and visibility to help organizations quickly identify potential exposures, resolve findings and minimize overall risk.