Cloud adoption has become critical to digital transformation, providing businesses with the agility and scalability they need to better serve customers. However, cloud adoption has also expanded the attack surface these businesses must monitor and protect.

Security teams struggle to keep up because of poor visibility and fragmented approaches to security management and threat detection, and because the attack surface expands with every workload deployed to the cloud. Protecting the cloud therefore requires a different security model from the one protecting your on-premises environment.

Common Cloud Vulnerabilities

To defend cloud environments, security teams must protect against common cloud vulnerabilities, including these:

Misconfigurations

Misconfigurations are often caused by a lack of general knowledge or review and can include everything from users having unnecessary access to resources, to containers left exposed to the public.

Insecure APIs

APIs are increasingly used in modern software development and in microservices, applications and website backends. They must handle a variety of requests. Unfortunately, some of these requests come from threat actors and target vulnerabilities and misconfigurations.

Lack of multifactor authentication (MFA)

MFA requires a user to present at least two forms of identification for validation to access an account or data. User passwords are vulnerable to theft, making the lack of MFA a potentially critical vulnerability.

Lack of control over end-user actions

Exercising control of who can access cloud resources and monitoring user activity are critical components of protecting the cloud. Without them, organizations risk a situation where malicious activity goes undetected

Weak spots in software supply chain security

Cloud-native applications often use opensource software. As threat actors target this software, organizations must take action to mitigate the risk of vulnerabilities and misconfigurations being introduced.

How Cloud Vulnerability Exploitation Works

Researchers at CrowdStrike have their eyes on the ever-evolving threat landscape today’s organizations are facing. As enterprises embrace new cloud architectures in search of better scalability, efficiency and security, threat actors have taken notice and are targeting cloud infrastructure.

Malicious actors tend to opportunistically exploit known remote code execution (RCE) vulnerabilities in server software, typically scanning for vulnerable servers without focusing on particular industry sectors or geographic regions. After gaining initial access, actors may deploy a variety of tools. The wider criminal exploitation of cloud services for initial access includes the exploitation of file transfer application vulnerabilities.

Since January 2021, multiple companies have self-disclosed breaches related to such exploitation. VMware has also been targeted by threat actors, including CVE-2021-21972 — a critical vulnerability impacting VMware’s ESXi, vCenter Server and Cloud Foundation products. Exploiting this vulnerability provides a simple and reliable method that threat actors can use across multiple host-operating systems, attack vectors and intrusion stages. Multiple adversaries, particularly big game hunting (BGH) actors, have likely leveraged this vulnerability.

What You Can Do to Protect Your Cloud Environment

Enable runtime protection and obtain realtime visibility

You can’t protect what you can’t see — even if you plan to decommission the infrastructure. Runtime protection and continuous visibility are central to securing your cloud infrastructure to prevent a breach. It remains critical to protect your containers, servers and workloads with next-generation endpoint protection, including servers, workstations and mobile devices, regardless of whether they reside in an on-premises data center or virtual cluster or are hosted in the cloud.

Make it your mission to eliminate configuration errors

The most common cause of cloud intrusions continues to be human errors and omissions introduced during common administrative activities. It’s essential to set up new infrastructure with default patterns that make secure operations easy to adopt. One way to do this is to use a cloud account factory to easily create new subaccounts and subscriptions. This strategy ensures that new accounts are set up in a predictable manner, eliminating common sources of human error. Also, make sure to set them under full management along with your CSPM. Then use your CSPM on all infrastructure up until the decommissioning of the account or subscription to ensure that operations teams have continuous visibility.

Gain more control over user actions

Organizations need to employ access controls, like the ones found in CrowdStrike cloud infrastructure and entitlement management (CIEM) solutions, to manage and secure cloud resources. These controls should be supported by visibility into cloud workloads and infrastructure. To protect cloud environments, up default roles and network security groups that keep developers and operators from needing to build their own security profiles and accidentally doing it poorly.

Be proactive when it comes to securing APIs

The proliferation of APIs poses a challenge for developers and security teams. However, by “shifting left” and integrating security into the CI/CD process, organizations can reduce risk. In addition, code injection attacks targeting vulnerable APIs can be prevented with a web application firewall configured to filter requests by source IP address and/or HTTP header info.

Leverage a cloud security posture management (CSPM) solution

Ensure your cloud account factory includes enabling detailed logging and a CSPM — like CrowdStrike Falcon Cloud Security™ — with alerting to responsible parties, including cloud operations and security operations center (SOC) teams. Actively seek out unmanaged cloud subscriptions, and when found, don’t assume they are managed by someone else. Instead, ensure that responsible parties are identified and motivated to either decommission any shadow IT cloud environments or bring organizations must be able to enforce security policies consistently across multiple cloud platforms.

Secure multi-cloud resources by establishing least-privilege access

Excessive permissions increase the risk of attack. Users should only have the level of access they need to perform their jobs effectively. With the principle of least privilege guiding decisions about access rights, organizations can reduce the amount of potential damage that could be done if an account is compromised.