Illusive Blog April 30, 2020

Preventing Attackers From Turning a Cloud Ecosystem Into a Security Nightmare

By Jason Silberman

One topic we’ve written about a lot on this blog is lateral movement, when attackers leverage existing credentials and connections to move from one machine to another within an environment. When you add cloud to the mix, however, there are so many changes – from new attack vectors to methodologies and prioritizations – that the phrase seems incomplete.

For example, what happens when an attacker controls the local computer of a DevOps team member, and then finds credentials for high-privilege access to AWS? Or if a malicious insider, who has privileges in Microsoft Azure, then attempts to move to a private cloud that he is not supposed to enter, in an attempt to steal sensitive data or to cause service disruptions? Or perhaps the attacker will try to steal a sensitive document from a shared folder in a SaaS application like Dropbox.

The shift to the cloud from solely on-premise environments sitting behind a firewall continues at rapid speed. The typical business relies on a hybrid mix of public and private clouds, coupled with traditional on-premise infrastructure. As more businesses move critical operations to cloud applications – such as choosing Salesforce as their CRM or using Azure for hosting their databases – new attack vectors are created and evolve.

However, as we’ve continued adoption of hybrid cloud and multi-cloud strategies, it is not enough to simply secure assets in the cloud. Organizations also need to secure pathways to and from the cloud, as well as between and within clouds. Externally-hosted services and applications don’t stand in isolation—they are connected to the corporate environment. A risk to one part of the extended ecosystem is a risk to all.

Furthermore, the native security controls offered by the major cloud providers are very limited.
These typically include security groups, web application firewalls, and flow logs. By themselves, however, these security controls are greatly insufficient in defending against nation-state attacks and APTs. There are scores of vulnerabilities, especially those that leave attacker lateral movement in and between clouds almost completely unimpeded.

Multi-Directional Attack Risks

With Illusive, organizations can protect the business across hybrid ecosystems to stop malicious activity long before attackers are able to reach business-critical assets. There are four potential vectors a cloud security strategy needs to address:

  • Movement from the corporate network to cloud networks. An attacker might aim,
    for example, to capture Azure Secrets and credentials used by an internal DevOps team to gain high-privilege access to cloud systems. This effort would likely be preceded by significant lateral movement within the corporate network to reach DevOps machines. Once inside the Azure environment, the attacker could begin efforts to move laterally between systems and services, seeking valuable data and privileged users and roles.
  • Movement from the cloud to on-premise assets. In this case, an attacker would use any number of techniques (let’s say a brute force attack) to compromise a public-facing web app server, and use it as a beachhead to capture credentials to back-end enterprise systems. Once an attacker has access, he may ultimately be targeting an on-premise database, so will look to connect from the cloud back to the on-premise environment. Or perhaps we have a case of a malicious insider with Azure access who then tries to move toward a different target.
  • Movement from cloud to cloud. In this scenario, having established a foothold in one cloud environment, the attacker’s objective could be to pivot to another cloud network or other systems segmented within the same cloud infrastructure.
  • Movement between assets within the cloud. For example, an attempt to compromise an application server (like Tomcat, as one example) in order to try and attack its respective, connected cloud database. Or to gain higher privileges to get access to critical services such as storage or configuration assets.

With those challenges in mind, we at Illusive continue to develop solutions for our customers to give them the security and confidence to expand business activities both on-premise and in the cloud. Our approach remains familiar – discovering, monitoring and eliminating connection and credential violations on the one hand, while advocating for an endpoint-based deception strategy is to spread fake objects on endpoints and servers throughout the network that appear useful to an attacker. Now we have launched a series of new capabilities that address many challenges specific to cloud environments, protecting against attacker movement from anywhere to anywhere.

One of those capabilities is our new standalone decoy offering, which we wrote about here, Decoys in the Cloud – No Hardware Required. Illusive customers can take any host on their network – any physical or virtual machine, both in and out of the cloud – and convert into a full-OS decoy.

Higher Visibility and More Extensive Deceptions

We have several new features as part of our Attack Surface Manager which empower security teams with increased visibility and potential vulnerability context in cloud ecosystems.

  • Attack Surface Management in the Cloud: Visualize and automate the discovery of which cloud data is a “crown jewel” that needs to be protected. Find and eliminate common attacker pathways towards it.
  • Privileged Credential Violation Discovery and Remediation: Gain visibility into insecure usage and users on all common SaaS applications, including G Suite, Box, Salesforce, and many more. Mitigate the violations created by shadow admins, users without multi-factor authentication enabled, external and disabled accounts.
  • Linking violations and privileged access to the cloud and back. Map and connect high-privileged users of Cloud Service Providers connect them to information from on-premise directory services. For example, Illusive can identify an Active Directory user with cached RDP credentials found on a local machine, and inform security teams if they also have privileged Azure credentials. And ASM can also identify strong users in Azure Active Directory with weak, or even disabled, local AD privileges (a suspicious issue to investigate). Illusive also empowers businesses to discover and identify credentials and cached connections to SaaS applications, and the existence of credential information to SaaS applications from an authorized department (HR into Salesforce, for example). In the big picture, Illusive gives security teams with comprehensive visibility and remediation capabilities both inside and outside the cloud.
  • Set rules for monitoring and remediation. Enterprises can use Attack Surface Manager to set rules for determining misconfigurations or insufficient protection layers applied on cloud users and applications, and the remediation of these violations.

Alongside those, we are also excited to unveil new cloud deception capabilities in our Attack Detection System.

  • Plant in-cloud server-to-server deceptions to prevent attacker movement. Organizations are able to plant highly-authentic deceptions based on commonly-used web application and CI/CD servers, such as Tomcat, IIS and Jenkins servers, to prevent attacker compromise and lateral movement between servers.
  • Deceptions Between Servers. In addition, these server deceptions are complemented by a slate of SSH and RDP deceptions that are designed to find and stop attacker movement between those servers.
  • Cloud Endpoint Deceptions. An extensive selection of deceptions that seem like authentic pieces of valuable information to attackers and malicious insiders, tricking them into engagement, and forcing them to reveal their unauthorized presence to defenders in cloud environments. Cloud deceptions include false AWS tokens (helping to identify the breach point regardless of attacker location), deceptive SaaS application data, and much more.

It should be noted that these new deceptions and mechanisms are suitable for any data center, whether in the cloud or on-premise.

Furthermore, as all of these deceptions are invisible to real, authentic users and only seen by an attacker, and notifications are only triggered upon interaction with a deception, the result is a low amount of false positives. This reduces the workload for often-overwhelmed SOC teams, adding efficiency that is especially needed now.

The cloud offers tremendous advantages to enterprises—as long as the risks are properly mitigated. While that’s never easy, and attackers are ever more sophisticated, these capabilities both empower organizations with increased visibility and monitoring in the cloud, as well as force the attacker to unknowingly interact in order to progress their attack in any direction – laterally throughout the data center, vertically to and from the cloud, or between clouds.

For more information, please request a demo to speak with an Illusive security expert.


For more about this topic, view the on-demand webcast, “Defending Hybrid, Cloud-Enabled Ecosystems – Stopping Attacker Movement