The cloud recently became more complicated and more important than ever; but I’ll leave the best bit to the end. One of the main security concerns with using the cloud, although I accept that there are several, are misconfigurations. These lead to data breaches or, in the case of hacktivism, misconfigurations allow for denial-of-service attacks.
Even where an organisation is successful in configuring and securing the perimeter, many use the cloud for its ability to store vast amounts of data. Data segregation, access rights, permissions, data classifications and so on are all too often poorly implemented, or purposefully ignored to provide faster, more convenient access to all of that data. This means that if unauthorised access is achieved, huge troves of data are exfiltrated and placed onto ransomware and data theft hosting sites for download.
Traditionally people point a vulnerability scanner, roughly in the direction of their services. Some will run penetration tests, configuration tests, hide services and the most mature will run External Attack Surface Management (EASM) programmes. Those that use EASM are likely to have dodged many a bullet. Mature EASM programmes will either be run by the internal testing teams, Cyber threat intelligence (CTI) teams or external CTI providers. The intent is to continuously look at the perimeter and beyond, not only looking at what is running, versions, services and ports, security controls and misconfigurations, but also new shadow services, usually accidentally set up by rouge developers, engineers or architects. This is what consistently leads to security incidents and data breaches.
Ideally EASM programmes will be threat informed. i.e. CTI teams are constantly looking at what actors are doing in terms of operations, targeting and TTPs and aligning these to the cloud services they run to ensure controls are appropriate. With cloud implementations, EASM has never been so important. During Covid, when new cloud services were rapidly deployed to allow for remote working and new ways to interact with customers, EASM rapidly became essential.
I regularly conduct Threat Led Penetration Tests (TLPT) that are part of regulatory frameworks, such as CBEST and GBEST in the UK and TIBER in Europe. A key component of the threat intelligence element of these tests is called ‘targeting intelligence’. Essentially it is hostile reconnaissance of an entity that includes many things, but importantly, the reconnaissance of the perimeter and cloud services of an entity to look for weaknesses that could be used to gain a foothold. Although technical exploitation of a perimeter service by the red teamer is rare against mature entities such as banks, discovery of shadow services, IP ranges and domains that the entity was not aware of, is certainly not rare.
There is a direct correlation between those entities that suffer a breach in their cloud infrastructure and those that do not have constantly running EASM programmes.
With good vulnerability management programmes, EASM and regular penetration testing, the vast majority of threats and risks should be mitigated. So why did I say at the beginning of this article that it has recently become more complicated and more important? Why am I cautious and why is this going to get worse before it gets better? You guessed it, artificial intelligence (AI). Please, do not sigh, this is not doom-mongering but a genuine developing threat. It is a threat that is much closer to reality than many of the concerns over AI.
As I write this, I am reviewing a paper on the near time uses of AI by threat actors and there are two relevant developments that we will see in the short to mid-term. Firstly, organisations will be rolling out new AI services, which are likely be cloud-based due to the horsepower and data storage they need. This will lead to an increased attack surface for any entity that they will need to secure, but also, AI solutions are new, and likely to be less tested and more vulnerable. Regular penetration testing will be essential.
Secondly, is the use of AI by threat actors in their own reconnaissance and targeting tools. AI enhanced tools will be created for both good and evil. The latter will allow attackers of even medium capability, to have a live understanding of the attack surface of large parts of the internet and react instantly, without prompt, to misconfigurations and vulnerabilities.
Defenders will no longer have a few days or weeks to spot things, they will be exploited far quicker, in an automated way. I am sure a vendor will soon be offering a ‘next generation, live organic deep tech, dark recon tool’, but in the short term, invest resources into your EASM, invest in your vulnerability and patch management programmes and engage with your IT teams so they understand how the cloud part of your environment is going to be more critical than ever.
