We all know that the cloud changes on what seems to be a daily basis. So do attackers. What was secure yesterday is no longer secure today. We need to take a good, hard look at attackers and how they have also changed. But that also means we need to look at our own people, and at ourselves, and how we are addressing these issues.
Cloud Security - Attacker tactics are changing
Attackers know that organizations are shifting to the cloud. With that come new attack techniques developed to account for this model. In any cloud model (IaaS/PaaS/SaaS), there is a shared responsibility between provider and customer. Under each cloud model, the provider is responsible for some assets and the customer is responsible for all the other assets. In all models, the customer is fully responsible for their data. However, some predict that by 2025, 99% of cloud security issues will be the customer's fault. Cloud providers, like Microsoft, have massive teams maintaining their infrastructure and ironclad service level agreements. Without going into the legal details of these SLAs, we can probably safely assume they are drafting language that limits their liability in the event of a breach.
Again, attackers know this. So, they are targeting the assets the customer is responsible for. The three most common causes of breaches today are phishing, vulnerabilities, and misconfigurations. These are all entry points to both on-premises and cloud environments. Once an attacker gets in, the first thing they will try to do is create more entry points or a backdoor. Rapid response is the only way to prevent this. More time in your environment means the potential for more backdoors or data exfiltration. And remember, attackers don’t need full administrator rights. Read access can get almost all data (by default).
Here are several techniques and tactics that are becoming more prevalent:
- Living off the cloud: We are all aware of ‘Living off the land’ attacks that utilize legitimate tools and services that are abused by malicious actors. Living off the cloud attacks are similar in nature but use common registered IaaS/PaaS/SaaS services to target organizations. An example would be someone sending what appears to be a legitimate OneDrive for Business download link that actually redirects you to malware.
- MFA Bypass: Not enough organizations have MFA enabled, but the number keeps rising each year. Attackers are now developing methods to get around MFA. Examples include digital SIM swap, targeting the registration (and re-registration) processes, and stolen tokens.
- Stolen tokens: Speaking of stolen tokens, Microsoft reported 150K stolen tokens in the last 6 months alone. There are a variety of tokens in the cloud that provide us access to our assets, identity information, or other functions. These tokens are valid for various amounts of time. Azure AD access tokens can be valid for ~60 minutes, while a refresh token can be valid for up to 90 days. If these tokens get stolen, an attacker can use them to authenticate and authorize themselves as if they were you. Some tokens, such as a Primary Refresh Token (PRT), even contain your MFA claim.
- OAuth Phishing: Even phishing attacks are evolving. A new technique is to use Open Authorization (OAuth). OAuth is a means to get API access to your assets and/or data. An example is below, but think about every time you install a mobile app on your phone that asks for permission to use your camera. Do you ever read through all those permission consent forms? The average user will accept just so they can use the app. This is what attackers wish to exploit.
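The OAuth consent phishing described above leaves a trace on the defender's side: every grant is recorded as a "Consent to application" audit event. The following added example (not code from the original post or from Enabling Technologies) reviews a few constructed audit records and flags user consents that give an unapproved app high-value Microsoft Graph scopes; the record layout is a simplified stand-in for the Azure AD audit log schema, and the approved-app list is an assumption.

```python
"""Flag risky user consent grants in constructed Azure AD audit log records."""

# Microsoft Graph delegated scopes that grant broad access to mailbox, files
# or contacts. offline_access yields a refresh token, so the grant outlives
# the user's session (refresh tokens can be valid for up to 90 days).
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.ReadWrite.All",
                    "Contacts.Read", "offline_access"}

# Apps the organization has already reviewed (assumed allow-list).
APPROVED_APPS = {"Contoso Expense Portal"}


def parse_scopes(permissions: str) -> set:
    """Granted scopes are recorded as a space-separated string."""
    return set(permissions.split())


def flag_risky_consents(records: list) -> list:
    """Return (user, app, risky_scopes) for each suspicious user consent."""
    findings = []
    for rec in records:
        if rec.get("activity") != "Consent to application":
            continue  # not a consent event at all
        if rec.get("is_admin_consent"):
            continue  # admin consents get reviewed through a separate process
        app = rec["app_display_name"]
        if app in APPROVED_APPS:
            continue  # known, reviewed application
        risky = parse_scopes(rec["permissions"]) & HIGH_RISK_SCOPES
        if risky:
            findings.append((rec["user"], app, sorted(risky)))
    return findings


# Constructed sample records (simplified schema, not real tenant data).
SAMPLE_RECORDS = [
    {"activity": "Consent to application", "user": "alice@example.com",
     "app_display_name": "Contoso Expense Portal", "is_admin_consent": False,
     "permissions": "User.Read offline_access"},
    {"activity": "Consent to application", "user": "bob@example.com",
     "app_display_name": "Document Viewer Pro", "is_admin_consent": False,
     "permissions": "User.Read Mail.Read offline_access"},
    {"activity": "Update user", "user": "carol@example.com",
     "app_display_name": "", "is_admin_consent": False, "permissions": ""},
]

if __name__ == "__main__":
    for user, app, scopes in flag_risky_consents(SAMPLE_RECORDS):
        print(f"REVIEW: {user} granted '{app}' {' '.join(scopes)}")
```

Only Bob's grant is reported: an unreviewed app received Mail.Read plus a refresh token, which is exactly the pattern a consent phishing campaign relies on.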
Finally, people. People, not data, are still to be considered an organization's #1 asset. That also means they are the #1 vulnerability and risk factor. We need to factor in the people in the organization when developing a cybersecurity solution. That means we need to understand the culture of the organization. Plugging a best-of-breed solution into an environment without considering the culture is doomed to fail. Security tools need to be usable by all user profiles, even by the most non-technical groups. Lumping all users together is a bad idea. Without adoption, your security journey will not be successful.
We also need to stop a few other assumptions. For many, security is a fear tactic. People may feel embarrassed, or even that their job is at risk, if they fail a phishing simulation. We should not judge users who fail a security measure, but positively reinforce their actions. Encourage feedback. It’s not us versus them. We are all in this together. There is no security without trust.
Cybersecurity is a big, scary world, and there are so many memes expressing burnout in the field. We simply need more people to jump into the field. These memes are not helping. Neither are organizations looking only for seasoned, experienced candidates to fill the gaping holes in the millions of cybersecurity positions available. We should look for passionate people with a strong but generalized IT foundation, a good work ethic, and a desire to learn. Enabling has used that model a few times already with our own employees and we have had great success so far.
Here are a few final general tips for anyone who made it this far:
- Slow and steady wins the race. Pilot any new security solution.
- Assume breach. No one is ever truly secure, but there is a threshold where you are secure enough with a level of accepted business risks.
- Secure what you have first. Mitigate existing threats with secure configurations and by patching vulnerabilities. Maintain a hardened security posture. Analyze telemetry to detect advanced persistent threats in real time.
- Defense in Depth. It’s great but may not be practical or necessary. When considering multiple layers, also consider user impact and productivity.
- Don’t forget about old techniques. We may be past Solarigate, but that doesn't mean we should forget about it. With every new vulnerability and breach, we are instructed on new ways to secure our environments. Don’t let that make you forget about breaches of the past. Trojans and worms are still a thing.
- Protect your on-premises environment too. Protect your cloud, sure. Don’t forget about your on-premises environment. Take advantage of modern cloud solutions, such as Microsoft Defender for Identity, to help safeguard what remains on-premises.
The next time you see a post from me, I will express how Microsoft and Enabling Technologies are taking these lessons learned and turning them into actions and best practices.
Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft Best Practices and utilizing a secure and productive environment. You can check out more in the Security section of our website.