Research uncovers greater awareness of cloud account compromises and efforts to implement best practices, but companies need to do more in the face of emerging dangers such as Instance Metadata APIs
Menlo Park, CA (May 15th, 2018) – RedLock, an industry leader in Cloud Threat Defense, today released its newest “Cloud Security Trends” report based on research from the RedLock Cloud Security Intelligence (CSI) team, an elite group of security analysts, data scientists and data engineers dedicated to uncovering serious threat vectors. Marking the one-year anniversary of the Cloud Security Trends report, among other worrisome findings, the report reveals the phenomenon known as cryptojacking has unquestionably gone mainstream, discovers a new source of potential access credentials compromise, and finds that despite heavy media and industry attention, organizations are struggling to meet compliance requirements in public cloud environments. On the flip side, there’s evidence that companies are becoming more aware of cloud account compromises and implementing best practices to prevent attacks, but there’s still no shortage of new attack vectors hitting the market.
The report offers a comprehensive analysis of threats confronting the cloud computing environment. These include:
The mainstreaming of cryptojacking: The RedLock CSI team previously uncovered hacker infiltrations of public cloud environments owned by Tesla, Aviva and Gemalto. It’s now apparent the practice of stealing cloud compute resources specifically to mine cryptocurrency has accelerated and there are signs that attackers are using advanced evasion techniques for this purpose.
However, even with expectations of greater activity in this area, the numbers are a surprise: The CSI team found that 25% of organizations suffered from cryptojacking incidents, a sharp spike representing a 3X increase from the 8% reported in the last quarter. On a related note, 85% of resources were found to have no firewall restrictions on any outbound traffic (up from 80% one year ago). For the record, industry best practices mandate that outbound network traffic should be restricted to prevent accidental data loss or data exfiltration in the event of a breach.
Among other measures, the RedLock CSI team strongly recommends that organizations implement a ‘deny all’ default outbound firewall policy, and monitor network activity for any suspicious traffic such as communication with cryptomining pools.
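As an added example (this is not RedLock's code and is not part of the report), the audit below turns the two points in this section into a check a cloud team can run over its security groups: it flags groups whose outbound rules allow every protocol and port to any destination, computes the share of such groups (the figure the report puts at 85%), and shows the 'deny all by default' remediation as keeping only the rules bound to specific destinations. The rule dictionaries follow the shape of AWS EC2 security-group egress entries (IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges); the five sample groups are constructed for the example.

```python
"""Audit security-group egress rules for unrestricted outbound traffic.

Added example, not RedLock's code. Rule dictionaries mimic the shape of
AWS EC2 security-group egress entries; SAMPLE_GROUPS is constructed data.
"""
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")

# Constructed sample: one group per situation the audit distinguishes.
SAMPLE_GROUPS = [
    {"GroupId": "sg-open-all", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-https-anywhere", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-open-v6", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-allowlist", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-deny-all", "IpPermissionsEgress": []},  # empty egress = deny all
]


def _destinations(rule):
    """Collect the IPv4 and IPv6 destination networks named by one rule."""
    nets = [ipaddress.ip_network(r["CidrIp"], strict=False) for r in rule.get("IpRanges", [])]
    nets += [ipaddress.ip_network(r["CidrIpv6"], strict=False) for r in rule.get("Ipv6Ranges", [])]
    return nets


def _all_ports(rule):
    """True when the rule covers every port: protocol -1 or the full 0-65535 range."""
    if rule.get("IpProtocol") == "-1":
        return True
    return rule.get("FromPort") == 0 and rule.get("ToPort") == 65535


def classify_rule(rule):
    """Return 'wide_open', 'any_destination' or 'restricted' for a single egress rule."""
    to_anywhere = any(net in (ANY_V4, ANY_V6) for net in _destinations(rule))
    if not to_anywhere:
        return "restricted"
    return "wide_open" if _all_ports(rule) else "any_destination"


def egress_findings(groups):
    """Map each group id to the classifications of its non-restricted rules."""
    return {
        g["GroupId"]: [c for c in map(classify_rule, g.get("IpPermissionsEgress", []))
                       if c != "restricted"]
        for g in groups
    }


def unrestricted_groups(groups):
    """Group ids with at least one rule allowing all traffic to any destination."""
    return sorted(gid for gid, f in egress_findings(groups).items() if "wide_open" in f)


def unrestricted_share(groups):
    """Fraction of groups with no outbound restriction, the report's headline metric."""
    return len(unrestricted_groups(groups)) / len(groups) if groups else 0.0


def apply_deny_all_default(group):
    """Remediation: keep only rules bound to specific destinations, so that
    anything not explicitly allowed is denied (an empty list denies all)."""
    kept = [r for r in group.get("IpPermissionsEgress", []) if classify_rule(r) == "restricted"]
    return {"GroupId": group["GroupId"], "IpPermissionsEgress": kept}


if __name__ == "__main__":
    for gid, findings in egress_findings(SAMPLE_GROUPS).items():
        print(f"{gid}: {findings or 'ok'}")
    print(f"share unrestricted: {unrestricted_share(SAMPLE_GROUPS):.0%}")
```

The 'any_destination' class is reported separately because a rule such as TCP/443 to 0.0.0.0/0 is a common exception teams grant deliberately; whether it belongs on the allow list is a policy decision, while a protocol -1 rule to any destination is the condition the report counts.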
Account compromises fueling new attack vectors—meet the Instance Metadata API: Again, there are indications that organizations are doing more than before to avert cloud account compromises, but dangers new and old certainly remain. Adding to such past issues as leaked credentials in GitHub repositories, unprotected Kubernetes administrative interfaces and web servers—all highlighted in previous RedLock CSI reports—a major new threat vector can be found in public cloud Instance Metadata APIs. Instance Metadata, a feature available to public cloud customers, is data about a cloud Virtual Machine (VM) that can be used to configure or manage the running VM; in effect, any process running on the VM can query this API and obtain access credentials to the public cloud environment. The team identified several ways that hackers might exploit this API, although it is unclear whether any of these methods have been used in the wild. However, just as with the Spectre/Meltdown vulnerabilities of the recent past, the potential impact has a very large blast radius.
The core concern here is that despite the good news, 43% of all organizations have not rotated their access keys in more than 90 days. This is an unacceptable level of exposure. Fortunately, only 20% of organizations allow the root user account to be used to perform activities, a steep drop from the 73% reported last year.
The RedLock CSI team recommends that enterprises eliminate the use of root accounts for day-to-day operations, enforce multi-factor authentication on all privileged user accounts, implement a policy to automatically force periodic rotation of access keys, and monitor for any anomalous behaviors.
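As an added example (again not RedLock's code), the script below checks the three measurable recommendations in this section against an IAM credential report: active access keys not rotated within 90 days, any recent use of the root account, and privileged users who can sign in without multi-factor authentication. The sample report is constructed and uses a subset of the columns of the AWS IAM credential report (user, password_enabled, password_last_used, mfa_active, access_key_N_active, access_key_N_last_rotated); the set of privileged users is an assumed input, since the report itself does not say which users are privileged.

```python
"""Audit an IAM credential report for the key-rotation, root-usage and MFA
recommendations in the report.

Added example, not RedLock's code. SAMPLE_REPORT is constructed data laid out
like a subset of the AWS IAM credential report; PRIVILEGED_USERS is an assumed
input (for instance, members of an administrators group).
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample. Timestamps are ISO 8601 with offset, as the real report uses.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,2018-05-10T08:12:00+00:00,false,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2018-05-14T09:00:00+00:00,true,true,2018-01-02T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,false,no_information,false,true,2018-04-20T00:00:00+00:00,true,2017-11-01T00:00:00+00:00
carol,arn:aws:iam::111122223333:user/carol,true,2018-05-13T10:30:00+00:00,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,no_information,false,true,2018-05-01T00:00:00+00:00,false,N/A
"""
REPORT_DATE = datetime(2018, 5, 15, 12, 0, tzinfo=timezone.utc)  # constructed 'now'
PRIVILEGED_USERS = {"alice", "bob", "carol"}                       # assumed input
ROOT_USER = "<root_account>"


def parse_report(text):
    """Parse the CSV credential report into one dict per principal."""
    return list(csv.DictReader(io.StringIO(text)))


def _parse_time(value):
    """Return a datetime, or None for the report's placeholder values."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def stale_keys(rows, now, max_age_days=90):
    """Active access keys last rotated more than max_age_days ago."""
    findings = []
    for row in rows:
        for slot in ("access_key_1", "access_key_2"):
            if row.get(f"{slot}_active") != "true":
                continue
            rotated = _parse_time(row.get(f"{slot}_last_rotated", "N/A"))
            if rotated is None:
                continue
            age = (now - rotated).days
            if age > max_age_days:
                findings.append((row["user"], slot, age))
    return findings


def root_findings(rows, now, window_days=30):
    """Root account used for day-to-day work: recent sign-in or active keys."""
    issues = []
    for row in rows:
        if row["user"] != ROOT_USER:
            continue
        last = _parse_time(row.get("password_last_used", "N/A"))
        if last is not None and (now - last).days <= window_days:
            issues.append(f"root password used {(now - last).days} days ago")
        for slot in ("access_key_1", "access_key_2"):
            if row.get(f"{slot}_active") == "true":
                issues.append(f"root {slot} is active")
    return issues


def privileged_without_mfa(rows, privileged):
    """Privileged users with console sign-in enabled but no MFA device."""
    return sorted(row["user"] for row in rows
                  if row["user"] in privileged
                  and row.get("password_enabled") == "true"
                  and row.get("mfa_active") != "true")


def audit(text, now, privileged):
    """Run all three checks and return the findings as one dictionary."""
    rows = parse_report(text)
    return {
        "stale_keys": stale_keys(rows, now),
        "root": root_findings(rows, now),
        "privileged_without_mfa": privileged_without_mfa(rows, privileged),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_REPORT, REPORT_DATE, PRIVILEGED_USERS).items():
        print(f"{check}: {result or 'ok'}")
```

Users such as bob, who have no console password but hold access keys, are not flagged by the MFA check because MFA protects the sign-in path; their exposure is covered by the key-rotation check instead, which is why both checks are needed together.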
Ensuring the omnipresence of compliance: There’s certainly no shortage of industry standards for cybersecurity: NIST CSF, CIS, PCI DSS, SOC2, HIPAA and (soon) GDPR are just some of the acronyms serving up a blizzard of regulations and requirements. The RedLock CSI team finds a decidedly mixed bag of effort and negligence in an operating environment where anything less than full compliance is essentially not compliance at all.
On the positive side, there is a growing trend toward database encryption, a helpful practice to meet the pseudonymization requirement in GDPR and a best practice in its own right. Barely a year ago, 82% of databases in the cloud were not encrypted; now, it’s 49%. However, on average organizations fail 30% of CIS Foundations’ best practices, 50% of PCI requirements, and 23% of NIST CSF requirements.
The RedLock CSI team recommends that companies ensure cloud resources are automatically discovered when they are created, and monitored for compliance across all cloud environments; implement policy guardrails to ensure resource configurations adhere to industry standards; and integrate configuration change alerts into DevOps and SecOps workflows to automatically resolve issues.
“We understand why there might be fatigue with endless reports on IT infrastructures that lack adequate security, and there are signs that corporations are stepping up initiatives to minimize vulnerabilities, but there’s definitely more to do,” said Gaurav Kumar, CTO of RedLock and head of the CSI team. “That’s why this report not only shines a light on emerging dangers but also offers concrete advice on how best to ward off attacks. Cloud computing environments bring tremendous flexibility and great economies of scale, but those advantages are meaningless without top-level security. This is a constant and shared responsibility.”
The report also offers a look back on the previous twelve months, providing insights into the largest cloud security challenges facing enterprises over the last year, key incidents and lessons learned. On average, 27% of organizations experienced potential account compromises. And over the last year, we saw credentials and access keys being stolen or leaked at companies such as Uber, OneLogin, Tesla, Aviva and Gemalto. Over half (51%) of organizations publicly exposed at least one cloud storage service, such as Amazon Web Services S3 Simple Cloud Storage Service. And nearly a quarter, 24%, of enterprises have hosts missing high-severity vulnerability patches in the public cloud, representing a glaring risk and providing an open invitation to cybercrooks. MongoDB, Elasticsearch, Intel and Drupal are some of the companies affected by cloud vulnerabilities over the past year.
A full version of the report is available for download at https://info.redlock.io/cloud-security-trends-may2018.
About RedLock
RedLock enables effective threat defense across Amazon Web Services, Microsoft Azure, and Google Cloud environments. The RedLock Cloud 360™ platform takes a new AI-driven approach that correlates disparate security data sets to provide comprehensive visibility, detect threats, and enable rapid response across fragmented cloud environments. With RedLock, organizations can ensure compliance, govern security, and enable security operations across public cloud computing environments.
Global brands across a variety of verticals trust RedLock to secure their public cloud computing environments. The company is backed by Sierra Ventures, Storm Ventures, Dell Technologies Capital, and other high profile investors. RedLock has received a number of industry accolades including finalist for Most Innovative Startup at RSA 2017, CRN Emerging Vendors in Security 2017, and TiE50 Winner 2017.