New Ransomcloud Threats Demand Action From the Top


By Gavin Knapp

Global expenditure on cloud services rose 34 per cent year-on-year in the final quarter of 2021, hitting $53.5bn as the great migration to cloud storage and compute continues to gather pace. Analysts at Gartner expect end-user spending on public cloud services to be more than $480bn this year, including £172bn on Software-as-a-Service (SaaS) applications.

Organisations of all sizes are now seeking the cost and agility advantages of cloud deployments, entrusting their data and applications to highly sophisticated global cloud providers with an eco-system of security providers. Bodies such as the UK’s three secret intelligence services have the confidence to host classified material with AWS, which has invested large sums in protecting its infrastructure. 

Most companies, however, are unlikely to have the in-house security expertise of national security organisations and digital eavesdroppers. Their business and IT leaders may instead put their faith in every claim about end-to-end security, when in reality cloud adoption comes with its own cyber risks. This is especially true when, out of concern for competitiveness or as a result of events such as the pandemic, a company accelerates cloud migration to become more agile and innovative while reducing costs.

The trap of misconfiguring the cloud 

It is very easy, amid such pressures, for a company to misconfigure how it deploys its data, workloads and digital assets in the cloud, opening itself up to significant risk. In simple terms, misconfiguration leaves environments with inadequate protection. Each deployment requires the right kind of storage, user access, permissions and privileges. Everybody wants protection, but nobody wants to be so security-obsessed as to render applications unworkable through the cloud equivalent of solitary confinement in a dungeon. The danger, however, is leaving data inadequately protected.
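The storage side of that trap is easiest to see in a concrete policy. The following is an added example, not code from the article or from Bridewell: it reads an S3-style bucket policy (the policy, bucket name, account id and VPC endpoint id are all constructed placeholders) and reports every Allow statement that is open to anonymous principals, distinguishing an unconditional grant from one narrowed by a Condition block.

```python
import json

# Constructed sample: a bucket policy of the kind a cloud engineer might write
# under deadline pressure. Bucket name, account id and VPC endpoint id are
# placeholders, not real resources.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppReads",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-role"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "TempPublicForDemo",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Sid": "VpcOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
    ],
})


def _is_anonymous(principal):
    """True when a statement's Principal matches anyone (the IAM wildcard forms)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def find_public_grants(policy_json):
    """Return findings for Allow statements reachable by anonymous principals.

    Each finding records the statement id, the actions and resources granted,
    and whether a Condition block narrows the grant: a conditional grant still
    deserves review, but an unconditional one is the classic exposure.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "resources": _as_list(stmt.get("Resource", [])),
            "severity": "review" if "Condition" in stmt else "critical",
        })
    return findings


if __name__ == "__main__":
    for f in find_public_grants(SAMPLE_POLICY):
        print(f"[{f['severity'].upper()}] {f['sid']}: {', '.join(f['actions'])}")
```

Run against the sample it flags `TempPublicForDemo` as critical and `VpcOnly` for review. A real audit would also consult account-level public-access blocking, which can override a permissive bucket policy; this check only reads the policy document itself.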

The fact is that cloud misconfigurations are among the most significant enablers for cyber-attacks. These vulnerabilities are becoming more worrisome, given the way cyber-criminals are upping the ante with complex attacks that involve multiple methods of entry originating from skilled human actors. In particular we see the emergence of human-operated ransomware and the phenomenon known as ransomcloud.  

Leaders must address the emergence of ransomcloud 

Ransomcloud describes attacks that target or take advantage of weaknesses or legitimate functionality in cloud resources to deploy malware, encrypt data, and extort money from businesses. As businesses move into the cloud, cyber-criminals follow and devise multiple ways of accessing cloud-hosted data.  

As well as exploiting vulnerabilities in cloud services or web applications to deploy web shells and malware, malicious actors will steal valid credentials to obtain privileged access to cloud consoles. They may also conduct consent-phishing and other identity attacks, in which users grant a malicious app permissions over shared file storage or services, which the app then encrypts.

The rise of Ransomware-as-a-Service (RaaS) has helped facilitate this highly unwelcome development. It means malicious actors no longer necessarily need interaction from unwitting end-users to trigger ransomware. Instead of prompting an interaction, technically proficient individuals obtain access, move through networks, and locate and remove data before executing the ransomware.

Most organisations are vulnerable to RaaS-fuelled cloud attacks 

These attacks are not indiscriminate, but any business using the cloud is at risk. Businesses that lack maturity in architecting secure cloud services are particularly vulnerable, as are companies with no security controls to prevent users granting permissions to applications. Criminals have also successfully targeted more mature organisations that should know better, catching them cold when outsourcing cloud projects to third parties without providing adequate project assurance or security wrap. 

Malware authors and criminal groups operate very much like any modern business and are transforming their own tactics and techniques, gaining for themselves the ability to exploit hybrid IT infrastructure by switching between a target’s on-premises and cloud environments. The automation of cloud attacks is also growing, while the time between vulnerability releases and weaponisation of malware, including ransomware, is getting shorter.  

As with all ransomware attacks, ransomcloud can cause significant disruption to business operations. A ransomware incident last year at Cloudstar, a Florida-based cloud-hosting service, affected hundreds of companies, including many in the real estate business that were unable to complete transactions. It took months to sort out. It is also worth remembering that the 2021 IBM Ponemon Cost of a Data Breach Report put the average cost of a ransomware attack at $4.62m.  

The approach leaders must take 

Education is the key to reducing the potential of cloud ransomware. Organisational leaders must ensure IT, security, and employees are fully aware of how criminals perform cloud-focused attacks, what can be done to protect against them, and how to report an incident when necessary. 

Businesses need to install strong endpoint, email and cloud application detection-and-response capabilities to avoid developers and cloud engineers becoming the prey of social engineering attacks. Organisations must ensure they have robust identity and cloud workload protection and detection controls, which should include multi-factor authentication and zero-trust conditional access to sensitive areas or accounts. IT departments should deprive end-users of the ability to approve unsanctioned applications. Security teams should review permissions and privileges and adapt or change them as employees change roles or leave the organisation.
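The consent-phishing risk described earlier and the control above (stopping users from approving unsanctioned applications, then reviewing what has already been granted) meet in an audit of existing OAuth consent grants. This is an added example, not the author's or Bridewell's code. It assumes a constructed export in which each record carries the app name, a `consentType` and space-separated `scope` field in the shape of Microsoft Graph's oauth2PermissionGrants objects, plus a `publisherVerified` flag joined in from the app registration; the records, user ids and app names are invented. The permission names are real Microsoft Graph delegated scopes.

```python
# Constructed export of OAuth2 permission grants. consentType and scope follow
# the shape of Microsoft Graph oauth2PermissionGrants ("Principal" = a single
# user consented, "AllPrincipals" = an admin consented for the tenant);
# publisherVerified is assumed to have been joined in from the app registration.
SAMPLE_GRANTS = [
    {"appDisplayName": "Contoso Expense Tool", "consentType": "AllPrincipals",
     "principalId": None, "scope": "User.Read Files.Read",
     "publisherVerified": True},
    {"appDisplayName": "Mailbox Backup Helper", "consentType": "Principal",
     "principalId": "user-0001",
     "scope": "offline_access Mail.ReadWrite Files.ReadWrite.All",
     "publisherVerified": False},
    {"appDisplayName": "Team Calendar Sync", "consentType": "Principal",
     "principalId": "user-0002", "scope": "User.Read Calendars.Read",
     "publisherVerified": True},
    {"appDisplayName": "Doc Converter", "consentType": "Principal",
     "principalId": "user-0003", "scope": "offline_access Sites.ReadWrite.All",
     "publisherVerified": True},
]

# Delegated scopes that let an app rewrite a user's files, sites, mail or
# directory at will: the access a consent-phishing payload needs in order to
# encrypt or exfiltrate cloud-hosted data.
HIGH_RISK_SCOPES = {
    "Files.ReadWrite", "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "Mail.ReadWrite", "Mail.Send", "Directory.ReadWrite.All",
}


def score_grant(grant):
    """Return (score, reasons) for one grant; higher means more urgent review."""
    scopes = set(grant["scope"].split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    score, reasons = 0, []
    if risky:
        score += 3
        reasons.append("write access: " + ", ".join(risky))
    if "offline_access" in scopes and risky:
        # A refresh token keeps the app's access alive long after the
        # phishing moment, so write access plus persistence is worse.
        score += 2
        reasons.append("persistent (offline_access)")
    if grant["consentType"] == "Principal":
        score += 1
        reasons.append("user-consented, not admin-reviewed")
    if not grant["publisherVerified"]:
        score += 1
        reasons.append("unverified publisher")
    return score, reasons


def audit_grants(grants, threshold=4):
    """Return grants at or above the threshold, most urgent first."""
    findings = []
    for g in grants:
        score, reasons = score_grant(g)
        if score >= threshold:
            findings.append({"app": g["appDisplayName"], "score": score,
                             "principalId": g["principalId"], "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f"{f['score']:>2}  {f['app']} ({f['principalId']}): {'; '.join(f['reasons'])}")
```

On the sample, the two user-consented apps with write scopes and refresh tokens surface at the top while the admin-approved expense tool and the read-only calendar app fall below the threshold. The scoring weights are a judgement call for this example; the point is that a tenant-wide export of grants, not a per-user view, is what lets a security team see consent-phishing after the fact and then turn off user consent going forward.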

Businesses also require an overhaul of protocols and solutions. Alerts from cloud workload protection and detection solutions must be sent to central SIEM (security information and event management) and SOAR (security orchestration, automation and response) platforms, where they can be monitored 24/7 and benefit from automated response where sensible. Threat intelligence services are also useful in providing early warning of an attack.

In the face of these threats, organisations should reassess cloud services on a rolling basis, ideally through a blend of vulnerability assessment, purple team pen testing, and breach and attack simulation (BAS).

Mitigating the worst – if it happens  

Should the worst happen, however, and a ransomware attack lock up, encrypt or steal data, businesses should have a watertight incident response plan in place and accompanying manual that covers ransomware in the cloud. Companies should test the effectiveness of these plans regularly, with support from the segmentation of backups and protections to prevent backups being automatically overwritten by corrupt or encrypted data. 
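The backup protections in that paragraph (segmentation, and stopping backups being overwritten by encrypted data) can be checked mechanically. The following is an added example, not the author's or Bridewell's code: it audits a constructed inventory of backup targets whose settings mirror the knobs an S3-style object store exposes (versioning, Object Lock mode and retention, lifecycle expiry of old versions, owning account). The target names, account ids and retention policy are assumptions for the example.

```python
# Minimum number of days an encrypted or deleted object must remain
# recoverable. The figure is an assumption for this example.
REQUIRED_RETENTION_DAYS = 30

# Placeholder id of the production account whose workloads are being backed up.
PRODUCTION_ACCOUNT = "111122223333"

# Constructed inventory of backup targets. Field values mirror S3-style
# settings (versioning, Object Lock, lifecycle) but are invented.
SAMPLE_TARGETS = [
    {"name": "backups-prod-daily", "account": "111122223333", "versioning": True,
     "object_lock": {"mode": "GOVERNANCE", "days": 7}, "noncurrent_expiry_days": 3},
    {"name": "backups-vault", "account": "444455556666", "versioning": True,
     "object_lock": {"mode": "COMPLIANCE", "days": 35}, "noncurrent_expiry_days": None},
    {"name": "backups-legacy", "account": "111122223333", "versioning": False,
     "object_lock": None, "noncurrent_expiry_days": None},
]


def check_backup_target(target):
    """Return a list of reasons this target could lose its copy to ransomware."""
    problems = []
    if not target["versioning"]:
        problems.append("versioning off: an encrypted upload replaces the only copy")
    lock = target["object_lock"]
    if lock is None:
        problems.append("no object lock: a compromised identity can delete or "
                        "overwrite versions")
    else:
        if lock["mode"] != "COMPLIANCE":
            # Governance-mode retention can be bypassed by suitably
            # privileged identities; compliance mode cannot be shortened.
            problems.append(f"object lock mode {lock['mode']}: privileged "
                            "identities can still bypass retention")
        if lock["days"] < REQUIRED_RETENTION_DAYS:
            problems.append(f"retention {lock['days']} days is below the "
                            f"{REQUIRED_RETENTION_DAYS}-day minimum")
    expiry = target["noncurrent_expiry_days"]
    if expiry is not None and expiry < REQUIRED_RETENTION_DAYS:
        # A lifecycle rule that purges old versions quickly undoes versioning:
        # the clean version is gone before anyone notices the encrypted one.
        problems.append(f"lifecycle expires old versions after {expiry} days, "
                        f"shorter than the {REQUIRED_RETENTION_DAYS}-day retention")
    if target["account"] == PRODUCTION_ACCOUNT:
        problems.append("backups live in the production account: one compromised "
                        "admin reaches both")
    return problems


def audit_backups(targets):
    """Map each target name to its list of problems (empty means it passes)."""
    return {t["name"]: check_backup_target(t) for t in targets}


if __name__ == "__main__":
    for name, problems in audit_backups(SAMPLE_TARGETS).items():
        status = "OK" if not problems else f"{len(problems)} issue(s)"
        print(f"{name}: {status}")
        for p in problems:
            print(f"  - {p}")
```

Only the vault in a separate account with compliance-mode retention longer than the minimum passes; the daily bucket fails on every count despite having versioning turned on, which is the situation a team discovers only during a restore test unless a check like this runs routinely.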

Although the growth of cloud and hybrid environments, and their use by thousands of companies and organisations, has given rise to new threats, fuelled by RaaS and human-operated ransomware, there is no cause for despair. Assuming breach, constantly revising and improving security posture, enlisting expertise and technology from third-party specialists, and running a continuing programme of internal education will protect most organisations from the evolving threats of ransomware in the cloud.

About the Author 

Gavin Knapp

Gavin Knapp, Cyber Defence Technical Lead, Bridewell Consulting. Gavin is Cyber Defence Technical Lead with a 10-year track record in IT and security. He joined Bridewell in 2016 as a consultant and has been responsible for delivering security awareness programmes, ISO27001:2013, security and compliance audits, digital security, risk and technical advisory services to clients in government, energy and financial services. 

He has since moved through senior and principal consultant roles and now oversees the Security Operations and Cyber Defence services including Engineering, MDR, Hybrid SOC, DFIR, CTI and Threat Hunting Teams. 

Gavin is a computer science graduate from UWA. He holds numerous industry qualifications covering Security Operations and Incident Response including SANS GIAC GCIH, GCIA, GSEC and is a member of the GIAC advisory board. He also holds certifications across AWS, Azure and Microsoft 365. 

Prior to joining Bridewell Gavin oversaw security at a local authority responsible for data protection. Previously he had worked across cloud, infrastructure, network, telecoms and desktop teams for the Authority, Mountway and T-Mobile. 
