Security Guidance from the Front Lines of Cloud Incident Response

In our first-ever Cloud Threat Summit, CrowdStrike’s Senior Vice President of Intelligence and Senior Director of Consulting Services discussed the most common ways adversaries breach the cloud and the steps organizations can take to stay safe.

An insightful and engaging conversation during last week’s Cloud Threat Summit featured Adam Meyers, Senior Vice President of Intelligence, and James Perry, Senior Director of Consulting Services, sharing real-world stories of cloud breaches and how they inform best practices for stopping cloud-focused adversaries. Their experience in helping customers navigate cloud security incidents can help organizations fortify their cloud defenses. 

In his years of incident response engagements, James has had a front-row seat to the tactics, techniques and procedures (TTPs) cloud-conscious adversaries use in their attacks. Today’s threat actors have grown adept at breaching enterprise cloud environments and silently moving through them, escalating privileges and accessing sensitive data they can use to further their nefarious agendas — often without the victim’s knowledge. 

CrowdStrike’s Incident Response Services and Threat Intelligence teams work closely during and after incidents, sharing valuable information about the adversary and their traits, capabilities and tactics. In response to the increase in cloud-conscious cyberattacks, the IR Services team has developed cloud specialists. This group consists of experts who have built cloud environments for large corporations, and been trained in incident response; it also consists of incident response experts who have been trained in cloud technology and vernacular. 

“We bring those two skill sets together when a customer has a cloud breach, and that really helps us translate the problems they’re having to execs in an organization,” said James. 

Like the IR Services team, today’s organizations must prepare themselves for cloud-focused attacks. Here, we’ll dig into the key themes of this conversation about cloud threat activity and best security practices.  

Neglecting MFA Opens the Door to Attackers

Many businesses still use credentials with simple passwords and no multifactor authentication (MFA) or have misconfigured access policies that allow attackers to break in without an MFA prompt. The most common error he sees is organizations allowlisting their corporate subnets for no MFA. This would allow an attacker that gains endpoint access to quickly pivot into the cloud, often gaining the “more destructive” access the cloud can provide, James said. Organizations often don’t realize adversaries will use their initial access to breach a victim’s identity system, which allows them into many other applications — including the cloud.

“They want to make things easy for their users, but it also makes things very easy for the attackers,” he said.

Allowing users to provision their own MFA is an issue as well. When you create cloud-only accounts and don’t provision MFA, a threat actor can brute-force the account and register their own device so they can log in with MFA. In some cases, the attacker gains access to an admin account and adds an allowlist for their own IP address to bypass MFA. In others, they abuse certificate-based authentication and enroll their own certificate, which is hard to detect.

“You can reset passwords all you want, but if they have a certificate-based authentication, they can come right back in,” he added.

Adversaries will take the path of least resistance — and the cloud is becoming that path. Consider eCrime adversary SLIPPY SPIDER, or Lapsus Group, which in Summer 2022 was able to breach a trillion-dollar company with just one compromised credential and get all the way into the source code. Credentials are keys, and adversaries have their eyes on them.

Some threat actors will use their initial access to find tools they can use to their advantage. James and Adam discussed the recent trend of adversaries using the capabilities of Azure to execute commands on systems hosted in Azure. Last summer, eCrime threat actor SCATTERED SPIDER used this method to push publicly available remote access tools to every host in the environment they could access. Their persistence in the cloud allowed them to lurk on systems across the environment. An attack like this is tough to detect. It takes expertise in cloud, adversaries and intelligence to understand an adversary may do something like this. 

Log Management: Critical to Cloud Security

As organizations interconnect different clouds, Adam predicts they’ll run into the problem of adversaries moving from one cloud to another to better conceal their activity, and reemerge in different ways to catch their victims off-guard. “That’s going to be an interesting dynamic, if they start to do that,” he said.

This use of multiple clouds also leads to the challenge of managing logs, James added. You’ll have different logs coming from different clouds, in addition to on-premises logs. If you’re operating in multiple environments giving different signals, you need the right way to correlate that information and respond to it.

“I think that’s going to be one of the big challenges you see in the future,” he said. “Customers had all the right data but they didn’t have it in the right place; they didn’t have the ability to search it all quickly and see there was an issue.” 

Adam advises organizations to diversify the applications and tools they use to protect their workloads running in multiple clouds. “One of the things I always tell organizations is, don’t put all your eggs in one basket,” he said. If all of your eggs are in one basket and an attacker gets into that basket, they could simply turn protections off. Make sure you have a third party for that essential cloud workload protection — for endpoint protection.

If you’re using one vendor for your productivity suite, you shouldn’t also use it for enterprise security — instead, rely on a third party with expertise in that area. “You get some diversity that way and you’re not beholden to one flaw that could ruin the whole thing,” Adam said.   

Secure the Cloud: Three Best Practices

Three pieces of advice James has for organizations eager to strengthen their cloud security are:

• It all starts with hygiene: The cloud is secure — until you go in and start making configuration changes. Many admins don’t have the same in-depth knowledge of the cloud that they have for on-premises infrastructure. Ask yourself: Is your cloud clean? Are any common misconfigurations putting your organization at risk? Are resources exposed to the cloud that shouldn’t be? Basic hygiene is essential to stopping cloud-conscious adversaries.
• Identity must be a priority: Make sure you understand your identities — your on-premises identities tied to Active Directory, your cloud identities, your cloud-only accounts. Understand how those are configured, who has access to what, and whether MFA is enabled. Review conditional access policies: Who can access your cloud? From where? What identity policies are enforced on that access?
• Implement cloud-to-endpoint protection: Organizations need active protection on cloud and endpoint. Today’s adversaries will find that path of least resistance, whether that means logging into a cloud environment or pivoting from endpoint to cloud. Ensure they can be stopped before they cause a big problem. 

You don’t have a cloud problem — you have an adversary problem, and the key for defenders is to make attacks more difficult and expensive for them. The more barriers you have in place, the harder you can make it for adversaries to achieve their goals. When they slip up, you’ll be able to quickly take notice and respond.

Additional Resources

• View this conversation as part of the full Cloud Threat Summit, now available on demand.
• Learn more about how CrowdStrike’s Cloud Security Services can help you respond to a cloud attack, fortify your cloud defenses and prepare you to defend against cloud-conscious adversaries.
• To find out more about how to incorporate threat intelligence into your security strategy, visit the CrowdStrike Falcon® Intelligence page.
• We’re proud to be recognized as a Representative Vendor in the 2023 Gartner® Market Guide for CNAPP, which we believe demonstrates our ability to meet or exceed Gartner’s criteria for CNAPP capabilities.