Surprising Lesson About Cloud Attacks
There’s an important lesson for everyone to know.
Cloud computing started being a thing over 2 decades ago, but it really didn’t take off until about 15 years ago, when Google, Amazon, and Microsoft started putting tens of billions of dollars into building huge warehouse-based cloud infrastructures. Ever since then, computer security experts have been warning about the many potential cloud threats. Clouds have every threat a traditional, “on-premise” environment has, plus everything possible in the virtual machine world (since most clouds are VM-heavy), plus every possible cloud-specific threat. Today we can add all the container-based and micro-services threats. It’s a big attack space. Let me summarize the possible cloud attack space:
· Every traditional, on-premise issue, plus:
· Virtual machine issues
· Containers and micro-services
· Cloud-specific threats
And the media, including me, spent a lot of time worrying about all those cloud-based threats, most of which centered around shared resource (i.e., multi-tenant) problems. There were (and still are) many examples of old, shared VMs, storage space, IP addresses, networks, and the like being insufficiently cleared and/or isolated against attacks by other tenants. There are many organizations dedicated to helping everyone better secure the cloud, including the awesome Cloud Security Alliance (https://cloudsecurityalliance.org/ ), of which I am an active, contributing member.
Cloud-Based Threats
So, what has a decade and a half of a growing, nearly ubiquitous, cloud infrastructure taught us about cloud threats?
Well, most of the successful attacks are the exact same things that worked on non-cloud infrastructures. While we were all worked up about shared tenant resources and virtual machine guest-to-guest and guest-to-host attacks, almost everything cloud attackers actually do came from the non-cloud world. And those techniques work just as well, if not better, in the cloud-based world.
What do I mean?
Well, social engineering has been involved in 70% to 90% of successful attacks since the beginning of computers. The cloud hasn’t changed that. The most common way a cloud resource is going to get compromised is an attacker tricking a legitimate user or admin into allowing them access. Social engineering has always been the number one most successful trick an attacker can use to achieve their objective, and cloud-based resources haven’t changed that fact one iota.
The second most common way a cloud will be compromised is unpatched software, the same as in the traditional world. For various reasons, patching cloud-based resources has proven even more difficult than patching on-premise resources unless you let the cloud-vendor handle all patch duties.
The third most common method of successful attack is compromised passwords. The fourth most common successful attack method is misconfiguration of some sort. How many times do we need to read that some supposedly sophisticated organization had insecure storage permissions which allowed the leak of data? Does it even make the news anymore? There are lots of other types of threats, including API attacks, insider threats, etc., but the bulk of successful attacks remain fairly consistent as compared to the non-cloud attacks.
Note: The Cloud Security Alliance publishes a top threats report (https://cloudsecurityalliance.org/artifacts/top-threats-to-cloud-computing-egregious-eleven/ ) which is great reading. Their ranking of threats differs from mine simply because mine is based on actual attack data and the CSA report is based on the surveying of members and they categorize attack types differently. For example, the surveyed members rank data breaches as the number one threat, but data breaches are an outcome of attacks and not an attack method. They don’t include how those data breaches happened (i.e., what attack type was used), but I can tell you it was due to social engineering, unpatched software, password issues, and misconfigurations.
But what you won’t read in any cloud attack report, including the Cloud Security Alliance’s report, is that cloud-specific threats (threats that could only happen in cloud environments) are your biggest threats and risks. I don’t read about a whole lot of successful shared data and network resource attacks. They happen, but they aren’t a top risk. I don’t read about a whole lot of virtual machine guest-to-guest or guest-to-host attacks. VMware, the top virtual machine vendor, is constantly releasing patches to close critical holes, but those same holes aren’t in the top threats for most people. This is not to say that virtual machine issues aren’t a problem. They are. They are abused by attackers. Unpatched virtual machine exploits are routinely abused by attackers and are included in CISA’s Known Exploited Vulnerabilities Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog ) when they are. But so far, the virtual machine attacks are due to unpatched instances of software and not some new exploit driven by some new multi-tenancy angle. What are the biggest problems with containers? Social engineering, unpatched software, and misconfiguration. No surprise.
The long-standing truth is that most successful cloud attacks are due to the same things that successfully attacked traditional infrastructure. It isn’t the new attacks that could only have occurred on the new type of platform. And this applies to other paradigm-shifting IT platforms, like mobile devices, social media, virtual machines, containers, micro-services, and likely whatever we invent in the future.
What comprises most successful attacks in the metaverse and cryptocurrencies? Social engineering, software (i.e., smart contract) bugs, and misconfiguration. How will AI, virtual reality, quantum computers, and wearable computers most likely be successfully attacked in the future? Probably by the same attack methods. At least that’s what the history of computers and networks shows us so far.
My recommendation to everyone is to be aware that, despite the teased promise of the next great thing, the vast majority of successful attacks on those new things are likely to be what has worked so well over the last four decades. You need to be worried mostly about those same attacks and figure out how you need to shift or change your mitigations so they work just as well or better in those new paradigms. That’s the “secret” lesson to take away that no one else is talking about.
It’s OK, and right, to be concerned about brand new types of threats that are allowed by a new paradigm or platform, but what’s going to hurt most people and organizations and cost them the most time and money are likely to be the same things that have worked for decades on everything we have invented so far. Concentrate on those things first and best or you’ll likely be concentrating on the wrong things. Don’t let new and shiny distract you from focusing on the basics first and best.
Genchi Genbutsu (English: Go and see for yourself)
1 year: Some wise words Roger Grimes
Author of Designing Secure Software: A guide for developers
1 year: I can't help noting the irony that "the top virtual machine vendor is constantly releasing patches to close critical holes" for a lesser threat, while we have zero technical fixes for the top three that you call out (social eng., lack of patching, weak passwords).
Roger Grimes does it again. A very simple, but detailed article on the reality of cloud-based attacks. No, you cannot relax because you moved from in-house to cloud. The same attack vectors and more are present. And this is why bank regulators are worried about cloud security. Most banking data resources are moving to one of four cloud providers. That is heavy concentration of resources to just 4 attack points. Read and save this article. And while you are at it, remember as we grow APIs, there are a lot of attack vectors there as well. And finally, as you hopefully move to phishing-resistant authentication (think FIDO2 WebAuthn or passwordless), make sure you heavily test your new code so you don’t introduce authentication bypass attacks. Happy Valentine’s Day!!