Understanding the Latest Threats and Mitigation Strategies to Better Secure the Cloud

The cyber threat landscape is well known to be both treacherous and constantly evolving, and awareness of a problem is the necessary first step toward addressing it. With cloud computing and storage gaining users across the globe, staying aware of the gravity and scope of the latest threats facing the cloud matters. What follows looks at the latest data on the cloud landscape and then presents several brief case studies.

According to the 2024 Cloud Security Study published by Thales, four of the top five most highly targeted vectors for cyberattacks are cloud-based, focusing on applications, storage, and management infrastructure (1). This data indicates that the cloud has overtaken on-premises and locally hosted targets. While not entirely surprising given rapid technological advancement and adoption, this arrival highlights the urgent need for organizations to make a robust cloud-focused defense strategy part of any cyber resilience program.

To further illustrate the complex challenges cloud-dependent organizations face in maintaining data integrity, research from IBM indicates that 40% of all breaches captured data stored solely in either a public or a private cloud, and another 40% captured data stored in both cloud and on-premises locations (2). As companies adopt more cloud-hosted and cloud-delivered technologies (around 60% of large organizations use “more than 25 SaaS [Software as a Service] applications and 30% have more than 50”), maintaining appropriate security for every single one of these applications is immensely challenging (3).

As threat actors focus their attacks on cloud environments, it should be unsurprising that close to 50% of businesses have experienced a breach in their cloud environment, many of which originate through these third-party applications (1). While not every breach results in lost data or organizational downtime, this rate is yet another concerning statistic pointing to the profound challenge of securing sensitive data. Continued data migration and growing cloud usage will likely exacerbate these risks.

Case Studies

To more fully capture the nature and challenges of cloud cybersecurity, what follows are several real-world case studies demonstrating the numerous ways in which threat actors gain access to targeted networks.

Healthcare: False Invoice

Victim: Government Health Insurance Program (4)

How it happened: The victim entities were scammed into wiring payments in a series of schemes involving several threat actors operating out of different states. In most cases, threat actors created email accounts that looked nearly identical to legitimate businesses and hospitals. Targets were tricked via social engineering schemes into updating the bank account details for reimbursement payments. To cover their tracks, the threat actors used stolen identities to open bank accounts in the name of shell companies.

Construction: Unauthorized Access & Lateral Movement

Victim: Construction Risk Management Firm (5)

How it happened: The victim organization first reported that suspicious activity had been identified on its network, though there was no definitive indicator of how the initial breach occurred. Once inside the network, the threat actor was able to access sensitive information related to more than 60,000 customers as well as current and former employees. Because the organization lacked robust network visibility and proper access controls, the threat actors were able to copy and exfiltrate highly sensitive data after escalating their privileges and moving with relative freedom throughout the network.

Education: Leaked Credentials

Victim: Large Urban School District (6)

How it happened: A Russia-based threat group, Vice Society, used the legitimate credentials of a school employee to access the broader district network. These credentials had been available on the dark web following a prior cyberattack. The employee in this case had wide access, including the ability to log in through the district’s VPN (virtual private network). Because the attack occurred over the Labor Day weekend, when internal teams were off duty, the threat actors were able to move extensively and unobserved throughout the environment. In the end, 500 GB of data was exfiltrated, including sensitive student information. The breach cost taxpayers approximately $18M to remediate.

Education: Social Engineering & Account Compromise

Victim: Public School District (7)

How it happened: A large school district lost more than $6 million after threat actors appear to have gained access to the email account of the district’s chief operating officer (COO). The threat actors monitored the private email correspondence between the COO and a district vendor. Eventually, they impersonated both organizational leaders in order to divert district payments intended for its school bus contractor and a law firm to fraudulent accounts. So far, $3.6 million has been recouped.

Government/Municipalities: Third-Party Data Breach

Victim: Department of Insurance, Securities and Banking (DISB) (7)

How it happened: The data breach at the Washington, D.C. DISB originated with an attack on a third-party technology provider. The LockBit ransomware gang accessed and stole 800 GB of data, including sensitive client data, stored in the third-party vendor’s cloud. The technology provider discovered unauthorized activity in its private cloud hosting environment, which led to the breach being identified. The subsequent investigation determined that the threat actors obtained legitimate credentials via a brute-force attack and used them to take over user accounts. Despite the system being taken offline and an investigation launched, some of the stolen data was publicly exposed.

Factors Contributing to Data Breach Cost and Mitigation

While there is no single or absolute way to avoid becoming a victim, various factors raise or lower the cost and difficulty of responding to a cloud-centered breach. One way to improve your ability to identify and counter threats against your cloud environment is to limit, as much as possible, the factors that make such environments prime targets. The 2024 IBM Cost of a Data Breach Report identified several of these factors. Here are the top five, in order of additional cost:

Complicating Factors

  1. System complexities, which can include overlapping tools, patch management processes (or lack thereof), data storage, and more
  2. Skills and personnel shortage, specifically related to the cybersecurity and IT teams
  3. Breaches of third-party vendors and software providers
  4. Regulatory non-compliance
  5. Migration of data from local network storage and operations to the cloud or from one service to another

Mitigating Factors

In conjunction with these compounding factors are those that “reduced the average breach cost” per the IBM report. Again, the top five:

  1. Employee training, including for identifying and reporting phishing and social engineering attempts
  2. The utilization of AI to gain insights into network activity
  3. Implementation of a security information and event management (SIEM) system to log and trend network activity
  4. The development and practicing of an Incident Response (IR) plan to better ensure a quick response in the event of a breach or cyber incident
  5. Encrypting all sensitive data coming into and leaving your network
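As an added example (not code from the newsletter or from SpearTip), the following Python sketch shows the kind of SIEM-style rule that would have surfaced two patterns from the case studies above: a VPN login succeeding over a holiday weekend outside staffed hours (the Leaked Credentials case), and a login succeeding only after a burst of failures from one address (the brute-force takeover in the DISB case). The log lines, holiday dates, business hours and failure threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed VPN authentication log; format: timestamp|user|src_ip|result
SAMPLE_LOG = """\
2022-09-03 02:14:00|jdoe|203.0.113.5|FAIL
2022-09-03 02:14:03|jdoe|203.0.113.5|FAIL
2022-09-03 02:14:06|jdoe|203.0.113.5|FAIL
2022-09-03 02:14:09|jdoe|203.0.113.5|FAIL
2022-09-03 02:14:12|jdoe|203.0.113.5|FAIL
2022-09-03 02:14:15|jdoe|203.0.113.5|SUCCESS
2022-09-06 09:05:00|asmith|198.51.100.7|SUCCESS
"""
# Constructed holiday calendar for a Labor Day weekend (assumption)
HOLIDAYS = {"2022-09-03", "2022-09-04", "2022-09-05"}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local time (assumption)
BRUTE_FORCE_THRESHOLD = 5       # failures before a success (assumption)

def parse(log_text):
    """Turn the pipe-delimited log into (timestamp, user, ip, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split("|")
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def off_hours_logins(events):
    """Successful logins that fall on a holiday or outside business hours."""
    return [(ts.isoformat(sep=" "), user) for ts, user, _, result in events
            if result == "SUCCESS"
            and (ts.strftime("%Y-%m-%d") in HOLIDAYS
                 or ts.hour not in BUSINESS_HOURS)]

def brute_force_takeovers(events):
    """(user, ip, failures) where a success followed >= threshold failures
    from the same source address, the signature of a guessed password."""
    failures = defaultdict(int)
    hits = []
    for _, user, ip, result in events:
        key = (user, ip)
        if result == "FAIL":
            failures[key] += 1
        else:
            if failures[key] >= BRUTE_FORCE_THRESHOLD:
                hits.append((user, ip, failures[key]))
            failures[key] = 0
    return hits
```

Either rule alone would have raised an alert on the jdoe login while the asmith login on a staffed Tuesday morning passes quietly; in a production SIEM the holiday calendar and threshold would come from configuration rather than constants.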

This is not to say that improving upon these 10 areas will guarantee that your company operates free from cyberattacks or other security incidents. What it does mean is that your organization will be better positioned to learn from those who have experienced significant breaches and operational downtime, and to implement a robust security program to defend against predatory threat actors.

If you want to learn more about how we help organizations prevent these targeted attacks, navigate here: https://www.speartip.com/shadowspear-cloud-monitoring/

Sources

  1. Thales. 2024 Cloud Security Study - Global Edition. https://cpl.thalesgroup.com/cloud-security-research. Accessed 13 Aug. 2024.
  2. IBM. Cost of a Data Breach Report. 2024, https://www.ibm.com/downloads/cas/1KZ3XE9D.
  3. Thales. 2024 Cloud Security Study - Global Edition. https://cpl.thalesgroup.com/cloud-security-research. Accessed 13 Aug. 2024.
  4. Office of Information Security. Business Email Compromise (BEC) & Healthcare. 16 May 2024, https://www.hhs.gov/sites/default/files/business-email-compromise-healthcare-tlpclear.pdf.
  5. Thibault, Matthew. “Construction Insurer Hit in Data Breach.” Cybersecurity Dive, 6 Oct. 2023, https://www.cybersecuritydive.com/news/builders-mutual-data-breach/695697/.
  6. Gatlan, Sergiu. “Los Angeles Unified School District Investigates Data Theft Claims.” BleepingComputer, 6 June 2024, https://www.bleepingcomputer.com/news/security/los-angeles-unified-school-district-investigates-data-theft-claims/.
  7. Zaretsky, Mark. “After Hackers Stole $6 Million in City Money, New Haven Works to Tighten Protocols, Recover Funds.” New Haven Register, 11 Aug. 2023.
  8. City of Philadelphia. Notice of Privacy Incident. 20 Oct. 2023, https://www.phila.gov/media/20231018161713/Notice-of-Privacy-Incident_PDPH-Website_10_20_23.pdf.

The information in this newsletter publication was compiled from sources believed to be reliable for informational purposes only. This is intended as a general description of certain types of managed security services, including incident response, continuous security monitoring, and advisory services available to qualified customers through SpearTip, LLC, as part of Zurich Resilience Solutions, which is part of the Commercial Insurance Business of Zurich Insurance Group. SpearTip, LLC does not guarantee any particular outcome. The opinions expressed herein are those of SpearTip, LLC as of the date of the release and are subject to change without notice. This document has been produced solely for informational purposes. No representation or warranty, express or implied, is made by Zurich Insurance Company Ltd or any of its affiliated companies (collectively, Zurich Insurance Group) as to their accuracy or completeness. This document is not intended to be legal, underwriting, financial, investment or any other type of professional advice. Zurich Insurance Group disclaims any and all liability whatsoever resulting from the use of or reliance upon this document. Nothing express or implied in this document is intended to create legal relations between the reader and any member of Zurich Insurance Group. Certain statements in this document are forward-looking statements, including, but not limited to, statements that are predictions of or indicate future events, trends, plans, developments or objectives. Undue reliance should not be placed on such statements because, by their nature, they are subject to known and unknown risks and uncertainties and can be affected by numerous unforeseeable factors. The subject matter of this document is also not tied to any specific service offering or an insurance product nor will it ensure coverage under any insurance policy.
No member of Zurich Insurance Group accepts any liability for any loss arising from the use or distribution of this document. This document does not constitute an offer or an invitation for the sale or purchase of securities in any jurisdiction.

In the United States, Zurich Resilience Solutions managed security services are provided by SpearTip, LLC.

Copyright © 2024 SpearTip, LLC
