The Common Cloud Misconfigurations That Lead to Cloud Data Breaches
by Raj Rajamani, Chief Product Officer, CrowdStrike
Malaysia is setting its sights on becoming the next big data hub in Southeast Asia. Surging data consumption and rapid adoption of cloud services across industries have led to a rising demand for data storage and processing. Areas like Johor in the South and Cyberjaya near Kuala Lumpur have already witnessed major growth, with a steady flow of investors taking advantage of tax breaks and incentives offered by the Government. Malaysia’s data centre market is forecasted to grow 72% from to $2.25 billion USD by 2028, surpassing the 47% growth rate for Southeast Asia, according to Ireland’s Research and Markets.
However, rapid growth without robust data security regulations and guidelines to safeguard the rise in data centres can make Malaysia a prime target for cyberattacks. Last year, hackers gained access to login credentials from at least five data centres in Asia used by some of the world’s biggest businesses, exposing thousands of employee and customer emails and passwords.
Within this landscape, the cloud has become the new battleground for adversary activity: CrowdStrike observed a 95% increase in cloud exploitation from 2021 to 2022 and a 288% jump in cases involving threat actors directly targeting the cloud. The Malaysian government has already introduced licensing requirements for cloud service providers as part of its initiative to accelerate the country’s digital transformation. Efforts to further strengthen cybersecurity for Malaysia’s growing cloud environment will require understanding how threat actors operate: how they’re breaking in and moving laterally, which resources they target and how they evade detection.
Cloud misconfigurations — the gaps, errors or vulnerabilities that occur when security settings are poorly chosen or neglected entirely — provide adversaries with an easy path to infiltrate the cloud. Multi-cloud environments are complex, and it can be difficult to tell when excessive account permissions are granted, improper public access is configured, or other mistakes are made. It can also be difficult to tell when an adversary takes advantage of them.
Misconfigured Settings in The Cloud Clear The Path For Adversaries To Move Quickly.
A breach in the cloud can expose a massive volume of sensitive information including personal data, financial records, intellectual property and trade secrets. The speed at which an adversary can move undetected through cloud environments to find and exfiltrate this data is a primary concern. Malicious actors will speed up the process of searching for and finding data of value in the cloud by using the native tools within the cloud environment, unlike an on-premises environment where they must deploy tools making it harder for them to avoid detection. Proper cloud security is required to prevent breaches with far-ranging consequences.
So, what are the most common misconfigurations we see exploited by threat actors and how are adversaries exploiting them to get to your data?
Ineffective Network Controls: Gaps and blind spots in network access controls leave many doors open for adversaries to walk right through –
Unrestricted Outbound Access: When you have unrestricted outbound access to the Internet, bad actors can take advantage of your lack of outbound restrictions and workload protection to exfiltrate data from your cloud platforms. Your cloud instances should be restricted to specific IP addresses and services to prevent adversaries from accessing and exfiltrating your data.
Improper Public Access Configured: Exposing a storage bucket, or a critical network service like SSH, SMB or RDP to the Internet, or even a web service that was not intended to be public, can rapidly result in a cloud compromise of the server and exfiltration or deletion of sensitive data.
Public Snapshots and Images: Accidentally making a volume snapshot or machine image (template) public is rare. When it does happen, it allows opportunistic adversaries to collect sensitive data from that public image. In some cases, that data may contain passwords, keys and certificates, or API credentials leading to a larger compromise of a cloud platform.
Open Databases, Caches and Storage Buckets: Developers occasionally make a database or object cache public without sufficient authentication/authorization controls, exposing the entirety of the database or cache to opportunistic adversaries for data theft, destruction or tampering.
Neglected Cloud Infrastructure: You would be amazed at just how many times a cloud platform gets spun up to support a short-term need, only to be left running at the end of the exercise and neglected once the team has moved on. Neglected cloud infrastructure is not maintained by the development or security operations teams, leaving bad actors free to gain access in search of any sensitive data that may have been left behind.
Inadequate Network Segmentation: Modern cloud network concepts such as network security groups make old, cumbersome practices like ACLs a thing of the past. But insufficient security group management practices can create an environment where adversaries can freely move from host to host and service to service, based on an implicit architectural assumption that “inside the network is safe,” and that “front-end firewalls are all that is needed.” By not taking advantage of security group features to permit only host groups that need to communicate to do so, and to block unnecessary outbound traffic, cloud defenders miss out on the chance to block the majority of breaches involving cloud-based endpoints.
Monitoring and Alerting Gaps: Centralized Visibility into the logs and alerts from all services would make it easier to search/hunt for anomalies.
Disabled Logging: Effective data logging of cloud security events is imperative for the detection of malicious threat actor behaviour. In many cases, however, logging has been disabled by default on a cloud platform or gets disabled to reduce the overhead of maintaining logs. If logging is disabled, there is no record of events and therefore no means of detecting potentially malicious events or actions. Logging should be enabled and managed as a best practice.
Missing Alerts: Most cloud providers and all cloud security posture management providers provide alerts for important misconfigurations and most detect anomalous or likely malicious activities. Unfortunately, defenders often don’t have these alerts on their radar, either due to an excess amount of low-relevance information (alert fatigue) or a simple lack of connection between those alert sources and the places they look for alerts, such as a SIEM.
Ineffective Identity Architecture: The existence of user accounts not rooted in a single identity provider that enforces limited session times and multifactor authentication (MFA) and can flag or block sign-in for irregular or high-risk signing activity, is a core contributor to cloud data breaches because the risk of stolen credential use is so high.
Exposed Access Keys: Access keys are used to interact with the cloud service plane as a security principle. Exposed keys can be rapidly misused by unauthorized parties to steal or delete data; threat actors may also demand a ransom in exchange for a promise to not sell or leak it. While these keys can be kept confidential, albeit with some difficulty, it is better to expire them or use automatically rotated short-lived access keys in combination with restrictions on where (from what networks and IP addresses) they can be used.
Excessive Account Permissions: Most accounts (roles, services) have a limited set of normal operations and a slightly larger set of occasional operations. When they are provisioned with far greater privileges than needed and these privileges are misused by a threat actor, the “blast radius” is unnecessarily large. Excessive permissions enable lateral movement, persistence and privilege escalation which can lead to more severe impacts of data exfiltration, destruction, and code tampering.
Just about everyone has a cloud presence at this point. A lot of organizations make the decision for cost savings and flexibility without considering the security challenges that go alongside this new infrastructure. Cloud security isn’t something that security teams will understand without requisite training. Maintaining best practices in cloud security posture management will help you avoid common misconfigurations that lead to a cloud security breach.
