Stop Today’s Top 10 Cloud Attack Killchains

Everyone knows that cloud-driven exposures and related cloud attack killchains are emerging at a furious pace. These are the top 10 real-world attack scenarios we see in the field; over the coming weeks we will dive into the details and show you how to stop them.

Given the explosion of cloud adoption among organizations over the last decade, it’s no surprise that attack methodologies have mirrored the trend to exploit this expanding footprint.

While most of the research and alarm-raising focuses on cloud misconfiguration and vulnerabilities, there is a dearth of information on what attackers are up to. General guidance and defenses are great, but sometimes you need to know the common ways the bad guys are going to hit you, along with the best places to stop them.

One extremely effective model for understanding real attacks is the killchain concept, originally pioneered by Lockheed Martin. A killchain represents the standard process attackers take from start to finish to achieve their goals. The idea is that these are never single-phase attacks, but a *chain* of steps. Break one link and the attack fails.

The Lockheed killchain and MITRE ATT&CK models are two popular and well-developed frameworks, but they tend to be a bit high-level for guiding specific security control decisions. That’s why I recently presented on this very topic at the RSA Security Conference 2020 in San Francisco, specifically to help organizations threat model and plan cloud defenses.

We took a different approach. Instead of creating a general framework, we mapped the top 10 most common cloud attacks step by step. Our map covered all the key steps (and defenses) for each attack. But a quick run-through on the Top 10 attacks in less than an hour didn’t let us get into all the related details.

So the next stage of my research and reporting on this topic will be a series of blog posts published regularly here at DisruptOps. In these posts I will dive deeper into each of the attack killchains I shared at RSA, and offer some existing methods you can employ to protect your organization.

To start let’s take another look at the Top 10 list to set our agenda. Of course, in the spirit of collaboration, if anyone disagrees with my list and would like to suggest other emerging attacks to discuss, input here or via social media is very welcome. This is merely a snapshot in time, and I’m sure the list will change as new cloud capabilities and attack methods emerge.

That said, here is the current list as I see it, in no particular order:

  1. Static API Credential Exposure to Account Hijack: It’s no surprise that mismanaged cloud credentials remain a top issue. Preventing human lapses is always a challenge. I should know, having messed this one up myself.
  2. Compromised Server via Exposed Remote Access Ports: Exposing ports or other administrative access to the Internet is an efficient and common manner of opening yourself up to attack.
  3. Compromised Database via Inadvertent Exposure: More public exposure here, this time relating to vulnerable DB ports and public PaaS DBs; guardrails and assessments can help.
  4. Object Storage Public Data Exposure: Overly permissive or public-facing access to sensitive data in object storage is another frequent offense.
  5. Server Side Request Forgery: SSRF is unfortunately a real thing, and attackers are getting pretty handy at execution and privilege escalation. We need to better restrict access.
  6. Cryptomining: Bitcoin bandits are greedy, and it’s pretty much impossible to make a profit mining if you have to pay the power bill yourself. They want your cloud to run their operations, so you pay for it. Frequent assessment, smarter policies, and even tighter billing practices can keep them out.
  7. Network Attack: We have a lot of netsec mindshare here at DisruptOps and the refrain hasn’t changed since the TCP/IP era. The hard outer shell still doesn’t cut it.
  8. Compromised Secrets: Everyone has secrets, such as static DB passwords, and cloud attacks find them. We are only as secure as our most discoverable secret.
  9. Novel Cloud Data Exposure and Exfiltration: Many data-storing cloud resources (think VM snapshots, VHDs, and Elasticsearch) are public-facing whether or not you knew it.
  10. Subdomain Takeover: “Orphaned” subdomain DNS resources are not cute little foundlings, but rather magnets for phishing attacks. Aggressively delete and monitor, please.
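As a concrete illustration of the "monitor" half of item 10, here is a small defensive check (an added example, not code from the DisruptOps post or the RSA session) that flags CNAME records whose target is no longer in your resource inventory. It assumes a DNS zone export as `(name, type, target)` tuples and a list of hostnames you still own; both inputs are constructed inline.

```python
"""Flag dangling CNAME records that could be claimed by a third party.

Inputs are constructed for the example: a zone export as (name, type, target)
tuples and an inventory of provider hostnames the organization still owns.
"""
from dataclasses import dataclass

# Provider namespaces where a deleted resource's hostname can be re-registered
# by anyone. Constructed starting list; extend it with the providers you use.
REUSABLE_TARGET_SUFFIXES = (
    ".s3.amazonaws.com",
    ".cloudfront.net",
    ".azurewebsites.net",
    ".herokuapp.com",
)


@dataclass(frozen=True)
class Finding:
    name: str       # the record in our zone
    target: str     # where the CNAME points
    severity: str   # "high" if the target namespace is reusable, else "review"


def _norm(hostname: str) -> str:
    """Lower-case and strip the trailing dot so zone and inventory names compare."""
    return hostname.strip().lower().rstrip(".")


def find_dangling_cnames(zone_records, owned_hostnames):
    """Return CNAMEs whose target is absent from the owned-hostname inventory."""
    owned = {_norm(h) for h in owned_hostnames}
    findings = []
    for name, rtype, target in zone_records:
        if rtype.upper() != "CNAME":
            continue                      # A/AAAA/MX etc. are out of scope here
        tgt = _norm(target)
        if tgt in owned:
            continue                      # still backed by a resource we control
        severity = "high" if tgt.endswith(REUSABLE_TARGET_SUFFIXES) else "review"
        findings.append(Finding(_norm(name), tgt, severity))
    return findings


# Constructed sample zone and inventory (example.com is a reserved name).
SAMPLE_ZONE = [
    ("www.example.com.", "A", "203.0.113.10"),
    ("assets.example.com.", "CNAME", "d111111abcdef8.cloudfront.net."),
    ("old-promo.example.com.", "CNAME", "promo-2019.s3.amazonaws.com."),
    ("status.example.com.", "CNAME", "status.partner.example.net."),
]
SAMPLE_INVENTORY = ["d111111abcdef8.cloudfront.net"]
```

Run it over a real zone export on a schedule and treat every "high" finding as a record to delete or re-point, not merely to ticket.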

And there you have it, or rather them. One could easily write highly detailed white papers about each topic, but we will attempt to boil the individual attack killchains down into relatively short blog posts, pinpointing relevant details for shutting down whatever exposure you might incur.

Of course there’s a reason DisruptOps is so keenly focused on these challenges — we believe automation is the only practical solution to the scale of the cloud security issue within today’s massive and rapidly scaling implementations.

Here’s hoping this snapshot of our upcoming research has helped to whet your appetite. For more information you can start with the RSA session video.