Director of Research, Lacework Labs
Last week I had the pleasure of attending my first AWS Security Week. This was held at the AWS New York City loft from April 15th – April 18th. The AWS Lofts are a cool place for people to come to hang out, meet, code, etc. – all free of charge. AWS frequently hosts weeks of learning geared towards specific topics. This week the focus was security and compliance.
I presented on the Top 10 Threats to Cloud Security. These threats are not specific to a particular cloud service provider per se, but rather to running and protecting workloads in the public cloud.
The presentation was entry-level and began by describing the differences between traditional enterprise and cloud environments. I discussed users, devices, and threat detection methods.
Enterprise security tooling does overlap with what cloud protection needs, but traditional security tools are hit and miss when applied to the cloud. This comes from the nature of shared infrastructure, ephemeral workloads, and an API-driven environment with limited human interaction.
The Top 10 threats boil down to malware (focused on cloud environments), attacks against services commonly used in the cloud, misconfiguration issues, and insider threats.
For malware, I discussed how we typically see modular malware families used on cloud workloads. These malware families could be used for many purposes but usually are geared for either ransomware (typically targeting databases) or Monero mining (we don’t see much Bitcoin). Additionally, these malware families typically contain a module for propagation, and many have both Linux and Windows capabilities. For cloud infrastructure, the initial infection vector is typically application vulnerabilities and weak passwords (such as brute-forced SSH logins).
Misconfigurations and data theft are well-known problems in this space. I discussed how data leaks typically originate from Elasticsearch, MongoDB, and cloud provider object storage buckets. These typically arise from oversights in deployments and network access policies and are generally discovered by researchers using Shodan or publicly available scanners for things like S3 buckets.
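As an added example (not from the presentation or from Lacework's own tooling), here is a small Python checker for two of the misconfigurations just described: an S3 bucket policy that grants access to anonymous principals, and security-group ingress rules that expose Elasticsearch, MongoDB or SSH to the whole Internet. The bucket policy and ingress rules are constructed sample data in the shape the AWS APIs return them; the port list and function names are my own assumptions.

```python
import ipaddress
import json

# Constructed sample inputs (not from the post): one S3 bucket policy and a
# few security-group ingress rules, shaped like the AWS API responses.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})
SAMPLE_INGRESS_RULES = [
    {"FromPort": 9200, "ToPort": 9200, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"FromPort": 27017, "ToPort": 27017, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
# Assumed watch list: the data stores the post names as leak sources, plus
# SSH, the brute-force vector it mentions.
RISKY_PORTS = {9200: "Elasticsearch", 27017: "MongoDB", 22: "SSH"}

def is_anonymous(principal):
    """True when a policy Principal grants access to everyone (anonymous)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_statements(policy_json):
    """Allow statements open to anyone. A Condition block may narrow such a
    grant, so flagged statements still deserve a manual look."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    return [s for s in stmts
            if s.get("Effect") == "Allow" and is_anonymous(s.get("Principal"))]

def world_open_rules(ingress_rules):
    """(port, service) pairs for risky ports reachable from any address."""
    findings = []
    for rule in ingress_rules:
        lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        if any(ipaddress.ip_network(c).prefixlen == 0 for c in cidrs):
            findings.extend((p, n) for p, n in RISKY_PORTS.items() if lo <= p <= hi)
    return findings

if __name__ == "__main__":
    for s in public_statements(SAMPLE_BUCKET_POLICY):
        print("public bucket statement:", s["Action"], s["Resource"])
    for port, name in world_open_rules(SAMPLE_INGRESS_RULES):
        print(f"{name} (tcp/{port}) is open to the whole Internet")
```

On a real account the same functions can be fed the output of `get_bucket_policy` and `describe_security_groups` from boto3 instead of the constructed samples.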
Insider threats are another well-known issue within the realm of security. In the public cloud, it can be particularly damaging as cloud service providers allow infrastructure to be changed easily. As an example, recently a terminated IT employee caused damage to his previous employer by deleting 23 AWS servers.
I had a great time visiting the AWS Loft, and I highly recommend going if you have never been. It’s a great place to learn and network with others. If you would like to learn more about this presentation, check out the slides here. I will also be doing a webinar on this topic on May 23rd, 2018. Stay tuned for more details.
If you would like to learn more about how Lacework provides workload security to detect attacks like the ones described in this presentation, follow this link to kick off a Free Cloud Risk & Threat Assessment to learn more.