Malware in the cloud: Challenges and best practices
Ask any CISO about the top three risks to his or her enterprise, and you can be sure that malware will be on that list.
Malware as a cybersecurity threat has evolved over the years from a nuisance to a devastating multi-billion-dollar industry that can bring governments and companies to their knees. The Colonial Pipeline ransomware attack in 2021 was just a taste of things to come, and attackers have further refined their attempts to weaponize malware. Recent events like the Russia-Ukraine conflict provide them with more avenues for ransomware and state-sponsored attacks, with the government of Costa Rica being forced to declare a state of national emergency after ransomware devastated its infrastructure.
Attackers go where the money is, and the top two technology trends of the last few years have been the rapid adoption of Cloud Computing and Artificial Intelligence. Cloud adoption is expected to reach $1.55 Trillion by 2030, which is a staggering amount, and attackers have not been slow to see its potential.
How malware can compromise the cloud
Along with the increased adoption by companies, attackers have also started using the cloud to be more scalable and efficient in their operations. There have already been reports of SaaS models cropping up offering cybercrime hosted on the cloud. Just like businesses, attackers are now utilizing the speed and agility of the cloud to supercharge their operations, which extends to malware as well.
Malware can use cloud computing in one of two ways:
- As a delivery platform: By using the power and storage of the cloud, attackers can automate and streamline their operations to be faster, more cost-effective, and thus more dangerous. The cloud can be used as a delivery vehicle for malware and an amplifier, with attacks like DDOS benefiting from the cloud resources they can access.
- As a target: Cloud infrastructure can become the target of the malware itself, with misconfigured infrastructure services and storage like S3, Dropbox, etc. being a prime target of attackers. There are many ways of doing this:
- Misconfigurations: Despite cloud security maturing year by year, there are still reports of simple misconfigurations having devastating effects, like the recent S3 bucket that exposed over 69 million documents and 12TB+ of production data!
- Malicious Cloud apps: Most cybersecurity teams are unaware of the permissions they have granted to SaaS applications within their environments, nor do they verify their origin. Attackers can gain a foothold into a tenant by tricking users into installing a malicious cloud app or using a compromised account to install a cloud app that acts as a backdoor.
- As part of a supply chain attack: Many companies use the cloud for their code repositories and keep critical workloads on-prem in a hybrid computing model. Attackers can compromise the cloud repos and inject malicious templates as a jumping pad into the customer’s environment.
How to combat cloud malware
Protecting against cloud malware is not all that different from safeguarding against on-prem attacks. Along with investing in a proper anti-malware solution, you should follow these best practices to secure your environment:
- Strengthen your access control, as the more locked down your permissions are, the more difficult it will be for cloud malware to take control of your infrastructure. Best practices like principle of least privilege, multi-factor authentication, and role-based access control are all essential practices for securing your cloud.
- Implement a process to audit the permissions given to SaaS applications within your environment. What level of permissions do these applications have, and are they verified? Is there an approval process present before a SaaS application can connect to your cloud?
- Make sure you have a backup method so that you can recover from malware disruptions. This can be a different media or a separate account or subscription.
- Implement a governance model that segregates your production cloud environment from less secure accounts like development or sandbox. You should be using a different cloud account or subscription for running your production and development workloads. The best practice is to segregate them and implement guardrails on what developers can do, even with elevated access. This will ensure that even if malware can compromise privileged access within a development cloud account, it cannot laterally move onto your production workloads.
- Implement behavioral analytics to detect malicious activity within the cloud. In large cloud environments, there are millions of events happening at any given time, which is beyond the scope of human security analysts or SIEM solutions to analyze. Using tools like InsiderSecurity’s Cloud Security Monitor can help you detect suspicious cloud activities and prevent cloud data from being misused by malicious or compromised users. Our software will help you identify any malicious activity before it can infect your environment and your users.
The future of malware
Malware is an evolving threat, and cybersecurity professionals must keep pace or risk being attacked. Teams must upskill themselves to take advantage of cloud security controls and their speed/automation in stopping such threats. One of the biggest mistakes cybersecurity teams make is to “copy-paste” their on-prem controls to the cloud and not take advantage of its security tooling. The cloud is now in the cross-hairs of cybercriminals both as a target and as a platform, and cybersecurity teams need to take steps to secure their cloud footprint before it is targeted.