Recent cloud-based attack headlines remain front-and-center in the cybersecurity community, adding to the relevance of analysis and guidance provided by Mitiga Co-Founder and CTO Ofer Maor in his recent BrightTALK Webcast, It's Getting Real & Hitting the Fan! Real World Cloud Attacks.
If you haven’t yet viewed this BrightTALK session, here are several relevant Question & Answer storylines worthy of your online consideration.
Cloud breach detection timeline: 200 days
In response to one questioner, Ofer shared that the average cloud breach takes up to 200 days to discover and 70 days to respond: “This sounds terrible, but it is the reality. So, organizations often discover breaches along time after they started.”
Simply put: the common practice of 90-day log retention provided by a sizable segment of cloud service providers (CSPs) won’t help identify the breach type or cyber attacker when the timeline dates back 200 days. Absent the necessary forensic data baseline, cloud incident response is time-consuming, which challenges the IR teams tasked with reducing business downtime and notifying regulators about the breach.
While the timeline to discover a cloud breach is lengthy, the window for organizational notifications to regulators is not, with Ofer’s response also noting that reductions to 12-hour reporting requirements are under consideration. For teams who have not assembled detailed information about the cloud breach by the time that report is due to regulators, that can be an uncomfortable proposition.
Contrasting cloud and on-premises attacks
If on-premises attacks can be characterized by standard methodologies – possibly involving the initial compromise of a machine or malware, with lateral movement to servers or a domain controller, for example – cloud attacks are really different.
Ofer’s response noted that we are in the early days of the cloud, and some of the cloud attacks seen are immature, since most of the commercialized attack infrastructure remains in on-premises environments.
Cloud-native attacks frequently involve misconfiguration issues, EC2 machines, and virtual machines. Regardless of the number of security controls or detection schemes in place, your organization will experience a major cloud breach at some point, because it is impossible to secure everything in today’s complex cloud and SaaS environments.
Assessing SaaS marketplace risks
“SaaS marketplaces are great from a functionality perspective, but they are a huge, huge security risk,” Ofer noted in one response.
In considering respective Office 365, Slack,Salesforce, and GitHub marketplaces and associated integrations, SaaS vendors have expanded their functionality. In creating this SaaS mesh, there is considerable communication between different SaaS services, which has resulted in organizational risk, since there are different security levels among these various vendor SaaS servers. Many smaller SaaS vendors are not necessarily at the same security level as Microsoft and Salesforce, for example.
In this environment, even single SaaS service compromise can quickly impact an entire organization, with this SaaS mesh making it a far more likely occurrence.
Improving cloud incident response and digital forensics expertise
Since cloud Digital Forensics and Incident Response subject matter expertise remains in short supply, one approach considered by today’s organizations involves straining on-premises incident response resources in cloud and SaaS forensics.
In addressing a related question, Ofer’s response noted that while such reference resources are in short supply, a baseline understanding of cybersecurity and knowledge of cloud security provider security practices are important places to start. Next, the Cloud Security Alliance offers some working groups that offer helpful information regarding cloud IR and digital forensics in cloud environments.
Getting ready before the next breach hits
Increasing cyber resilience in advance of the next cloud attack will remain a challenge, because control of organizational data now also depends on the security afforded by CSPs. In advancing cloud incident response readiness, Ofer’s guidance focused on collecting and storing forensics data in a way that allows you to do an investigation very quickly and efficiently. Cloud IR planning should also factor ongoing organizational readiness activities, including a tabletop exercise and updating the organizational IR plan.
For more information about how increasing organizational cyber resilience in advance of the next cloud attack can help you turn a crisis into an inconvenience, watch: It's Getting Real & Hitting the Fan! Real World Cloud Attacks (brighttalk.com)