Cloud security and runtime analysis - why speed matters

Cloud computing helps companies implement technology more efficiently so they can achieve their goals faster. Gartner estimates that spending with cloud service providers (CSPs) will reach nearly $600 billion this year, as companies run to add more innovation to their business approach. However, cloud computing maintains risk as well. The very reasons that we value the cloud - speed, efficiency, scale - are also prized by threat actors looking to make a buck. By Crystal Morin, Cybersecurity Strategist, Sysdig.

  • 1 year ago Posted in

A metric we can use to represent this environmental risk is dwell time - that is, how long an attacker spends within a victim’s IT network before being detected. For on-premises deployments, this is measured in days. Mandiant estimates that threat actors spend an average of 16 days within the network before they are detected and removed. In the cloud, the risk timescale is vastly different. In our 2023 Global Cloud Threat Report, the Sysdig Threat Research Team reported that threat actors went from initial access to attack mode in just 10 minutes. Dwell time in either environment may include the attacker getting the lay of the land, looking for valuable data or additional privileges, and taking actions such as exfiltrating data or deploying malware. Dwell time is when attackers are the most stealthy and where they are looking to maximise their return on investment.

With your customers’ proprietary data and business financials at stake and so little time to mitigate the risks, how do you help them proactively prepare for cloud security attacks and stay ahead of attackers?

Spot the problem, before it becomes a problem

One of the greatest struggles with cloud security is how to spot potential attackers in the first place. Fortunately, from the get-go CSPs have provided services like AWS CloudTrail which logs all data pertaining to what, where, and when activity is taking place in a cloud environment. There was an initial challenge, however, in that security professionals were not familiar with these tools and did not make use of them effectively. As cloud security processes matured, these became the standard first step in defensive security tooling.

This maturity and ubiquity has not gone unnoticed by threat actors either. In response, attackers look for ways to hide their actions within legitimate traffic and activity, and there are several common methods that have developed. One is the use of an AWS Virtual Private Cloud (VPC) to obfuscate the attacker’s existence in a victim network. A VPC spoofs the IPs that end up in the victim’s CloudTrail logs, which makes attacker activity appear to be benign behaviour. This technique bypasses any typical security measures that rely on spotting threat actor activity based on abnormal source IP addresses, and makes it harder for defenders to differentiate an attacker IP from normal IP addresses used in the internal network. An attacker can even prepare their AWS VPC with their own AWS account, not needing to have initial access to a victim environment and anonymise any request to publicly reachable service endpoints.

Attackers can also hide themselves from logging services like CloudTrail by calling on AWS S3-compatible services rather than using S3 itself because the latter services do not get captured in CloudTrail logs. In the SCARLETEEL operation, the attacker used the S3-compatible Russian service mail.ru when exfiltrating data. In this case, CloudTrail logs will not suffice and more is needed to stop these attacker techniques.

Lastly, using cloud services like AWS CloudFormation can help attackers get past defences too. CloudFormation allows you to model, provision, and manage AWS and third-party resources by treating infrastructure as code, making it an essential tool for those running AWS installations. It is also able to manipulate roles and policies outside of traditional mechanisms, which makes it ideal for attackers to abuse. Using CloudFormation’s AssumeRole command, attackers can try to add more privileges to an account and move laterally to use or implement other services. Spotting attackers using this tool is tricky when it may also be heavily used for any internal management workflows.

Real-time and runtime security

Cloud threat detection systems can help customers protect themselves against these kinds of attacks because relying solely on the native logging and alerting tools provided by the CSPs just isn’t enough. Cloud threat detection should be near real-time so your customers’ security teams get alerts instantaneously, rather than getting those alerts after multiple actions have taken place.

Once you understand how fast attacks take place, the need for runtime security becomes apparent. In Sysdig TRT’s research on more than 13,000 container images publicly available on DockerHub, 819 were secretly malicious. Of these malicious images, only 60 percent were identified using vulnerability scanning, and 69 percent were found using static analysis alone. Ten percent of malicious images were still not detected when we combined vulnerability scanning and static analysis. That ten percent of the malicious images were only identified when the container was actually implemented and running.

If you can’t spot that a container houses a threat before you implement it in your cloud environment, then you are providing an attacker with an initial access vector as soon as that container goes live. In our 2023 Cloud-Native Security and Usage Report, we found that 72 percent of containers live less than five minutes, but the threat report confirms that this is all the time that is needed for an attacker to obtain initial access and make moves inside your cloud environment.

Looking to runtime security and using tools such as Falco are therefore an essential piece of a speedy and proactive cloud defence. The open source project Falco is now part of the Cloud Native Computing Foundation (CNCF) and provides runtime insight into cloud-native environments running containers, Kubernetes, hosts and cloud services. Using Falco, your customers can get the insights they need to secure their cloud and container environments early against attacks that take place at runtime and that would otherwise be missed.

CSPs deliver huge amounts of data to those that use them. Picking out potential threats and issues can be difficult if you do not know where to look for obfuscated attacker activities. However, this level of runtime insight can be used alongside other existing defensive cloud services to spot threats that cross over between different levels of cloud infrastructure and that would be missed by any single cloud logging service. Correlating information from multiple cloud detection services and understanding them in context is necessary to spot threat actor behaviour against the backdrop of your typical cloud environment usage. Truly understanding this complexity is where you can provide advice and guidance to your customers on how to architect cloud security and beat runtime threats.

By Manuel Sanchez, Information Security and Compliance Specialist, iManage.
Anita Mavridis, VP of Product at Zivver, and Sue Musumeci, Director of Quality & Clinical...
By Danny Lopez, CEO of Glasswall.
Nadir Izrael, Co-Founder and CTO at Armis discusses the importance of critical infrastructure...
By Darren Thomson, Field CTO EMEAI at Commvault.
By Asher Benbenisty, Director of Product Marketing at AlgoSec.
By Steve Purser, former Head of Core Operations at the EU Agency for Cybersecurity, and Zivver’s...
By Graham Jarvis, Freelance Business and Technology Journalist, Lead Journalist, Business and...