Cloud Threat Defense

Cloud Security Trends

+ 11 Tips for your “PreCrime”
Unit to Combat Tomorrow’s Cybercrime

Published by the RedLock CSI Team

February 2018 Edition
 Table of Contents

Introduction 3

Key Takeaways 5

01 - Account compromises are on the rise 6

02 - Changing tides: from stealing data to stealing compute 8

03 - Long road ahead to GDPR readiness 10

04 - Spectre and Meltdown vulnerabilities - a rude awakening 12

About the Report 14

Ready to Take Action? 15

© 2018 RedLock Inc. All rights reserved. 2

 Introduction The countless number of mega breaches in 2017 involving

public cloud environments has left organizations feeling

more vulnerable and exposed than ever. If only we had

precogs from Minority Report with clairvoyance abilities to

help us foresee the cybercrimes of the future and take

measures today to prevent them. In lieu of this, the

RedLock Cloud Security Intelligence (CSI) team studied

threats across public cloud environments from October

2017 to January 2018 and formulated hypothesis about

the biggest risks impacting these environments.

The analysis is centered around the shared responsibility

model for security. Cloud service providers such as

Amazon Web Services (AWS), Microsoft Azure, and Google

Cloud are responsible for protecting the infrastructure that

runs all of the services offered in the Cloud. None of the

breaches in 2017 were caused by negligence on the part of

the cloud service providers.

An organization’s obligations in the shared responsibility

model include monitoring for risky configurations,

anomalous user activities, suspicious network traffic, and

host vulnerabilities (figure 1). This report assesses the

efficacy of the security controls that organizations are

implementing to meet their obligations and highlights key

issues in each of these areas.

© 2018 RedLock Inc. All rights reserved. 3

 Introduction

Most notably, the research suggests that cryptojacking will become a serious issue in public cloud environments and

the primary attack vector will be compromised account credentials. In order to get ahead of cybercriminals tomorrow,

organizations need to make a concerted effort towards instituting stringent user access policies and vigilantly

monitoring user activities for anomalous behavior today.

Figure 1: The Shared Responsibility Model

© 2018 RedLock Inc. All rights reserved. 4

 Key Takeaways

1. Account compromises are on the rise

Poor user and API access hygiene is leading to an increase in account compromises. When combined with ineffective

visibility and user activity monitoring, it makes organizations even more vulnerable to breaches, Tesla being a recent

victim.

2. Changing tides: from stealing data to stealing compute

The soaring value of cryptocurrencies is prompting hackers to shift their focus from stealing data to stealing compute

power in an organization’s public cloud environment. The nefarious network activity is going completely unnoticed due

to a lack of effective network monitoring.

3. Long road ahead to GDPR readiness

Risky resource configurations can be attributed to a large number of the breaches in public cloud environments in 2017.

With GDPR coming into effect in a few months, organizations are under the gun to identify and address these issues as

quickly as possible.

4. Spectre and Meltdown vulnerabilities - a rude awakening

The impact of the Spectre and Meltdown vulnerabilities on public cloud environments was a wakeup call for

organizations to address vulnerability management in the cloud. Unfortunately, organizations are unable to leverage their

standalone on-premise tools to achieve this since they were not designed for cloud architectures.

© 2018 RedLock Inc. All rights reserved. 5

 01 While we saw a number of data exposures last year related to

Account cloud misconfigurations such as publicly exposed Amazon S3

compromises
(Simple Storage Service) buckets, there were also a few prominent

incidents such as the Uber breach resulting from account

are on the rise compromise. Hackers had accessed one of Uber’s private GitHub

repositories where they discovered login credentials to Uber’s

AWS account. They used these credentials to login into the AWS

account and exfiltrate sensitive data on 57 million people.

73% Uber is by no means alone as far as compromised credentials go;

the RedLock CSI team recently discovered an unprotected

Kubernetes console that belongs to Tesla. Within one Kubernetes

of organizations are allowing
pod, access credentials were exposed to Tesla’s AWS
root user activities
environment. An examination of the environment revealed that it

contained an Amazon S3 (Amazon Simple Storage Service)

bucket that had sensitive data such as telemetry.

This incident prompted the RedLock CSI team to analyze trends

40% around access hygiene. The findings indicate that we can expect

this type of attack to increase in frequency in 2018.

of access keys have not

been rotated
Key Findings

The most alarming statistic was the fact that 73% of

organizations are allowing the root user account to be used to

perform activities. This goes against security best practices and

16% Amazon has strongly warned against this; administrators are

advised to lock away root user access keys and create individual

IAM users instead.

of organizations with potential

account compromises
When the team examined organizations’ hygiene around access

keys, they discovered that 40% of them had not been rotated in

over 90 days. This is concerning because keys often tend to

© 2018 RedLock Inc. All rights reserved. 6

 01
Account
compromises
are on the rise

have overly permissive access than is necessary for the role which creates greater exposure. In the event of an account

compromise, rotating access keys will ensure that the window of opportunity available to hackers is finite.

Further investigation by the RedLock CSI team determined that 16% of organizations have users whose accounts have

potentially been compromised. In addition to closely managing access, organizations must also be vigilant about monitoring

user activities within their public cloud environments to detect insider threats or account compromises.

Tips

1. Forbid the use of root accounts for day-to-day operations.

2. Enforce multi-factor authentication on all privileged user accounts.

3. Implement a policy to automatically force periodic rotation of access keys.

4. Establish user and access key behavior baselines, and monitor for deviations to detect account
takeovers or malicious insider activity.

© 2018 RedLock Inc. All rights reserved. 7

 02 The soaring value of cryptocurrencies has captured the attention

Changing tides: of audiences around the world including hackers. As a result, we

from stealing data

are seeing a cryptojacking epidemic. It is becoming far more

lucrative for hackers to steal organizations’ compute for mining

to stealing compute cryptocurrencies than to steal their data. As an example, hackers

had placed mining malware via Google DoubleClick ads on

YouTube. These ads used visitors’ compute power and electricity

to mine cryptocurrencies for the hackers.

As organizations embrace public cloud, the focus will shift to

targeting these environments for cryptojacking. A few months

ago, the RedLock CSI team uncovered cryptojacking incidents at a

80% number of organizations including multinationals such as

Gemalto and Aviva. The RedLock CSI team recently discovered a

similar incident at Tesla. Essentially, hackers were running crypto

of resources do not restrict
outbound traffic at all mining scripts on Tesla’s unsecured Kubernetes instances. To

conceal their identity, the scripts were connecting to servers that

reside behind CloudFlare, a content delivery network. The

nefarious network activity had gone completely unnoticed by

Tesla.

8% The lesson learnt from these incidents is that aside from

monitoring public cloud environments for risky configurations and

account compromises, organizations must also have effective

of organizations had network intrusion detection solutions in place. The RedLock CSI
cryptojacking activity within
their environments team decided to analyze the implementation of this best practice

across organizations.

Key Findings

The research revealed that many organizations were not following

network security best practices and had risky configurations. The

most staggering statistic was the fact that 80% of resources are

associated with security groups that do not restrict outbound

© 2018 RedLock Inc. All rights reserved. 8

 02
Changing tides:
from stealing data
to stealing compute

traffic at all. Best practices dictate that outbound access should be restricted to prevent accidental data loss or data exfiltration

in the event of a breach.

Upon closer examination, the team discovered that 8% of organizations had cryptojacking activity within their environments.

While this is a small percentage today, we anticipate this will rapidly increase as this technique gains popularity amongst the

hacker community.

The Tesla incident highlights the need for a holistic approach to security in the cloud. A combination of configuration, user

activity, network traffic, and host vulnerability monitoring is necessary to detect advanced threats in public cloud environments.

Tips

1. Implement a “deny all” default outbound firewall policy.

2. Monitor ingress and egress network traffic for any suspicious activities.

© 2018 RedLock Inc. All rights reserved. 9

 03 2017 saw a record number of mega data exposures resulting from

Long road ahead to cloud misconfigurations, especially due to unsecured cloud

GDPR readiness
storage services. With General Data Policy Regulation (GDPR)

coming into effect in a few months, organizations are under the

gun to address these issues as quickly as possible. The RedLock

CSI team assessed the preparedness of organizations based on

fundamental security best practices and the results suggest a

long road ahead.

58% Key Findings

The RedLock CSI team analyzed that 58% of organizations using

cloud storage services such as Amazon S3 and Microsoft Azure

organizations publicly exposed
at least one cloud storage service Blob storage had inadvertently exposed one or more such

services to the public. The good news is that the violation trend is

slowing; last year this number was 53% in October and 40% in

May, respectively. Perhaps the proactiveness by cloud service

providers such as Amazon in adding security features to help

66% organizations detect these issues is paying off.

We are seeing a similar slowing trend with database encryption;

of databases are not encrypted 66% of databases in the cloud are not being encrypted compared

to 64% in October. Data encryption is an important technique that

could help meet the pseudonymization requirement for GDPR and

should be enforced as a security best practice.

55% A broader compliance assessment against industry standards

revealed that on average, organizations fail 55% of

CIS Foundations best practices, 47% of PCI requirements,

of CIS compliance checks fail 44% of HIPAA requirements, and 32% of SOC 2 best practices.

While the slowing trends are encouraging, organizations have a

long way to go before they can claim compliance and time is

running out as far as GDPR is concerned.

© 2018 RedLock Inc. All rights reserved. 10

 03
Risky users are
flying under the radar

Tips

1. Ensure cloud resources are automatically discovered when they are created.

2. Implement policy guardrails to ensure that resource configurations adhere to industry standards such as CIS,
SOC 2, PCI, and HIPAA.

3. Integrate configuration change alerts into DevOps and SecOps workflows to automatically resolve issues.

© 2018 RedLock Inc. All rights reserved. 11

 04 Organizations around the world kicked off 2018 with fire drills to

Spectre and address the Spectre and Meltdown vulnerabilities. Their

Meltdown
widespread impact -- virtually affects all modern high-end

microprocessors -- and the risk to public cloud environments in

vulnerabilities - particular garnered them a lot of attention. Amazon, Microsoft,
a rude awakening and Google rushed to patch their operating systems. However,

security in the cloud is a shared responsibility and requires that

organizations also do their part by identifying vulnerable hosts

and implementing the mitigations. The RedLock CSI team

assessed host vulnerability management in the cloud to

determine the state of affairs.

Key Findings

The research revealed that 83% of vulnerable hosts in the cloud

83%
are receiving traffic from suspicious locations, suggesting

attempted exploitation. Moreover, RedLock’s integration with

Amazon GuardDuty, a threat detection service that launched in

of vulnerable hosts November 2017, indicates that 15% of these hosts are actually
are receiving exhibiting activity patterns associated with instance compromise
suspicious traffic
or reconnaissance by attackers. The notion of vulnerability

management has been around for a long time and in light of the

recent Spectre and Meltdown vulnerabilities, these results beg the

question why organizations are not being more proactive with

15% vulnerability management in the cloud.

The crux of the issue lies with the fact that while most
of vulnerable hosts
organizations have existing investments in third party vulnerability
flagged as compromised by
Amazon GuardDuty scanning tools such as Qualys and Tenable, they are unable to

map the data from these tools to identify and prioritize

remediation of vulnerable hosts in the cloud. Specifically,

identifying hosts that are missing patches by IP addresses is

ineffective, since IP addresses are constantly changing in the

cloud. Vulnerability management is a key requirement of GDPR

and organizations need to consider how they will address the

issue for their public cloud environments.

© 2018 RedLock Inc. All rights reserved. 12

 04
Spectre and
Meltdown
vulnerabilities -
a rude awakening

Tips

1. Correlate vulnerability data with resource configuration data to identify vulnerable hosts.

2. Correlate network traffic data to determine whether the vulnerabilities are actually network exploitable
and prioritize remediation accordingly.

© 2018 RedLock Inc. All rights reserved. 13

 About the Report

RedLock CSI Team

RedLock enables effective threat defense across Amazon Web Services, Microsoft Azure, and Google Cloud

environments. The RedLock Cloud 360™ platform takes a new AI-driven approach that correlates disparate security data

sets to provide comprehensive visibility, detect threats, and enable rapid response across fragmented cloud

environments. With RedLock, organizations can ensure compliance, govern security, and enable security operations

across public cloud environments.

The RedLock Cloud Security Intelligence (CSI) team consists of elite security analysts, data scientists, and data

engineers with deep security expertise. The team’s mission is to enable organizations to confidently adopt public cloud

by researching cloud threats, advising organizations on cloud security best practices, and frequently publishing out-of-

the-box policies in the RedLock Cloud 360™ platform.

The CSI team has discovered millions of exposed records that contain sensitive data belonging to dozens of

organizations ranging from small businesses to Fortune 50 companies. The team notifies the affected organizations and

publishes security advisories to raise awareness about the issues.

Report Methodology
The data in this report is based on analysis across the public cloud environments monitored by RedLock, which

comprises of over twelve million resources that are processing petabytes of network traffic. In addition, the team also

actively probed the internet for vulnerabilities in public cloud environments.

© 2018 RedLock Inc. All rights reserved. 14

 Ready to Take
Action?

Get a Free Risk Assessment

Get started in minutes and obtain a free risk assessment across your cloud footprint without hindering agile

development. It will provide the following insights:

Are there any resources with risky configurations?

Are there unpatched hosts in your environment?

Have there been any network intrusions?

Are there any insider threats?

Have any accounts been compromised?

More information: https://info.redlock.io/cloud-risk-assessment

Download Cloud Security Buyer’s Guide

Download the Cloud Security Buyer’s Guide to get 20+ tips based on the NIST Cybersecurity Framework and manage

risks across your public cloud computing environment.

More information: https://info.redlock.io/lp-nist-csf-cloud-security

© 2018 RedLock Inc. All rights reserved. 15

“We were able to deploy RedLock in minutes without disrupting DevOps and immediately gained visibility into risks

across our entire AWS footprint in a single view.”

Raymond Espinoza

Global Head of Security

To learn more:
Call: +1.650.665.9480, Visit: www.redlock.io
© 2018 RedLock Inc. All rights reserved.

RedLock and RedLock logo are registered US trademarks of RedLock Inc.

RedLock Cloud 360 is a trademark of RedLock Inc.
All other registered trademarks are the properties of their respective owners.