Cloud Security Fundamentals: Servers to Containers & Everything In-Between

With Linux being the operating system for 96% of the cloud, the landscape has changed beyond endpoint detection. Intezer Protect is built for the cloud with strong Linux threat detection and no impact on your resources.

“There is no cloud, it’s just someone else’s computer.” As prominent as this joke has become, it does a disservice to explaining the magnitude of Joseph Carl Robnett Licklider’s creation. Licklider is credited with the cloud’s invention due to his work on ARPANET, connecting people to data from anywhere in the world in the 1960s.

Let’s break down these characteristics and delve into those that bring security concerns into our cloud environments.

Cloud Characteristics

Broad Network Access

Companies do not often think about what vulnerabilities their cloud carriers could bring. Cloud carriers enable cloud providers, such as AWS, Azure, and Google Cloud, to connect to the outside world. While these connections are vital for companies to access resources from multiple locations and provide services to clients they also offer attackers access.

As more employees work from home across the world, access to the internals of cloud resources has broadened. Researchers found that cloud attacks increased by 630% in the first four months of 2020.

Network access provides access for almost all cyber attacks, including RATs (Remote Access Trojans). RATs allow attackers to monitor and control your computer or network. BlackBerry’s Decade of the RATs: Cross-Platform APT Espionage Attacks Targeting Linux, Windows and Android states that APT groups working with the Chinese government and RATs gain access and establish persistence to Linux servers. Similar to the recent IPStorm transition to Linux, these attacks are cross-platform. Modifying attacks previously used on Windows devices, these groups have been able to compromise Linux servers and have remained relatively undetected for almost a decade.

Tip: When we consider cloud security we often think about criminals forcing their way into our assets. RATs allow criminals to gain access to our cloud environments from trusted sources. There is no question that attackers consistently bypass traditional security, so it’s imperative we have visibility into what runs in our clouds regardless of who or what executed it.

Intezer Protect monitors code at runtime without consideration of who or what executed the new process. Having clear visibility into what code is running on your systems enables you to stop the attack before the attacker gains remote access to other assets.

On-Demand Self-Service

On-Demand Self-Service helps companies control their costs by only paying for what they use. Yet as we have moved to an agile style of development and deployments, more power has been given to developers to create and change resources as needed for application creation and modification.

With the ephemeral nature of the cloud, that is with companies creating new resources every few hours, minutes, and even seconds, it is nearly impossible for security teams to keep up with the hundreds if not thousands of containers, applications, and code deployments without the proper tools.

Many cloud providers offer functions as a service, aka serverless computing, which allows customers to run code as needed without providing or managing the infrastructure. As the cloud provider manages everything but the code, this leads to a false sense of security. At the end of the day, companies should understand that regardless of who provides them security, they are accountable to their customers when a breach occurs. Recently researchers at Intezer proved that functions are not as secure as believed by escaping the Docker environment in Azure Functions.

Tip: Despite our best security practices vulnerabilities are sometimes out of our control. Visibility into all code running in our environments is key to prompt and effective mitigation of attacks.

Intezer Protect scans for vulnerable packages and configuration issues giving a robust view into your constantly changing cloud environments. If an attacker is able to take advantage of a vulnerability before it is patched or an unknown vulnerability, Intezer Protect terminates processes by automation or a simple click of a button.

Rapid Elasticity and Scalability Elastically

This characteristic enables companies to adjust their resources based on their current needs. For example, suppose their product is featured on prime time TV. Resources creation can occur to handle the heavier workload. When traffic to their website begins to dwindle, those resources can be destroyed, helping keep costs down.

Although this sounds like a fantastic ability for growing business, it puts additional strains on security teams. Resources are created with predefined configurations, meaning the multiplication of vulnerabilities or misconfigurations with each resource allocation.  

Misconfigurations remain the number one cause of data breaches in the cloud. In 2020 Intezer Protect detected unknown code execution in the memory of a server which had never been seen before. It was container malware we dubbed Doki. Taking advantage of a misconfigured Docker API, Doki allows attackers to bypass traditional monitoring. Doki creates containers from a non-malicious image containing the commonly used cURL tool, enabling attackers to upload additional tools.

Actions:
1) Ensure that your systems are up to date on patches.
2) Have plans in place that allow for installing urgent patches outside of regular patch schedules.
3) Monitor activity on the server level as communication from the RAT to the outside world can bypass network monitoring by masking itself as legitimate traffic.
4) Ensure you are using new and secured operating systems (vs. outdated and unsupported Linux distributions).

Quick Tip: As not all vulnerabilities are known before attacks occur in the wild, Intezer Protect offers a last line of defense, providing visibility to the code running on your system regardless of the method of accessibility or even if the attacker’s code has never been seen before.

Resource Pooling

Similar to how clouds found in the sky are a collection of tiny water drops and ice crystals, a computing cloud consists of a group of systems that in the public cloud are owned by someone else (maybe there is some truth to this meme).

When we think of securing our clouds, we focus on our IaaS (Infrastructure as a Service) or even PaaS (Platform as a Service). Still, when it comes to Software as a Service, we trust that the vendor will effectively handle all security.

In 2012 Dropbox announced they had been breached with the accounts of 68 users compromised. The breach was not reported to customers until 2016, when the data was found for sale on the dark web and obtained by several tech magazines and security publications.

Dropbox themself was held accountable for leaking Snapchat photos despite the leak not resulting from any mistakes by Dropbox but rather by a third-party posting usernames and passwords online.

This is another reminder that your company is responsible for protecting your customers’ data at the end of the day.

Tip: On top of maintaining strong encryption standards within your company, find out what steps are in place to segregate your data and ask for proof of encryption schemes in place.

Although the public cloud offers extraordinary abilities to help companies grow without maintaining their own infrastructure, it is critical to remember that the cloud is more than just someone else’s computer. It’s an infrequent web of features designed to facilitate a customer’s experience. This convenience comes with a cost. The importance of visibility into what systems are in the cloud as well as the code, packages and configurations running in their environment can provide a strong foundation for their security posture.

Intezer

Count on Intezer’s Autonomous SOC solution to handle the security operations grunt work.