The Cloud Threat Report 2019 by Darktrace presents case studies of cloud-based attacks identified by cyber AI and discusses whether cloud-native security can provide sufficient coverage.
A Double-Edged Sword
From small businesses seeking to cut costs to corporate innovation centres launching digital transformation projects, the large-scale journey to the cloud has fundamentally reshaped the digital business and the traditional paradigm of the network perimeter. As this perimeter dissolves, hybrid and multi-cloud infrastructure has become a part of the furniture of an increasingly diverse digital enterprise, empowering organizations to push the upper limits of innovation while expanding the attack surface at an alarming rate.
This trend of course represents the double-edged sword of the digital age, and the security challenges that business leaders must face on their journey to the cloud are difficult to overstate. The ‘cloud’ itself encompasses a wide range of systems and services, and a single security team can often be responsible for securing cloud workloads across AWS and Azure, email communications in Office 365, customer data in Salesforce, file sharing via Dropbox, and virtualized servers in traditional on-premise data centres.
Cloud-Native Security: An Unfamiliar Territory
This complex patchwork of cloud-based platforms often fuels efficiency, flexibility, and innovation at the cost of a coherent and tractable security strategy. The cloud in all its various forms is unfamiliar territory for traditional security teams, and prior tools and practices are often too slow, siloed, or not even applicable to defend hybrid and multi-cloud environments against advanced attacks.
And while many cloud-native security solutions can often help with compliance and log-based analytics, they are rarely robust and unified enough to provide sufficient coverage – both because they continue to encourage a “stove-pipe” approach to security, and because they rely on rules, signatures, or prior assumptions and therefore fail to detect novel threats and subtle insiders before they have time to escalate into a crisis.
Still worse, the lack of visibility and control that security teams face in this area – together with the new and unfamiliar mindset required by the agility and speed of the cloud – also renders it an attractive target for cyber-criminals, who invariably seek to generate maximum profits while remaining sufficiently low profile to avoid attention from law enforcement. Cloud security is not where it needs to be, and cyber-criminals know this better than anyone.
Yet in many ways, organizations today need more than just cloud security – they need enterprise-wide security, and a unified solution that can operate at the speed of digital business, adapt to future threats, and correlate the subtle hallmarks of an advanced attack as it broadens its presence within a network.
Insider Threat in the Cloud
Unlike external threat actors, malicious insiders are often uniquely positioned to evade traditional controls given their privileged access and intimate knowledge of the network. Whether these controls rely on binary detection logic or merely monitor the perimeter, a disaffected employee can often easily bypass static defences in the cloud and exfiltrate or manipulate critical data without triggering suspicion.
Configuring security controls in hybrid and multi-cloud environments is often an overwhelming and complex process, as native and third-party solutions in this area are often diverse, unfamiliar, and incompatible across platforms. This complexity, together with the unprecedented speed and agility of the cloud, has often led to critical misconfigurations that expose the business to attack.
Email Spoof Resulting in Network Infiltration
A malicious email spoof involves registering a seemingly legitimate domain that closely resembles that of a trusted contact or service, such that an attacker can trick an unsuspecting recipient and infiltrate a network with ease. More often than not, the attacker will seek to impersonate a high-level executive and make an urgent request, hoping that the employee will comply before spotting the forged sender address. For years this method has allowed attackers to evade traditional controls, as a newly registered domain would not only trick a recipient but also bypass solutions that rely on blacklists.
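The report's point above is that a freshly registered lookalike domain defeats blacklist-based filtering because the domain has never been seen before. A defender can instead compare every sender domain against the organisation's own list of trusted domains and flag near-misses. The following is an added example (not code from the report or from Darktrace) that does exactly that: it normalises common substitution tricks (homoglyph pairs such as "rn" for "m", digits for letters, dropped hyphens, non-ASCII characters) and then measures edit distance against the allow-list. The trusted-domain list, the homoglyph table, the `max_distance` threshold and the sample headers are all constructed assumptions for illustration.

```python
import re
import unicodedata

# Constructed allow-list of domains the organisation trusts (assumption, not from
# the report); a real deployment would load this from the mail gateway's config.
TRUSTED_DOMAINS = ["example.com", "example-corp.com", "partner-bank.example"]

# Character sequences that are visually confusable with a plain letter and are
# therefore used to build lookalike domains. Multi-character keys go first so
# that "rn" is folded to "m" before the single-character rules run.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Matches 'Display Name <user@domain>' as well as a bare 'user@domain'.
FROM_RE = re.compile(r"<?([^<>\s@]+)@([^<>\s]+)>?\s*$")


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain part of a From: header value."""
    m = FROM_RE.search(from_header.strip())
    if not m:
        raise ValueError(f"no address found in header: {from_header!r}")
    return m.group(2).lower().rstrip(".")


def normalise(domain: str) -> str:
    """Collapse the visual tricks a lookalike domain relies on.

    NFKD plus an ASCII filter strips accents and removes Cyrillic/Greek
    look-alike letters outright; hyphens are dropped so 'example-corp' and
    'examplecorp' compare equal; then the homoglyph table is applied.
    """
    d = unicodedata.normalize("NFKD", domain.lower())
    d = d.encode("ascii", "ignore").decode()
    d = d.replace("-", "")
    for seq, plain in HOMOGLYPHS.items():
        d = d.replace(seq, plain)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_verdict(from_header: str, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Classify a sender as 'trusted', 'lookalike' or 'unknown'.

    Returns a (status, matched_trusted_domain) tuple. 'lookalike' means the
    domain is not on the allow-list but, after normalisation, is within
    max_distance edits of one that is. The threshold is an assumption.
    """
    domain = sender_domain(from_header)
    if domain in trusted:
        return ("trusted", domain)
    norm = normalise(domain)
    best_domain, best_distance = None, None
    for candidate in trusted:
        dist = levenshtein(norm, normalise(candidate))
        if best_distance is None or dist < best_distance:
            best_domain, best_distance = candidate, dist
    if best_distance is not None and best_distance <= max_distance:
        return ("lookalike", best_domain)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample From: headers, including the impersonation pattern the
    # report describes (an "executive" writing from a near-identical domain).
    samples = [
        "CEO <ceo@example.com>",
        "CEO <ceo@exarnple.com>",
        "ceo@examp1e.com",
        "Finance <ap@examplecorp.com>",
        "news@unrelated.org",
    ]
    for header in samples:
        print(f"{header:32} -> {lookalike_verdict(header)}")
```

In practice the verdict would feed a quarantine or a banner on the message rather than a print statement, and the edit-distance threshold should be tuned per domain length: a distance of 2 is reasonable for `example-corp.com` but would over-match against a very short trusted domain, so short entries deserve a threshold of 1.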
Compromised Credential Leaked
Advanced cyber-criminals can steal corporate account credentials in a variety of ways, from social engineering attacks to “smart” malware that combs through traffic and ephemeral cloud assets in search of passwords. And with stolen data readily available to buy and sell on the Dark Web, the frequency and severity of credential theft is increasing year on year.
Powered by artificial intelligence, Darktrace’s Enterprise Immune System fills these critical gaps with a unique self-learning approach that detects and responds to cloud-based attacks that others miss.
The solution works by learning the normal “pattern of life” for every user, device, and container across hybrid and multi-cloud environments, without defining ‘benign’ or ‘malicious’ in advance. By continuously analysing the behaviour of everyone and everything in the business, the self-learning AI can uniquely correlate the weak and subtle signals of an advanced attack as it emerges in disparate corners of the network.
And while pre-programmed point solutions can certainly complement this approach, the Enterprise Immune System is the only proven solution to stop the full range of cyber-threats in the cloud, from malicious insiders and external attacks, through to critical misconfigurations that can expose the business to future compromise – whether they originate from targeted spear phishing campaigns, corporate account takeovers, “low and slow” data exfiltration, or lateral movement across the cloud.