Cyber Threats to the Technology Sector

Note: This is an auto-generated transcript, which may contain errors. 

Sean Heide: I came from the Navy background. I was an intel analyst for about eight years and then really kind of struck a passion there with computers over time and got into cybersecurity through college and then that's when I got picked up by CSA, I think about five years ago. So in the middle of 2018.

Audra: Have there been any interesting trends that you've seen in those five years that you've been with CSA?

Sean Heide: You know, the, the trends have actually changed quite a bit and it's been truly interesting and I know we might talk about it, but the, the top threats was one of the first things I was actually introduced to when I joined CSA. And you know, when I took over the second one, we had seen such a progression of different things and one of those key things that we had even noticed was identity and access management across cloud. And that, that became such a talked about notion. And then when we saw it move into things like zero trust architecture and it's kind of becoming grained into us. And that's one of the things I think over time that has just progressively stayed at the top of everyone's lists.

Audra: Yeah, and just referring back to that report, this is CSA’s 2022 Top Threats to Cloud Computing report. In a survey of 700 industry experts, the report found that identity and access management along with key and credential management are a top concern. This is the responsibility of the customer and not the cloud service provider. Do you see in your research that the endpoint user is most frequently targeted for that reason of being the weakest link?

Sean Heide: Yeah, and I mean, this has been across the board for a long time and we always, I always say this actually in personal research, the end user is your number one barrier for security and it doesn't really matter if it's cloud or on prem that end user is always going to be the key role there. And with cloud that's been no different because when it's come to privilege management or identity management. If an end user, you know, gets fished, an email comes in, they click on a link, they then put some data, they now, you know, an attacker has access to an endpoint, they're able to find passwords on the device. I mean, that's all basic management through, you know, these base principles that have been around for a while. And so I don't think it's changed the architecture and how data is stored and, you know, cloud versus on-prem, those things have changed, but I think the... traditional aspect of how access is granted has generally stayed the same. And so that's where we see things like the first threat finding we had with insufficient identity or credentials. It's the same thing, you know, in cloud versus on-prem, those things still are not being properly done or have controls in place around them enough to sufficiently have coverage.

Audra: What would you recommend as a mitigation strategy? Is it zero trust architecture and least privileged access?

Sean Heide: Those are some of the more, I would say advanced ways that we're moving into. And I, I always like to say it, and I probably over say this fact, but there still are baseline concepts like using CIS critical controls that protects almost just as well without having to use a lot of those advanced concepts. Of course, depending on the industry you're in, things like using multi factor authentication. if you're using things like Azure Active Directory, being able to take your applications, utilizing SAML and SCIM, providing roles, role-based access, and using an SSO function for that access, and then doing just-in-time privilege. So there are these other small concepts of identity management that we should be able to do and that I think are... quite easy to actually reach once you put the time and resources towards it.

Audra: Misconfigurations are another top concern from the CSA report. Are there any common misconfigurations that cloud customers should really aim to avoid?

Sean Heide: Yeah, well, a lot of the misconfigurations that I've personally seen through research is actually account management. So not enabling password security, not actually, you know, we come back to the centralization of access. So if an application or a cloud instance has been purchased by a department. that no one else knows about it, especially security. So they're just running these instances in the cloud. And then every baseline misconfiguration is left open. So that could be rotation of keys, I mean, key management not even being in there, so just keys in plaintext. And those were some of the main misconfigurations that we've continuously seen. And with that, of course, was change control. So if changes were made, those things weren't being logged. And this can also be a misconfiguration as not actually having logging turned on or actually feeding into a system where someone's actually taking a look at those things.

Audra: There are different cloud service models like software as a service and platform as a service. Would you say infrastructure as a service has a larger attack surface because the customer is responsible for securing things like VMs and storage?

Sean Heide: I think so. And it really comes back to business continuity, disaster recovery. I mean, when you, when you place it on the customer, there is going to be a tendency to probably overlook a lot of it more so than if you have a trust in your cloud provider, which I know we'll probably discuss something like the shared responsibility model, but there is an inherent risk when you are going with infrastructure, but you don't have the uh, necessary skills or employees to kind of help facilitate and build those things out because there still needs to be disaster recovery. You still need to have a concept of doing backups. You need to have a concept of, uh, patching and updating. And so I think when you do place that on the customer, there is a lot more work that needs to be done

Audra: The log4j vulnerability really underscored the importance of securing code libraries and the software supply chain. And whenever these large scale vulnerabilities come out, it's very important to patch as quickly as possible. With a cloud first strategy, developers can often offload some of the updates and maintenance to the cloud service provider. And you mentioned before the shared responsibility model.. Do you think that can help organizations with timely patching and staying on top of vulnerabilities?

Sean Heide: I think what has been missing with a lot of this is still having a baseline time to react when it comes to vulnerabilities. No one has really come out with, uh, SLAs or SLOs on how to react to these or in cloud, how does this one area? If I don't make this change, how will it impact another? And I mean, traditionally it's typically the same. on-prem verse cloud. But with cloud, you just have less, I guess, hands in the bucket when it comes to who is able to make those changes. And so that's where it's critically important to actually have roles that are assigned to now address these critical vulnerabilities and things like that. I think with the shared responsibility model, I think what's important is that as a customer that you understand exactly where that... ownership lies because I think there's a lot of confusion that when you do go to cloud they assume hey the cloud vendor they're gonna do all this for us. They're gonna go ahead enhance us. But what on you know in the reality of things is that's not always the case, It does fall on the customer. And so I think it's critically important to utilize things from CSA where we have a shared responsibility model that's vendor n eutral. We go to Microsoft. They have a shared responsibility model. And I think it's critically important to actually take a look at both of those and really understand what it means to go to cloud.

Audra: With cloud computing, third party risk could mean anything from open source code to SaaS products to API risks, or a managed service provided by a cloud vendor. And I noticed in the CSA report, there was a research statistic from Colorado State University that two-thirds of breaches are a result of supplier or third-party vulnerabilities. I'm curious what your advice is for organizations that might be considering what products to use or maybe they're in the process of creating an inventory and analyzing third party risk.

Sean Heide: I'm hoping no one else has coined this term. Uh, but I've liked to call it the vendor of my vendor. And so what will happen is when you get into these contracts with a software as a service or any application that you're using internally, oftentimes, if there is a lack of security review from the business, they just go ahead and get into contract with a vendor. Now that's fine. Um, that's going to happen. regardless. But the issue is on the back end of most application infrastructure, they actually outsource to other third parties. And that's where we have seen these vulnerabilities actually take place with limited visibility is because that actual first vendor never had, you know, mentioned because the question was never asked that they actually are utilizing a third party cloud service themselves. And so I have seen multiple instances of data breaches because the vendor of their vendor actually was breached. And that's where a lot of issues have come in from what I have seen personally from multiple sources. Now, kind of to... build a use case on helping eliminate that risk is doing proper security questionnaires, having a procurement process and strategy that aligns to the business. But if we come back to that security questionnaire, and CSA does have nice resources, we have the Consensus Assessment Initiative Questionnaire, which is a set of cloud-specific applications, application questions or infrastructure or platform as a service. Basically it goes through all domains of cloud, but what it enhances is. It allows you the ability to go to your vendor, hand it to them if they've never done it and they go through every possible, basically scenario breakdown of cloud controls that you could think of. And now when you get it back, you can actually take a look at it and be like, all right, are they doing identity? Are they doing data storage? Do they have backups? Are they using other third-party resources? Cause now's the time to say it.

Audra: We hear a lot about phishing as a top initial access vector… does that align with what you’re seeing in your research?

Sean Heide: Absolutely. I think phishing is going to remain the number one vector for attack paths. And I say this because with the onset of chat GPT and AI language models booming right now, I have actually seen a firsthand use case of a lot of, I'll say malicious applications utilizing it now. And so, much faster pace than we have previously seen. I think that it's going to actually grow and become a lot more scarier. And I say scarier because I think we're going to start seeing things like deep fake voices. So when someone makes a phone call, I think they're going to be able to have an automated system running on that. And I think from the perspective of AI, I think that's where this continues to grow. And so to touch back on your question, Audra, it's going to continue to be the number one vector in my mind.

Audra: That's interesting you're already seeing the use of LLMs to develop phishing emails. Do you see any use cases for that same AI technology for network defense?

Sean Heide: Absolutely, yeah. And it's actually, you know, as much as I talk about it being scary for attackers, I think it's actually a stronger use case for defenders. You know, long gone, in my opinion, are the days of having to understand coding languages, you know, going into Azure using... Other programming, I guess, inputs, data inputs for programming into things like Azure. And what you're actually able to do now is go into things like chat GPT, tell it what you need, the format you need it in, the parameters that you're looking at, and its ability to scrape, like I said before, is quite substantial. So now as a defender, and we actually had this in our chat GPT security implications paper that we released a few months ago from cloud security alliance. We actually address the defender's ability to just go in, say you need a firewall rule and say you wanna put it into Microsoft Defender, but maybe you're not so, have an expert eye for Microsoft Defender using Microsoft. All you do is go into chat GBT, tell it what you need and it is fairly accurate. And I think for anyone who is maybe in one area focused of security and may not know another, I think Its ability to cross over multidisciplinary areas now is where its use case is going to grow for security defenders as a whole. It's been insane. I mean, I've gone in there. It's written Python scripts for me. I've given it ranges for, hey, these firewall rules, we want to be able to limit the visibility in this one area. And it turns it out in less than 20 seconds. And you know, whether it's accurate or not, because you should still always verify the information, just the speed at what it does is I think the greatest point of inflection for it.

Audra: Are you seeing any trends for how adversaries are trying to obfuscate malware. I saw one example of compromised images where adversaries might create back doors there or try to hide malware inside that image. Are you seeing anything like that?

Sean Heide: Yeah, I mean, and this continues, we've seen a lot of, I guess, financial reporting documents that typically get sent to, that you would see in an enterprise, right? So if it's an Intuit, I think I just got one on my personal email.

Audra: Uh oh.

Sean Heide: I got an IRS Intuit request for pay, right? And it was a PDF file. And my first thought was, well, why is the IRS using Intuit first off? Wouldn't they have their own private system probably? And, you know, firstly, going to actually use that openly if they are using a third party service for the government. But it's still those attack vectors like that. And of course, that comes back to end users. But what we have typically seen, whether it's an image in a container, I mean, oftentimes that happens. But more often than not, it's still coming from these PDF files that have been embedded with malware. And we've seen actual endpoint detection systems catch those more. I think the only other area that we would be able to really say that there's been access is, you know, open things like open S3 buckets on the internet with no credentials backing them. And I think those are the areas that we've really seen.

Audra: Would you say publicly exposed S3 buckets are a common issue across the internet?

Sean Heide: Yes, I think this is, you know, and if I'm spilling any information that shouldn't be, then I mean, I think this is pretty general knowledge, but yes, there are even, you know, online repos of publicly exposed S3 buckets. And I mean, it's happening every day, you know, a small business, they spin up an AWS account, they start pushing data into the cloud, you know, they don't have an IT team more than likely, a technology or security team. And so, What's happening is that, you know, there have been some changes made from the vendors, thankfully that now require some security, uh, but there are, I would probably say more publicly exposed lthan not. And, you know, you can go utilize tools, uh, you know, go, uh, through Shodan in tools like these, uh, offensive security tools or defensive, depending how you're using them and you can go online and actually see a lot of these exposed places that are, you know, open and. you would actually be surprised at the amount that are actually out there that anyone can access.

Audra: I’m curious about ransomware or I've also seen it called ransomcloud where a local device might be compromised and then it spreads to the cloud when the data syncs with a cloud storage device. Have you seen that happen in the wild or is it more rare?

Sean Heide: I think it's more rare and I think it's because of the general use case around cloud and the ability to spin up and do backups at a faster rate than you would traditionally be able to do with on-prem. And you know, I think the malware that's being created has really been specifically designed to operate in the cloud. And so it's becoming a lot more sophisticated than it used to be. But I don't necessarily think it's becoming anything more than we haven't seen elsewhere. I haven't seen ransomware attacks in the cloud in the respect that you're actually suggesting. just because of the amount of redundancy that's been built by enterprises. And I think we've done a good job at actually addressing a lot of that. And actually a lot of the identity controls that we find is the top risk, I think a lot of companies are doing it correctly now to where that's not necessarily a problem on something like Ransom Cloud. Luckily, luckily that doesn't mean it won't happen more, but I don't think we've seen anything suggesting it.

Audra: Mm-hmm. And when I was doing a little bit more digging online before this interview, I noticed that there were also a few cybercrime groups that were observed targeting the cloud in order to engage in cryptomining. And there were two groups in particular. One is called ROCKE, I think, or ROCKY. It's R-O-C-K-E. The other one is TeamTNT is what they call themselves that are known to target cloud for cryptomining. Is that something that you're seeing as well or is that limited to just a few groups that are doing that?

Sean Heide: Yeah, I mean, that's a few groups. And I am definitely familiar with that one. And so it has slowed down quite a bit for crypto mining just because of the resource allocation and actually the sheer amount of EDR systems that are now catching things like that. They're very good at having the signatures. They're very well aware of how a crypto mining machine would work or how it would be infected and how it would interact. And so I have seen this from only these specific groups because the attacks are, you know, they're well orchestrated. There has to be some thought behind doing something like that, like crypto mining for malware and things like that. And so we haven't actually seen that too much. It's actually slowed down quite a bit.

Audra: Last question: what's the top security advice that you have for organizations that are in the process of migrating to the cloud.

Sean Heide: Yes, make sure you start small and don't scope out too far. The first thing you want to do is ensure you have in place a way to centralize your applications and access. But with that, the most important thing is to identify your roles and whose job. is going to live in managing the cloud. You need to have these things separated. And so first, I mean, we talked about identity being the top threat of our last report. But honestly, it's one of the top things to look at when you're going to cloud. How are you going to access things? Who is going to provide that access? And who's going to turn it off? And I think that's one of the baselines when you're moving into the cloud, is just kind of organizing the thoughts around access.