SecOps for Cloud

Common cloud threats

As cloud environments continue to grow in complexity and scale, the need for robust threat detection and prevention strategies has never been more critical. The exact figure varies by source, but recent studies estimate that businesses deploy on average between 93 and 112 SaaS applications.

What’s more, Gartner has predicted that through 2025, 99% of cloud security failures will be the customer’s fault, highlighting the importance of proper security practices. With the rapid adoption of cloud technologies, it's crucial for security teams to stay ahead of evolving threats and understand the unique challenges posed by cloud environments. 

Misconfigurations 

Cloud misconfigurations are errors in setting up cloud resources that can leave them vulnerable to attacks or data breaches. These are often simple mistakes that can have severe consequences. 

Common examples include: 

  • Exposed S3 buckets with public read/write permissions 

  • Open security groups allowing unrestricted inbound traffic 

  • Misconfigured IAM roles granting excessive permissions 

The Thomson Reuters breach is one example of a threat of this nature: it was caused by a series of misconfigurations in their cloud environment. Specifically, an ElasticSearch database containing sensitive customer and corporate data was left exposed on a public-facing server without proper access controls or authentication. This misconfiguration allowed unauthorized access to approximately 3 terabytes of data, including customer-sensitive information, corporate data, and Thomson Reuters internal documents, potentially affecting thousands of customers and exposing proprietary company information.

Best practices to avoid misconfigurations: 

  • Implement automated configuration checks 

  • Use continuous monitoring tools to detect and alert on misconfigurations 

  • Leverage and operationalize Cloud Security Posture Management (CSPM) tools

  • Leverage Infrastructure as Code (IaC) tools to ensure consistent and secure configurations 

  • Regularly audit and review cloud resource configurations 
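The three misconfigurations listed above (public bucket grants, security groups open to the whole internet, and wildcard IAM policies) are exactly the kind of thing an automated configuration check should flag. The following is an added example, not code from the original article or from any CSPM product: it runs a small set of checks over a constructed, in-memory inventory whose shape only loosely resembles AWS API responses, so it runs offline and the resource names are invented.

```python
"""Minimal cloud misconfiguration checker (added illustration).

The INVENTORY below is constructed sample data, not a live account; the
field names are assumptions modelled loosely on AWS describe-* output.
"""
import ipaddress
from typing import Any, Dict, List

INVENTORY: Dict[str, List[Dict[str, Any]]] = {
    "s3_buckets": [
        {"name": "public-assets",
         "acl_grants": [{"grantee": "AllUsers", "permission": "READ"}]},
        {"name": "backups",
         "acl_grants": [{"grantee": "AllUsers", "permission": "WRITE"}],
         "block_public_access": False},
        {"name": "private-logs", "acl_grants": [], "block_public_access": True},
    ],
    "security_groups": [
        {"id": "sg-open-ssh",
         "ingress": [{"port_from": 22, "port_to": 22, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-all",
         "ingress": [{"port_from": 0, "port_to": 65535, "cidr": "::/0"}]},
        {"id": "sg-internal",
         "ingress": [{"port_from": 443, "port_to": 443, "cidr": "10.0.0.0/8"}]},
    ],
    "iam_policies": [
        {"name": "AdminEverything",
         "statements": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"name": "ReadOneBucket",
         "statements": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                         "Resource": "arn:aws:s3:::private-logs/*"}]},
    ],
}

PUBLIC_GRANTEES = {"AllUsers", "AuthenticatedUsers"}


def _is_anywhere(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits the whole internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def check_buckets(buckets: List[Dict[str, Any]]) -> List[str]:
    """Flag buckets with a public ACL grant that is not neutralised by block-public-access."""
    findings = []
    for b in buckets:
        public = {g["permission"] for g in b.get("acl_grants", [])
                  if g["grantee"] in PUBLIC_GRANTEES}
        if public and not b.get("block_public_access", False):
            findings.append(f"s3:{b['name']}: public {'/'.join(sorted(public))} ACL grant")
    return findings


def check_security_groups(groups: List[Dict[str, Any]]) -> List[str]:
    """Flag inbound rules whose source CIDR is the entire IPv4 or IPv6 space."""
    findings = []
    for sg in groups:
        for rule in sg.get("ingress", []):
            if _is_anywhere(rule["cidr"]):
                findings.append(f"sg:{sg['id']}: ports {rule['port_from']}-{rule['port_to']} "
                                f"open to {rule['cidr']}")
    return findings


def check_iam_policies(policies: List[Dict[str, Any]]) -> List[str]:
    """Flag Allow statements that combine a wildcard Action with a wildcard Resource."""
    findings = []
    for p in policies:
        for st in p["statements"]:
            if st.get("Effect") != "Allow":
                continue
            wild_action = any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action", [])))
            wild_resource = any(r == "*" for r in _as_list(st.get("Resource", [])))
            if wild_action and wild_resource:
                findings.append(f"iam:{p['name']}: Allow with wildcard Action and Resource")
    return findings


def audit(inventory: Dict[str, List[Dict[str, Any]]]) -> List[str]:
    """Run every check and return the combined list of findings."""
    return (check_buckets(inventory["s3_buckets"])
            + check_security_groups(inventory["security_groups"])
            + check_iam_policies(inventory["iam_policies"]))


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```

In practice the inventory would be fetched from the provider's API on a schedule and the findings forwarded to the alerting pipeline; the checks themselves stay this simple, which is why they are worth automating rather than relying on periodic manual review.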

Identity and Access Management (IAM) vulnerabilities 

Secure identity management is foundational to cloud security. IAM systems control who can access what resources, making them a prime target for attackers. 

Common identity-related threats include: 

  • Privilege escalation: Attackers gaining higher-level permissions than intended 

  • Stolen credentials: Compromised user accounts used to access sensitive resources 

  • Misconfigured permissions: Overly broad access rights granted to users or roles 

As an example of an IAM-based vulnerability, consider EleKtra-Leak, which performs automated targeting of exposed identity and access management (IAM) credentials within public GitHub repositories. This vulnerability allowed attackers to potentially gain unauthorized access to AWS accounts by exploiting a misconfiguration in the AWS STS (Security Token Service) AssumeRole API. The impact was significant: it could have led to widespread compromise of AWS environments, enabling attackers to escalate privileges, access sensitive data, and potentially take control of entire cloud infrastructures.

Best practices for securing identities: 

  • Enforce the principle of least privilege 

  • Implement multi-factor authentication (MFA) for all users 

  • Use role-based access control (RBAC) to manage permissions effectively 

  • Regularly audit and rotate access keys and credentials 
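The last two practices above (MFA for every user, and regular auditing and rotation of access keys) can be checked mechanically from a credential report. The following is an added example, not code from the original article: it reads a constructed CSV that uses a subset of the column names from AWS's IAM credential report (the rows, users and account number are invented) and flags users without MFA, keys older than a rotation limit, and keys that have sat unused. The thresholds and the fixed reference time are assumptions chosen for the example.

```python
"""Audit of a credential report for MFA and access key hygiene (added illustration).

CREDENTIAL_REPORT is constructed sample data; the column names are a subset
of those in the AWS IAM credential report, but no real account is involved.
"""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

CREDENTIAL_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alice,arn:aws:iam::123456789012:user/alice,true,true,2024-05-01T09:00:00+00:00,2024-06-20T12:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,false,true,2023-11-01T09:00:00+00:00,2024-06-25T12:00:00+00:00
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,true,2024-05-15T09:00:00+00:00,N/A
carol,arn:aws:iam::123456789012:user/carol,true,false,N/A,N/A
"""

# Assumed policy thresholds and a fixed "now" so the audit is deterministic.
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)
MAX_KEY_IDLE = timedelta(days=30)


def _parse_time(value: str) -> Optional[datetime]:
    """The report uses N/A (and similar markers) where no timestamp exists."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credentials(report_csv: str, now: datetime = NOW) -> List[Dict[str, object]]:
    """Return one finding dict per problem: {'user', 'issue', 'days'}."""
    findings: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]

        # Best practice: MFA for all users, no exceptions.
        if row["mfa_active"] != "true":
            findings.append({"user": user, "issue": "no_mfa", "days": 0})

        if row["access_key_1_active"] != "true":
            continue  # no active key, nothing to rotate

        rotated = _parse_time(row["access_key_1_last_rotated"])
        last_used = _parse_time(row["access_key_1_last_used_date"])

        # Rotation check: key age counts from its last rotation.
        if rotated is not None and now - rotated > MAX_KEY_AGE:
            findings.append({"user": user, "issue": "key_too_old",
                             "days": (now - rotated).days})

        # Idle check: a key never used counts as idle since it was created/rotated.
        idle_since = last_used or rotated
        if idle_since is not None and now - idle_since > MAX_KEY_IDLE:
            findings.append({"user": user, "issue": "key_idle",
                             "days": (now - idle_since).days})
    return findings


if __name__ == "__main__":
    for f in audit_credentials(CREDENTIAL_REPORT):
        print(f"{f['user']:<10} {f['issue']:<12} {f['days']} days")
```

Idle keys are worth a separate check from old keys: an unused key that is still active is pure attack surface, and deactivating it is cheaper and safer than rotating it.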

API vulnerabilities 

APIs play a critical role in cloud architectures, enabling communication between different services and applications. However, they also introduce new attack surfaces that malicious actors can exploit. 

Common API-related threats include: 

  • Unauthorized access: Attackers exploiting weak authentication to access APIs 

  • API abuse: Overloading APIs with requests to cause denial of service 

  • Insecure API endpoints: Poorly designed APIs exposing sensitive data or functionality 

Consider the US Treasury breach as an example, wherein a compromised API key from BeyondTrust's Remote Support SaaS was exploited by a Chinese state-sponsored APT actor. This API vulnerability allowed the attackers to bypass security measures, reset application passwords, and override security features, ultimately gaining unauthorized remote access to Treasury workstations and unclassified documents. 

Strategies to secure APIs: 

  • Implement API gateways to centralize control and monitoring 

  • Use strong authentication mechanisms like OAuth 2.0 or JWT 

  • Apply rate limiting to prevent abuse 

  • Regularly test and audit API security 
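Rate limiting, the third strategy above, is usually implemented at the API gateway as a token bucket per caller: each client gets a bucket that refills at a steady rate and each request spends one token, so short bursts are allowed but sustained flooding is rejected. The following is an added example, not code from the original article or from any gateway product; it uses an injected clock so the behaviour is deterministic, and the client identifiers and limits are invented.

```python
"""Per-client token bucket rate limiter (added illustration).

Times are passed in explicitly (seconds as floats) instead of reading the
wall clock, so the same request sequence always produces the same result.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class TokenBucket:
    capacity: float          # maximum burst size
    refill_per_sec: float    # sustained rate
    tokens: float = field(init=False)
    last: float = field(default=0.0)

    def __post_init__(self) -> None:
        self.tokens = self.capacity  # a new client starts with a full bucket

    def allow(self, now: float) -> bool:
        """Refill for the elapsed time, then try to spend one token."""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """Keeps one bucket per client key (an API key id, token subject or source IP)."""

    def __init__(self, capacity: float, refill_per_sec: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: Dict[str, TokenBucket] = {}

    def check(self, client_id: str, now: float) -> int:
        """Return the HTTP status the gateway should answer with: 200 or 429."""
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = self.buckets[client_id] = TokenBucket(self.capacity, self.refill_per_sec, last=now)
        return 200 if bucket.allow(now) else 429


def simulate(limiter: RateLimiter, requests: List[Tuple[float, str]]) -> List[int]:
    """Replay (timestamp, client_id) pairs and return the status for each request."""
    return [limiter.check(client, ts) for ts, client in requests]


# Constructed traffic: client "burst" sends 7 requests at t=0, then 3 more at t=2;
# client "steady" sends one request per second.
SAMPLE_TRAFFIC: List[Tuple[float, str]] = (
    [(0.0, "burst")] * 7
    + [(0.0, "steady"), (1.0, "steady"), (2.0, "steady")]
    + [(2.0, "burst")] * 3
)

if __name__ == "__main__":
    limiter = RateLimiter(capacity=5, refill_per_sec=1.0)
    for (ts, client), status in zip(SAMPLE_TRAFFIC, simulate(limiter, SAMPLE_TRAFFIC)):
        print(f"t={ts:>4} {client:<7} -> {status}")
```

With a capacity of 5 and a refill of one token per second, the bursting client gets five successes and two rejections at t=0, and at t=2 it has earned two more tokens, so two of its three later requests pass. The steady client is unaffected, which is the point of keying buckets per client rather than globally.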

Supply chain risks 

Supply chain risks in the cloud refer to vulnerabilities introduced through third-party dependencies, such as software libraries, packages, or services integrated into your cloud environment. 

Examples of supply chain attacks: 

  • Compromised software packages injected with malicious code 

  • Vulnerabilities in third-party services that can be exploited to gain access to your systems 

  • Insider threats from vendor employees with access to your cloud resources 

The supply chain attack on the lottie-player JavaScript library is a prime example. By injecting malicious code into a popular library, attackers potentially gained access to countless websites and their users, including high-profile cryptocurrency platforms, highlighting the cascading impact of a single point of compromise in the software supply chain. 

How to mitigate supply chain risks: 

  • Thoroughly vet third-party vendors and their security practices 

  • Secure software development pipelines with proper code review and testing 

  • Use trusted repositories and verify the integrity of downloaded packages 

  • Implement strong access controls for third-party integrations 
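The third mitigation above, verifying the integrity of downloaded packages, is what lockfile pinning does: the lockfile records a digest of each package at the time it was reviewed, and the installer refuses anything whose bytes no longer match. The following is an added example, not code from the original article or from any package manager: it checks constructed package contents against a constructed lockfile using SRI-style `algorithm-base64digest` strings (the format npm lockfiles use), rejects weak digest algorithms, and reports packages the lockfile does not cover at all. Package names and bytes are invented.

```python
"""Lockfile integrity verification for downloaded packages (added illustration).

Packages and lockfile entries are constructed in-memory samples; the only
real-world convention borrowed is the SRI "algo-base64" integrity format.
"""
import base64
import hashlib
import hmac
from typing import Dict

# Digest algorithms accepted in a lockfile; weaker ones are treated as absent.
ALLOWED_ALGORITHMS = {"sha256", "sha384", "sha512"}


def sri_digest(data: bytes, algorithm: str = "sha512") -> str:
    """Produce an SRI-style integrity string for package bytes."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> str:
    """Return 'ok', 'integrity-mismatch' or 'unsupported-algorithm'."""
    algorithm, sep, expected = integrity.partition("-")
    if not sep or algorithm not in ALLOWED_ALGORITHMS:
        return "unsupported-algorithm"
    actual = base64.b64encode(hashlib.new(algorithm, data).digest()).decode("ascii")
    # Constant-time comparison; cheap insurance even though digests are public.
    return "ok" if hmac.compare_digest(actual, expected) else "integrity-mismatch"


def verify_install(lockfile: Dict[str, str], downloaded: Dict[str, bytes]) -> Dict[str, str]:
    """Check every downloaded package against the lockfile and report per package."""
    results: Dict[str, str] = {}
    for name, data in downloaded.items():
        integrity = lockfile.get(name)
        if integrity is None:
            results[name] = "missing-from-lock"   # new transitive dep nobody reviewed
        else:
            results[name] = verify_sri(data, integrity)
    return results


# Constructed "reviewed" package contents, as they were when the lockfile was written.
REVIEWED_PACKAGES: Dict[str, bytes] = {
    "widget-lib": b"module.exports = function widget() { return 'ok'; };\n",
    "animation-player": b"export function play(el) { el.dataset.playing = '1'; }\n",
    "legacy-util": b"module.exports = { trim: s => s.trim() };\n",
}

LOCKFILE: Dict[str, str] = {
    "widget-lib": sri_digest(REVIEWED_PACKAGES["widget-lib"]),
    "animation-player": sri_digest(REVIEWED_PACKAGES["animation-player"], "sha256"),
    "legacy-util": "sha1-" + base64.b64encode(
        hashlib.sha1(REVIEWED_PACKAGES["legacy-util"]).digest()).decode("ascii"),
}

# Constructed download set: one package has an extra line appended after review,
# one is a dependency the lockfile never saw.
DOWNLOADED: Dict[str, bytes] = {
    "widget-lib": REVIEWED_PACKAGES["widget-lib"],
    "animation-player": REVIEWED_PACKAGES["animation-player"] + b"// appended after review\n",
    "legacy-util": REVIEWED_PACKAGES["legacy-util"],
    "new-transitive-dep": b"module.exports = {};\n",
}

if __name__ == "__main__":
    for name, status in verify_install(LOCKFILE, DOWNLOADED).items():
        print(f"{name:<20} {status}")
```

A single appended line is enough to change the digest, which is exactly the failure mode an integrity check exists to catch; the lesson of the lottie-player incident is that the digest must be compared against a value committed before the compromised version was published, not one fetched from the same registry at install time.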

By understanding these common cloud threats and implementing appropriate security measures, SecOps teams can significantly improve their ability to detect and respond to security incidents in cloud environments.