Defending Against Cloud Security Threats

As organizations continue to move their business operations into the cloud, the expanded attack surface generated by the “digital transformation” continues to present new opportunities for threat actors. Luckily, strategies to mitigate these new risks do exist and, as always, these center around the techniques and tactics of the adversaries. This article will take a deep dive into five techniques that are found in the Initial Access Phase of the MITRE ATT&CK Cloud Matrix and share some of the strategies Kroll recommends to help defend the cloud.

MITRE ATT&CK® Cloud Matrix: A Quick Explanation

The MITRE ATT&CK Matrix is a community-driven knowledge base of common techniques and tactics observed to be used by adversaries. The ATT&CK Matrix breaks down the steps an adversary may use in different phases of an attack, and for each phase enumerates the observed techniques of real-world adversaries. This provides a matrix of attack phases and observed techniques which allows defenders to plan and model for effective countermeasures at each phase of an attack. It also helps red teams provide taxonomy and systematic processes to ensure that all appropriate phases and techniques are covered during an adversary simulation exercise.

The MITRE ATT&CK Cloud Matrix and associated attack methods can be broken down according to the type of enterprise cloud services they target, including Office 365, Azure AD, Google Workspace, Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS). Each type of enterprise cloud service has its own matrix, and the cloud matrix is a combination of all these service matrices.

Leveraging Initial Access: Five Common Adversary Techniques

Initial access is a critical stage in the MITRE ATT&CK Cloud Matrix, or in any attack by a real-world adversary. Initial access is the phase where an attacker first gains a foothold in the network and is a prerequisite for most other phases of an attack . Without an initial access vector, most attacks are stopped before they begin. MITRE ATT&CK identifies five initial access techniques that are used by real-world threat actors when targeting cloud systems.

Drive-by Compromise

The Drive-by Compromise technique is a common approach used across many types of enterprise environments. However, within the cloud matrix, it predominantly affects SaaS platforms and is only found in the MITRE ATT&CK SaaS Matrix. This technique targets a victim’s web browser, which is used to access SaaS-based applications.

This technique can leverage three paths for initial access:

Exploiting the Browser Render

This exploit is often achieved with a memory corruption vulnerability that allows the attacker to gain code executing inside a sandbox environment. This technique typically requires chaining multiple exploits together to defeat the many layers of protection built into modern web browsers.

The browser render exploit techniques requires an attacker’s code to be run in a browser. As most websites are complex and load content from many different sources to display the final page to a user, this allows attackers to target any component of the web page. Components such as imported JavaScript libraries and frameworks, Content Distribution Networks (CDN) and caching infrastructure, ads and tracking pixels, media content, or the source web server can all be exploited to deliver an attacker’s code for a drive-by compromise.

Defending against this technique requires blocking malicious content. Network filtering, domain reputations and web application firewalls are all useful tools in this endeavor. Regular patching of browsers is also critical to prevent known browser vulnerabilities which an adversary can exploit.
Leveraging the Browser Capabilities to Trick a User

This technique attempts to bypass many of the security protections built into the browser by leveraging it to perform tasks it was made to do, such as downloading a file (in this case, malicious) for the user to open. Browser extensions can also be abused by attackers to access a victim’s page or surreptitiously inject code into a webpage. Browser extensions are a powerful tool because they provide an environment inside the browser that allows the extension full access and control of a user’s web content, typically not limited to a specific domain.

Defending against this technique requires user training. Users must be aware and educated about the threats from opening downloaded files. Endpoint Detection and Response (EDR) can often identify and quarantine malicious downloads before they have a chance to execute. Users should be cautious when installing browser extensions and minimize their use. Enterprise browser management can also restrict or limit the use of browser extensions.
Exploiting Client-side Web Application Vulnerabilities That Target a User’s Web Browser

These techniques attempt to bypass the web application security controls, such as Same Origin Policy, to perform actions within the browser, without escalating execution context to the operating system. This method can target authentication tokens, scrape user information including keystrokes and credentials, or load malicious code into a page. Common approaches include cross-origin resource sharing (CORS ) misconfiguration, Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF).

Defending against this technique requires proactive assessments of your web application to ensure it cannot be exploited by attackers using these techniques to target clients. Web application firewalls and content filtering can also help protect users.

The drive-by compromise technique will target any victim that browses to the threat actor’s platform, potentially leading to widespread targeting. This can be a disadvantage to an actor as the more a method is used, the more likely it is to be detected. To focus the target pool, many threat actors will perform a scan of the browser to detect vulnerable versions, target browser extensions or language and region preferences, before launching their attack. Adwords or advertisement profiling can be another powerful mechanism to allow threat actors to precisely target their victims. So called “watering hole” attacks are another technique to identify the websites that a target population or organization uses and then compromise that website as a platform to reach the target.

In a successful attack, the attacker will move to the next phase of the attack such as achieving execution or credential access, which will enable them to target the SaaS platform.

Exploiting Public-Facing Applications

Exploiting public-facing applications is a common technique and is found in the Infrastructure as a Service (IaaS) Matrix. This technique can target web applications or public-facing infrastructure services such as VPN, RDP , email, databases or misconfigurations in IaaS service (such as AWS S3). This technique is particularly favored by ransomware groups. These groups are known to develop one key exploit and scan the internet for vulnerable targets in order to compromise as many victims as possible.

This technique can leverage a wide range of vulnerability classes to achieve remote code execution (RCE) on a server, which is the preferred path of attackers because of the flexibility it provides. This kind of control can also be achieved via other vulnerability classes, such as server-side request forgery (SSRF), which leverages the application’s server for further unauthorized activity; remote file inclusion (RFI), used to upload malware from an external URL; XML external entity (XXE), which can expose confidential data on the application’s server filesystem and expand access to other systems connected to the application; and SQL injection (SQLi) which allows attackers to execute SQL code on the database, leading to unauthorized data exposure.

The above classes of vulnerabilities are typically found in infrastructure and applications deployed and managed by the target organization, but IaaS services that are managed by cloud service providers (CSPs) can also expose vulnerabilities that an attacker can exploit for initial access. Most IaaS vulnerabilities result from misconfiguration of the service by the user, such as accidental public exposure of data (e.g., in S3 buckets), services (e.g., from open virtual private cloud [VPC] network access control) or overly broad Identity and Access Management (IAM) permissions and roles. Vulnerabilities exist in the IaaS services managed by CSPs, although exploitation of these vulnerabilities resulting in access to customer data is uncommon. It is important that all users of cloud services understand the shared responsibility model for cloud security.

While not all these classes of vulnerabilities give an adversary full control over a network, attackers can leverage connected cloud services that can be used to facilitate the next steps in an attack chain: persistence, code execution, privilege escalation and data exfiltration.

Defending against these initial access techniques requires application and infrastructure security programs that architect, design and validate security controls throughout your cloud and cloud-connected systems. These systems should be designed around the principles of least privilege, defense in depth and zero trust. A trusted partner professional services company can help achieve the right balance of validation with application security, program maturity assessments, penetration testing, cloud security assessments and risk audits.

Phishing

Phishing and spear phishing email messages are another technique that can lead to compromise of the cloud environment. In the case of IaaS platforms, a client can be exploited and access to cloud resources achieved via lateral movement where valid credentials stored on the victim's device are targeted. CSP login pages and authentication services such as third-party single sign on (SSO) or cloud-native identity providers (IdP) are also common phishing targets.

A strong defense against all forms of credential phishing is strong multifactor authentication (MFA). FIDO2-based tokens provide phishing-resistant MFA and are a preferred option as time-based, one-time passwords (TOTPs) and one-time codes are now a common target for attackers. The U.S. Federal government has also mandated phishing-resistant MFA tokens as part of its zero trust strategy.

Phishing is also covered in Office 365, Google Workspace and SaaS matrices. Office 365 and Google Workspace environments can be targeted via several productivity documents (.pdf, .docx, and .xls files). These document types provide a complex attack surface with many features (e.g., macros, script engines, and COM objects) that an adversary can exploit to achieve execution. Office documents can also be used as part of a multi-stage chain to achieve execution through initial access.

User education is a major part of a comprehensive defense against phishing, which can include phishing exercises and phishing simulation and reporting tools. Email filtering and sandboxing are also effective to defend against email-based phishing.

Trusted Relationships

Trusted relationships refer to the practice of granting an external entity (user or organization) access to an organization’s cloud systems, based on that entity’s predetermined authorization to access the resource. The approach of abusing trust relationships is found in the SaaS and IaaS cloud matrices. Actors can exploit trust relationships in several ways, such as through a legitimate application program interface (API). The risk can be exacerbated by an API with overly broad permissions. Any software or hardware that is installed in an organizations’ environment, that was created in whole or in part by a third party, is an opportunity for a supply-chain attack that exploits the organization’s trusted relationship with that vendor. Attack vectors can also involve third parties with either virtual or physical access to your infrastructure, from managed service providers to HVAC technicians or telecommunications personnel.

Defending against trusted relationships initial access techniques requires elements from a wide range of security programs:

A change management process should be invoked to review the scope of access and technical mechanisms used to provide connectivity to a third party. The review should include a risk assessment and may require a penetration test if a new internet-facing API is exposed.
All third-party access should be tracked in a central repository and subject to regular review. Any access that is no longer necessary should be revoked.
A vendor review process must be undertaken before a business relationship begins. This is a complicated process to perform effectively, however it is an important piece of the strategy.
Effective monitoring and logging of third-party access is an effective tool to mitigate risk and ensure that any malicious behavior is detected.
Appropriate security controls (physical, network and logical) should be in place to limit the access of third parties, following the principle of least privilege.

If the supplier of trusted technology is compromised, that relationship can be exploited as well. The 2020 SolarWinds breach was a notable example of a major supply-chain exploit, when a regular software-update process was compromised, enabling attackers to go into targeted networks.

The U.S. Federal Government’s new regulations around a software bill of materials (SBOM) is a useful step forward to provide organizations the information that is required to help manage supply chain security. Tools and best practices to translate that information into actionable practices are still being developed.

Access management is critical to defining and securing any trusted relationship; broad or admin permission settings are inherently risky and are often the Achilles’ heel actors are counting on.

Valid Credentials

Due to its simplicity and high impact, the exploitation of valid credentials is one of the most commonly used techniques for gaining initial access to cloud resources. The MITRE ATT&CK Cloud Matrix and each sub-matrix cover this technique. It is especially effective for IaaS platforms, which have the facility to grant compute services role-based access to other resources depending on the policies applied. Valid credentials are such a useful tool for an attacker because they can be used not only for initial access, but for many other steps in an attack chain including privilege escalation, persistence, defense evasion, lateral movement, and data exfiltration.

Valid credentials have long been targeted by attackers through various brute force or guessing attacks. Password spraying and credential stuffing are two of the most common techniques. During a credential stuffing attack, the attacker targets accounts with password reuse, using lists of passwords and user IDs (typically email), either leaked or assembled from previous data breaches. Password spraying is designed to target commonly used passwords, where an attacker cycles through many different user IDs, while attempting a list of commonly used passwords. Instead of trying many passwords for one target account, they target many user accounts with a limited set of common passwords.

Many organizations unknowingly leak access keys through their source code, compiled or packed applications and other public resources. If just a single entity in an enterprise is compromised through another initial access technique, stolen credentials can potentially allow an adversary to pivot to cloud assets. Overly broad permissions are a common misconfiguration among user roles, which means that a compromised set of credentials is more likely to allow broad access to cloud assets.

Additionally, cloud compute infrastructure, especially virtual machines (VMs), can be granted permissions to access other cloud services. If an adversary has control of a VM in a cloud environment, they can use the Instance Metadata Service (IMDS) to gain credentials to access other cloud resources authorized for that VM.

Credentials must first be strengthened through password policy and enforcement, which means users are required to meet password complexity requirements. Organizations must also enforce against known weak passwords (such as ‘P@ssword1’) or passwords that have been previously discovered in a breach. Multi Factor Authentication (MFA) is critical for protecting against an attacker leveraging valid credentials they have obtained, so the credentials alone don’t provide access.

Defense against leaking credentials is not an easy task since credentials can be leaked or exposed through many pathways. A mature application security program helps protect credentials using continuous integration/continuous deployment (CI/CD) tools to detect accidental exposure, as well as code scanning to reduce vulnerabilities that may result in exposed credentials. Strong secret management practices, including dedicated secret storage infrastructure, are also an important step to protect credentials in cloud environments. Access and account management policies are important to minimize the accounts that an attacker could target and minimize the scope of access for all accounts.