From the Minds at Mandiant: How to Avoid Common Cloud Security Pitfalls
FireEye Stories 2020-11-19
Since cloud computing’s inception, the security of provider environments has been a top-of-mind concern for business leaders.
However, a recent Gartner report predicts that through 2022, at least 95% of cloud security failures will actually be the customer's fault.
As the report explains: “The parts of the stack under customer control can make public cloud computing a highly efficient way for inexperienced users to implement poor practices, which can easily result in security or compliance failures.”
For cyber security professionals, this illuminates a critical priority: identity and access management (IAM), and platform configurations and cloud operating procedures, must be focal points of security planning.
Anatomy of a Customer-Side Cloud Security Breach
The Gartner prediction aligns with the front-line experience of our Mandiant Incident Response experts.
For example, most of the Amazon Web Services (AWS) intrusions that our team encounters begin with compromised user credentials—a problem that cloud providers have little control over.
Once attackers obtain an access key or user password, they can access the AWS command line interface via API or console to manipulate their target’s resources.
To further illustrate this trend, let’s examine a Mandiant case study outlined in the M-Trends 2020 report:
- The attacker initially gained access to the victim’s GitHub repository via an account that was not enforcing multi-factor authentication (MFA), then found AWS credentials by searching the commit history.
- The attacker then used the IAM access keys to infiltrate and interact with the victim’s AWS environment from a server in the Netherlands.
- After performing reconnaissance and not finding any information of interest, the attacker created a new user account with more permissive access.
- Using the new account, the attacker transferred large volumes of the victim’s data to an outside server.
This example highlights a common theme among today’s emerging cloud security challenges. Attackers seek and exploit any weak points to gain entry to public cloud environments, and use that initial access to maintain presence, move laterally and execute their mission. Something as simple as accessible credentials hosted in the wrong place can quickly become a complex problem and a business disruption.
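The case study turns on a credential that was committed once and then left in the repository's history, where a commit-history search found it. The following Python scanner, written for this post as an added example (it is not Mandiant or FireEye code, and the commit text, commit ids and file name are constructed), shows the defender-side check: it walks `git log -p --all` style output and reports every AWS access key id and secret key it finds, in every commit, so that a key deleted in a later commit still shows up and is known to need rotation. The credential values are the example values AWS uses in its own documentation, not live keys.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Access key ids start with AKIA (long-term) or ASIA (temporary) followed by 16 chars.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A 40-character secret assigned to the AWS_SECRET_ACCESS_KEY variable (or a key of that name).
SECRET_KEY_RE = re.compile(
    r"""(?i)aws_secret_access_key\s*[=:]\s*["']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"""
)

# Constructed history in `git log -p` form: commit 1a2b3c adds the keys, 4d5e6f removes them.
SAMPLE_HISTORY = """\
commit 1a2b3c (hypothetical)
Author: dev <dev@example.com>

    add deploy script

+++ b/deploy.sh
+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

commit 4d5e6f (hypothetical)
Author: dev <dev@example.com>

    remove hardcoded keys

--- a/deploy.sh
-export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
-export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+export AWS_PROFILE=deploy
"""


@dataclass(frozen=True)
class Finding:
    commit: str   # commit id the credential appears in
    kind: str     # "access_key_id" or "secret_access_key"
    value: str    # the matched credential value
    line: str     # the diff line it was found on


def scan_history(history_text: str) -> list[Finding]:
    """Report every credential occurrence in a `git log -p` dump, added or removed lines alike.

    A line removed by a later commit is still present in the earlier commit, so the
    credential remains readable by anyone who can clone the repository.
    """
    findings: list[Finding] = []
    commit = "<unknown>"
    for raw in history_text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1]
            continue
        for m in ACCESS_KEY_RE.finditer(raw):
            findings.append(Finding(commit, "access_key_id", m.group(1), raw.strip()))
        for m in SECRET_KEY_RE.finditer(raw):
            findings.append(Finding(commit, "secret_access_key", m.group(1), raw.strip()))
    return findings


def keys_to_rotate(findings: list[Finding]) -> list[str]:
    """Distinct access key ids that must be rotated regardless of whether HEAD still contains them."""
    return sorted({f.value for f in findings if f.kind == "access_key_id"})


if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f.commit}: {f.kind} {f.value[:8]}... in '{f.line}'")
    print("rotate:", keys_to_rotate(SAMPLE_HISTORY and scan_history(SAMPLE_HISTORY)))
```

Run against a real repository with `git log -p --all | python scan.py` style piping (reading stdin instead of `SAMPLE_HISTORY`); the important property is that the removal commit does not clear the finding from the first commit, which is why a leaked key is rotated rather than just deleted from the file.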
Best Practices for Common Cloud Security Challenges
So how can you start improving your organization’s cloud security posture? These best practices are a strong starting point:
As described, not enforcing MFA on GitHub repository user accounts, AWS IAM users, or Azure Active Directory users is a common and highly exploitable misstep. MFA should be applied to user accounts that have access to code repositories and AWS accounts, and to command-line interface access. For Azure and Microsoft 365, MFA should be applied to all accounts, especially those with administrative permissions and access to command-line interfaces. Organizations should also consider second-factor mechanisms such as hard or soft tokens.
Many organizations use long-lived IAM credentials for application functionality, which expands their attack surface. For application functionality, organizations should aim to use IAM roles for EC2 instances, because the underlying credentials that the application uses to interact with service APIs are temporary, with a six-hour lifetime. With Microsoft Azure, organizations should consider using managed service identities with Azure role-based access control to keep credentials secure.
Our experts often find that IAM user accounts are over-privileged, which puts them at risk for both inadvertent and deliberate activity outside of their intended purpose. Here, the best practice is to always follow the principle of least privilege when assigning access, and to limit the overall number of users with administrative privileges.
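The three AWS-side practices above (MFA on every account that can sign in, no long-lived keys where a role would do, and least privilege with few administrators) can be checked from one snapshot of the account's IAM users. The audit below is an added example written for this post, not Mandiant or FireEye tooling; the user snapshot is constructed to resemble what IAM's credential report and account authorization details provide, the 90-day key age and two-administrator ceiling are assumed local policy, and the fixed "today" keeps the ages reproducible. It also returns the documented AWS deny-unless-MFA identity policy, built on the `aws:MultiFactorAuthPresent` condition key, which is how MFA gets enforced for CLI and API access rather than only for the console.

```python
from __future__ import annotations
from datetime import date

TODAY = date(2020, 11, 19)   # fixed "today" so key ages are reproducible
MAX_KEY_AGE_DAYS = 90        # assumption: local access-key rotation policy
MAX_ADMIN_USERS = 2          # assumption: local ceiling on administrative users

# Constructed snapshot of IAM users (not real account output).
SNAPSHOT = {"users": [
    {"name": "alice", "console": True, "mfa": True,
     "keys": [{"id": "AKIAEXAMPLE000000001", "created": "2020-10-01", "active": True}],
     "policies": [{"Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::reports/*"}]},
    {"name": "deploy-bot", "console": False, "mfa": False,
     "keys": [{"id": "AKIAEXAMPLE000000002", "created": "2019-03-15", "active": True}],
     "policies": [{"Action": "*", "Resource": "*"}]},
    {"name": "bob", "console": True, "mfa": False, "keys": [],
     "policies": [{"Action": ["iam:*"], "Resource": "*"}]},
    {"name": "carol", "console": True, "mfa": True, "keys": [],
     "policies": [{"Action": "*", "Resource": "*"}]},
]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def grants_admin(stmt: dict) -> bool:
    """Administrative in effect: full wildcard, or unrestricted iam:* (which can grant itself the rest)."""
    if "*" not in _as_list(stmt["Resource"]):
        return False
    return any(a == "*" or a.lower() == "iam:*" for a in _as_list(stmt["Action"]))


def key_age_days(created: str, today: date = TODAY) -> int:
    return (today - date.fromisoformat(created)).days


def audit(snapshot: dict, today: date = TODAY,
          max_key_age: int = MAX_KEY_AGE_DAYS, max_admins: int = MAX_ADMIN_USERS):
    """Return (user, rule, detail) findings for the three pitfalls discussed in the post."""
    findings, admins = [], []
    for u in snapshot["users"]:
        can_sign_in = u["console"] or any(k["active"] for k in u["keys"])
        if can_sign_in and not u["mfa"]:
            findings.append((u["name"], "no-mfa",
                             "enable MFA; enforce it for CLI/API use with a deny-unless-MFA policy"))
        for k in u["keys"]:
            age = key_age_days(k["created"], today)
            if k["active"] and age > max_key_age:
                findings.append((u["name"], "stale-key",
                                 f"{k['id']} is {age} days old; rotate it or move the workload to an IAM role"))
        if any(grants_admin(s) for s in u["policies"]):
            admins.append(u["name"])
            findings.append((u["name"], "over-privileged",
                             "policy is administrative; scope Action and Resource to the task"))
    if len(admins) > max_admins:
        findings.append(("<account>", "too-many-admins",
                         f"{len(admins)} administrative users: {', '.join(admins)}"))
    return findings


def mfa_required_policy() -> dict:
    """AWS's documented deny-unless-MFA pattern: everything except MFA self-enrolment is denied
    when the session has no MFA, so CLI and API calls need an MFA-backed session too."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
        "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                      "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                      "iam:ResyncMFADevice", "sts:GetSessionToken"],
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}


if __name__ == "__main__":
    for user, rule, detail in audit(SNAPSHOT):
        print(f"{user:12} {rule:16} {detail}")
```

In the constructed snapshot the service user `deploy-bot` trips all three rules at once, which is the pattern behind the case study: a non-human identity with an old static key and administrative rights is exactly what an instance role with temporary credentials and a task-scoped policy is meant to replace.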
Finally, it’s critical for organizations to develop SIEM use cases that help detect threats impacting cloud assets and services. Anomalous activity must be identified and reported in real time so that security teams can investigate quickly and minimize the impact of compromise.
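For AWS, the SIEM use cases that would have surfaced the case study above are all expressible over CloudTrail: a console login without MFA, API calls from an address the organization does not use, a principal creating a user and immediately attaching a policy to it, and a large volume of S3 reads from one place. The detector below is an added example written for this post, not a Mandiant or FireEye detection rule; the eight events are constructed in CloudTrail's shape (real CloudTrail records carry many more fields), the allowed egress range and the 15-minute and 1 GB thresholds are assumptions, and the addresses come from the RFC 5737 documentation ranges.

```python
from __future__ import annotations
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_NETS = ("203.0.113.0/24",)   # assumption: the organization's known egress range


def _ev(time, name, source, user, ip, **extra):
    """Build a minimal CloudTrail-shaped record (constructed, not real log output)."""
    rec = {"eventTime": time, "eventName": name, "eventSource": source,
           "userIdentity": {"type": "IAMUser", "userName": user}, "sourceIPAddress": ip}
    rec.update(extra)
    return rec


# Constructed sample mirroring the case study: a key-holder appears from an unknown address,
# creates a user, attaches an administrative policy, then reads large objects from S3.
EVENTS = [
    _ev("2020-11-19T08:00:00Z", "ConsoleLogin", "signin.amazonaws.com", "alice", "203.0.113.10",
        additionalEventData={"MFAUsed": "Yes"}, responseElements={"ConsoleLogin": "Success"}),
    _ev("2020-11-19T08:02:00Z", "ConsoleLogin", "signin.amazonaws.com", "bob", "203.0.113.11",
        additionalEventData={"MFAUsed": "No"}, responseElements={"ConsoleLogin": "Success"}),
    _ev("2020-11-19T08:05:00Z", "DescribeInstances", "ec2.amazonaws.com", "deploy-bot", "198.51.100.7"),
    _ev("2020-11-19T08:06:00Z", "ListBuckets", "s3.amazonaws.com", "deploy-bot", "198.51.100.7"),
    _ev("2020-11-19T08:10:00Z", "CreateUser", "iam.amazonaws.com", "deploy-bot", "198.51.100.7",
        requestParameters={"userName": "svc-backup"}),
    _ev("2020-11-19T08:11:00Z", "AttachUserPolicy", "iam.amazonaws.com", "deploy-bot", "198.51.100.7",
        requestParameters={"userName": "svc-backup",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _ev("2020-11-19T08:30:00Z", "GetObject", "s3.amazonaws.com", "svc-backup", "198.51.100.7",
        additionalEventData={"bytesTransferredOut": 734003200}),
    _ev("2020-11-19T08:31:00Z", "GetObject", "s3.amazonaws.com", "svc-backup", "198.51.100.7",
        additionalEventData={"bytesTransferredOut": 912261120}),
]


def _from_allowed(ip: str, nets) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # CloudTrail records a service hostname (e.g. "ec2.amazonaws.com") when AWS itself
        # makes the call on the principal's behalf; that is not a user's egress address.
        return True
    return any(addr in n for n in nets)


def detect(events, allowed_nets=ALLOWED_NETS, window=timedelta(minutes=15),
           exfil_bytes=1_000_000_000):
    """Run four SIEM-style rules over CloudTrail-shaped events and return alerts in time order."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    alerts, created = [], {}             # created: (actor, new user) -> CreateUser time
    seen_source, escalated, exfil_done = set(), set(), set()
    downloaded = defaultdict(int)        # (actor, ip) -> cumulative S3 bytes out

    def alert(rule, e, actor, detail):
        alerts.append({"rule": rule, "time": e["eventTime"], "actor": actor,
                       "ip": e["sourceIPAddress"], "detail": detail})

    for e in sorted(events, key=lambda r: r["eventTime"]):
        t = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        actor = e["userIdentity"].get("userName") or e["userIdentity"]["type"]
        ip, name = e["sourceIPAddress"], e["eventName"]
        extra, params = e.get("additionalEventData", {}), e.get("requestParameters", {})

        # Rule 1: a successful console login without MFA.
        if name == "ConsoleLogin" and extra.get("MFAUsed") == "No" \
                and e.get("responseElements", {}).get("ConsoleLogin") == "Success":
            alert("console-login-no-mfa", e, actor, "console login succeeded without MFA")

        # Rule 2: activity from outside the known egress ranges, reported once per actor and address.
        if not _from_allowed(ip, nets) and (actor, ip) not in seen_source:
            seen_source.add((actor, ip))
            alert("unexpected-source", e, actor, f"{name} from {ip} outside allowed ranges")

        # Rule 3: a principal creates a user and grants it policies, groups or keys within the window.
        if name == "CreateUser":
            created[(actor, params["userName"])] = t
        elif name in ("AttachUserPolicy", "PutUserPolicy", "AddUserToGroup", "CreateAccessKey"):
            target = params.get("userName")
            t0 = created.get((actor, target))
            if t0 is not None and t - t0 <= window and (actor, target) not in escalated:
                escalated.add((actor, target))
                alert("privilege-escalation", e, actor, f"{name} on newly created user {target}")

        # Rule 4: cumulative S3 bytes read by one actor from one address crosses the threshold.
        if name == "GetObject":
            key = (actor, ip)
            downloaded[key] += int(extra.get("bytesTransferredOut", 0))
            if downloaded[key] > exfil_bytes and key not in exfil_done:
                exfil_done.add(key)
                alert("bulk-download", e, actor, f"{downloaded[key]} bytes read from S3")
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a['time']} {a['rule']:22} {a['actor']:11} {a['detail']}")
```

Rule 2 fires at the first reconnaissance call, 25 minutes before any data leaves, which is the window the post is asking security teams to act in; rule 4 needs S3 data events enabled in CloudTrail, since management events alone do not include `GetObject`.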
Put Your Cloud Security Knowledge to the Test
To test your understanding of common cloud security challenges and best practices, we created the Cloud Security Knowledge Builder quiz.
The Cloud Security Knowledge quiz is an online experience that takes you through six cloud security scenarios and asks you to select the optimal solutions (hint: you may have read several helpful insights for solving the quiz scenarios in this blog post).
Also, take advantage of our Mandiant Cloud Architecture and Security Assessments to evaluate existing cloud security and hardening techniques and better understand the threats and security controls relevant to your specific cloud environment.