Attacks from the Cloud
There is no shortage of commentary and debate about the cybersecurity threats facing operators of cloud-based applications and services, but much less is said about how cloud resources themselves are used to launch attacks and disruption, whether against other cloud services or against end users and their endpoint devices.
“The cloud” is a very small, concise term for something that comprises millions of servers in thousands of data centers spread across the globe. Everyone reading this will likely be well-versed about the cloud: what it is, how it works and what it can be used for.
Among the many things it can be used for is to carry out cyber attacks.
Cloud services are incredibly versatile, which is why they are so popular. It is easy to spin up a few virtual servers at your favorite cloud provider and start deploying applications and data to them. That same ease makes it equally simple for a bad actor to use the cloud to attack our systems. And “our systems” means both cloud-based and on-premises, since anything that is internet-connected is fair game for a cloud-originated attack.
Finding the Source
The first problem in defending against cloud-originated attacks is traceability. This sounds a little strange: after all, the source IP address of an attack can usually be traced back to the provider that owns it, and law enforcement agencies can work with cloud providers to establish which customer’s systems are carrying out the attack. (For volumetric attacks the source address may simply be spoofed, which does not even get you as far as the provider.) The problem, of course, is that attackers are not foolish enough to sign up to cloud services in their own name; instead, they use other people’s. As we are all aware, it is common for cloud customers to configure their running services insecurely, leaving them open for bad actors to compromise and use for nefarious purposes. So yes, cloud-sourced attacks are traceable, but not necessarily to the extent needed to identify the perpetrators quickly and easily.
Next is the issue that the cloud is just so extensive – which makes it easy to exploit the traceability problem. When there are tens of millions of virtual servers around the globe, the law of averages means that a good few thousand – probably a lot more – are misconfigured and vulnerable to being used to conduct attacks.
The problem is compounded by another double-edged feature of the cloud: consistency. In an on-premises (that is, non-cloud) world, ten different organizations will have ten different configurations, using several different makes and models of firewall. There will not be the same level of common misconfiguration as there is with public cloud systems, simply because different equipment is being used, and there will be no easy way to automate an attack that hits them all. What the big cloud providers bring is uniformity, so a well-known, common security misconfiguration can be found and exploited across many tenants with one automated scan.
Attack Forms
Aside from malware (which these days frequently means ransomware), the other attack type that appears most consistently is Denial of Service (DoS), which in practice generally means Distributed Denial of Service (DDoS). Why is DDoS so popular? Simple: a basic DoS attack that saturates the target’s network connection or server CPU requires a large amount of processing power and bandwidth at the attacker’s end. Want to saturate someone’s 100 Mbit/s internet connection and kill their web services by brute force? You’ll need 100 Mbit/s of upstream bandwidth at your end (amplification and reflection techniques lower that bar, but the principle holds). Spread the same attack across 100 compromised servers and each of them needs only 1 Mbit/s, which will most likely go entirely unnoticed by the people whose servers the attacker has invaded. Use the big cloud providers to spread those sources around the globe and there will be no obvious geographical origin for the attack either.
None of the above should really be much of a surprise. The cloud is phenomenally useful to all of us who use it for our organizations’ legitimate purposes, so why should it not be equally attractive to those with less legitimate motives? So, what can we do about it? Is there something special we must do in order to mitigate the extra threat that cloud-based attackers present to us?
Is the Cloud an Additional Threat?
Before we answer that, let us look at that last question and ask: is there really an extra threat from cloud-based attacks? In short: no, not really. The cloud provides a convenient platform for doing harm, but the attacks perpetrated from it are the same ones that would be used via other mechanisms. A DDoS attack is still a DDoS attack; a botnet is still a botnet; a Command-and-Control setup is still a Command-and-Control setup. Although a cloud-originated attack may be more thinly spread across a wider range of source IPs and geographies, it will most likely still be within the capacity of the tools we already use to identify nefarious behavior, provided those tools look at aggregate behavior and not only at what each individual source is doing.
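The "thinly spread" case above is exactly the one a per-source rate limiter misses: each compromised cloud host sends a trickle, and only the total (or the clustering of sources into a few provider netblocks) reveals the flood. The following is an added example, not code from the original article, showing detection logic of that kind over web-server access logs. Everything in it is constructed: the log lines, the thresholds, and the use of the documentation prefixes 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 as stand-ins for rented cloud ranges.

```python
"""
Detecting a thinly spread request flood in web-server access logs.

Added example, not code from the original article. The log lines, thresholds
and address ranges are constructed for illustration (documentation prefixes
192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 stand in for cloud ranges).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Common Log Format: ip ident user [time] "request" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), request, int(status)


def cluster_key(ip):
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) so that many hosts
    rented from the same provider block are counted together."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def build_sample_log():
    """Constructed sample: 60 sources spread over three /24s, each sending just
    two requests inside a 10 s window, plus two ordinary visitors and one
    corrupt line. Not real traffic."""
    start = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    n = 0
    for block in ("192.0.2.", "198.51.100.", "203.0.113."):
        for host in range(10, 30):
            for _ in range(2):
                t = start + timedelta(seconds=n % 10)
                lines.append(f'{block}{host} - - [{t.strftime(TS_FMT)}] '
                             f'"GET /search?q=a HTTP/1.1" 200 512')
                n += 1
    for i, ip in enumerate(("10.0.0.5", "10.0.0.7")):
        t = start + timedelta(seconds=3 * i)
        lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 1024')
    lines.append("this line is garbage and must be skipped")
    return lines


def detect_distributed_flood(lines, window=10, per_ip_limit=5,
                             aggregate_limit=60, cluster_limit=20):
    """Bucket requests into fixed windows and flag windows where no single source
    exceeds per_ip_limit (so a per-IP rate limiter stays quiet) but the total
    request count or a single /24 cluster is well above normal."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    findings = []
    if not events:
        return findings
    t0 = events[0][1]
    buckets = defaultdict(list)
    for ip, ts, _request, _status in events:
        buckets[int((ts - t0).total_seconds()) // window].append(ip)
    for idx in sorted(buckets):
        ips = buckets[idx]
        per_ip = Counter(ips)
        max_single = max(per_ip.values())
        clusters = Counter(cluster_key(ip) for ip in ips)
        noisy = {c: n for c, n in clusters.items() if n >= cluster_limit}
        if max_single <= per_ip_limit and (len(ips) >= aggregate_limit or noisy):
            findings.append({
                "window_start": t0 + timedelta(seconds=idx * window),
                "requests": len(ips),
                "unique_sources": len(per_ip),
                "max_per_source": max_single,
                "noisy_clusters": noisy,
            })
    return findings


if __name__ == "__main__":
    for f in detect_distributed_flood(build_sample_log()):
        print(f"{f['window_start']:%H:%M:%S}: {f['requests']} requests from "
              f"{f['unique_sources']} sources, max {f['max_per_source']} per source, "
              f"noisy /24s: {sorted(f['noisy_clusters'])}")
```

On the constructed sample every attacking host sends only two requests in ten seconds, so a threshold of five per source never fires; the window is flagged because 122 requests arrive from 62 sources and three /24 blocks each contribute 40. In practice the thresholds would be set from a baseline of normal traffic, and the /24 grouping is a crude stand-in for grouping by the cloud provider's published address ranges or by ASN.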
Carry on reassessing security risks. Carry on using, and adding to, the tools you use to detect and defend against cyber attacks. Monitor those tools properly and react when you see something of concern. Cloud-sourced attacks do not pose a huge additional threat that is many times harder to deal with than “traditional” approaches.
It's just a shame that they are not many times easier to deal with either.