CrowdStrike CTO: Unskilled errors are having an impact on cloud security

More than two decades into the era of cloud computing, organizations are still struggling with cloud security, according to Elia Zaitsev, global CTO at CrowdStrike. In a recent interview with TechTarget Editorial at Black Hat USA 2023, Zaitsev highlighted several trends and challenges observed by the threat detection vendor. One common theme was the difficulties that enterprises face with cloud security, including misconfigurations, poor development practices, and a lack of knowledge about securing hybrid cloud environments.

Zaitsev pointed out that while cloud providers have made their services simple and user-friendly, organizations often deploy applications or instances that are easy targets for threat actors. In recent years, threat actors have increasingly sought simple yet effective ways to gain access to networks and profit from their actions, such as selling credentials on the dark web or extorting stolen data.

One of the noteworthy trends highlighted in CrowdStrike’s 2023 Threat Hunting Report was the rise in identity-based attacks. Zaitsev compared these attacks to military tactics, explaining that certain techniques may not be new but remain highly effective. For example, Kerberoasting, a technique that abuses Kerberos service-account authentication in Microsoft Active Directory, saw a significant increase in attacks this year. Zaitsev emphasized that adversaries recognize how effective such attacks are, which leads them to use them even more.

Zaitsev also touched on the economic motivations behind identity-based attacks. Credential brokerage services, where threat actors can purchase credentials in bulk, have become a thriving business. For e-crime actors solely motivated by financial gain, obtaining legitimate credentials is a quicker and easier way to monetize their activities compared to more complex methods like stealing intellectual property.

When asked what perpetuates the attack surface on the enterprise side, Zaitsev pointed to legacy antivirus technology as one factor. Many organizations continue to rely on such technology, which does not effectively address threat actors who get in with legitimate credentials. He highlighted the importance of adopting zero-trust technology and urged organizations not to overlook social engineering techniques, which exploit human weaknesses rather than technical flaws.

Zaitsev also explained that cloud environments present new challenges for defenders. Cloud is becoming a preferred battleground for adversaries, and there are identity-based and credential-based techniques specifically targeted at cloud systems. For instance, adversaries exploit misconfigurations, vulnerabilities in application secrets, and metadata APIs to gain unauthorized access. While cloud service providers design their technologies to be secure, the onus is on organizations and developers to understand and utilize them correctly.

Regarding the complexity of cloud services and platforms, Zaitsev identified the problem as organizations and developers being new to the cloud rather than the inherent complexity of the technology. The scalability of cloud environments amplifies mistakes, so it is crucial for organizations to avoid rookie errors such as granting excessive permissions just to ease the development process.

From CrowdStrike’s perspective, operating in the cloud actually provides benefits. The use of cloud service provider APIs and controls makes deployment easier, and agentless technologies and cloud-native tools allow for rapid and scalable response. Combining runtime security with a control plane view and cloud security posture management is crucial for full control and visibility.

In conclusion, Zaitsev highlighted the ongoing challenges organizations face in cloud security, particularly with identity-based attacks. The emphasis on securing credentials and implementing multifactor authentication is essential, but organizations must also address misconfigurations, poor development practices, and a lack of familiarity with cloud environments. By understanding the shared responsibility model and leveraging the tools and features provided by cloud service providers, organizations can better protect themselves against evolving threats in the cloud computing era.
