In a recent report by Palo Alto Networks Unit 42, it was revealed that sensitive data is present in as much as 66% of cloud storage buckets, leaving it vulnerable to ransomware attacks. The SANS Institute has highlighted that these attacks can exploit the cloud provider’s storage security controls and default settings, potentially leading to devastating consequences.
Security consultant and SANS Certified Instructor Brandon Evans raised the alarm over the increasing sophistication of ransomware attacks, emphasizing that threat actors are now leveraging legitimate cloud security features to carry out their malicious activities. One such attack campaign, disclosed by Halcyon, used Amazon S3’s native server-side encryption with customer-provided keys (SSE-C) to encrypt target buckets. Additionally, security consultant Chris Farris demonstrated how attackers could abuse another AWS security feature, KMS keys with external key material, using ChatGPT-generated scripts. This trend underscores the importance of addressing cloud ransomware with effective strategies.
To combat cloud ransomware effectively, SANS recommends that organizations take the following proactive measures:

- Understand the power and limitations of cloud security controls. Security professionals need to grasp both the capabilities and the constraints of cloud security controls. Merely using a cloud service does not guarantee the safety of the data stored in it, as evidenced by the lack of file recovery capabilities in services like Amazon S3, Azure Storage, and Google Cloud Storage. Knowing how these services actually operate is essential to bolstering security.

- Block unsupported cloud encryption methods. Organizations should implement Identity and Access Management (IAM) policies that restrict the use of encryption techniques an attacker can abuse in this way, such as AWS S3 SSE-C and AWS KMS keys with external key material. Mandating secure encryption methods instead, such as SSE-KMS with key material hosted in AWS, mitigates the risk of this kind of ransomware attack.

- Enable backups, object versioning, and object locking. Integrity and availability controls such as backups, object versioning, and object locking play a crucial role in recovering data after a ransomware attack. These features are not enabled by default at the major cloud providers, but activating them greatly increases the likelihood of restoring data in the event of an attack.

- Balance security and cost with data lifecycle policies. Organizations must strike a balance between data security and financial considerations when defining data lifecycle policies. Cloud providers offer tools to automate the deletion of unnecessary data objects, versions, and backups, helping organizations manage costs while maintaining security. However, it is vital to anticipate that a threat actor could misuse these same policies to destroy data, and to put appropriate safeguards in place.
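The "block unsupported cloud encryption methods" recommendation above can be expressed as policy conditions on the request headers S3 and KMS expose. The following is an added example, not code from SANS or the article: it builds an S3 bucket policy that refuses SSE-C and requires SSE-KMS, an identity-policy fragment that refuses KMS keys with imported material, and a deliberately small evaluator for the three condition operators used (not the real IAM engine) so the policies can be exercised offline. The bucket name and request contexts are constructed sample values.

```python
SSE = "s3:x-amz-server-side-encryption"            # value "aws:kms" for SSE-KMS
SSE_C = "s3:x-amz-server-side-encryption-customer-algorithm"   # present only for SSE-C

def deny(sid, action, condition, resource="arn:aws:s3:::example-bucket/*"):
    """Deny statement for a bucket policy; Principal "*" covers every caller."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": action,
            "Resource": resource, "Condition": condition}

BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    # Caller-supplied keys (SSE-C) are refused outright.
    deny("DenySSEC", "s3:PutObject", {"Null": {SSE_C: "false"}}),
    # Any encryption header other than SSE-KMS (e.g. AES256 = SSE-S3) is refused.
    deny("RequireSSEKMS", "s3:PutObject", {"StringNotEquals": {SSE: "aws:kms"}}),
    # No encryption header at all is refused explicitly, so the outcome does not
    # hinge on how a negated operator treats an absent key.
    deny("RequireSSEHeader", "s3:PutObject", {"Null": {SSE: "true"}}),
]}

# Identity-policy fragment for the KMS side (no Principal element there):
# refuse creating keys with imported material, and refuse importing material.
KMS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyExternalOrigin", "Effect": "Deny", "Action": "kms:CreateKey",
     "Resource": "*", "Condition": {"StringEquals": {"kms:KeyOrigin": "EXTERNAL"}}},
    {"Sid": "DenyImport", "Effect": "Deny", "Action": "kms:ImportKeyMaterial",
     "Resource": "*"},
]}

def _condition_matches(condition, ctx):
    """Evaluate the Null / StringEquals / StringNotEquals operators used above."""
    for op, pairs in condition.items():
        for key, want in pairs.items():
            present = key in ctx
            if op == "Null":                 # "true" = key must be absent
                ok = present != (want == "true")
            elif op == "StringEquals":
                ok = present and ctx[key] == want
            else:                            # StringNotEquals: absent key counts as unequal
                ok = not present or ctx[key] != want
            if not ok:
                return False
    return True

def is_denied(policy, action, ctx):
    """True when any Deny statement applies: an explicit deny always wins in IAM."""
    for st in policy["Statement"]:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] == "Deny" and action in acts and \
                _condition_matches(st.get("Condition", {}), ctx):
            return True
    return False
```

The context dictionaries passed to is_denied stand in for the condition keys IAM derives from a request's headers; a PutObject with the SSE-C algorithm header, with AES256, or with no encryption header is denied, while one with aws:kms passes.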
In conclusion, the evolving landscape of ransomware threats in the cloud underscores the critical importance of proactive security measures. By understanding cloud security controls, blocking unsupported encryption methods, enabling essential data protection features, and implementing robust data lifecycle policies, organizations can improve their resilience against ransomware attacks. To delve deeper into mitigating risks in cloud environments, Brandon’s webcast and course offerings provide valuable insights and strategies for strengthening cloud security posture and defending against emerging threats.