In recent years, enterprises and security officers have focused on how to better manage and protect cloud infrastructure amid a wave of changes, as enterprise cyberattacks evolve and increase. Recent studies reveal that 71% of Spanish companies suffered a ransomware attack during 2021, compared to 44% in 2020. According to a study carried out by Vectra AI, 72% of those surveyed in Spain believe that it is possible or probable that they have been attacked without being aware of it, 83% have experienced a significant security event that required an incident response effort, and 48% do not fully trust their security tools to protect them against sophisticated attacks.

As CTO (Chief Technology Officer), much of my attention is focused on the future, creating “thought experiments” to determine the best ways to protect our data and critical systems. Ransomware continues to be a major topic of discussion among cybersecurity professionals around the world. The other constant theme is attacks on the supply chain, covering both traditional on-premises products and services delivered through the cloud. Migration to cloud and SaaS, together with the difficulty of finding experienced talent that understands the security implications of cloud platforms, are related issues.

There is a tension between companies that want to be agile by adopting the cloud and security teams trying to gain visibility and implement security in those environments. In a perfect world, that tension is resolved in a balanced way, but we don’t live in a perfect world, and the business imperative to quickly roll out new services often outstrips an organization’s ability to do so securely.
The problem with the cloud
Not too long ago, local networks were where attackers operated most freely, so that is where our defensive effort has been concentrated. Now, employee traffic predominantly reaches applications over the Internet. This means we have to examine logs across cloud platforms like Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP), cloud identity systems like Azure AD and Okta, and collaboration apps like Microsoft 365 and Google Workspace. INCIBE handled more than 109,122 cybersecurity incidents during 2021. Of that total, 90,168 affected citizens and companies, 680 affected strategic operators, and 18,278 affected the Spanish Academic and Research Network (RedIRIS). By type, 29.88% corresponded to malware or malicious software, followed by the different variants of fraud with 28.60%. In third place, attacks on vulnerable systems stand out with 18.89%, since working from home during the pandemic exposed more people to online attacks. A common story is that the pandemic prompted companies to move to multi-cloud or hybrid cloud configurations, not because of a grand strategy but because of a pressing need. As a result, services such as Microsoft 365 or e-commerce platforms were rapidly deployed without regard to the impact on infrastructure or security. Additionally, different business units or departments often evolved in different directions, adding layers of complexity. We are now at a reckoning point where we must understand the reality of the situation and how to remedy it.
The move to the cloud has left entry points for attackers to exploit, and they are starting to make the most of them. On premises, if a cybercriminal wants to encrypt a company’s data, they must go through the painstaking exercise of connecting to a server, extracting all the data over the network, encrypting it, writing it back to the server, and finally erasing the original copy. To be successful, ransomware operators try to insert their hooks in as many places as possible and encrypt as much data as possible. In the cloud, ransomware operators can take advantage of the server-side encryption provided by the cloud platform itself, allowing them to encrypt data much faster and with far less effort.
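One defensive consequence of the point above is that a change to a bucket's default server-side encryption, especially one that names a KMS key the tenant does not own, is worth alerting on. The following detection is an added example written for this page, not code from the article or from Vectra AI: it scans CloudTrail-style management events for `PutBucketEncryption` calls whose default rule points at a KMS key outside an allow-list. The event field layout is assumed to follow CloudTrail's record for that API, and the allow-list and sample events are constructed.

```python
import json

# Assumed allow-list of the tenant's own customer-managed KMS keys for S3 (constructed value).
ALLOWED_KEYS = {"arn:aws:kms:eu-west-1:111111111111:key/allowed-0001"}

# Constructed CloudTrail-style events, not real log data. The field layout is an assumption
# modelled on CloudTrail's record for s3:PutBucketEncryption.
SAMPLE_EVENTS = [
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutBucketEncryption",
                "recipientAccountId": "111111111111",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/platform-admin"},
                "requestParameters": {"bucketName": "payroll-archive",
                    "ServerSideEncryptionConfiguration": {"Rule": [{"ApplyServerSideEncryptionByDefault":
                        {"SSEAlgorithm": "aws:kms",
                         "KMSMasterKeyID": "arn:aws:kms:eu-west-1:111111111111:key/allowed-0001"}}]}}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "PutBucketEncryption",
                "recipientAccountId": "111111111111",
                "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor-svc"},
                "requestParameters": {"bucketName": "customer-exports",
                    "ServerSideEncryptionConfiguration": {"Rule": [{"ApplyServerSideEncryptionByDefault":
                        {"SSEAlgorithm": "aws:kms",
                         "KMSMasterKeyID": "arn:aws:kms:eu-west-1:999999999999:key/unknown-7777"}}]}}}),
    json.dumps({"eventSource": "s3.amazonaws.com", "eventName": "GetBucketEncryption",
                "recipientAccountId": "111111111111",
                "requestParameters": {"bucketName": "customer-exports"}}),
]

def key_account(key_arn):
    """Account id segment of a KMS key ARN (arn:aws:kms:region:account:key/id), or '' if malformed."""
    parts = key_arn.split(":")
    return parts[4] if len(parts) >= 6 else ""

def check_event(event, allowed_keys=ALLOWED_KEYS):
    """Return a finding for a PutBucketEncryption call that sets a non-allow-listed KMS key, else None."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketEncryption":
        return None
    params = event.get("requestParameters", {})
    rules = params.get("ServerSideEncryptionConfiguration", {}).get("Rule", [])
    for rule in rules if isinstance(rules, list) else [rules]:
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") != "aws:kms":
            continue  # SSE-S3 (AES256) uses S3-managed keys, so there is no caller-supplied key to review
        key = default.get("KMSMasterKeyID", "")
        if key in allowed_keys:
            continue
        owner = key_account(key)
        foreign = owner != "" and owner != event.get("recipientAccountId")
        reason = "key owned by foreign account " + owner if foreign else "key not in allow-list"
        return {"bucket": params.get("bucketName"), "key": key,
                "actor": event.get("userIdentity", {}).get("arn"), "reason": reason}
    return None

def scan(lines):
    """Run check_event over newline-delimited JSON events and collect the findings."""
    return [f for f in (check_event(json.loads(line)) for line in lines) if f]
```

Running `scan(SAMPLE_EVENTS)` flags only the `customer-exports` change, because its key ARN belongs to account `999999999999` rather than the tenant's own account.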
This is the future of ransomware threats
At Vectra, we view a cloud like AWS or Azure as having two different attack surfaces. There’s the traditional attack surface, where attackers go through the network to attack a workload running in the cloud, escape the workload, and then steal data. And there’s the management plane or control plane of a cloud platform, which represents a more powerful and lesser-known set of controls. Recognizing this, Vectra has solutions to cover both attack surfaces. We work to protect customers from being attacked from within the network, and we work to protect businesses from being attacked at the control plane of their cloud tenant. The initial entry vector can be incredibly complex and varied, but once an attacker lands and establishes a foothold in the environment, we help the business find and stop the incursion before it does any real damage.
Looking at the future
As valuable customer data moves to the cloud, so will ransomware. That’s why we asked ourselves questions like: what does the combination of cloud and ransomware look like, how quickly will attackers become cloud-aware, and what steps should we take now? We need to look at how we can protect ourselves against ransomware in cloud systems and why this is substantially different from the defensive measures required for physical workplaces. By discussing these issues, I hope to encourage CISOs to bridge the gap between the world of security and the world of business, so that investments can be prioritized and our infrastructure can be protected.
Author: Oliver Tavakoli, CTO of Vectra AI