As enterprises increasingly move applications and other assets to cloud platforms, attackers are targeting these environments with the same attack types they use against on-premises infrastructures, according to a new report.
Houston-based security-as-a-service provider Alert Logic collected data on security incidents from 2,200 of its IDS customers -- roughly 80% cloud hosting providers and the rest on-premises data centers. Alert Logic also included data from honeypots it deployed in public cloud infrastructures around the world.
The resulting 2014 Cloud Security Report, released this week, showed a sharp increase in cloud attacks, both in terms of volume and variety from April 1 through Sept. 30, 2013. While on-premises environments on average saw 2.5 types of attacks, the same as in 2012, cloud providers rose from an average of 1.8 attack types to 2.3 in 2013.
Only 29% of cloud providers had been subjected to a vulnerability scan in last year's report, for instance, but more than two out of every five cloud providers were subjected to such scans this year, narrowly above the rate seen in on-premises environments. Stephen Coty, director of threat research for Alert Logic, said the dramatic rise in vulnerability scans against cloud environments showed that attackers understand that more and more sensitive data is being stored in the cloud.
Attackers also relied more on brute-force attempts to exploit log-in weaknesses within cloud environments, according to the report, as 44% of cloud providers experienced such an attack in 2013 compared to 35% in 2012. Just under half of Alert Logic's on-premises customers witnessed a brute-force attempt. Malware activity in cloud environments doubled since the 2012 iteration of the report as well, with more than one out of ten providers suffering a malware-based attack.
Coty noted that there was great variance in the malware samples picked up by Alert Logic's honeypots. When compared to U.S.-based honeypots, European honeypots were four times as likely to be targeted by malware, and Asian honeypots were twice as likely. A lot of the malware-writing community and cyber underground is based in Eastern Europe, he said, and attackers prefer to deploy test versions of their malware closer to home.
Apart from volume, the honeypots also picked up on different malware samples based on geographic location, according to Coty.
"In Europe, everything, other than directory services, was very equally portioned in terms of the types of attacks, which kind of shows that attackers are trying to test different types of malware in those environments," said Coty. "But Asia was getting hit left and right with Conficker; that made up the top 10. Every variant of Conficker I've seen in the past all hit the Asian honeypots, whereas only certain pieces of it hit the U.S. and Europe."
Moving security strategies to the cloud
Interestingly, antivirus detected approximately 86% of the malware recorded in the honeypots. Coty said much of the malware that went undetected was repurposed versions of Zeus, Conficker and other old variants.
"Zeus and Conficker are still extremely effective, so if you can find a mechanism to deliver them to an environment that only has a firewall and antivirus as part of its security, then not only are you going to get credentials, but it's an easy attack to put in motion," said Coty. "Why reinvent the wheel?"
The use of repurposed malware variants as part of cloud attacks is hardly unique, Coty said, as traditional enterprise environments have dealt with such attacks for years. Brute forcing and vulnerability scans, too, have typically targeted on-premises data centers, he noted, meaning that enterprises moving to the cloud must be prepared to deal with many of the same security issues they have already experienced in the past.
"We've heard in the past that antivirus is dead, but it still serves a purpose," said Coty. "I mean, it's part of that security-in-depth strategy [from the corporate environment] that companies still need to follow in the cloud."
Despite the rising number of attacks against cloud environments, Coty said that enterprises shouldn't be deterred from moving assets to the cloud, both because on-premises environments still see more attacks overall and because cloud environments have not been proven to be less secure in any measurable way.
Instead, he advised enterprise cloud consumers to focus on understanding their security obligations when moving to cloud environments, which means opening and establishing a clear dialogue with cloud service providers.
"For example, the service provider is 100% responsible for foundational services. They're responsible for the majority of the portions of the networking piece. But the app layer is 100% the responsibility of the consumer. Patching configurations; access management; log review; all of that is the customer's responsibility," said Coty. "There are a lot of assumptions out there that by default your service provider handles these things for you, but they don't. You really need to understand the extent of your service provider's responsibilities."