Cyber security is the classic game of one-upmanship: white-hat IT pros and ethical hackers versus the bad actors, or black hats, in a constant dance of wit and wile. Similar to the radar-detector-detector, a cloud security strategy needs to stay on its toes to keep up with the ever-evolving threat landscape facing off-prem IT systems and digital assets.
If you’re running a workload in the cloud, take a moment to look at the activity logs for your public-facing resources. There are bad guys there, and they’re probing your cloud infrastructure looking for misconfigurations they can exploit.
A lot has changed with how hackers go about stealing data or otherwise damaging an organization. The traditional approach involves picking an organization to target, and then searching for vulnerabilities to exploit.
A high-profile example is the infamous Sony hack. A certain country was unhappy about a particular movie, and it set about attacking the media company that produced it. Using a mix of backdoors, proxy tools, and malware, the attackers were able to destroy assets and publish sensitive data on the Internet. This is called an Advanced Persistent Threat, or APT.
Of course, this still happens and it must be guarded against. But another, more broadly dangerous kind of threat has emerged with cloud computing. Malicious actors now use automation tools to scan the entire internet for cloud misconfigurations, such as unrestricted SSH access (e.g., 0.0.0.0/0 on port 22), orphaned and unpatched compute instances, and many others.
They don’t have to look too hard, and what they get back is essentially a long shopping list of cloud environments they can access. It’s relatively trivial to discover who owns these environments, so the attacker goes shopping.
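The unrestricted-SSH misconfiguration mentioned above is the kind of thing a defender can catch before a scanner does. The following is an added example, not code from the original post or from any cloud provider's tooling: it walks a list of inbound security-group rules and flags every rule that exposes port 22 to the whole internet. The rule format (`group`, `protocol`, `from_port`, `to_port`, `cidr`) and the sample rules are constructed for this example and only loosely modelled on how AWS-style security groups describe inbound rules; it also goes slightly beyond the text's `0.0.0.0/0` case by treating the IPv6 `::/0`, port ranges that happen to include 22, and "all protocols" rules as the same exposure, and by showing how a world-open rule can be rewritten to named source ranges instead.

```python
import ipaddress

# Constructed sample inbound rules (not from any real account). The field
# names are an assumption for this example, not a provider's exact schema.
SAMPLE_RULES = [
    {"group": "sg-web",     "protocol": "tcp", "from_port": 80, "to_port": 80,   "cidr": "0.0.0.0/0"},
    {"group": "sg-bastion", "protocol": "tcp", "from_port": 22, "to_port": 22,   "cidr": "0.0.0.0/0"},
    {"group": "sg-bastion", "protocol": "tcp", "from_port": 22, "to_port": 22,   "cidr": "::/0"},
    {"group": "sg-admin",   "protocol": "tcp", "from_port": 22, "to_port": 22,   "cidr": "203.0.113.0/24"},
    {"group": "sg-legacy",  "protocol": "tcp", "from_port": 0,  "to_port": 1024, "cidr": "0.0.0.0/0"},
    {"group": "sg-any",     "protocol": "-1",  "from_port": -1, "to_port": -1,   "cidr": "0.0.0.0/0"},
]


def is_world_open(cidr):
    """True for a source range that matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_covers_port(rule, port):
    """True if the rule admits TCP traffic to `port`, including via a range or an all-traffic rule."""
    if rule["protocol"] == "-1":          # "-1" is the conventional "all protocols/ports" marker
        return True
    if rule["protocol"] not in ("tcp", "6"):
        return False
    return rule["from_port"] <= port <= rule["to_port"]


def find_unrestricted_ssh(rules, port=22):
    """Return (group, cidr, from_port, to_port) for every rule exposing `port` to the internet."""
    findings = []
    for rule in rules:
        if is_world_open(rule["cidr"]) and rule_covers_port(rule, port):
            findings.append((rule["group"], rule["cidr"], rule["from_port"], rule["to_port"]))
    return findings


def restrict_rule(rule, allowed_cidrs):
    """Hardened form of a world-open rule: one copy per approved source range, same ports."""
    return [dict(rule, cidr=cidr) for cidr in allowed_cidrs]


if __name__ == "__main__":
    for group, cidr, lo, hi in find_unrestricted_ssh(SAMPLE_RULES):
        print(f"{group}: ports {lo}-{hi} open to {cidr}")
    # Example of the corrected rule for the bastion group: SSH only from a VPN range.
    world_open_ssh = SAMPLE_RULES[1]
    for fixed in restrict_rule(world_open_ssh, ["203.0.113.0/24"]):
        print("hardened:", fixed)
```

Running this over a real rule export would be the point; the `sg-legacy` and `sg-any` entries are there because the common mistake is to grep for the literal `port 22` and miss a `0-1024` range or an all-traffic rule that exposes SSH just as completely.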