The Common Cloud Misconfigurations That Lead to Cloud Data Breaches

Originally published by CrowdStrike.

The cloud has become the new battleground for adversary activity: CrowdStrike observed a 95% increase in cloud exploitation from 2021 to 2022 and a 288% jump in cases involving threat actors directly targeting the cloud. Defending your cloud environment requires understanding how threat actors operate: how they’re breaking in and moving laterally, which resources they target and how they evade detection.

Cloud misconfigurations — the gaps, errors and vulnerabilities that occur when security settings are poorly chosen or neglected entirely — provide adversaries with an easy path to infiltrate the cloud. Multi-cloud environments are complex, and it can be difficult to tell when excessive account permissions are granted, improper public access is configured or other mistakes are made. It can also be difficult to tell when an adversary takes advantage of them.

A breach in the cloud can expose a massive volume of sensitive information including personal data, financial records, intellectual property and trade secrets. The speed at which an adversary can move undetected through cloud environments to find and exfiltrate this data is a primary concern. Malicious actors will speed up the process of searching for and finding data of value in the cloud by using the native tools within the cloud environment, unlike an on-premises environment where they must deploy tools that make it harder for them to avoid detection. Proper cloud security is required to prevent breaches with far-ranging consequences.

So what are the most common misconfigurations we see exploited by threat actors? Our cloud specialists have observed the following preventative gaps and detection gaps (*) stemming from misconfigured cloud settings:

• Unrestricted outbound access
• Disabled logging *
• Missing alerts *
• Exposed access keys
• Excessive account permissions
• Ineffective identity architecture
• Inadequate network segmentation
• Improper public access configured
• Public snapshots and images
• Open databases, caches and storage buckets
• Neglected cloud infrastructure

Cloud security posture management should be a key component of your security strategy if you want to avoid becoming the next victim of a cloud data breach. Continue reading to find out more about these common cloud security misconfigurations we observe and how adversaries are exploiting them to get to your data.

Unrestricted Outbound Access:

When you have unrestricted outbound access to the internet, bad actors can take advantage of your lack of outbound restrictions and workload protection to exfiltrate data from your cloud platforms. Your cloud instances should be restricted to specific IP addresses and services to prevent adversaries from accessing and exfiltrating your data.

Disabled Logging:

Effective data logging of cloud security events is imperative for the detection of malicious threat actor behavior. In many cases, however, logging has been disabled by default on a cloud platform or gets disabled to reduce the overhead of maintaining logs. If logging is disabled, there is no record of events and therefore no means of detecting potentially malicious events or actions. Logging should be enabled and managed as a best practice.

Missing Alerts:

Most cloud providers and all cloud security posture management providers provide alerts for important misconfigurations, and most detect anomalous or likely malicious activities. Unfortunately, defenders often don’t have these alerts on their radar, either due to an excess amount of low-relevance information (alert fatigue) or a simple lack of connection between those alert sources and the places they look for alerts, such as a SIEM.

Exposed Access Keys:

Access keys are used to interact with the cloud service plane as a security principal. Exposed keys can be rapidly misused by unauthorized parties to steal or delete data, and threat actors may also demand a ransom in exchange for a promise to not sell or leak it. While these keys can be kept confidential, albeit with some difficulty, it is better to expire them or use automatically rotated short-lived access keys in combination with restrictions on where (from what networks and IP addresses) they can be used.

Excessive Account Permissions:

Most accounts (roles, services) have a limited set of normal operations and a slightly larger set of occasional operations. When they are provisioned with far greater privileges than needed and these privileges are misused by a threat actor, the “blast radius” is unnecessarily large. Excessive permissions enable lateral movement, persistence and privilege escalation, which can lead to more severe impacts of data exfiltration, destruction and code tampering.

Ineffective Identity Architecture:

Because the risk of stolen credential use is so high, a core contributor to cloud data breaches is the existence of user accounts not rooted in a single identity provider that enforces limited session times and multifactor authentication (MFA) and can flag or block sign-in for irregular or high-risk signing activity.

Inadequate Network Segmentation:

Modern cloud network concepts such as network security groups make old, cumbersome practices like access control lists (ACLs) a thing of the past. But insufficient security group management practices can create an environment where adversaries can freely move from host to host and service to service, based on an implicit architectural assumption that “inside the network is safe” and “front-end firewalls are all that is needed.” By not taking advantage of security group features to permit only host groups that need to communicate to do so, and block unnecessary outbound traffic, cloud defenders miss out on the chance to block the majority of breaches involving cloud-based endpoints.

Improper Public Access Configured:

Exposing a storage bucket or a critical network service like SSH, SMB or RDP to the internet, or even a web service that was not intended to be public, can rapidly result in a cloud compromise of the server and exfiltration or deletion of sensitive data.

Public Snapshots and Images:

Accidentally making a volume snapshot or machine image (template) public is rare. When it does happen, it allows opportunistic adversaries to collect sensitive data from that public image. In some cases, that data may contain passwords, keys and certificates, or API credentials leading to a larger compromise of a cloud platform.

Open Databases, Caches and Storage Buckets:

Developers occasionally make a database or object cache public without sufficient authentication/authorization controls, exposing the entirety of the database or cache to opportunistic adversaries for data theft, destruction or tampering.

Neglected Cloud Infrastructure:

You would be amazed at just how many times a cloud platform gets spun up to support a short-term need, only to be left running at the end of the exercise and neglected once the team has moved on. Neglected cloud infrastructure is not maintained by the development or security operations teams, leaving bad actors free to gain access in search of any sensitive data that may have been left behind.

Just about everyone has a cloud presence at this point. Many organizations make decisions based on cost savings and flexibility without considering the security challenges that go along with this new infrastructure. Cloud security isn’t something that security teams will understand without requisite training. Maintaining best practices in cloud security posture management will help you avoid common misconfigurations that lead to a cloud security breach.

For more information, download our complete eBook on avoiding common misconfigurations in your cloud security settings: Seven Easily Exploited Cloud Misconfigurations and How to Minimize Their Risk.