Uncovering Hybrid Cloud Attacks Through Intelligence-Driven Incident Response: Part 1– Addressing the Speed of Cloud Attacks

Originally published by Gem Security.

Written by Yotam Meitar.

The rapid global migration to cloud environments has created unparalleled opportunities for scaling up IT operations, along with an increasingly high volume of sophisticated cyberattacks. Effectively responding to these attacks can be uniquely challenging. Cloud environments have wide potential attack surfaces for initial compromise, and attackers can leverage APIs and automation to move extremely quickly and dominate an environment once their foothold is established. This threat landscape often prevents incident responders from identifying the root causes of sophisticated long-term attacks, especially in cases of hybrid attacks targeting both on-premises and cloud environments. Implementing intelligence-driven contextualized incident response allows defenders to overcome these challenges by turning attackers’ advantages against them.

In this three-part series, we share our approach to leveraging the unique characteristics of growing attacker automation and large-scale cloud cyber operations to identify otherwise undetected root causes In this first part of the series, we’ll explain why effective response is so challenging and provide an overview of the problem. In parts two and three, we’ll dive into a step-by-step analysis of a real-world hybrid cloud attack from both attacker and responder perspectives, highlighting practical takeaways for effective incident response.

The Challenge

The number of organizations from all industries utilizing hybrid on-premises and cloud IT environments is constantly increasing. This trend is motivating cyber attackers to spend more time and resources developing tailored methodologies targeting the cloud. While cloud environments are not inherently more or less secure than their on-premises counterparts,

they make attractive targets for three key reasons:

First, cloud environments have a high-level of commonality and shared characteristics between organizations. These environments are always available and share many architectural features, enabling attackers to increase automation and rely heavily on repetitive playbooks. As a result, time attackers used to spend on detailed environment reconnaissance needed to develop tailored attack vectors, can now often be spent on developing more sophisticated attack techniques instead.

Second, cloud environments rely heavily on centralized identity management. Unlike most on-prem environments which include multiple operating systems, network segments and identity providers, a single identity management center often controls access to all cloud resources. This means a single compromised credential can provide an outsider all they need to fully compromise an environment. This feature is especially attractive to attackers in hybrid attacks, enabling quick privilege escalation from partial on-prem privileges to full cloud control.

Third and even more importantly, these developments require attentive and direct responses from security teams attempting to keep up with cyberattacks at the speed of the cloud. When resources can be accessed, created, modified and eliminated with immediacy and API-enabled automation, speed truly becomes the name of the game. Defenders who don’t respond rapidly have no hope of preventing damage from spreading. This challenge is often compounded in hybrid environments combining older on-premises environments with newly implemented services running in the cloud. Smoothly integrating these environments for company users and IT personnel can be a daunting task, one which becomes even tougher when accounting for the added difficulties to security investigations and incident response.

Investigating potential attacks in hybrid environments demands not only a broad technical understanding of an array of different technologies, but also the right defensive tools and data to figure out what attackers are up to. Huge volumes of incompatible data stored in different places add to the headaches faced by security teams. This also forces them to make difficult choices in deciding on appropriate log retention policies: most data will prove useless in the long run and storing it in a traditional SIEM runs up enormous bills, but a single unpredictable data point can become the linchpin of a crucial investigation months or even years after an attack. All these issues greatly benefit attackers who enjoy an uneven playing field in attacks against cloud environments.

How Can Defenders Adapt?

It's not all bad news though, as the cloud provides just as many opportunities for defenders as it does attackers. One key benefit to defenders in the cloud is that similar environments lead to similar attacks, which in turn create the potential for highly effective intelligence.

When used properly, both external threat intelligence and internal organization-specific intelligence can become invaluable tools in the fight to detect and respond to sophisticated cloud attacks. In hybrid on-premises and cloud environments, where the investigative challenge is arguably greatest, an intelligence-driven approach to incident response has become a true game changer, often making the difference between catastrophic attacks and swift remediation of malicious activities.

Implementing Intelligence-Driven Incident Response

Effectively using intelligence in cloud and hybrid IR presents some practical challenges: vast amounts of irrelevant data along with difficulties in incorporating the work of intelligence experts into traditional cyber investigations prevent many organizations from making the most of this key resource. The best way to surpass these challenges is to learn from practical experiences of defeating sophisticated hybrid cloud attacks. Attackers have the advantage of living through attacks every day and improving their technique, by targeting different victims around the world. On the other hand, security teams try to avoid facing advanced attacks and often don’t come across them until it’s too late. As security teams will never face as many live attacks as their adversaries, this asymmetry can only be corrected by constantly sharing, learning and leveraging effective intelligence. Leveraging organizational and community-wide intelligence allows defenders to overcome this information gap and drive successful cloud incident response.

In Part 2 of this series, we’ll share an example of a real-world attack that spanned hybrid on-prem/cloud environments, describing how the adversary executed their initial access, lateral movement, and (especially) persistence.

In Part 3, we’ll dive into the investigation and response, and share some examples of the techniques that enabled defenders to stop the attack before it was too late. We'll explains how incident responders discovered the IP address of the attackers’ C2 server by analyzing VPC flow logs in their AWS environment. Then they leveraged threat intelligence to identify other servers belonging to the same attacker, enabling them to locate an on-prem system which had been compromised in the initial phase of the kill chain.