By Abdullrazaq Zahran, security engineering manager METNA at Vectra AI
As cloud adoption continues to accelerate with no end in sight, the next generation of attacks will increasingly travel through, and be aimed at, the enterprise's cloud control plane. But why is that?
The control plane provides management and orchestration across an enterprise's cloud deployment. It is where configuration baselines are set, where user and role access is provisioned, and where applications are wired to the services they depend on; think of it as air traffic control for applications. An adversary who compromises the control plane can modify access and configuration at will, and that is where material damage comes from. The same management APIs that create and configure virtual machines, containers and serverless functions can be turned to reading, exfiltrating or destroying the data behind them, which is why a control-plane compromise leads to both data loss and high-impact attacks.
This, perhaps, is the cloud's double-edged sword. Any organization using the cloud will reap the benefits of the speed and scale it provides, but attackers will try to use those same attributes to their advantage. We must remember that the infrastructure, identity, data and services reachable through the cloud control plane are all in play, and increasingly in the attacker's crosshairs.
Believe it or not, this future has been telegraphed for years, going at least as far back as the destructive attack on Code Spaces in 2014. Once the company's Amazon Web Services (AWS) control plane was breached and its infrastructure and data were seized, it was only a matter of time before the business was completely shuttered. More recently, the widely publicized 2019 Capital One breach resulted in more than 100 million stolen records and at least $80 million in penalties.
More fortunate organizations may find they are merely co-opted into less destructive activity such as cryptomining, but that is close to a best-case outcome for an organization that fails to protect its control plane, and it becomes less likely the more valuable the organization's assets are or the more sophisticated the adversary. Additionally, as software delivery itself moves into the cloud, supply chain compromise through cloud-delivered products and services will become an area of increasing concern.
All of this considered, the cloud control plane is not the place to underestimate risk: persistence here gives an attacker reach and influence well beyond the boundaries of a traditional network-based campaign. The stakes are high, the adversary is motivated, and the tradecraft is actively being developed where it has not already been commoditized.
None of this should dissuade executives and strategic decision makers from pursuing an aggressive and expansive cloud strategy. It does mean that such a strategy must include a clearly defined vision and visibility: a vision of what authorized use looks like, and the visibility to monitor and measure deviations from it.
The question then becomes: which actions are authorized, and which are malicious? That answer will not be found by subscribing to the latest threat intel feed or downloading the latest signature pack, because the attacker's control-plane calls are, taken one at a time, the same API calls an administrator makes with a valid credential. Collecting the right data and applying artificial intelligence (AI) can help make sense of it. It comes down to detecting the key components of attack progression: use of compromised credentials, how services are being used, and the interaction between applications and the underlying services.
Organizations with the right intrusion detection technology and partner ecosystem can aggregate the signals that indicate the control plane is under threat, reconstruct the attack progression and give themselves a chance to respond. To be clear, that is a far cry from the legacy approach to network attacks: searching for known-bad indicators, or trying to shrink the attack surface until the organization relies on prevention alone. Modest pursuit of those approaches has some merit, but by themselves they are ineffective, and when faced with a novel variant of the next threat they will fail silently. Silently, that is, until the breach makes headlines because attackers got a foothold, established persistence and successfully expanded towards their objectives.
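The kind of detection the preceding two paragraphs describe, as an added example rather than anything from the article or from Vectra: a small Python script over constructed CloudTrail-style records that baselines each IAM principal's normal API calls and source addresses during a quiet period, flags calls that deviate (a credential used from an unfamiliar address, a first-time sensitive control-plane call such as AttachUserPolicy or StopLogging), and chains the deviations per principal into an attack-progression score. The event records, principal names, account ID, and the list of sensitive actions with their tactic labels are all assumptions made for the example.

```python
"""Control-plane attack progression over CloudTrail-style events.

Added example (not from the article): learn each IAM principal's normal API
calls and source IPs from a quiet period, flag deviations, then chain the
deviations per principal into an attack-progression score. All events below
are constructed for illustration; the account ID is a placeholder.
"""
from collections import defaultdict

# Control-plane calls that change access or configuration. An attacker holding
# a stolen credential reaches for these early; each is tagged with the tactic
# it usually serves. Assumed mapping for the example, not an AWS-published list.
SENSITIVE_ACTIONS = {
    ("iam.amazonaws.com", "AttachUserPolicy"): "privilege_escalation",
    ("iam.amazonaws.com", "CreatePolicyVersion"): "privilege_escalation",
    ("iam.amazonaws.com", "UpdateAssumeRolePolicy"): "privilege_escalation",
    ("iam.amazonaws.com", "CreateAccessKey"): "persistence",
    ("cloudtrail.amazonaws.com", "StopLogging"): "defense_evasion",
    ("s3.amazonaws.com", "DeleteBucket"): "impact",
    ("ec2.amazonaws.com", "TerminateInstances"): "impact",
}
# Typical order of stages; a chain that advances through several of them from
# one principal scores higher than an isolated anomaly.
TACTIC_ORDER = ["initial_access", "privilege_escalation", "persistence",
                "defense_evasion", "impact"]


def _ev(time, user, ip, source, name):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip,
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/" + user}}


# Quiet period used to learn what "normal" looks like for each principal.
BASELINE_EVENTS = [
    _ev("2024-05-01T08:00:00Z", "deploy-bot", "203.0.113.10", "ec2.amazonaws.com", "RunInstances"),
    _ev("2024-05-01T08:05:00Z", "deploy-bot", "203.0.113.10", "s3.amazonaws.com", "PutObject"),
    _ev("2024-05-01T09:00:00Z", "alice", "198.51.100.5", "iam.amazonaws.com", "ListUsers"),
    _ev("2024-05-01T09:10:00Z", "alice", "198.51.100.5", "s3.amazonaws.com", "ListBuckets"),
]
# Detection window: alice's key is used from an unfamiliar address and walks
# through escalation, persistence and log tampering; deploy-bot makes one
# destructive call from its usual address.
WINDOW_EVENTS = [
    _ev("2024-05-02T02:00:00Z", "alice", "192.0.2.77", "s3.amazonaws.com", "ListBuckets"),
    _ev("2024-05-02T02:03:00Z", "alice", "192.0.2.77", "iam.amazonaws.com", "AttachUserPolicy"),
    _ev("2024-05-02T02:05:00Z", "alice", "192.0.2.77", "iam.amazonaws.com", "CreateAccessKey"),
    _ev("2024-05-02T02:09:00Z", "alice", "192.0.2.77", "cloudtrail.amazonaws.com", "StopLogging"),
    _ev("2024-05-02T08:00:00Z", "deploy-bot", "203.0.113.10", "ec2.amazonaws.com", "RunInstances"),
    _ev("2024-05-02T08:30:00Z", "deploy-bot", "203.0.113.10", "ec2.amazonaws.com", "TerminateInstances"),
]


def build_baseline(events):
    """Per principal, the (service, action) pairs and source IPs seen during
    the learning period: {arn: {"calls": set, "ips": set}}."""
    baseline = defaultdict(lambda: {"calls": set(), "ips": set()})
    for ev in events:
        b = baseline[ev["userIdentity"]["arn"]]
        b["calls"].add((ev["eventSource"], ev["eventName"]))
        b["ips"].add(ev["sourceIPAddress"])
    return dict(baseline)


def detect(events, baseline):
    """One finding per event that deviates from its principal's baseline."""
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        arn = ev["userIdentity"]["arn"]
        b = baseline.get(arn, {"calls": set(), "ips": set()})
        call = (ev["eventSource"], ev["eventName"])
        reasons = []
        if ev["sourceIPAddress"] not in b["ips"]:
            reasons.append("new source IP " + ev["sourceIPAddress"])
        if call in SENSITIVE_ACTIONS and call not in b["calls"]:
            reasons.append("first-time sensitive call %s:%s" % call)
        if not reasons:
            continue
        # A credential used from an unfamiliar place, even for a harmless
        # read, is the initial-access signal for everything that follows.
        tactic = SENSITIVE_ACTIONS.get(call, "initial_access")
        findings.append({"time": ev["eventTime"], "principal": arn,
                         "tactic": tactic, "action": "%s:%s" % call,
                         "reasons": reasons})
    return findings


def score_progression(findings):
    """Group findings by principal; score = sum of the ranks of the stages
    reached, so a chain running initial access -> escalation -> persistence
    -> evasion outranks a single destructive call. Returns {arn: (score, tactics)}."""
    chains = defaultdict(list)
    for f in findings:
        if f["tactic"] not in chains[f["principal"]]:
            chains[f["principal"]].append(f["tactic"])
    return {arn: (sum(TACTIC_ORDER.index(t) + 1 for t in tactics), tactics)
            for arn, tactics in chains.items()}


def analyze(baseline_events, window_events):
    """Convenience wrapper: (findings, scores) for a learning and a detection window."""
    found = detect(window_events, build_baseline(baseline_events))
    return found, score_progression(found)


if __name__ == "__main__":
    found, scores = analyze(BASELINE_EVENTS, WINDOW_EVENTS)
    for f in found:
        print(f["time"], f["principal"].rsplit("/", 1)[1], f["tactic"], f["action"], "; ".join(f["reasons"]))
    for arn, (score, tactics) in sorted(scores.items(), key=lambda kv: -kv[1][0]):
        print(arn, score, " -> ".join(tactics))
```

The score makes the article's point concrete: not one of alice's calls matches a known-bad signature, since each is a legitimate API call made with a valid credential, but the sequence from an unfamiliar address scores 10 against 5 for deploy-bot's single destructive call from its usual address. Against real CloudTrail data the learning period needs to be far longer than the one day shown, and sourceIPAddress is often an AWS service name rather than an address when a service calls an API on the principal's behalf, which a production version would treat as its own category rather than as a "new IP".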
If we have learned anything since the turn of the millennium, it is that against the nearly limitless ingenuity of a motivated adversary, unknown and unanticipated threats will eventually establish a beachhead. The cloud control plane will be no different, and wise leaders will invest in preparing to detect and respond to that inevitability.