The rapid deployment and expansion of cloud technology over the past year has led to a dangerous rise in misconfigurations—a vulnerability that cybercriminals are only too eager to exploit. It’s increasingly critical for organizations to identify and implement tools to protect themselves from opportunistic attackers looking to take advantage of these misconfigurations. These tools must deliver visibility into potential security gaps, attack path vulnerabilities, exposed credentials, and suspicious account activity. As more organizations fall victim to misconfiguration-driven breaches, it has never been more important to have a strong understanding of what causes these breaches and how to defend against them.
The cost of misconfiguration-driven breaches
Before the pandemic had even reached its peak, the 2020 Verizon Data Breach Investigations Report noted a significant increase in the percentage of error-driven breaches caused by misconfigurations—rising from 20 percent in 2019 to 40 percent in 2020. A recent cybersecurity survey by Netwrix reported that a stunning 88 percent of government enterprises believe cloud misconfiguration are a top security threat, up from just 25 percent before the pandemic started. In the first three months of the pandemic alone, 11 percent of security incidents resulted from cloud misconfigurations—a number that has almost certainly risen in the months since. The numbers all underscore the growing seriousness of this issue, as does the ever-increasing cost of data breaches.
Ponemon’s 2020 Cost of a Data Breach Report found that the average total cost of a data breach has hit $3.86 million—a number that the report estimates increased by $137,000 as a specific result of the shift to remote work. Ponemon found that misconfigured clouds were one of the leading causes of breaches, with cloud misconfigurations as the initial attack vector in 19 percent of them. On average, these misconfiguration-driven breaches cost victims $4.41 million—14 percent more than the average breach. As these breaches grow more common, today’s businesses require stronger protections.
Network visibility can identify misconfigurations
Today, there are network visibility tools that can help identify privilege-related misconfigurations. While it’s essential to have mechanisms to locate intruders within the network, identifying the sort of excessive access or permission misconfigurations that can lead to breaches can help businesses address the root cause of these vulnerabilities before they become an issue.
Network visibility also lets companies conduct an attack surface vulnerability assessment, helping them understand potential attack paths based on exposed credentials, identity entitlements, and misconfigurations. Attackers are always probing networks for weaknesses, and organizations that understand their potential vulnerabilities can better prepare for attackers attempting to exploit them.
Taking steps to remediate stored credentials, changes in accounts and entitlements, and misconfigurations can significantly reduce the attack surface and give attackers less access and room to operate. Savvy defenders can substantially improve their odds of repelling attacks with enhanced visibility into the cloud threat landscape. Making life difficult for intruders can stop them and convince them the attackers that they should spend their efforts elsewhere.
Protect Active Directory
While Active Directory (AD) has become a prime target for attackers, it’s also notoriously difficult to protect. Because AD handles permissions across the enterprise, a wide range of systems must seamlessly connect with it. Today, enterprises can federate their on-premises environment with Microsoft’s Azure AD, which lets administrators use more stringent access control levels whether on-premises or in the cloud. However, if an attacker can authenticate on AD, they can get single-sign-on (SSO) access to resources throughout the network, including enterprise cloud resources.
With this in mind, companies need to focus on protecting AD on-premises and in the cloud. Toward that end, data concealment technologies that hide and deny access to AD objects, as well as decoys and lures, have become valuable tools for network defenders. Decoy cloud technologies like fake S3 buckets, serverless functions, and workloads such as containers and cloud-hosted servers (AD or otherwise) can trick attackers into interacting with them and giving away their presence. Even attackers who successfully infiltrate an enterprise’s cloud environment through a misconfiguration or other means will have difficulty navigating through its defenses. These include controls that secure privileged access, hide critical data, and deploy a minefield of decoys that will disrupt their attacks.
Innovations in conditional access and deception defenses enable efficient, high-fidelity alerting, which removes false alarms. Additionally, defenders can feel confident that all the alerts they receive are verified security threats based on unauthorized access. They can now automate their incident response for additional speed and efficiencies.
Identify misconfigurations to drive SOC efficiency
Although cloud misconfigurations are on the rise, organizations can protect themselves from costly investigations and breaches by taking the necessary steps to gain early visibility to exposures and identify attacks during the phase of discovery. By prioritizing early visibility to exposures that create risk and protecting high-value targets like Active Directory, defenders can close down the most vulnerable attack paths. These actions make it difficult for attackers to establish a foothold or gain the privileged access they need. By deploying data concealment strategies alongside lures and decoys throughout the cloud environment, organizations can further impede the attacker’s ability to escalate their attacks. Today, security incident response and data breaches are more costly than ever, but finding and remediating misconfigurations shouldn’t exhaust a company’s resources or keep IT teams up at night with concerns over what they may have missed.
Carolyn Crandall, chief security advocate, Attivo Networks
