Can You See the Clouds Gathering?

As a Princeton seminary student, I had the opportunity to sing with the Princeton University Gospel Ensemble (a.k.a. PUGE). One of the more memorable songs we sang was a slave spiritual adapted from the Noah Story of the Bible. Its lyrics were the following:

"Can you see the clouds gathering,

don't let it be said too late.

You better run into the ark before the rain starts."

Slave spirituals appeared in the context of American slavery of Africans in the South. American slavery, an institution built on the enslavement of Africans, forcibly displaced them from their native lands, subjected to harsh servile labor, and broke up families. Africans attempted to liberate themselves from the tyranny of slavery with the help of the Underground Railroad, doing so at significant risk and threat to their lives. The Underground Railroad served as a northern passageway to freedom consisting of sympathetic abolitionists and a network courageous slave operatives. Together they created a secret and secure network of routes to transport freedom seekers safely to Canada. The success of these covert operations would not have been possible without the slave spirituals.

These songs served a dual purpose – to alert slaves and liberation operatives of impending danger on routes to freedom and render this messaging indecipherable to slaveholders. The mention of “gathering clouds,” coded language, mobilized the Underground Railroad network operatives to change tactics and course based on knowledge of imminent threats, enabling slaves to continue their pursuit of freedom and preserve their well-being without their oppressors catching on.

For companies on the path of cloud adoption, the fear that dark “clouds gathering” could impact business health and one's financial bottom is a source of anxiety. Despite recent data that show cloud adoption rates consistent growth over the last 18 months, a group of holdouts endure.[1] A recent conversation with a large multinational client revealed that some technology teams remain risk averse to a public cloud; leadership’s position on a public cloud was an adamant one: “We will only implement a private cloud, never a public one.” The unspoken implication to me was “private cloud is inherently safer than public cloud. Single tenancy keeps our data safe.”

Because of this fear of threats, business leaders are hesitant to move business-critical applications to the cloud. Workloads like messaging, customer resource managements, and collaboration solutions like Box and Google Docs in this line of thinking are not worth the risk to businesses. This distrust of the cloud continues but are these fears warranted? The fact that 30% of data (of which we are aware) still reside in cloud repositories gives executive pause. Add to this number the explosive growth of data generated by Internet of Things (IoT) endpoints, data levels in cloud repositories will skyrocket exponentially, resulting in increased opportunity for data theft.

The Cloud Security Alliance (CSA) recently polled technology leaders to understand what concerns them most regarding cloud adoption. The result – the treacherous twelve cloud security concerns.[2] Data breach, vulnerabilities, insider threat and nation-state actors, traditional concerns, are the same for executives contemplating cloud. I would argue that two main motivations characterize these “12” and other security threats: data theft and data disruption.

In the first bucket, motivated actors’ objective is to access and steal data. Concerning data theft, the following activities, ranging from trivial to highly sophisticated attacks, have been reported:

• Obfuscation: Reports indicate that attackers have leveraged cloud services to obfuscate exfiltration data from companies. In one instance, attackers used malware to take over a Twitter account. The corporate account, identified by Skyhigh Networks, showed a 10^2 order of magnitude increase in activity, a change from a few thousand tweets to 100,000. Further, the account was found to be tweeting out 140 characters of data at a time.[3] In another instance, Skyhigh uncovered a nation-state actor using a well-known video service, purportedly YouTube, to siphon data from a company it targeted. The perpetrators packaged the targeted data and encoded them in standard video format and subsequently uploaded videos. These videos were then downloaded and decoded to access the stolen intellectual property.[4]

• Account Compromise Using Cloud Ecosystems: Data thieves are using cloud ecosystems as an adversarial advantage to compromise accounts at scale. Synchronization was determined to be the root cause of a major data breach in which 1.7 million stored user passwords were exposed. Opera, the breached entity and Norwegian browser, notified users of the issue. Opera Sync, an Opera product, figured prominently in this incident. Apparently, attackers targeted Opera's sync servers. Attackers then relied on Opera sync’s install base to amplify the attack. Opera sync affords its users the ability to maintain computing activity between devices (e.g., laptop to mobile), offering seamless end user experience (i.e., syncing browsing and tab history and passwords in addition to favorites and bookmarks). Opera cautioned users that the extent of the compromise is not yet determined but to assume the breach jeopardized the integrity of their accounts, warranting the notification.  Opera directed users to not only change their Opera sync passwords but also third-party site passwords linked to their sync accounts, exhibiting the way cloud breaches of this type spread quickly.[5]

Cloud side channel attack theory, extended from traditional side channel attack methodology, has been in vogue in academic circles in recent years and considered an attack method of choice of the criminally motivated. The seminal paper on this approach, "Cross-Tenant Side-Channel Attacks in PaaS Clouds," written by researchers Juels, Reiter, and Ristenpart details three successful attacks against platform-as-a-service (PaaS) implementations. Using a framework of side channels to extract data or keys from CPU cache, they successfully exposed weaknesses in shopping carts, pseudo-random number generators (PRNGs), and the security assertion markup language (SAML) to compromise PaaS ecosystems.[6]

• Application Programming Interface (API) Abuse: APIs are ubiquitous in cloud environments, paving the way for opportunistic threat actors. Information technology teams managing cloud services are responsible for managing and monitoring those services. Risk arises through the exposure necessary of API keys by these teams to ensure compatibility between services. Because APIs are exposed to facilitate operability among clouds (i.e., cloud chaining), APIs become a ripe attack surface for theft. Threat modeling and code review in conjunction with application reviews and assessments are necessary to ensure API security hygiene.[7]

In the disruption data bucket, we see distributed denial of service (DDoS) as the primary disruptor of business continuity. Malware amplification via the cloud has also resulted in outages. Each of these disruptions is meant to keep businesses off line and in some instances serve as precursors for the actual compromise.

• Ransomware, our current leading security scourge, in my opinion, straddles the data theft and data disruption categories, warranting a third bucket: data extortion.[8] Criminals hold data hostage (i.e., tantamount to theft) while at the same time interrupting normal business operation.
• Dark Cloud Networks: The Risk Analytics Threat Intelligence team discovered a complex network of command and control (CC) servers, botnets and advanced fast flux capability spreading spambots and malware, popular flavors of ransomware and information stealers, and click fraud.[9] Brian Krebs dubbed this crimeware network the “Dark Cloud.”[10] Unfortunately, criminals in collusion with other unlawful accomplices are successfully building dark cloud ecosystems that detection tools miss.

This makeshift taxonomy presented here is not meant to be exhaustive but merely highlight active threats materializing in the cloud and the need to plan accordingly given these risks. To keep pace with threat actors and the threats they pose are typical focus areas:

• Identity and Access Management - Management of identity is critical to understanding who is accessing data. The CSA recommends that at a minimum they use of multi-factor authentication (MFA) and single sign-on (SSO) to thwart credential theft.
• Data Security - Encrypt data-in-transit to the cloud and at-rest wherever possible. Protect and manage keys from falling into the wrong hands
• Monitoring and Alerting/Threat Intelligence - Build early alerting systems based on threat intelligence to flag patterns of anomalous behavior, leaking of sensitive data and criminal activity.

Defenders in the cloud must “do the right thing(s)” and perform due diligence to withstand this next wave of threat.

Conclusion

Not surprisingly, a familiar cast of characters behind these threats is emerging. Foreign governments and malware dealers increasingly adopt the cloud as a medium to accomplish their nefarious ends. The tectonic shift ushered in by cloud computing emboldens threat actors to evolve and amplify their breach efforts. In the way that slaves innovated the use of slave spirituals to thwart threat, cloud adopters need to acquire usable cloud intelligence and adapt strategy to mitigate attacks.

Given this ever-changing attack surface are we poised to see new geopolitical, socio-political, and multi-national groups threaten? Are new waves of cyber-espionage or hacktivism propagated through cloud ecosystems soon to strike? Will so-called digital caliphates extend their rhetoric of hate to the cloud to carry their outreach to broader audiences? Will audit trails and attribution get harder? The data suggest that dark clouds are gathering, signaling the need for comprehensive preparedness consisting of cloud threat intelligence and threat mitigation initiatives.