The Ransom of Commercial Cloud Services is Big Business


Commercial cloud services have become wildly popular. Gartner projected that the worldwide public cloud services market would grow 18 percent in 2017 to total $246.8 billion. That amount has been forecast to grow to more than $383 billion in 2020 due to the growing need for on-demand network and compute resources, which are outpacing available internal resources even in private cloud environments. 

According to IDC, 75 percent of organizations are currently implementing or considering the implementation of public cloud resources, and 50 percent of enterprise workloads are expected to migrate to the public cloud by 2018. Enterprises currently use a median of 62 different cloud applications or services in their networks, with Infrastructure as a Service (IaaS) reaching an all-time high. This represents nearly a third of all applications and services used.

This movement to the cloud is an essential component of the trend towards digital transformation. At the same time, it poses several serious security challenges – including creating and maintaining a consistent security posture across multiple domains, establishing single-pane-of-glass visibility and control, sharing threat intelligence across different devices and network segments, and orchestrating a coordinated response to detected threats at digital speeds. The recent advent of multi-cloud architectures, where organizations are moving their software, platform and even infrastructure to multiple cloud vendors to address issues such as redundancy and efficiency, has complicated these issues around visibility and control even further. 

As a result, it is pretty easy to predict the next big target for ransomware is likely to be cloud service providers and other commercial services. Their “one-to-many” model, where knocking a single provider offline can simultaneously affect hundreds or thousands of organization, represent huge revenue opportunities for cybercriminals.

Cloud Services' Achilles Heel

Cloud services are centralized, presenting a huge potential attack surface. Such complex, hyper-connected networks can produce a single point of failure. Which is precisely what happened when the Mirai botnet took out a DNS hosting provider in 2016. Rather than hacking a dozen businesses, criminals can hack a single cloud environment and potentially have access to data from dozens or hundreds of organizations or wipe out an entire range of services with a single attack.

And it's not just businesses that are affected. Government entities, critical infrastructures and healthcare organizations all use the cloud – and many times use the same cloud provider. If a cyber terrorist was able to take down a single major cloud service provider, the results could be devastating.

Of course, the fact that there is so much money to be made makes cloud providers increasingly tempting targets, particularly for ransom situations. And this is not mere speculation; one hosting provider in the APAC region recently paid a $1 million ransom to get its services back.

Smarter, More Sophisticated Attacks

This is just the beginning. To achieve their goals and outsmart the layers of security many cloud providers have implemented, it is highly likely that cybercriminals will begin to combine artificial intelligence (AI) technologies with multi-vector attack methods to scan for, detect and exploit weaknesses in a cloud provider's environment.

There are already attack tools with automated front ends being used to mine for information and vulnerabilities. They are being combined with AI-based analysis to sift through the resulting Big Data in search of weak spots. And it's now possible to leverage machine learning to modify code on the fly based on what has been detected in the cybercriminal's lab in order to better hide these penetration tools.

Although the threat magnitude of ransomware has already grown 35X over the last year with the growing prevalence and sophistication of ransomworms and other types of attacks, there is more to come. Next-gen morphic malware, for example, will use entirely new, customized attacks that will not simply be variations based on a static algorithm but will employ automation and machine learning to customize attacks to the profile of a unique target, while simultaneously making them far harder to detect and mitigate.

AI will allow criminals to detect a device or system weakness, then create an attack and conceal it based on that information. That attack can then deployed to cripple a service that generates millions of dollars a day for the provider while disrupting service for potentially hundreds or thousands of businesses and tens of thousands or even millions of their customers. Affected cloud providers, and potentially even their customers, must then pay a ransom to get services back online, creating a massive payday for a criminal organization.

Strategies to Secure the Cloud

There are multiple factors to consider when building and deploying a cloud security strategy. The IT security team must think in terms of not only doing everything possible to prevent a breach, but they need to expand their mindset from simply working to stop all threats to include assuming that some will be successful. IT teams need to be constantly answering the question, “What happens after a breach occurs?”

This mind shift changes the design paradigm from hardening the edge to one of detection and response to ensure that critical resources both in the cloud and the local network remain resilient and secured in spite of any network compromise.

Organizations need to carefully consider what their crown jewels are (whether IP or commercial services) and build a hardened security strategy around these large assets. They should evaluate how much revenue would be lost if any of these services went down and then invest in security solutions accordingly.

Micro-segmentation is a necessary strategy for dealing with threats once they're inside the network. Micro-segmentation is all about managing traffic within a domain of control, such that only approved sources, destinations and services are able to communicate with each other inside that single domain of control. This approach addresses the growing risk of a compromised server or device within a domain of control being able to communicate and perhaps subvert all the other devices within that domain.

To meet the demands of security across multiple cloud domains, a shared security model is required. Though cloud providers offer a wide range of security solutions, this can easily lead to yet more siloed security tools that are difficult for IT teams to coordinate. IT teams already have to manage their security tools through an average of 14 different security consoles, making threat correlation and response complicated and less effective. Adding additional complexity is not the answer. 

The goal for management and orchestration tools, whether local or in the cloud, is that they can be seen and managed through a single management interface in order to facilitate the collection and correlation of threat intelligence, as well as track and orchestrate universal security policies. 

Organizations are heading toward an interwoven security model that uses automation to manage security policies and update each security device regardless of where they have been deployed. Additionally, such a unified security framework can automatically correlate threat intelligence from across the distributed network and coordinate responses to detected threats whether local, mobile, or somewhere in the multi-cloud.

Because a security framework is built around integration, all tools, from end-point protection to firewalls and cloud-based security solutions, are able to communicate with each other to become an expert system capable of sharing and acting on the latest threat intelligence or suspicious network behavior. Such a framework's inherent scalability also means that as networks grow and become more distributed, their security protection grows accordingly.

Toward a Unified Security Model

Organizations increasingly see cloud environments as the best way to support digital transformation. Cloud providers are in high demand, but the rapid adoption of cloud services has outpaced IT's ability to secure them. The complex, interconnected networks that cloud providers have developed can create a single point of failure for hundreds of businesses, including government entities, critical infrastructures, and essential healthcare organizations. Cybercriminals are capitalizing on this situation by using advanced technologies, including automation and AI, to devise hard-to-detect attacks that can wreak havoc on cloud providers and their customers.

It's not just about the network perimeter anymore. Cloud security solutions today must address the unique requirements of cloud computing—whether public, private, hybrid or multi-cloud environments—by melding security solutions into a single integrated framework that enables and maintains centralized visibility and control across the entire distributed and highly elastic threat landscape.

Derek Manky

Derek Manky is chief security strategist and global vice president of threat intelligence at FortiGuard Labs. Derek formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. He provides thought leadership to industry, and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work includes meetings with leading political figures and key policy stakeholders, including law enforcement. He is actively involved with several global threat intelligence initiatives including NATO NICP, INTERPOL Expert Working Group, the Cyber Threat Alliance (CTA) working committee and FIRST – all in effort to shape the future of actionable threat intelligence and proactive security strategy.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.