Ransomware is one of the predominant cyber threats facing us today with attackers demanding higher payouts than ever before. As ransomware gangs grow in numbers, sophistication and confidence, the US Treasury estimates more than half a billion dollars was paid in the first half of 2021.
Meanwhile, as part of global digitalisation efforts and propelled by the Covid-19 pandemic, organisations are continuing to migrate their business processes into the cloud at a rapid pace. This comes at no surprise given that cloud adoption can unlock $1 trillion in business value. In two years’ time, most companies aim to shift 80% of their IT hosting spend to the cloud. But how secure is it?
Inevitably, the confluence of these trends has led to the proliferation of so-called “ransomcloud” attacks. With more data and digital operations on the cloud than ever before, it has become a target of choice for cyber criminals.
Cloud security challenges
One of the many benefits of cloud solutions is that anyone can quickly and easily spin up a server, whereas previously hardware and various levels of approval were needed. The ease of deployment and the fact cloud is virtually set up in someone else’s environment, means people can just as quickly forget it exists. For this reason, many cloud customers are confronted with unexpected costs due to a lack of clear understanding of their assets in the cloud. This also presents a security risk because, as we will see, visibility and asset management are key to mitigating the risk of ransomcloud attack.
So, why don’t cloud providers solve this problem? Cloud operators run a Shared Responsibility Model, meaning they are responsible for the security of their own hypervisor and any infrastructure they provide. However, regardless of whether you adopt a public, hybrid or multi-cloud infrastructure, securing access to it falls under the customer’s responsibility.
Large attack surface
There are multiple ways in which ransomware can infiltrate your cloud environment, such as via phishing emails, links to stolen cloud credentials or an outright attack on your cloud service. Once in the cloud, the malware has invaluable access to a wealth of data – emails, files, documents, databases, accounts and more – which it can encrypt and hold for ransom.
Most cloud deployments are hybrid meaning that the cloud is not isolated from the internal network, therefore the connections from domain controllers and servers will typically hold premise over VPNs. This means attackers can pivot through the cloud and gain access to the corporate network, putting your company’s “crown jewels” at risk.
The most common reasons we see this happen is down to lack of visibility and misconfigurations. For example, we’ve recently seen many exploits on VPN devices through a software bug that provides attackers access and the ability to send data directly to the device.
To minimise the risk of ransomware attackers targeting your cloud environment, here are four key steps to follow:
1. Visibility and asset management
When thinking about security in the cloud, visibility is always paramount. When we place data in someone else’s cloud, it is easy to forget it’s there. If we can’t see what’s there, it’s very difficult to secure it. It’s crucial to understand what is running in your cloud environment, and to monitor it – enabling you to spot any deviations from the norm. The attack surface can also be reduced by only opening up necessary servers on the cloud, and ensuring they aren’t exposed.
2. Controls and basic cyber hygiene
Once you have a good understanding of your cloud environment, it’s important to apply the same cyber hygiene basics that you would for your on-premise environment. This includes regular patches and understanding what needs to be patched – and when.
Given securing access to the cloud environment is down to the customer, implementing multi-factor authentication and strong password policies are also a must. Security teams should treat their cloud servers as they would servers in their own data centres.
3. Monitoring your environment
Having a good overview of your cloud environment and assets is one thing, making sure you are monitoring everything is another. Do you know the cloud server exists? Do you collect logs? Do you have a SOC that collects logs? These are questions you should be asking when thinking about monitoring your cloud environment.
It is impossible to know for sure what might happen in your cloud or how an attacker might choose to enter. However, using a highly automated monitoring system and leveraging machine learning to correlate the data enables incident responders to have real-time visibility and to spot and act on any unusual network behaviour.
4. Implementing a response plan
The last key step is ensuring you have a response plan in place, ready to activate should your business fall victim to a ransomcloud attack. Assume the worst situation will happen, then plan for it and run practice scenarios.
Ransomware attacks are not just an IT issue, they can affect an entire business. Ensure key stakeholders understand their role – from the technical first response team to the Board and C-Level executives. It’s also worth asking your cloud providers if they have any plans for recovery after a ransomware attack.
As with many rapid technological changes, security can often be a secondary consideration. With cloud playing such a vital role in company infrastructure nowadays, it is crucial to have robust security measures in place, and where possible in-house security teams or third parties to help manage operations. Following these steps will help ensure your company’s data, money and reputation are as protected as they can be against ransomcloud attacks.
Share
