Attackers Are Redirecting Their Efforts to the Cloud
Katie Nickels, a SANS-certified instructor and director of intelligence at the Red Canary, presented two techniques cybercriminals have adapted for use in the cloud. “Back in 2020 — it seems like so long ago — my colleague, Ed Skoudis, talked to you all about this technique, living off the land, using built-in binaries and operating systems. And that’s something we still have to worry about. But now I would argue we have to worry about something else that I’m calling living off the cloud.”
Nickels posited that threat actors are using the cloud for the same reason any other organization does. “Simple, it’s easy, it’s cheap, it’s convenient to set up infrastructure, right? Adversaries can really easily spin up infrastructure to compromise our organizations,” she said.
She also pointed out how much easier it is for attackers to blend in. She described how difficult it is for defenders to differentiate between legitimate cloud traffic and malignant activity. “We all use cloud services legitimately in our organizations. That stuff goes right through those firewalls and proxies.”
Her advice in defending against these attacks begins with another classic security cliché: Know normal, find evil. And when malignant activity is identified, it’s critical to report it to the cloud provider.
Attackers Are Recycling Old Tactics for New Uses
Nickels mentioned another trendy yet dangerous attack technique: multifactor authentication bypass. She related the story of a Russian hacker who was able to evade MFA by correctly guessing the password of an unused account that hadn’t been disabled in the company’s Active Directory. The attacker re-enabled the account through Active Directory and then bypassed the company’s MFA service by enrolling a new device.
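The chain Nickels describes (a dormant account being re-enabled, then a new MFA device enrolled on it) is what a detection should look for. The following is an added example, not code from the talk or the article: it runs a correlation over a constructed directory-audit trail. The event types, field names and the 90-day and 24-hour thresholds are assumptions, not any real product's schema.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real data): one account last seen in
# January is re-enabled in May and enrolled in MFA minutes later.
SAMPLE_EVENTS = [
    {"ts": "2022-01-03T09:12:00", "type": "logon", "user": "jdoe"},
    {"ts": "2022-01-04T10:00:00", "type": "logon", "user": "svc_old"},
    {"ts": "2022-05-10T02:14:00", "type": "account_enabled", "user": "svc_old"},
    {"ts": "2022-05-10T02:19:00", "type": "mfa_device_enrolled", "user": "svc_old"},
    {"ts": "2022-05-10T08:30:00", "type": "mfa_device_enrolled", "user": "jdoe"},
    {"ts": "2022-05-11T09:00:00", "type": "account_enabled", "user": "newhire"},
    {"ts": "2022-05-11T09:05:00", "type": "mfa_device_enrolled", "user": "newhire"},
]


def find_dormant_reenrollments(events, dormant_days=90, window_hours=24):
    """Alert when an account that had no logon for at least dormant_days is
    re-enabled and then enrolls an MFA device within window_hours.
    Accounts with no prior logon at all (fresh onboarding) are ignored."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )
    last_logon = {}   # user -> most recent logon time seen so far
    pending = {}      # user -> time of a suspicious re-enable awaiting enrollment
    alerts = []
    for e in parsed:
        user = e["user"]
        if e["type"] == "logon":
            last_logon[user] = e["ts"]
        elif e["type"] == "account_enabled":
            prior = last_logon.get(user)
            if prior is not None and e["ts"] - prior >= timedelta(days=dormant_days):
                pending[user] = e["ts"]
        elif e["type"] == "mfa_device_enrolled":
            enabled_at = pending.pop(user, None)
            if enabled_at is not None and e["ts"] - enabled_at <= timedelta(hours=window_hours):
                alerts.append({
                    "user": user,
                    "dormant_days": (enabled_at - last_logon[user]).days,
                    "enabled_at": enabled_at.isoformat(),
                    "enrolled_at": e["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_dormant_reenrollments(SAMPLE_EVENTS):
        print("ALERT dormant account re-enabled and MFA-enrolled:", alert)
```

The jdoe enrollment (no re-enable) and the newhire pair (no dormancy history) stay quiet, so the rule keys on the sequence rather than on enrollment alone.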
Johannes Ullrich, dean of research at the SANS Technology Institute, agreed with Nickels in stressing the value of MFA along with the need to be mindful of the details. “One of the things that I often see missing when people implement multifactor authentication is, how are you dealing with lost, broken or stolen second factors? How are you recovering them?”
Ullrich also emphasized the importance of backups, even though he called them boring. “In some ways, boring is good for security. I love security when it's boring. Usually, security gets bad when it gets exciting.”
He expressed concern for the many organizations that suddenly find themselves running multiple backup solutions for different environments. Remote users might be backing up to a USB device while the company is still using some on-premises backups, and now cloud backups are being added to the mix. “And for each one of these backup solutions, we have some unique attacks that could be launched against those solutions,” Ullrich said. Every one of these varied solutions widens the attack surface of an organization’s backups, because an attacker who gains control of a backup configuration could redirect it to a destination they control.