Over the last several years, there has been an unyielding growth in cloud adoption. With more services being moved to the cloud, coupled with the sanctioning of microservices, the evolving attack surface provides many opportunities for threat actors to gain access and maintain persistence to crucial services and data.
As more services move to the cloud, the composition of digital ecosystems changes. Cloud security remains critical, with unique challenges related to shared responsibility models and misconfigurations.
Unmanaged attack surfaces are a critical concern due to several factors. With the widespread adoption of cloud services and the rise of remote working, the exposure becomes more fragmented. Each new workload that connects with public networks presents a new potential risk associated with unmanaged assets.
On average, over 20% of externally accessible cloud services change monthly across organisations. This volatility introduces new security risks. For instance, over 45% of high-risk, cloud-hosted exposures in a given month are observed on new services that weren’t present on an organisation’s attack surface previously. The creation of new, publicly accessible cloud services (both intended and unauthorised) contributes significantly to high-criticality exposures.
Cloud environments dominate security exposures. Approximately 80% of security exposures occur in cloud environments. Misconfigurations, the shared responsibility model, shadow IT, and the inherent connection of cloud services to the internet all contribute to this higher distribution. Additionally, visibility challenges exacerbate the problem, making it challenging to manage and secure cloud assets effectively.
Some resources remain subtly exposed, even under stringent defences. For example: Cloud infrastructure that utilises Amazon S3 buckets to store sensitive data. These buckets are typically configured with strict access controls, limiting who can access them. However, they can become vulnerable via DNS requests.
When users or applications access resources over the internet, they rely on the Domain Name System (DNS) to translate domain names (like example.com) into IP addresses. These DNS requests are sent in plaintext, making them vulnerable to interception and analysis.
As legitimate users access various resources (including Amazon S3 buckets), their DNS requests reveal domain names. Even if the S3 bucket names themselves are well-hidden, the DNS requests leak crucial information about the existence of these buckets.
Armed with this DNS data, the attacker may be able to identify bucket names related to the organisation (e.g., company-data, project-backups, etc.). This reconnaissance allows attackers to plan targeted attacks, such as brute-forcing credentials, crafting convincing phishing emails, or exploiting any misconfigurations.
To mitigate these risks, more proactive management is required. Regular assessment and monitoring of publicly exposed services are crucial. Tools that detect subtle information leaks and unauthorised exposure enhance visibility.
However, organisations must also strike a balance - understanding that using the public internet or cloud inherently exposes an attack surface, while ensuring operational needs align with security considerations.
Reporting
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).