Check Point Research reports a 48 per cent year-on-year (Y-o-Y) increase in cloud-based cyberattacks for 2022, as organisations increasingly move operations to the cloud amid accelerated digital transformation. The largest increases were seen in Asia (+60 per cent), followed by Europe (+50 per cent) and North America (+28 per cent). Check Point Research finds that, compared with on-premises attacks, attacks via the cloud make greater use of newer CVEs from the past two years. Check Point Research warns organisations that cloud-based cyberattacks can lead to damaging data loss, malware and ransomware attacks, and offers five cyber safety tips.
As many as 98 per cent of global organisations utilise cloud-based services, and approximately 76 per cent of them have multi-cloud environments, featuring services from two or more cloud providers.
Cloud adoption in general has grown rapidly in recent years, and Covid-19 accelerated this transition. With the normalisation of remote work, companies needed to be able to support and provide critical services to their off-site workforce. With the move to the cloud comes a need for cloud security: the wider the adoption of a technology, the greater the number of attacks on it. These cloud-based applications must be protected against attack, and cloud-hosted data must be protected against unauthorised access in accordance with applicable regulations. This year saw a significant example of how critical this protection can be, when Thailand’s most extensive mobile network, AIS, accidentally left a database of eight billion internet records exposed, leading to one of the most expensive breaches ever recorded, costing the company $58 billion to resolve.
In November, the FBI and CISA revealed in a joint advisory that an unnamed Iranian-backed threat group hacked a Federal Civilian Executive Branch (FCEB) organisation to deploy XMRig cryptomining malware. The attackers compromised the federal network after hacking into an unpatched VMware Horizon server using an exploit targeting the Log4Shell (CVE-2021-44228) remote code execution vulnerability.
Growth in the number of attacks against cloud-based networks
Looking at the cloud-based network landscape over the past two years, we see significant growth of 48 per cent in the number of attacks per organisation in 2022 compared to 2021. Broken down by geographical region, Asia saw the largest year-on-year increase in attacks per organisation, with 60 per cent growth, followed by Europe with a substantial 50 per cent and North America with 28 per cent.
Newer and major CVEs have a higher impact on cloud-based networks compared to on-prem
Although the current number of attacks on cloud-based networks is still 17 per cent lower than on non-cloud networks, drilling down into types of attacks, and specifically vulnerability exploits, shows that attempted attacks on cloud-based networks make greater use of newer CVEs (disclosed 2020-2022) than attacks on on-prem networks. The difference between the two types of networks can be seen in the visual below.
Further analysis of specific high-profile global vulnerabilities reveals that some major CVEs have had a higher impact on cloud-based networks compared to on-prem. For example, the Text4Shell vulnerability (CVE-2022-42889), which was disclosed in October and was exploited soon after, has shown a 16 per cent higher impact on cloud-based environments compared to its impact on on-prem networks. This vulnerability, which stems from Apache Commons Text functionality, allows attacks over a network without the need for any specific privileges or user interaction.
Additional examples of prominent CVEs disclosed this year that have shown a similar trend:
- VMware Workspace Remote Code Execution (CVE-2022-22954) – 31 per cent higher impact on cloud-based networks
- Microsoft Exchange Server Remote Code Execution (CVE-2022-41082) – 17 per cent higher impact on cloud-based networks
- F5 BIG IP (CVE-2022-1388) – 12 per cent higher impact on cloud-based networks
- Atlassian Confluence Remote Code Execution (CVE-2022-26134) – 4 per cent higher impact on cloud-based networks
The 7 Pillars of Robust Cloud Security
While cloud providers offer many cloud-native security features and services, supplementary third-party solutions are essential to achieve enterprise-grade cloud workload protection from breaches, data leaks, and targeted attacks in the cloud environment. An integrated cloud-native/third-party security stack provides the centralized visibility and policy-based granular control necessary to deliver the following industry best practices:
- Zero-trust cloud network security controls across logically isolated networks and micro-segments
Deploy business-critical resources and apps in logically isolated sections of the provider’s cloud network, such as virtual private clouds (AWS and Google) or VNet (Azure). Use subnets to micro-segment workloads from each other, with granular security policies at subnet gateways. Use dedicated WAN links in hybrid architectures, and use static user-defined routing configurations to customize access to virtual devices, virtual networks and their gateways, and public IP addresses.
- Shift your security left
Incorporate security and compliance protection early into the development lifecycle. With security checks integrated continuously into the deployment pipeline, rather than at the end, DevSecOps teams are able to find and fix security vulnerabilities early, accelerating an organisation’s time-to-market.
- Keep code securely hygienic with vulnerability management
Set guardrail policies to ensure your deployment meets the corporate code hygiene policies. These policies will alert on deviation from the policy and can block deployments of non-compliant artifacts. Build remediation processes by alerting the development team to non-compliant artifacts with appropriate remediation.
Incorporate tools which provide the ability to explore vulnerabilities and SBOM (Software Bill of Materials) to quickly identify resources with critical vulnerabilities.
- Avoid misconfiguration with continuous posture scanning
Cloud security vendors provide robust Cloud Security Posture Management, consistently applying governance and compliance rules to virtual servers. This helps to ensure they are configured to the best practices and properly segregated with access control rules.
- Safeguarding all applications (and especially cloud-native distributed apps) with active prevention via IPS (Intrusion Prevention System) and next-generation web application firewall
Stop malicious traffic from reaching your web application servers. Use a WAF that automatically updates its rules in response to changes in traffic behaviour and is deployed closer to the microservices that are running workloads.
- Enhanced data protection with multiple layers
Enhanced data protection with encryption at all transport layers, secured file shares and communications, continuous compliance risk management, and maintaining good data storage resource hygiene such as detecting misconfigured buckets and terminating orphan resources will provide that additional security layer for an organisation’s cloud landscape.
- Threat intelligence that detects and remediates known and unknown threats in real-time
Third-party cloud security vendors add context to the large and diverse streams of cloud-native logs by intelligently cross-referencing aggregated log data with internal data such as asset and configuration management systems, vulnerability scanners, etc. and external data such as public threat intelligence feeds, geolocation databases, etc. They also provide tools that help visualise and query the threat landscape and promote quicker incident response times. AI-based anomaly detection algorithms are applied to catch unknown threats, which then undergo forensics analysis to determine their risk profile. Real-time alerts on intrusions and policy violations shorten times to remediation, sometimes even triggering auto-remediation workflows.
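For the vulnerability-management pillar above (guardrail policies that alert or block, backed by SBOM lookup), here is a small deployment gate, added as an illustration and not taken from Check Point or any vendor product. The policy table, the artifact names, the rule `EXAMPLE-0001` and the package `com.example/report-lib` are constructed; the SBOMs are minimal CycloneDX-style documents.

```python
# Constructed guardrail policy. 1.5 through 1.9 (fixed in 1.10.0) is the
# published affected range for CVE-2022-42889; the second rule, its identifier
# and its package are placeholders that exercise the alert-only path.
POLICY = [
    {"id": "CVE-2022-42889", "pkg": "org.apache.commons/commons-text",
     "first": "1.5", "last": "1.9", "fixed": "1.10.0", "severity": "critical"},
    {"id": "EXAMPLE-0001", "pkg": "com.example/report-lib",
     "first": "2.0", "last": "2.3", "fixed": "2.4", "severity": "medium"},
]
BLOCK_AT = {"critical", "high"}  # severities that stop a deployment

def vkey(version):
    """Padded numeric key: 1.10.0 sorts above 1.9; qualifiers like -beta1 count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def evaluate(sbom):
    """Return (decision, findings) for one artifact's CycloneDX-style SBOM."""
    findings = []
    for comp in sbom.get("components", []):
        pkg = f"{comp.get('group', '')}/{comp['name']}"
        for rule in POLICY:
            in_range = vkey(rule["first"]) <= vkey(comp["version"]) <= vkey(rule["last"])
            if pkg == rule["pkg"] and in_range:
                findings.append({"id": rule["id"], "severity": rule["severity"],
                                 "component": f"{pkg}@{comp['version']}",
                                 "remediation": f"upgrade to {rule['fixed']}"})
    if any(f["severity"] in BLOCK_AT for f in findings):
        return "block", findings
    return ("alert" if findings else "allow"), findings

def sbom(*coords):
    """Build a minimal CycloneDX-style document from (group, name, version) tuples."""
    return {"bomFormat": "CycloneDX", "components": [
        {"type": "library", "group": g, "name": n, "version": v} for g, n, v in coords]}

# Constructed SBOMs for three hypothetical artifacts.
SBOMS = {
    "billing-api": sbom(("org.apache.commons", "commons-text", "1.9")),
    "reports": sbom(("org.apache.commons", "commons-text", "1.10.0"),
                    ("com.example", "report-lib", "2.1")),
    "gateway": sbom(("org.apache.commons", "commons-text", "1.4")),
}

if __name__ == "__main__":
    for name, doc in SBOMS.items():
        decision, findings = evaluate(doc)
        print(name, decision, [(f["id"], f["remediation"]) for f in findings])
```

In a pipeline, a `block` decision would fail the deployment step, while `alert` would pass it and route the findings and their remediation text to the owning team.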