SANS Institute Warns of Novel Cloud-Native Ransomware Attacks

The most recent Palo Alto Networks Unit 42 Cloud Threat Report found that sensitive data is present in 66% of cloud storage buckets. This data is vulnerable to ransomware attacks. The SANS Institute recently reported that these attacks can be carried out by abusing the cloud provider’s storage security controls and default settings.

“In just the past few months, I’ve witnessed two different methods for executing a ransomware attack using nothing but legitimate cloud security features,” warns Brandon Evans, security consultant and SANS Certified Instructor. Halcyon disclosed an attack campaign that leveraged one of Amazon S3’s native encryption mechanisms, SSE-C, to encrypt each of the target buckets. A few months prior, security consultant Chris Farris demonstrated how attackers could perform a similar attack using a different AWS security feature, KMS keys with external key material, using simple scripts generated by ChatGPT. “Clearly, this topic is top-of-mind for both threat actors and researchers alike,” notes Brandon.

To address cloud ransomware, SANS recommends that organizations:

  1. Understand the power and limitations of cloud security controls: Using the cloud doesn’t automatically make your data safe. “The first cloud services most people use are file backup solutions like OneDrive, Dropbox, iCloud, and others,” explains Brandon. “While these services usually have file recovery capabilities enabled by default, this isn’t the case for Amazon S3, Azure Storage, or Google Cloud Storage. It’s important for security professionals to understand how these services work and not assume that the cloud will save them.”
  2. Block unsupported cloud encryption methods: AWS S3 SSE-C, AWS KMS external key material, and similar encryption methods can be abused because the attacker has full control over the keys. Organizations can use Identity and Access Management (IAM) policies to mandate the encryption method used by S3, such as SSE-KMS using key material hosted in AWS.
  3. Enable backups, object versioning, and object locking: These are some of the integrity and availability controls for cloud storage. None of them are enabled by default for any of the Big 3 cloud providers. If used properly, they can improve the chances that an organization can recover its data after a ransomware attack.
  4. Balance security and cost with data lifecycle policies: These security features cost money. “The cloud providers aren’t going to host your data versions or backups for free. At the same time, your organization is not going to give you a blank check for data security,” says Brandon. Each of the Big 3 cloud providers allows customers to define a lifecycle policy. These policies allow organizations to automatically delete objects, versions, and backups when they are no longer considered necessary. Be aware, however, that attackers can leverage lifecycle policies as well. They were used in the previously mentioned attack campaign to urge the target to pay the ransom quickly.
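
An added example, not from SANS or the webcast: a small offline model of a bucket policy that implements recommendation 2, showing which uploads a deny-SSE-C statement and a require-SSE-KMS statement refuse. The bucket name and sample request headers are constructed; the two `s3:x-amz-server-side-encryption...` condition keys are real S3 policy condition keys, and the evaluator is a simplification that ignores Principal and Resource matching.

```python
# Added example: offline model of how a bucket policy treats PutObject requests.
# Bucket name is a placeholder; only the two operators used here are modelled,
# and Principal/Resource matching is skipped.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenySSEC", "Effect": "Deny", "Principal": "*",   # no customer keys
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Null": {
         "s3:x-amz-server-side-encryption-customer-algorithm": "false"}}},
    {"Sid": "RequireSSEKMS", "Effect": "Deny", "Principal": "*",  # SSE-KMS only
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringNotEquals": {
         "s3:x-amz-server-side-encryption": "aws:kms"}}},
]}

def condition_matches(condition, headers):
    """True when every operator/key pair in the Condition block matches."""
    for op, tests in condition.items():
        for key, want in tests.items():
            have = headers.get(key.split(":", 1)[1])  # s3:x-amz-... -> x-amz-...
            if op == "Null":
                # "false" means the key must be present, "true" means absent.
                if (have is None) != (want == "true"):
                    return False
            elif op == "StringNotEquals":
                # Negated operators also match when the key is absent.
                if have == want:
                    return False
            else:
                raise ValueError(f"operator not modelled: {op}")
    return True

def put_denied(policy, headers):
    """Return the Sid of the first Deny statement hitting a PutObject, else None."""
    for st in policy["Statement"]:
        if (st["Effect"] == "Deny" and st["Action"] == "s3:PutObject"
                and condition_matches(st.get("Condition", {}), headers)):
            return st["Sid"]
    return None

# Constructed request headers, one per encryption mode.
SAMPLES = {"sse-c": {"x-amz-server-side-encryption-customer-algorithm": "AES256"},
           "sse-kms": {"x-amz-server-side-encryption": "aws:kms"},
           "sse-s3": {"x-amz-server-side-encryption": "AES256"}, "no-header": {}}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        sid = put_denied(POLICY, hdrs)
        print(f"{name:10}", f"DENY by {sid}" if sid else "not denied by this policy")
```

The `no-header` case is denied because `StringNotEquals` also matches when the header is absent, so under a policy written this way uploaders must request SSE-KMS explicitly.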

To learn more, watch Brandon’s webcast, “The Cloud Won’t Save You from Ransomware: Here’s What Will”, by visiting https://www.sans.org/webcasts/cloud-wont-save-you-from-ransomware-heres-what-will/

Interested in more tactics for mitigating attacks in the Big 3 cloud providers? Check out Brandon’s course, SEC510: Cloud Security Controls and Mitigations in Baltimore, MD in June or Washington, DC in July.
