How organizations can learn from cloud security breaches

When Enterprise Strategy Group senior analyst Melinda Marks and I asked organizations if they had experienced a cloud-focused cyber attack in the last 12 months, an alarming 99% claimed their organization had.

Our research on cloud threat detection and response -- which surveyed 393 security pros and asked about their cloud environments' security controls and strategic cloud security plans -- is worrying, but organizations have an opportunity to make lemonade out of lemons here.

The following are the top five cyber attacks cited, along with guidance on appropriate countermeasures against future attacks:

• 30% of organizations reported a cyber attack based on exploit(s) of a misconfigured cloud service, workload, security group and/or privileged account. This common attack vector involves adversaries capitalizing on assorted instances of human error. To counter these issues, organizations must establish documented policies around all areas related to cloud configurations, put controls in place to prevent misconfigurations upon deployment and continuously scan cloud applications and infrastructure for configuration drift, with alerts generated for all violations. Finally, organizations must run alerts through a risk scoring algorithm to help security, development and operations teams prioritize remediation actions.
• 30% of organizations reported the misuse of a privileged account by an employee. Misuse suggests malicious activity, but it could simply come down to administrator ignorance or negligence. Addressing this situation starts with clear policies and training for administrators. Training should cover general best practices, as well as the nuances of the individual administrator actions and functionality associated with different cloud service providers. Continuous monitoring, alerting and risk scoring are important.
• 29% of organizations reported the misuse of a privileged account, secrets or access keys via stolen credentials. It's also important to address the issue of stolen credentials. Are administrators using basic passwords or sharing passwords? Are they the victims of spear phishing attacks? Are they securing their personal access tokens when using code repositories? The answers to questions like these might uncover areas for more training, or the need for strong authentication technologies.
• 28% of organizations reported malware that moved laterally to cloud workloads. I'm assuming this describes a kill chain that starts with a system compromise and then progresses to some type of malicious cloud activity, such as cryptomining or a data breach, using various tactics, techniques and procedures (TTPs). To mitigate this, assess the efficacy of endpoint and network security technologies in areas including malware and anomaly detection. Operationalize the Mitre ATT&CK framework to track attack progression and pinpoint other potential TTP activity to investigate. Once again, expand user training.
• 28% of organizations reported unauthorized access by a third-party consultant or vendor. At the risk of sounding like a broken record (Note: an antiquated colloquialism indicating repetition), countermeasures start with basic access policies on who can and can't access cloud resources. Formalize and enforce these policies, especially for third parties. Put role-based access policies in place to enforce least privileges. Support policy enforcement by monitoring and alerting.

My recommendations aren't earth shattering; they are best practices any CISSP could rattle off in their sleep. Why are these breaches occurring then? Too many organizations are so enamored with cloud technology and application development opportunities that they fail to put in basic safeguards.

Companies should commit to a strong cloud security foundation in 2024, starting with the essentials: governance, policies and cloud security training for software developers, IT operations and security professionals. When supplemented with continuous monitoring, alerting and risk scoring, CISOs can avoid many cloud security problems.

Jon Oltsik is a distinguished analyst, fellow and the founder of TechTarget's Enterprise Strategy Group cybersecurity service. With more than 30 years of technology industry experience, Oltsik is widely recognized as an expert in all aspects of cybersecurity.

Enterprise Strategy Group is a division of TechTarget. Its analysts have business relationships with technology vendors.