The Technology Headlines DEMAND FORCASTING & AI | Page 9
EXPERT ANALYSIS
AUGUST 2019

“One successful spear-phishing attack shouldn’t be able to bring down your entire cloud environment”

providers? This provides convenience and transparency, but also drastically increases the blast radius of a successful compromise.

To help understand your exposure to various attacks, start with a baseline account configuration review. This can be done in AWS, Azure, and Google Cloud Platform, for example, and assesses the configuration of a cloud account itself, its access permissions, and any resources deployed within the account. What resources are users able to access, how could resources be misconfigured, and how might a potential attacker leverage these misconfigurations?

The next step is an assumed compromise breakout assessment. This involves starting from an assumed compromise position on a compute instance and assessing what the blast radius is, and what an attacker can achieve from that position. Can other instances be accessed? Or worse, can they achieve privilege escalation within the account and gain full control of the cloud account?

These are all important issues that are crucial to understand, and questions that need to be answered in order to determine which avenues an attacker might take within your estate. In the course of many simulated attacks on cloud environments, Context researchers have found exploitable weaknesses in all these areas.

For private hybrid cloud environments, where a public cloud provider is not being used for any public-facing services but purely as an extension of an on-premise environment, an egress assessment serves to determine whether any services have not been locked down sufficiently, allowing data to flow out from the VPC to the Internet, or worse, out from an on-premise instance, through the VPC and out to the Internet.

Finally, a bespoke scenario assessment can be tailored specifically to your estate, to assess the risks posed by each threat actor in your threat model. Standard assessments such as web application assessments, build reviews, and internal and external infrastructure assessments can all also be performed inside cloud environments.

Migration to the cloud is only going one way, but our research and experience show that vulnerabilities in cloud environments can have real-world consequences if exploited by malicious attackers. So, you need to find and fix those weak links before they do.
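A baseline configuration review and an egress assessment of the kind described above both reduce to concrete checks over account configuration. The Python below is an added example, not the article's or Context's own code; it assumes AWS-CLI-shaped JSON for security-group egress rules and for an instance role's IAM policy, and all sample data in it is constructed.

```python
# Added example, not from the article or Context's own tooling: two checks a
# baseline configuration review and an egress assessment would automate.
# Input shapes mirror AWS CLI output (describe-security-groups egress rules
# and an IAM policy document); all sample data below is constructed.

SECURITY_GROUPS = [  # constructed: sg-0aaa is wide open, sg-0bbb is locked down
    {"GroupId": "sg-0aaa", "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb", "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]

INSTANCE_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed sample
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    # the second statement is far broader than the workload needs
    {"Effect": "Allow", "Action": ["iam:*", "sts:AssumeRole"], "Resource": "*"},
]}

def as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def unrestricted_egress(groups):
    """GroupIds with an all-protocol egress rule to the whole Internet (v4 or v6),
    i.e. groups from which an instance can move data out of the VPC unhindered."""
    findings = []
    for sg in groups:
        for rule in sg.get("IpPermissionsEgress", []):
            cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
            if rule.get("IpProtocol") == "-1" and cidrs & {"0.0.0.0/0", "::/0"}:
                findings.append(sg["GroupId"])
                break
    return findings

def overbroad_statements(policy):
    """(statement index, action) for Allow statements granting a wildcard action or
    any IAM action on Resource '*': the grants that let a compromised instance
    escalate from one workload to control of the whole account."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt.get("Resource", [])):
            continue
        for action in as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*") or action.startswith("iam:"):
                findings.append((i, action))
    return findings
```

Running both checks over a real account's exported JSON gives the reviewer the list of groups and role statements to tighten first; the constructed data above yields one finding from each.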