According to a recently published report for the first quarter of 2017, there has been a significant rise in consumer and enterprise accounts in the Cloud. As more and more organizations migrate to the Cloud, the frequency and sophistication of Cloud-based attacks are growing.
Analysis of data that Microsoft collected from more than one billion systems over the course of the last year revealed a 300% rise in various types of attacks (phishing, brute-force, compromise of a third-party entity, etc.). Additionally, the volume of brute-force attacks against Cloud services from malicious IP addresses increased 44% during the same period.
One possible explanation for these figures is the transition to hybrid work environments in organizations around the world, which includes extensive use of Cloud services. This transition is attracting the attention of cyber criminals, who use stolen credentials, traded on illicit platforms, to take over the accounts of Cloud users.
Another prominent finding in the report is Cloud weaponization, namely the exploitation of compromised Cloud systems, such as virtual machines, for further attacks. In this scenario, once the attacker has taken control of a machine in a Cloud environment, it can be used to launch other attacks – brute-force against other targets, spam campaign distribution, phishing and more. Attacks of this kind are already occurring in the wild.
Of note, the majority of hacking incidents involving Cloud accounts have occurred due to insufficient security policy, mainly the use of generic and weak passwords. Additionally, attackers are aware that many users tend to re-use the same password on multiple services, which makes the risk even more severe.
Following are several recommendations to mitigate these kinds of threats:
- Strict Password Policy – As noted above, employees should be instructed to use strong passwords and not to re-use them across platforms.
- Multi-Factor Authentication (MFA) – an extra layer of protection on top of the username and password. After entering the username and password for the account, the user must also provide a one-time code (the second layer of protection) sent to their phone, i.e. a token in the user's possession.
- IP Range Restriction – prevents unauthorized users from accessing accounts by granting access only from known IP addresses and explicitly denying access from every other IP address.
- Identity and Access Management (IAM) – a web service that enables customers to manage users and their permissions. This means you can manage the accounts, credentials and access keys of every user.
- Intrusion Detection & Prevention – IDS and IPS both raise the security level of networks by monitoring traffic and inspecting packets for suspicious data. Detection in both systems is mainly signature-based, relying on previously observed and recognized attack patterns.
- Encryption of data at rest – Encrypting data in persistent storage helps protect and safeguard users' data. The Cloud infrastructure itself provides the service of encrypting and decrypting stored data, so that users do not have to manage the process behind the scenes.
- Cloud Access Security Brokers (CASB) – an on-premises or Cloud-based security policy enforcement point placed between Cloud service consumers and Cloud service providers, "to combine and interject enterprise security policies as Cloud-based resources are accessed."
- Access Auditing – enables IT professionals to continuously monitor and log access events for compliance, non-repudiation and forensic purposes.
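The brute-force and stolen-credential patterns the report describes, together with the IP range restriction and access auditing recommendations above, can be checked directly against sign-in logs. The following is an added example, not code from the article or from any Cloud provider: it assumes a simplified one-line-per-event log format, a constructed allow-list (the documentation range 203.0.113.0/24 stands in for a real corporate range), constructed sample log lines, and illustrative thresholds.

```python
"""Sign-in log triage for the threats the report describes.

Added example, not from the article or any Cloud provider. It assumes a
simplified, constructed line format:
    <ISO-8601 timestamp> <user> <source_ip> <SUCCESS|FAILURE>
Real providers emit richer JSON, but the same checks apply to those fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed corporate allow-list (IP range restriction); 203.0.113.0/24 is a
# documentation range used here as a placeholder for a real office range.
ALLOWED_RANGES = [ip_network("203.0.113.0/24")]
BRUTE_FORCE_THRESHOLD = 5                    # failures from one IP ...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)   # ... inside this sliding window
SPRAY_DISTINCT_USERS = 3                     # one IP failing against this many accounts

# Constructed sample log: a brute-force burst against bob that finally succeeds,
# a password spray across three accounts, and ordinary activity from the allow-list.
SAMPLE_LOG = """\
2017-03-01T08:00:01Z alice 203.0.113.10 SUCCESS
2017-03-01T08:00:05Z bob 198.51.100.7 FAILURE
2017-03-01T08:00:06Z bob 198.51.100.7 FAILURE
2017-03-01T08:00:07Z bob 198.51.100.7 FAILURE
2017-03-01T08:00:08Z bob 198.51.100.7 FAILURE
2017-03-01T08:00:09Z bob 198.51.100.7 FAILURE
2017-03-01T08:00:10Z bob 198.51.100.7 SUCCESS
2017-03-01T08:05:00Z carol 192.0.2.44 FAILURE
2017-03-01T08:05:01Z dave 192.0.2.44 FAILURE
2017-03-01T08:05:02Z erin 192.0.2.44 FAILURE
2017-03-01T09:30:00Z alice 203.0.113.11 FAILURE
"""


def parse_log(text):
    """Turn the constructed text format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ip_address(ip),
            "ok": outcome == "SUCCESS",
        })
    return events


def logins_outside_allowed_ranges(events, allowed=ALLOWED_RANGES):
    """Successful sign-ins from outside the allow-list: what an IP range
    restriction would have blocked, surfaced here through access auditing."""
    return sorted({(e["user"], str(e["ip"])) for e in events
                   if e["ok"] and not any(e["ip"] in net for net in allowed)})


def brute_force_sources(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """IPs with at least `threshold` failures inside any `window`-long span."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["ip"]].append(e["time"])
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(str(ip))
                break
    return sorted(flagged)


def password_spray_sources(events, min_users=SPRAY_DISTINCT_USERS):
    """IPs that failed against many distinct accounts: the re-used/generic
    password attack, where each account sees only a few attempts."""
    users_per_ip = defaultdict(set)
    for e in events:
        if not e["ok"]:
            users_per_ip[e["ip"]].add(e["user"])
    return sorted(str(ip) for ip, users in users_per_ip.items() if len(users) >= min_users)


def likely_compromised_accounts(events):
    """Accounts that signed in successfully from an IP already flagged as a
    brute-force or spray source: the stolen-credential outcome to investigate."""
    bad_ips = set(brute_force_sources(events)) | set(password_spray_sources(events))
    return sorted({e["user"] for e in events if e["ok"] and str(e["ip"]) in bad_ips})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("outside allow-list:", logins_outside_allowed_ranges(evts))
    print("brute-force sources:", brute_force_sources(evts))
    print("spray sources:", password_spray_sources(evts))
    print("likely compromised:", likely_compromised_accounts(evts))
```

The spray check is the one most often missing from signature-based IDS rules: three failures per account stays under any per-account lockout, so the detection has to pivot on the source address rather than on the user.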