Intrusion refers to any attempt made by attackers to access, compromise and misuse your organization’s network. Various examples include launching injection attacks that modify server databases; exploiting system vulnerabilities to spread Trojan horse software; and conducting large-scale DDoS attacks to disrupt enterprise services. The cloud’s rapid adoption has seen cracks open up in enterprise security. 

On the surface, the solution is simple: system vendors could proactively identify vulnerabilities and issue patches far in advance of any successful intrusions. This seemingly hands-off approach fails to recognize some of the physical realities of software development: patches take time to build and release. Even worse, if the patch holds some dependencies over an organization’s critical systems, their implementation will likely have to be scheduled in advance. 

As time ticks away, cybercriminals are often hastily shotgunning the newly-reported exploit across entire industries. Security leader Rapid7 – in their 2022 Vulnerability Intelligence Report – shed further light on the intensely efficient cybercrime industry. 56% of vulnerabilities are now exploited within a week of their public disclosure – an 87% increase since 2020.

As time runs out on attack path compromise, it’s becoming increasingly important to find and fix your own exploit paths – before attackers do. 

#1. Intrusion detection and prevention – protect pre-patch 

Updates from system vendors take time; not to mention the logistical complexity of installing updates in critical infrastructure. The primary task of intrusion and detection tools is to defend against attacks before an official update is installed. 

At the core of exploit prevention is detection, achieved in a variety of ways. Network Intrusion Prevention Systems (NIPS) are the classic example; strategically positioned throughout an organization’s network, this monitors the flow of traffic in and out of the perimeter. This allows the organization to see any suspicious activity going on at the network layer, such as packet fragmentation. 

As the size and scope of cloud networks spread, more focus has since been placed on host-based intrusion detection systems (HIDS). These monitor the incoming and outgoing traffic of each endpoint. Increasing endpoint granularity allows HIDS to discover malicious threats that originate from an otherwise trustworthy host – such as an internal device becoming infected with malware that then attempts to replicate itself across the organization’s system.

Anomaly-based Intrusion Detection (AID) represents the next advancement in IDS, observing network traffic and comparing it to a predefined baseline of “normal” behavior. This approach identifies unusual activities and behaviors, such as unusual bandwidth usage, devices, ports, and protocols. Utilizing machine-learning methods, AID dynamically adapts the organization’s security policy in response to unexpected network behavior, enabling faster detection of emerging threats.

However, IDS is only a detection device. The anomalies that it discovers are pushed through the security team’s stack to be more closely examined at the application and protocol layer. Enter the Intrusion Prevention System (IPS). When suspicious activity is detected, it takes the appropriate neutralization steps. For example, if NIPS flags up a packet fragmentation case, the prevention component is able to reassemble the packet data on the fly. This helps break down some of the evasion tactics that cyber attackers try to hide behind.

#2. Network segmentation – reduce & control attack surfaces

As organizations navigate the complexities of the shared responsibility model, many overlook the threat protection opportunities residing in their own network architecture. Network segmentation grants more direct control and visibility over the entirety of an organization’s tech stack – furthermore, it limits a threat’s ability to move freely throughout the system.

Cloud resources are often managed through Virtual Private Clouds (VPCs).  A VPC closely resembles the traditional on-prem network, and offers a first level of segmentation by defining the range of IP addresses available for use.  Selecting this range of IP addresses needs two key considerations to be taken into account. Firstly, if you opt for a block of 256 potential addresses, your VPC can accommodate a maximum of 256 resources. As these begin to be split into various subnets (more on them shortly), that VPC’s usable capacity begins to drop. This is an opportunity for organizational security: a set of small VPCs that cluster similar assets can be peered together through peering tunnels or a transit gateway. 

With the first step toward network segmentation in place, it becomes possible to segment each VPC into subnets. Every subnet essentially acts as an independent system with unique access and security controls – allowing you to control the flow of data traffic between sections.  Access Control Lists (ACLs) provide further, highly-granular attack path protection to individual subnets by monitoring and filtering traffic.

By clustering sensitive resources in specific VPCs, the potential for security tooling to identify and stop specific attack paths is greatly increased. 

#3. IAM – know who’s accessing what

Identity Access Management (IAM) is a security framework that empowers you to recognize, verify, and grant permissions to individuals, groups, and entities that rely on your cloud services. IAM solutions enforce rules and limitations on their access, safeguarding both the data within your ecosystem and the ecosystem itself.

Firstly, employing systematic identity management enables DevOps to categorize identities into groups based on their role’s true access requirements. From there, IAM policies can be accurately applied to each group. This categorization approach not only allows for efficient management of identities, but also allows your IAM structure to adhere to least-privilege practices.

Having comprehensive visibility into all identities and their corresponding permissions is crucial. Without this transparency, any identity might acquire excessive access, exposing your organization to unnecessary vulnerabilities. This level of visibility is attainable through third-party cloud security platforms.

While IAM categorization helps you see who’s accessing what area of the network, the other component to blocking malicious account access is client-side. Authenticating who’s behind the screen is vital to identifying potential attacks. Multi Factor Authentication (MFA) lets you implement another layer of identity protection via a second verification method. 

#4. Monitor and log events – understand your attack surface

By now, the elephant in the server room is the complexity of cloud infrastructure. While the previous approaches help block potential attack paths, they can make comprehensive visibility a minefield – and you can’t protect something you can’t see. 

Logging data allows you to re-define your approach to cloud visibility.  Helping troubleshoot  current issues and prevent future ones, logging provides a platform through which you can begin automating and streamlining your cloud’s attack path management. Depending on your industry and architectural choices, compliance regulations will shape your logging priorities.  For instance, HIPAA compliance demands all access to highly sensitive data to be logged. Financial transactions, on the other hand, are a necessary focus of PCI DSS compliance. 

Alongside industry-specific event logging, it’s important to highlight activities surrounding any vital part of enterprise infrastructure. Server authentication attempts can allow real-time insight into credential stuffing campaigns, while logs that monitor server-executed commands can give you a headstart on incoming malware payloads. 

Just as event logging helps you keep a handle on your cloud’s dozens of moving parts, all of this event data can be processed and streamlined by a Security Information and Event Management (SIEM) solution. This helps give you a more macro overview of your cloud security positioning, with a streamlined view that cuts across event log data from users, endpoints, applications, data sources, cloud workloads, and networks. Alongside deeper insight, into your own network, some SIEM solutions are enriched with real-world threat intelligence.

Given the rapid shifts in the cybersecurity arena, organizations must have confidence in tools capable of identifying and addressing both familiar and unfamiliar security risks. By harnessing combined threat intelligence sources and artificial intelligence, SIEM solutions enhance security teams’ capacity to rapidly respond to today’s array of cyber assaults.

#5. Penetration testing – put it to the test

Having secured visibility into your users, networks, and services, the final component to attack path detection is actively stress-testing the systems you’ve put in place. Car manufacturers don’t release new models before extensive crash testing – your organization needs to take the protection of employees and customers just as seriously.  

Penetration testing allows you to pinpoint the vulnerabilities and attack paths in your cloud infrastructure before adversaries do. This assessment serves two main purposes: recognizing vulnerabilities and gauging how well your current security tooling withstands adversaries under pressure. 

The North Star of pentesting is the STRIDE threat model, developed by Microsoft to identify specific computer security scenarios for consideration in cloud penetration testing. This model enhances comprehension of security issues. These scenarios focus on categorizing various threat types, though there remain numerous potential deployments and applications that necessitate their own testing protocols. 

The STRIDE model encompasses the following threat types:

• Spoofing: Pilfering cloud environment credentials to exploit the privileges associated with a stolen identity.
• Tampering: Encompasses actions like modifying cloud logs, altering hosted images, tampering with APIs, repositories, or data with malicious intent.
• Repudiation: Encompasses actions like erasing or disabling cloud logs or using cloud services to obscure actions or incidents.
• Information disclosure: Entails leaking data from incorrectly configured public cloud data repositories.
• Denial of service: Encompasses actions such as destroying or encrypting cloud resources, deactivating accounts, credentials, or users.
• Elevation of privileges: Relies on misconfigured IAM permissions to enable escalation or exploits permissions granted to compromised or targeted services and systems.

Combine all 5 into a cohesive security strategy

Security strategy faces an Everest-scaling task: align and coordinate during a constant background of threat evolution.

The first step to an all-encompassing security strategy is the ability to precisely outline the present condition of your own security landscape. This is where logging, intrusion detection, and pentesting play the largest role. By proactively finding and addressing flaws, your teams are given cohesive and actionable improvements. As your security capacity grows, then segmentation and IAM crackdowns can begin actively toughening your cloud defenses.   

The ongoing enhancement of security procedures is what keeps the field exciting – supporting DevSecOps with emerging novel technologies allows your security policy to synchronize with tomorrow’s evolving threat landscape.