The latest Palo Alto Networks Unit 42 Cloud Threat Report found that sensitive data is present in 66% of cloud storage buckets. This data is vulnerable to ransomware attacks. The SANS Institute recently reported that these attacks can be carried out by abusing the cloud provider’s storage security controls and default settings.
“In just the past few months, I’ve witnessed two different methods for executing a ransomware attack using nothing but legitimate cloud security features,” warns Brandon Evans, security consultant and SANS Certified Instructor. Halcyon disclosed an attack campaign that leveraged one of Amazon S3’s native encryption mechanisms, SSE-C, to encrypt each of the target buckets. A few months prior, security consultant Chris Farris demonstrated how attackers could perform a similar attack using a different AWS security feature, KMS keys with external key material, using simple scripts generated by ChatGPT. “Clearly, this topic is top-of-mind for both threat actors and researchers alike,” notes Brandon.
To address cloud ransomware, SANS recommends that organizations:
- Understand the power and limitations of cloud security controls: Using the cloud doesn’t automatically make your data safe. “The primary cloud services most individuals use are file backup solutions like OneDrive, Dropbox, iCloud, and others,” explains Brandon. “While these services often have file restoration capabilities enabled by default, this isn’t the case for Amazon S3, Azure Storage, or Google Cloud Storage. It’s crucial for security professionals to understand how these services work and not assume that the cloud will save them.”
- Block unsupported cloud encryption methods: AWS S3 SSE-C, AWS KMS external key material, and similar encryption methods can be abused because the attacker has full control over the keys. Organizations can use Identity and Access Management (IAM) policies to mandate the encryption method used by S3, such as SSE-KMS using key material hosted in AWS.
- Enable backups, object versioning, and object locking: These are some of the integrity and availability controls for cloud storage. None of them are enabled by default for any of the Big 3 cloud providers. If used properly, they can increase the chances that an organization can recover its data after a ransomware attack.
- Balance security and cost with data lifecycle policies: These security features cost money. “The cloud providers are not going to host your data versions or backups for free. At the same time, your organization isn’t going to give you a blank check for data security,” says Brandon. Each of the Big 3 cloud providers allows customers to define a lifecycle policy. These policies allow organizations to automatically delete objects, versions, and backups when they’re no longer considered necessary. Be aware, however, that attackers can leverage lifecycle policies as well. They were used in the previously mentioned attack campaign to urge the target to pay the ransom quickly.
To learn more, watch Brandon’s webcast, “The Cloud Won’t Save You from Ransomware: Here’s What Will”, by visiting https://www.sans.org/webcasts/cloud-wont-save-you-from-ransomware-heres-what-will/
Interested in additional tactics for mitigating attacks in the Big 3 cloud providers? Check out Brandon’s course, SEC510: Cloud Security Controls and Mitigations, at SANS 2025 in Orlando or Live Online this April. This course is also available with Brandon later in the year in Baltimore, MD in June or Washington, DC in July.
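The encryption and recovery recommendations above can be checked per bucket. The following is an added example, not code from SANS or the webcast: it builds an S3 bucket policy that denies uploads carrying SSE-C headers and audits a bucket snapshot for that policy, versioning, and object lock. The snapshot dictionary shape, the bucket names, and the simplified `blocks_ssec` check (it ignores principals, resources, and other conditions) are assumptions.

```python
import json

SSEC_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"  # S3 condition key

def deny_ssec_policy(bucket):
    """Bucket policy that rejects any PutObject request carrying SSE-C headers."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenySSEC", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Null": {SSEC_KEY: "false"}},  # key present => deny
    }]}

def blocks_ssec(policy):
    """True if some Deny statement on PutObject fires whenever the SSE-C key is set."""
    for st in (policy or {}).get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        null = {k.lower(): str(v).lower()
                for k, v in st.get("Condition", {}).get("Null", {}).items()}
        if (st.get("Effect") == "Deny"
                and any(a in ("s3:PutObject", "s3:*", "*") for a in actions)
                and null.get(SSEC_KEY) == "false"):
            return True
    return False

def audit_bucket(cfg):
    """List the controls from the recommendations that this bucket lacks."""
    gaps = []
    if not blocks_ssec(cfg.get("policy")):
        gaps.append("SSE-C uploads not denied")
    if cfg.get("versioning") != "Enabled":      # unset or "Suspended" both fail
        gaps.append("versioning not enabled")
    if cfg.get("object_lock") != "Enabled":
        gaps.append("object lock not enabled")
    return gaps

# Constructed snapshots (hypothetical names), not output from a real account.
DEFAULT_BUCKET = {"name": "example-default"}     # nothing configured
HARDENED_BUCKET = {"name": "example-hardened",
                   "policy": deny_ssec_policy("example-hardened"),
                   "versioning": "Enabled", "object_lock": "Enabled"}

if __name__ == "__main__":
    print(json.dumps(deny_ssec_policy("example-hardened"), indent=2))
    for b in (DEFAULT_BUCKET, HARDENED_BUCKET):
        print(b["name"], audit_bucket(b) or "ok")
```

In practice the snapshot fields would be filled from the bucket's policy, versioning status, and object lock configuration as returned by the provider's API.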