The perfect storm: Why cyberspace needs defence in the Cloud

By Tom Kellermann and Rick McElroy, Carbon Black

Cyberspace is a free-fire zone in which corporations are regularly under siege from multiple threat actors. The global cyber-arms bazaar has allowed criminals and nations to wage long-term campaigns against corporations and government agencies. These attackers stalk businesses and consumers from the fog of the Dark Web.

Evidence suggests the Dark Web has become an economy of scale in which the cyber-crime syndicates have begun to target the interdependencies of our networks. This year has ushered in a foreboding era of digital colonisation of cyberspace.

The cloud has not slowed this down: if anything, it has given malicious actors blind spots to hide in and more avenues of attack. As data has moved to the cloud, security programs have not kept up.

When we think of the risks facing organisations leveraging the cloud, let's begin by considering those brave souls whose mission it was to fly into the clouds over enemy territory and deliver strategic bombing campaigns to weaken the enemy during World War II.

While an organisation surely has a different mission, it is still trying to deliver a service to customers and partners in an environment where often there is little visibility into what is actually happening.

As the cyber-criminal community burrows into networks, we must understand that after the initial theft of data, they tend to hibernate. This allows for secondary monetisation schemes. Some of these criminal endeavours include reverse business email compromise against customers and/or selective watering-hole attacks. Cyber criminals realise there is implicit trust in a company's brand, which they can and will exploit.

Cyber criminals' modus operandi has been modernised, and we should allow their offence to inform our defence, from who is accessing systems to what threats are hitting cloud endpoints.

One of the most elegant cybercrime conspiracies of 2017 was run by a group named StonePanda (i.e. APT10). In what is known as the 'Cloud Hopper' campaign, these attackers mounted a sustained offensive against Fortune 1,000 corporations. What began with a spear-phishing attack leveraging fileless malware escalated into hijacking a victim's website and using their brand to target consumers. The attack then metastasised into the interconnected networks of their supply chain via cloud hopping. One of the more interesting features of this campaign was its use of watering holes.

The watering holes executed remote JavaScript-based reconnaissance to target MSSPs. Once in, the attackers deployed HAYMAKER, a backdoor that can download and execute additional payloads in the form of modules, followed by a secondary infection via an open-source remote-access Trojan (RAT). These criminals were not conducting a burglary; rather, they were executing a home invasion.

During World War II, various methods were employed to protect high-level bombers from flak, fighter aircraft and radar detection, including defensive armament, escort fighters, chaff and electronic jamming. To help ensure the success of bombing raids, the Army Air Force failed fast and iterated through changes. One of the key takeaways was the absolute need for bombers to have fighter escorts in order to mitigate the risk of unseen attackers lurking in the clouds.

The lesson here for cyber defenders is that trying to build a 'fortress' that is impervious to innovation on the attacker side is a formula for repeated failure.

This is where endpoint protection comes in. Consider that two major advances tipped the scales towards effective bombing campaigns: the use of escort fighter pilots to ensure the safety and success of the missions (protection); and the employment of the Norden bombsight and radar (visibility).

A corresponding endpoint defence solution delivers prevention against attacks by interrupting attackers' behaviour to ensure the systems supporting the strategic delivery of services for an organisation remain in service. It provides a proactive defensive posture levelling the battlefield and tipping the advantage back to defenders.

An endpoint detection and response (EDR) solution gives visibility into how the attackers are attacking, so the defence team can respond and remediate faster. Raising the bar on each attack and forcing the attacker to change their approach provides a defending team with the most accurate information possible. This allows them to pinpoint the root cause and quickly remediate whatever the vulnerability was. It also gives them the ability to proactively find threats sooner, securing their strategic objectives.
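The visibility the paragraph above describes is, concretely, the ability to walk a suspicious event back through its process ancestry to the thing that let the attacker in. The script below is an added example written for this article; it is not Carbon Black's or VMware's code, and the event records, process names and TEST-NET addresses are constructed stand-ins for what an EDR sensor would actually collect. It flags an outbound connection whose process descends from a document handler that later spawned a script host (the spear-phishing-to-fileless-malware pattern mentioned earlier) and reports the entry point a responder would remediate.

```python
"""Trace a suspicious endpoint event back to its root cause using process ancestry.

Added example for this article; it is not Carbon Black's or VMware's code, and the
event format below is a constructed stand-in for what an EDR sensor records.
"""

# Constructed process-start events: one dict per process, as an EDR sensor might record them.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "outlook.exe",    "cmdline": "outlook.exe"},
    {"pid": 300, "ppid": 200, "image": "winword.exe",    "cmdline": "winword.exe /n invoice.docm"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -c <constructed>"},
    {"pid": 500, "ppid": 400, "image": "rundll32.exe",   "cmdline": "rundll32.exe <constructed>"},
    {"pid": 600, "ppid": 100, "image": "chrome.exe",     "cmdline": "chrome.exe"},
]

# Constructed network events: which process opened an outbound connection and to where.
NETCONNS = [
    {"pid": 500, "dest": "203.0.113.10:443"},   # TEST-NET address, constructed
    {"pid": 600, "dest": "198.51.100.5:443"},   # TEST-NET address, constructed
]

# Document handlers that are a normal phishing entry point, and script hosts that fileless
# tradecraft typically runs through. Both sets are illustrative, not exhaustive.
DOCUMENT_HANDLERS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def build_tree(events):
    """Index processes by pid so ancestry can be walked in O(depth)."""
    return {e["pid"]: e for e in events}


def ancestry(pid, tree, limit=64):
    """Return the process chain root-first for pid, stopping at an unknown parent,
    a repeated pid (bad or cyclic ppid data) or after `limit` hops."""
    chain = []
    seen = set()
    while pid in tree and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(tree[pid])
        pid = tree[pid]["ppid"]
    chain.reverse()
    return chain


def find_suspicious_chains(events, netconns):
    """Flag connections whose process descends from a document handler that later
    spawned a script host, and name the document handler as the entry point."""
    tree = build_tree(events)
    alerts = []
    for conn in netconns:
        chain = ancestry(conn["pid"], tree)
        images = [p["image"] for p in chain]
        # First script host in the chain, then the nearest document handler above it.
        script_idx = next((i for i, img in enumerate(images) if img in SCRIPT_HOSTS), None)
        if script_idx is None:
            continue
        doc_idx = next((i for i in range(script_idx - 1, -1, -1)
                        if images[i] in DOCUMENT_HANDLERS), None)
        if doc_idx is None:
            continue
        entry = chain[doc_idx]  # the root cause a responder would remediate
        alerts.append({
            "pid": conn["pid"],
            "dest": conn["dest"],
            "chain": images,
            "entry_point": entry["image"],
            "entry_cmdline": entry["cmdline"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_chains(EVENTS, NETCONNS):
        print(f"pid {alert['pid']} -> {alert['dest']}: {' > '.join(alert['chain'])}")
        print(f"  root cause: {alert['entry_cmdline']}")
```

The browser's connection is left alone because nothing in its ancestry is a script host, while the rundll32 connection is traced back to the document that spawned PowerShell; that chain, not the final beacon, is what a responder remediates. Real sensors record far more (hashes, signers, user context), but the ancestry walk is the same.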

Much like air combat in World War II, modern cyber operations consist of human(s) v. human(s). The adversaries want to interact with an organisation's systems once they get in. They want as much intel as possible to leverage against a company and its partners. Whenever the offence pivots, so must defenders. The team that can better Observe, Orient, Decide and Act when under attack will be miles ahead of those that lack basic visibility into what attackers are doing.

So how does one respond when one assumes the enemy lurks in the clouds waiting to take their flying fortress down? By securing the battlefield: partnering with an organisation like VMware, which has a unique market share, gaining better visibility into what the attackers are doing, rapidly surfacing what the enemy is doing, and enabling teams to find them and remove them.

To unlock the very same benefits of security in the cloud one has to move upstream of the problem and be positioned to drive change with a company that enables the cloud. A selected endpoint security partner can cover your rear.