How to Stop a Cloud Attack Chain With Illumio CloudSecure
More companies are using cloud services than ever, and it’s expanding the attack surface at an alarming rate. There are many more opportunities for attackers to break into networks and move around until they reach your critical assets or install ransomware.
But cloud intrusions can be difficult to detect. Since modern cybercrime methods don’t deploy malware, there’s no abnormal behavior to call attention to them. They usually use legitimate ports to move through the network to the target.
That’s why it’s so important to build Zero Trust in the cloud. It moves the trust boundary as close to critical resources as possible. In this blog post, we walk through a real cloud attack chain and show how Zero Trust Segmentation with Illumio CloudSecure can help you stop attack chains in the cloud.
Real-life example: A successful cloud attack chain
Most application security platforms protect the cloud by finding and responding to threats. But this method isn’t enough — many cloud security breaches in recent years weren’t discovered for a long time. In fact, 47% of all data breaches in the last year originated in the cloud, according to research by Vanson Bourne.
It's just as important to survive undetected threats as it is to protect against the ones we know about. Both known and unknown threats need to be stopped.
What happened? The attack chain
Attackers used stolen high-level credentials to breach the network. The organization had multiple security solutions in place, but attackers created backdoors into the network to successfully steal data. They avoided detection tools and didn’t deploy malware, leaving the breach undetected for months.
The organization’s security tools were only looking for known threats and suspicious behavior. Because the attackers used legitimate means to access the network, they were able to move easily across the environment (move laterally) to reach applications.
The network layer had some level of segmentation in place using security groups, but they were broad segments. Once the attackers had accessed the initial application, it was easy for them to move to other applications.
What could’ve been done? Stopping lateral movement
It would’ve been far more difficult for the attackers to reach resources if they couldn’t move between applications. Limiting lateral movement would’ve protected the cloud environment from not only known breaches but also undetected, unknown ones.
A successful security architecture needs to protect against both the known and unknown threats without adding operational complexity.
In the example above, only security groups at the cloud network boundaries were restricting lateral movement. The problem with security groups in virtual private clouds (VPCs) or virtual networks (VNETs) is that they’re network-centric solutions. With many app owners not fully understanding traffic dependencies between their applications, security groups are all too often added to the network very broadly – or not at all. This allows a wide range of traffic to pass through, creating wide-open doors that attackers can easily move through.
Relying on traditional network security tools doesn’t work in modern hybrid cloud architectures. This is because resources constantly spin up and down and can be moved around between hosts for optimal performance. Traditional network addressing is no longer a reliable way to identify an application in the cloud.
How Zero Trust Segmentation tackles cloud attack chains
It’s time to separate cloud workload and application security from network-centric security. They have very different priorities.
Zero Trust Segmentation (ZTS) acts as the backstop to cloud attack chains. It uses segmentation controls at the application level without relying on traditional network-centric segmentation.
Most modern operating systems have services listening on well-known ports by default, such as Secure Shell (SSH) on Linux and Remote Desktop Protocol (RDP) on Windows. If attackers compromise a workload, they can use either of these ports to connect to a neighboring host. From there, they can gain access to critical resources or deliver malicious payloads.
From the perspective of threat actors, these open ports are unlocked doors which are easy to pass through as they move around the network, hunting for the desired target. ZTS stops this unnecessary lateral access between applications. This means attackers get contained to their original entry point and can't spread further into the network.
How Illumio CloudSecure extends ZTS to the hybrid multi-cloud
With Illumio CloudSecure, you can build application-centric ZTS at scale. By focusing on the unique security needs of each application, CloudSecure reduces your attack surface and stops lateral movement.
Here are the three steps CloudSecure takes to stop a cloud attack chain before it spreads across your applications.
1. See all cloud traffic and application dependencies
You can’t enforce what you can’t see. That's why it's crucial to get end-to-end visibility into all application traffic across your entire hybrid, multi-cloud environment.
As part of the Illumio ZTS Platform, CloudSecure shows all traffic between all workloads for any application in your cloud environment.
2. Define least-privilege access between applications
CloudSecure uses a label-based policy model that maps existing cloud tags to Illumio’s multi-dimensional labels. It identifies workloads along boundaries that make sense to business owners and application owners instead of by network-centric addressing. These labels define policies on the hosts that belong to each application.
3. Automatically implement cloud security policies
CloudSecure will then implement these policies using cloud-native security tools, such as security groups and network security groups (NSGs).
Security teams don’t need to use IP addresses and ports to implement policy. CloudSecure translates the application-centric policy into the syntax that cloud-native controls understand. Then it discovers which cloud-native controls it needs to deploy the policy on.
Using a label-based policy model means that every cloud resource associated with an application will have the right label.
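To make steps 2 and 3 concrete, here is an added, simplified illustration in Python of how a label-based, default-deny policy can be compiled into security-group style rules. It is not CloudSecure’s code; the tag keys, workloads, ports and rules are constructed for the example.

```python
# Added illustration (not Illumio's implementation): project cloud tags onto
# labels, express allow rules between applications in label terms, then
# compile them into per-workload allow entries (security-group style).
# Every workload and rule below is constructed for this example.
from collections import defaultdict

# Constructed inventory: cloud resources with their provider tags.
WORKLOADS = [
    {"id": "i-web1", "tags": {"app": "shop", "role": "web", "env": "prod"}},
    {"id": "i-web2", "tags": {"app": "shop", "role": "web", "env": "prod"}},
    {"id": "i-db1",  "tags": {"app": "shop", "role": "db",  "env": "prod"}},
    {"id": "i-api1", "tags": {"app": "billing", "role": "api", "env": "prod"}},
    {"id": "i-db2",  "tags": {"app": "billing", "role": "db",  "env": "prod"}},
]

# Only these tag keys become policy dimensions (the label model).
LABEL_KEYS = ("app", "role", "env")

# Application-centric rules: (consumer selector, provider selector, port).
# Anything not listed is denied; there is no broad "allow all inside the VPC".
RULES = [
    ({"app": "shop", "role": "web"}, {"app": "shop", "role": "db"}, 5432),
    ({"app": "shop", "role": "web"}, {"app": "billing", "role": "api"}, 443),
]

def labels_of(workload):
    """Project a workload's cloud tags onto the label dimensions."""
    return {k: workload["tags"].get(k) for k in LABEL_KEYS}

def matches(selector, labels):
    """A selector matches when every label value it names agrees."""
    return all(labels.get(k) == v for k, v in selector.items())

def compile_rules(workloads, rules):
    """Return {provider_id: {(consumer_id, port), ...}}.
    A workload with an empty set has no inbound allow entries (default deny)."""
    allowed = defaultdict(set)
    for consumer_sel, provider_sel, port in rules:
        consumers = [w["id"] for w in workloads if matches(consumer_sel, labels_of(w))]
        providers = [w["id"] for w in workloads if matches(provider_sel, labels_of(w))]
        for p in providers:
            for c in consumers:
                allowed[p].add((c, port))
    return {w["id"]: allowed.get(w["id"], set()) for w in workloads}

def is_allowed(compiled, src, dst, port):
    """Check one flow against the compiled policy (deny unless listed)."""
    return (src, port) in compiled.get(dst, set())

if __name__ == "__main__":
    policy = compile_rules(WORKLOADS, RULES)
    for dst, entries in policy.items():
        print(dst, sorted(entries) or "default deny")
```

Note that the compiled entries are expressed as workload-to-workload allows, so a compromised web host cannot reach the billing database or even its own peer web host over SSH, which is the lateral movement the post describes.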
In the cloud attack example above, if the system had been divided into segments, it would have been much harder for the attackers to move from one application to another. The attack would have been contained to a small group of resources instead of spreading quickly to all of them before being detected.
Start your free trial of Illumio CloudSecure today. Contact us to learn more about stopping breaches across your hybrid multi-cloud with the Illumio ZTS Platform.