Why Ransomware Attacks Steer Clear of the Cloud
Ransomware made news headlines worldwide earlier this month after a
successful attack against one of Toyota Motor Corp.’s parts suppliers forced the automaker to shut down 14 factories in Japan for a day, halting their combined output of around 13,000 vehicles.
That attack was the latest example of the threat ransomware poses to all industries. The most recent edition of SonicWall’s annual threat report states that the volume of ransomware attacks in 2021 has risen 231.7% since 2019. And an advisory jointly issued by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the NSA reveals the latest trend is ransomware as a service — gangs of bad actors essentially “franchising” their ransomware tools and techniques to less organized or less skilled hackers.
Clearly, protecting against ransomware attacks must be part of your organization’s holistic cybersecurity strategy—if you’re still operating data center infrastructure and not cloud infrastructure. Hardening data centers and endpoints to protect against ransomware attacks is mandatory, but cloud infrastructure faces a different kind of threat. And if your organization is all-in on cloud, ransomware is less of a worry.
Don’t confuse a ransomware attack with a data breach, which involves stolen data. The purpose of ransomware is not to steal your data (although that can also occur during a ransomware attack), but rather to take control of the systems that house or encrypt your data and prevent you from accessing it—until you pay the ransom. This can have a devastating impact on an organization by effectively shutting down operations until access to the data is restored.
So, while ransomware is a major cyber security threat, we’re simply not seeing ransomware attacks executed against cloud environments. The reason for this involves fundamental differences between cloud infrastructure and data center infrastructure.
Your cloud environment is not simply a remote replica of your onsite data center and IT systems. Cloud computing is 100% software-driven by application programming interfaces (APIs) — the software “middlemen” that allow different applications to interact with each other. The control plane is the API surface that configures and operates the cloud.
For example, you can use the control plane to build a virtual server, modify a network route, and gain access to data in databases or snapshots of databases (which are actually a more popular target among cloud hackers than live production databases). The API control plane is the rapidly growing collection of APIs your organization uses to configure and operate the cloud.
The priority for all cloud platform providers like Amazon, Google, and Microsoft is to ensure your data is robust and resilient. And replicating data in the cloud is both easy and cheap, and a well-architected cloud environment ensures there are multiple backups of your data. That’s the key inhibitor to an attacker’s ability to use ransomware: Multiple copies of your data negates their ability to lock you out. If an attacker is able to encrypt your data and demands ransom from you, you can simply revert to the latest version of the data prior to the encryption.
The redundancy and resiliency that AWS, Microsoft, and Google are building for hundreds of thousands of their customers running millions of servers and networks are impossible for you to replicate in your own data center infrastructure. And if your access to your on-premises systems is taken away from you and encrypted, it can be extremely difficult—and in some cases effectively impossible—for you to regain access without paying the ransom.
Security in the cloud is different because it’s a function of good design and architecture, not intrusion detection and security analysis. Hackers are not trying to penetrate your network in order to lock you out of your systems, they’re trying to exploit cloud misconfigurations that enable them to operate against your cloud control plane APIs and steal your data right out from under you.
A misconfiguration can vary from individual resource misconfigurations that can appear simple, such as leaving a port open to significant architectural design flaws that attackers use to turn a small misconfiguration into a massive blast radius. And I can guarantee that if your organization is operating in the cloud, your environment has both kinds of vulnerabilities. The good news is that because cloud infrastructure is software that can be programmed, these kinds of attacks can be prevented with software engineering approaches using policy as code.
When developers build applications in the cloud, they’re also building the infrastructure for the applications—as opposed to buying physical infrastructure and deploying apps into it. The process of designing and building cloud infrastructure is done with code, which means developers own that process, and this fundamentally changes the security team’s role.
In a completely software-defined world, security’s role is that of the domain expert who imparts knowledge to the people building stuff — the developers — to ensure they’re working in a secure environment. And that knowledge is delivered as automated developer tooling that leverages policy as code rather than checklists and policy documents written in a human language.
Policy as code enables your team to express security and compliance rules in a programming language that an application can use to check the correctness of configurations. It’s designed to check other code and running environments for unwanted conditions or things that should not be. It empowers all cloud stakeholders to operate securely without any ambiguity or disagreement on what the rules are and how they should be applied at both ends of the software development life cycle (SDLC).
At the same time, policy as code automates the process of constantly searching for and remediating misconfigurations. There are no other approaches that in the long run are successful at this because the problem space keeps growing. The number of cloud services keeps growing, the number of deployments you have, and the amount of resources keeps growing. And so you must automate to relieve security professionals from having to spend their days manually monitoring for misconfigurations and enable developers to write code in a way that is flexible, that can be changed over time, and that can incorporate new knowledge, such as the latest big data breach that makes news headlines.
Organizations that have implemented effective cloud security programs share some characteristics that any enterprise can emulate to harden their cloud security posture:
- Know your environment: Conducting weekly or quarterly cloud security audits is inadequate because cloud environments are constantly changing, and hackers use automation to detect misconfigurations they can exploit. Continuously survey your cloud environment, including all resources and configurations, to maintain situational awareness at all times.
- Be proactive, not reactive: Shift your security mentality toward preventing misconfiguration vulnerabilities and away from intrusion detection and interdiction. Cloud control plane compromise attacks happen too fast for any team or technology to stop attacks in progress.
- Empower your developers: Enlist the developers in the process by empowering them with automated security tooling that leverages policy as code. After all, since you’re now focusing on prevention, who is better positioned to prevent misconfigurations than the engineers who are building these environments and systems?
- Measure and operationalize: Successful organizations measure what matters to know where they stand, where they’re going, and to quantify their progress at preventing vulnerabilities and the resulting security incidents. Ultimately, they fully operationalize cloud security to minimize risk and maximize innovation velocity in the cloud.
I don’t want to downplay the threat ransomware attacks pose to your organization and encourage you to visit www.StopRansomware.gov, the U.S. federal government’s resource for learning how to protect yourself from becoming a ransomware victim.
But I also want to emphasize that although your cloud environments are not highly vulnerable to ransomware, the risk of a data breach due to misconfigurations is high and growing as you adopt more cloud-based platforms and services.
The best defense is prevention. Use policy as code in the development phase, in the continuous integration/continuous delivery (CI/CD) pipeline, and in the runtime to quickly identify and remediate misconfigurations. As you gain maturity, these steps can be operationalized throughout your DevOps processes so that the entire process is automated and efficient.