Cloud ransomware attacks: Are you doing enough to protect your cloud infrastructure?

As cloud ransomware attacks increase in both their frequency and severity, many companies have found themselves scrambling to protect their sensitive internal data and systems from breaches. Because the threat landscape is dynamic and cyber criminals’ methods are constantly evolving and becoming more sophisticated, cloud cyber security has become more challenging than ever before. Here’s a look back at one of the biggest cloud ransomware attacks of all time, and our tips on cyber risk management for your cloud infrastructure.

12 May 2017 marked a black day in cyber history. During one of the most notorious ransomware attacks of all time, which lasted three painful days, companies across the world found themselves paralyzed by cyber criminals. The WannaCry attack rendered some 300,000 computers running Windows environments unusable, preventing critical daily functioning and operations for companies in vital industries such as banking, food, health, transportation, national infrastructure, and more.

The incident elevated public and corporate awareness around ransomware, but despite the estimated billions of dollars in damage caused by WannaCry, cyber security still remains a woefully misunderstood subject for many businesses around the world. While companies may believe that they’ve stepped up their cyber defenses, cyber criminals are adapting their tactics to the times and constantly launching more sophisticated attacks.

Researchers at cyber security firm Check Point recently found that the demands of ransomware attackers are steadily increasing each year. In 2020 alone, companies were extorted for some $20 billion, and attacks nearly doubled from 2020 to 2021. Payments are made via digital currencies such as Bitcoin, making it impossible to trace where the attackers are located. Because of the high financial benefit for cyber criminals, ransomware attacks have exploded in popularity in recent years.

According to the 2022 UK Cyber Security Breaches Survey, a staggering 39% of UK businesses identified a cyber attack in the last year, with one in three admitted that they’d been successfully breached. 21% of businesses said they’d been targeted by malware or ransomware.

The massive shift from on-prem to cloud systems, exacerbated by the pandemic, creates a whole new attack vector for bad actors. As more companies migrate their business-critical systems and data to the cloud, cyber criminals have spotted a golden opportunity.

Recognizing the very real risks of ransomware and other attacks on cloud infrastructure, KPMG’s Cyber Incident response teams have noted the following common risk factors and vulnerabilities facing companies in crafting an effective cyber security strategy for their cloud systems.

Companies that are single-mindedly focused on easing operations for their DevSecOps and development teams may be overlooking basic security best practices, which can result in catastrophic consequences. We’ve seen that businesses primarily concerned with creating the most seamless experience and environment for their developers may end up unintentionally jeopardizing standard security controls and validation gates. This provides the perfect opportunity for cyber criminals to take advantage of overlooked security procedures and insecure coding practices and gain access to the entirety of a business’ cloud infrastructure.

Hybrid and public cloud systems mean that bad actors can gain partial or full access to organizations via the internet. The fact that hybrid cloud infrastructure is connected to the internet means that boundaries which need to be protected by security administrators are wider than ever before. Simultaneously, the hybrid cloud model has paved the way for cyber criminals to utilize tunneled access between on-prem and cloud implementations, so they can steal privileged access and enjoy longer dwell time.

Unfortunately, many IT, IS and Security teams operate under the (incorrect) assumption that baseline configurations, such as virtual machines images, are secure until proven otherwise. But a robust and effective cloud protection strategy should involve the complete opposite outlook - a presumption that systems are vulnerable and insecure until they’re fortified. Considering a major uptick in zero-day vulnerabilities in today’s landscape, cyber criminals have a plethora of potential targets and plentiful opportunities to exploit gap’s in a cloud network’s security structure.

The very nature of cloud adoptions means that third-party connections and complex trust relationships are par for the course. However, many of these connections and relationships are never tested or screened for their security risk, and controls to prevent network lateral movement are often inadequate. Just one network segment being breached means that bad actors gain access to many, if not all, virtual networks within the company’s cloud infrastructure.

It’s clear that cloud infrastructure is here to say, and organizations need to roll out robust, effective safeguards in order to keep their systems running smoothly, while remaining secure and protecting sensitive internal data and processes. Here are what we advise businesses to do in order to protect themselves from cloud ransomware and other cyber attacks.

Companies need to take a big picture, holistic look at vulnerabilities and weak points that can be exploited by cyber criminals within their cloud assets, systems, data, people and capabilities. Understanding the scope of the problem and potential breach points helps you craft the right cyber security strategy, including incident response controls, for your organization's unique needs and cloud infrastructure.

Look over your cloud security architecture and roll out new policies and features aimed at strengthening your Identity & Access Management (IAM) capabilities. Requiring the use of Multi-Factor Authentication (IAM), just-in-time access for Remote Desktop Protocol (RDP) traffic, and introducing private endpoints for your storage accounts are all critical for keeping your cloud infrastructure safe.

Ensure you have established your cloud forensics and incident response environment in advance (including golden images, access to passwords, keys, and other certificates), so you can quickly access that critical information when you need it most. Finally, take inventory of your IT assets, make sure that they are regularly patched, create backups in accordance with your RPO requirements, and save immutable copies in isolated networks.

Enlisting your teams and employees as stakeholders in your cloud security strategy is key. Be sure that your people are part of an active shared responsibility model between your Cloud Service Provider (CSP) and your organization. Clearly define your cloud security processes, and get buy-in from your leadership team. According to the 2020 Oracle and KPMG Cloud Threat Report 2020, a whopping report 69% of CISOs only became involved in cloud projects after a security incident - meaning that previous to the attempted or successful breach, there was little or no oversight regarding cloud infrastructure adoption.

Providing regular cyber security awareness training to end users, and educating your people on how they can quickly spot suspicious or phishing emails, adds another line of defense to your cloud. Finally, rotation and cross training for your cloud security response team enables them to be ready, 24/7, to respond to a potential incident.

Cloud infrastructure brings unmatched automation capabilities, so consider using cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) tools to automate security monitoring, threat detention and incident response procedures. By using an alert library, investigation playbooks, and leveraging existing automation processes within your organization, you can free up human capital for more important activities, such as coordination of different teams and communications with internal and external stakeholders.

After you’ve developed your incident response plan, it is extremely important to frequently test your procedure, conducting full rehearsals of your security response and recovery capabilities. You can do this by utilizing cloud-focused adversary simulations, and you should be sure that you can successfully execute restoration from backup for both your data and applications.

We provide the following services that assist you in strengthening your cloud security and incident response capabilities.

Cloud security advisory

We assess the maturity of your cloud security strategy and develop and/or implement your cloud security controls (including incident response playbooks) in Azure, AWS, GCP or OCI.

Cloud compromise assessment

We’ll review your company’s cloud resources to identify potentially compromised assets and assist with digital forensics, as required.

Cyber response retainer services

We have an incident response on-call agreement that allows clients to leverage KPMG’s Cyber Response Services at a moment’s notice to respond to cloud security incidents.

Cloud response platform

We can rapidly deploy cloud native security monitoring, automation, and orchestration capabilities to transform your incident response, using Azure Sentinel.

For more on building the right cloud security and incident response capabilities for your business, please get in touch with our cyber team.

This article is based on an article published at KPMG global by Tahir Soomro, Senior Manager | Iakov Fedoseenko, Author | Abhijeet Kasurde, Author | Article Posted date18 May 2022