Protecting Cloud Environment from Ransomware
June 28, 2017
Raina Zakir (56 articles)

Protecting Cloud Environment from Ransomware

The cloud technology which is becoming the key to faster collaboration and data transfer is also enabling cybercriminals to quickly spread ransomware. Businesses are moving to the cloud, taking advantage of the increased speed and efficiency it provides for data transfer and collaboration. Unfortunately for them, threat actors are abusing the same technology to accelerate the spread of cybercrime.

A few measures to protect against such cyber crimes are:

Secure cloud compute layer:

The most critical thing you can do, out the gate, is go and secure the cloud computer layer. It’s easy to automate, easy to approach for startups and big enterprises alike. Securing the compute layer will ensure the availability of both systems and data, and prevent threat actors from leveraging your computing power to drive the spread of malware throughout your organization. To start, he says, enable secure login by issuing SSH keys to individuals.

Separate data storage:

Getting to know where your formal and informal assets are located seems a common oversight but important step in planning for and addressing a ransomware attack. Many developers are spinning up servers in the cloud for quick testing, but aren’t fully aware of the security and compliance implications of doing so. Sometimes they expose full copies of production databases, a mistake that adds confidentiality issues in addition to the ransomware and availability issue.
For restoration, use cheap cloud storage to grab snapshots, files, folders, and anything you need to reconstitute your operations. Store them in cold storage on a separate MFA-protected account. This is about disaster recovery, not just an intrusion incident where someone merely copied PII and left your network and data otherwise intact. It is also recommended to separate data storage, specifically offline backups, to stay safe in the event of an attack.

Network segmentation:

Businesses should take advantage of the opportunity to segment their networks, now that the architecture is available for them to do it. This can limit and contain the spread of a propagating ransomware attack.
In the cloud, Pironti continues, security teams can use architecture that enables them to put “gates” between critical activities. Walls and containment areas around components can protect them if they’re in trouble.

Identity management:

Without strong identity management, you don’t have an idea of who’s doing what outside your critical security layers. Once you have your core security layers in place, knowing people by uniqueness and their normal behavioral patterns, it helps you make smarter business decisions. This is increasingly important as more people use the cloud to work from wherever they want. The distributed workforce is making a “huge difference” in the importance of monitoring activity and finding anomalies.

Data access management:

In addition to enforcing complex, secure passwords and multi-factor authentication, businesses should also limit employees’ access to sensitive information. People should only be able to access the accounts and systems they need to be productive. This limits the damage an attacker can do if they access an account.
Identity and Access Management (IAM) policies and Access Control Lists can help organize and control permissions to cloud-based storage. Bucket policies let you set or deny permissions by accounts, users, or conditions like IP address or date. The challenge of securing privileged accounts may prove less of a challenge for security pros struggling with management. You may not be able to cover thousands of user accounts, but you can cover 200 administrative accounts.

Use a jump host:

A jump host sits in a different security zone and provides the only means of accessing other servers or hosts in the system. It’s a one-stop methodology for inbound access from a management perspective. The host is a single administrative entry point into the business. It is configured with a standard DNS name and IP address, and only accepts logins from corporate IPs before giving them broader access to the environment. Because the jump host is a single entry point, it simplifies the process for protecting this server and maintaining strict access controls. If the single server gets jumped, it’s easy to create a new one.

Cloud-based security-as-a-service:

One of the most important considerations is to realize it’s getting harder and harder to know which endpoints are vulnerable to ransomware -let alone try to install security software to protect them. Businesses implement a cloud-based security-as-a-service solution, which shares a common threat intelligence repository and can block ransomware downloads.

Set hypervisor firewall rules:

Managing firewalls at the hypervisor level enables security leaders to set definitive rules about who can send, receive, and access inbound and outbound data, which data can be sent, and how much.
Many pros are hesitant to set outbound rules, but they are important because ransomware threatens exposure of intellectual property. If you can write real-time monitoring and enforcement actions on the firewall, there is a better chance of maintaining consistency across the environment.

Don’t let services call home to SaaS systems:

Be cautious against allowing services to call home to SaaS services like Github. Once a threat actor gets access to your Git repo, they can infect and potentially gain access to more corporate systems the next time one of those systems calls home. Businesses should try to store their Git or code repositories in their own cloud environments but acknowledges this practice may take time to adopt.

Source | darkreading