Cloud Attacks Are Following Enterprise Workloads

Enterprise workloads are shifting to cloud and hosting environments in ever greater numbers and attacks that have historically targeted on-premises environments are following them.

Enterprise workloads are shifting to cloud and hosting environments in ever greater numbers and attacks that have historically targeted on-premises environments are following them, according to a new report. But while attacks on cloud environments have increased significantly in frequency and are becoming as diverse as those targeting on-premises data centers, the data also reveal thatthe cloud is not inherently less secure than traditional on-premises environments.

Enterprise workloads are shifting to cloud and hosting environments in ever greater numbers and attacks that have historically targeted on-premises environments are following them, according to a new report.

But while attacks on cloud environments have increased significantly in frequency and are becoming as diverse as those targeting on-premises data centers, the data also reveal that the cloud is not inherently less secure than traditional on-premises environments.

"Cloud deployments are no less secure than your own data centers," says Stephen Coty, chief security evangelist at Alert Logic, a provider of managed security services for on-premises data centers as well as hosting and cloud service providers. "That's what the numbers are really showing across the board."

Alert Logic this week released its Spring 2014 Cloud Security Report, the latest in a series of cloud security reports it began releasing in early 2012.

The Spring 2014 report is based on a combination of real-world security incidents captured in customer environments secured via Alert Logic's intrusion detection system (IDS) and honeypot data gathered using low-interaction software to emulate a vulnerable OS. The report draws from 232,364 verified security incidents (validated by a team of Global Information Assurance Certification (GIAC)-certified security analysts) that were identified from more than one billion events observed between April 1 and September 30, 2013.

Alert Logic says the customer set includes 2,212 organizations across multiple industries, located primarily in North America and Western Europe. Of those customers, 80 percent use cloud hosting provider (CHP) environments, while 20 percent represent on-premises data centers.

Attacks Have Increased Across All Incident Types

Alert Logic found that with a single exception, attacks have increased across all incident types malware/botnet, brute force, vulnerability scan, Web app attack, recon and app attack in both on-premises and CHP environments.

In CHP environments, brute force attacks (exploit attempts enumerating a large number of combinations in hopes of finding a weakness) increased from 30 percent of customers in the 2013 report to 44 percent of customers in the current report. Vulnerability scans (automated vulnerability discovery in applications, services or protocol implementations) increased from 27 percent to 44 percent in the same period.

The sole exception to the increases was app attacks (exploit attempts against applications or services not running over HTTP) in on-premises environments, which were experienced by 19 percent of on-premises customers in 2013 and 16 percent in 2014. On the CHP side, app attacks increased from 3 percent of customers to 4 percent of customers over the same period.

Coty notes that while brute force attacks and vulnerability scans have historically been far more likely to target on-premises environments, the data show that they are now occurring at near-equivalent rates in both CHP and on-premises environments. Likewise, malware/botnet attacks, which are the most prevalent form of incident for on-premises data centers (affecting 56 percent of customers), are on the rise in CHP environments; they now affect 11 percent of customers.

Most Prevalent Incident Types Vary Between On-Premises and Cloud Still, the most prevalent types of incident do vary between on-premises environments and CHP environments. The top three incident classes for on-premises data centers were malware/botnet (affecting 56 percent of customers), brute force (49 percent of customers) and vulnerability scans (40 percent of customers). For CHPs, the most common incidents were brute force (44 percent), vulnerability scans (44 percent) and web application attacks (44 percent).

"Our intelligence suggests that the observed increase in cloud attacks is correlated to the growth of cloud adoption in the enterprise," Coty says. "As more enterprise workloads have moved into the cloud and hosted infrastructures, some traditional on-premises threats have followed them. This reinforces the necessity for enterprise-grade security solutions specifically designed to protect cloud environments."

"The number one thing you need to really understand in a cloud environment is that security in the cloud is a shared responsibility," Coty says. "The service provider is responsible for the foundation. They're even responsible for some level of perimeter security, hardening the hypervisor, giving you root access to your instance. But other than that, you as a consumer are 100 percent responsible for what happens in that environment. The better you understand the shared model between you and your service provider, the better you'll be able to secure your environment. That really applies to all service providers."

Honeypots in European Clouds Attract the Most Flies Alert Logic's cloud honeypots also told an interesting story. The company deployed its honeypots in public cloud infrastructures around the world in an effort to observe the types and frequencies of attacks, as well as how they vary geographically. Alert Logic found that honeypots in European clouds experienced the highest number of attacks four times more than honeypots in U.S. clouds and twice as many as honeypots in Asian clouds.

The incident attack types against European honeypots were tremendously varied. They included: MS-SQL Server (13 percent), MySQL (13 percent), HTTP (13 percent), RPC (13 percent), FTP (13 percent) and MS-DS (35 percent).

"The attacks in Europe were probably more diverse than anywhere else in the world," Coty says. "Outside of attacks on Microsoft Directory Services, everything was about 13 percent across the board."

Coty attributes the number and variety of attacks in Europe to Eastern European malware "factories," primarily in Russia, testing their efforts locally before deploying worldwide.

"The Eastern European guys who write a lot of this code test it in their own backyard," Coty says. "It originates from Europe. Once they've successfully deployed one place in Europe, they just go all over the globe now."

In Asia, the story is different. Attacks on MS-DS represent 85 percent of incidents there, particularly attacks on port 445. Coty attributes this to the plethora of pirated (and unpatched) Microsoft software in China and some other Asian countries. Port 445 supports direct hosted "NetBIOS-less" SMB traffic and file-sharing in Windows environments and, if not locked down appropriately, it is an easy target for accessing files and infecting systems.

Attacks on U.S. honeypots included MS-SQL Server (12 percent), MySQL (13 percent), HTTP (23 percent) and MS-DS (51 percent).

Alert Logic also notes that 14 percent of the malware collected through its honeypot network was not detectable by 51 percent of the world's top antivirus vendors. That's not because it was zero-day malware, Coty notes. Instead, much of the malware that was missed was repackaged variants of older malware like Zeus and Conficker.

Security in Depth Is Key in Cloud "The threat diversity for the cloud has increased to rival that of on-premises environments," Alert Logic says in the report. "And new threats uncovered by our honeypot research demonstrate how top antivirus software vendors cannot be solely relied upon to detect attacks. The continued focus by hackers on infiltrating IT infrastructure underscores the importance of adopting the right security procedures and tools, and of continuously evaluating and adjusting those procedures and tools as attackers find new ways to thwart defense."

Coty says that much as with on-premises data centers, security in depth is the key. He says a cloud security solution should address: Network.: Firewall, intrusion detection and vulnerability scanning to provide detection and protection, while also lending visibility into security health. Compute: Antivirus, log management and file integrity management to protect against known attacks, provide compliance and security visibility into activity within an environment and to help you understand when files have been altered (maliciously or accidentally).

Application: A web application firewall to protect against the largest threat vector in the cloud: web application attacks. Encryption technologies should be ubiquitous for data in-flight protection, and some companies select encryption for data-at-rest when necessary, assuming applications can support it.

Application Stack: Security Information Event Management (SIEM) can address the big data security challenge by collecting and analyzing all data sets. When deployed with the right correlation and analytics, this can deliver real-time insights into events, incidents and threats across a cloud environment.