How Developers Can Thwart Bad Actors
The cloud brings a host of new opportunities for developers, but also opportunities for attackers to introduce new threats.
To protect businesses from these threats, it’s crucial for developers to understand what attackers look for and why it is easier than ever for them to access your sensitive data.
Lacework’s newest edition of its quarterly cloud threat report, which highlights threats within the public cloud, revealed the new and most popular avenues cybercriminals are using to take advantage of businesses.
We’re breaking down what these trends are, why they’re gaining traction and how to protect against them.
Cryptocurrency Mining Tools Used to Steal Data
The cryptocurrency mining tool XMRig is the tool attackers most commonly install. Attackers have numerous tools to choose from but usually pick the ones that promise the biggest payoff, such as tools that exfiltrate data or escalate privileges. Exploiting information in the cloud is easy because there are so many configurations and settings to get wrong; a single small misconfiguration can leave an environment open to attack.
While security analysts usually are the ones who detect a security incident, they need to pass it along to DevOps teams to fix the issue. Developers want to move fast, check code and then quickly navigate to developing the next feature in a long backlog. The last thing they want is to be alerted to a security incident after the application is in production and then have to backtrack to figure out where it occurred and how to fix it.
This is why it’s essential for DevOps to implement security controls in CI/CD pipelines to prevent deploying vulnerabilities in the first place. We recommend enabling two-factor authentication and implementing signed commits in revision control software to prevent credential hacking. It’s also helpful to use a software bill of materials to inventory and track the use of software in your environment.
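As an added example of the software bill of materials control described above (not code from the article or from Lacework), the following CI gate reads a CycloneDX-style SBOM, builds an inventory of what is in use and fails the build for components that are unpinned, come from an ecosystem the team has not approved or match a block list. The SBOM, the package names and the policy are all constructed for the demo.

```python
"""Minimal SBOM policy gate for a CI/CD step (added example, not Lacework's code).

Reads a CycloneDX-style JSON SBOM and returns findings for components that are
unpinned, come from a package ecosystem the team has not approved, or match an
explicit block list. The SBOM and the policy below are constructed for the demo.
"""
import json

# Constructed sample SBOM: three components, one unpinned, one from an
# ecosystem outside the policy. Package names are illustrative only.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "example-widget", "version": "",
         "purl": "pkg:npm/example-widget"},
        {"type": "library", "name": "example-tool", "version": "0.9.1",
         "purl": "pkg:cargo/example-tool@0.9.1"},
    ],
})

# Constructed policy (hypothetical): which ecosystems are approved and which
# exact package versions are blocked outright.
POLICY = {
    "allowed_ecosystems": {"pypi", "npm", "maven"},
    "blocked_purls": {"pkg:pypi/example-bad@1.0.0"},
    "require_pinned_version": True,
}


def parse_purl(purl):
    """Split 'pkg:type/namespace/name@version' into (type, name, version)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):]
    # Strip qualifiers and subpath; this gate does not need them.
    body = body.split("?", 1)[0].split("#", 1)[0]
    ptype, _, rest = body.partition("/")
    name_part, sep, version = rest.rpartition("@")
    if not sep:
        name_part, version = rest, ""
    return ptype, name_part, version


def check_sbom(sbom_json, policy):
    """Return a list of (component_name, reason) findings; empty means pass."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name = comp.get("name", "<unnamed>")
        purl = comp.get("purl", "")
        if not purl:
            findings.append((name, "missing purl"))
            continue
        ptype, _, version = parse_purl(purl)
        if ptype not in policy["allowed_ecosystems"]:
            findings.append((name, f"ecosystem '{ptype}' not approved"))
        if policy["require_pinned_version"] and not version:
            findings.append((name, "version not pinned"))
        if purl in policy["blocked_purls"]:
            findings.append((name, "blocked version"))
    return findings


def inventory(sbom_json):
    """Map purl -> version so the team can track what is actually in use."""
    return {c["purl"]: c.get("version", "")
            for c in json.loads(sbom_json)["components"] if c.get("purl")}


if __name__ == "__main__":
    for name, reason in check_sbom(SAMPLE_SBOM, POLICY):
        print(f"FAIL {name}: {reason}")
```

In a pipeline, the SBOM is generated from the built artifact, `check_sbom` runs as a step that fails the job on any finding, and the `inventory` mapping is stored with the release so later questions about which versions shipped can be answered from the record rather than by inspecting production.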
Images Are the New Gateways for Attacks
Attackers compromise exposed Docker sockets to deploy malicious container images, and they also host malicious images in public repositories. Attackers are also good at hiding malware, so developers often don’t realize that there is something malicious in their container image.
To prevent this, it’s important for developers to use only approved images in their code. Teams can assess their container images for vulnerabilities by performing inline scanning, preapproving images and placing them in a registry before deployment. This provides developers with a safe set of images to use and prevents them from accidentally downloading malicious images from the internet.
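The "approved images only" control above can be enforced at deployment time. The following admission-style check is an added example (not code from the article or from Lacework): it pulls every image reference out of a deployment manifest and rejects any that does not come from the team's registry, is not pinned by digest or carries a digest that was not recorded at pre-approval time. The registry name, the manifest and the approved digest set are constructed for the demo.

```python
"""Admission-style check that every container image in a deployment manifest
comes from the team's approved registry and is pinned to a pre-approved digest.
Added example, not the article's or Lacework's code; the registry names,
manifest and approved digests are constructed for the demo.
"""
import re

# Constructed policy: one internal registry is trusted, and only images whose
# digest was recorded at pre-approval time may be deployed.
APPROVED_REGISTRY = "registry.internal.example"
APPROVED_DIGESTS = {
    "registry.internal.example/base/python": {
        "sha256:" + "a" * 64,   # placeholder digest recorded at approval
    },
}

# Constructed Kubernetes-style manifest as plain text; only the image: lines
# matter to this check, so no YAML library is needed.
SAMPLE_MANIFEST = """
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: api
          image: registry.internal.example/base/python@sha256:{good}
        - name: sidecar
          image: docker.io/library/nginx:latest
        - name: worker
          image: registry.internal.example/base/python:3.11
""".format(good="a" * 64)

IMAGE_RE = re.compile(r"^\s*(?:-\s+)?image:\s*['\"]?([^'\"\s]+)", re.M)


def parse_image_ref(ref):
    """Split an image reference into (registry, repository, tag, digest).

    A first path component without a '.' or ':' (and not 'localhost') is not
    a registry, so the reference defaults to Docker Hub.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    tag = None
    # A ':' in the last path component is a tag separator, not a registry port.
    last = path.rsplit("/", 1)[-1]
    if ":" in last:
        path, tag = path.rsplit(":", 1)
    return registry, path, tag, digest


def check_manifest(text):
    """Return (image_ref, reason) for every image that fails the policy."""
    findings = []
    for ref in IMAGE_RE.findall(text):
        registry, repo, tag, digest = parse_image_ref(ref)
        full_repo = f"{registry}/{repo}"
        if registry != APPROVED_REGISTRY:
            findings.append((ref, f"registry '{registry}' is not approved"))
            continue
        if digest is None:
            findings.append((ref, "not pinned by digest"))
            continue
        if digest not in APPROVED_DIGESTS.get(full_repo, set()):
            findings.append((ref, "digest not in the pre-approved set"))
    return findings


if __name__ == "__main__":
    for ref, reason in check_manifest(SAMPLE_MANIFEST):
        print(f"REJECT {ref}: {reason}")
```

Pinning by digest rather than tag is what makes the pre-approval meaningful: a tag such as `:latest` or `:3.11` can be repointed at different content after the scan, whereas a digest identifies exactly the image that was scanned.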
Detecting Post-Exploitation Activity Is Just as Important
Lacework observed many exploit payloads shortly after the disclosure of Log4j’s critical remote code execution flaw. Shortly after the flaw was discovered, most successful exploitation attempts were benign; however, the number from malicious sources grew as time went on. This is because attackers improved their payloads and continued to adapt their exploitation methods to stay ahead of the signature-based detections that most security products use.
In this case, an effective method for developers to defend themselves and their systems is to implement canary tokens. Canary tokens are resources — such as directories, files or accounts — that alert an administrator when someone accesses them. Developers can pair canary tokens with cloud native tools and customize them to send alerts when certain resources are accessed. This is a best practice to quickly notify the appropriate person about post-compromise activity in an environment.
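The canary-token approach above comes down to a simple rule: any access to a decoy resource is an alert, with no further signature needed. As an added example (not code from the article or from Lacework), the following detection runs that rule over simplified cloud audit records and produces alerts naming the actor and source address. The canary names, the records and the field layout are constructed for the demo.

```python
"""Canary-resource alerting over cloud audit records.
Added example (not the article's or Lacework's code). The event records,
canary resource names and field layout are all constructed for the demo.
"""

# Constructed canary inventory: decoy resources nobody should legitimately touch.
CANARIES = {
    "s3_bucket": {"finance-backup-2019-canary"},      # decoy bucket
    "iam_user": {"svc-legacy-deploy"},                # decoy credential
    "secret": {"prod/db/master-password-canary"},     # decoy secret
}

# Constructed CloudTrail-style records with a reduced set of fields.
SAMPLE_EVENTS = [
    {"eventName": "ListObjects",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "app-assets"},
     "sourceIPAddress": "10.0.1.5"},
    {"eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "finance-backup-2019-canary", "key": "q4.xlsx"},
     "sourceIPAddress": "198.51.100.23"},
    {"eventName": "GetSecretValue",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-legacy-deploy"},
     "requestParameters": {"secretId": "prod/db/master-password-canary"},
     "sourceIPAddress": "203.0.113.9"},
]


def canary_hits(event):
    """Return the list of (canary_type, name) the event touched; empty if none."""
    hits = []
    params = event.get("requestParameters") or {}
    bucket = params.get("bucketName")
    if bucket in CANARIES["s3_bucket"]:
        hits.append(("s3_bucket", bucket))
    secret = params.get("secretId")
    if secret in CANARIES["secret"]:
        hits.append(("secret", secret))
    # The decoy IAM user shows up as the caller, not as a request parameter.
    arn = (event.get("userIdentity") or {}).get("arn", "")
    user = arn.rsplit("/", 1)[-1] if arn else ""
    if user in CANARIES["iam_user"]:
        hits.append(("iam_user", user))
    return hits


def build_alerts(events):
    """Turn every event that touched a canary into an alert record."""
    alerts = []
    for ev in events:
        hits = canary_hits(ev)
        if hits:
            alerts.append({
                "severity": "high",
                "summary": f"{ev['eventName']} on canary {hits[0][1]}",
                "canaries": hits,
                "actor": (ev.get("userIdentity") or {}).get("arn"),
                "source_ip": ev.get("sourceIPAddress"),
            })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["summary"], "from", alert["source_ip"])
```

Because the decoys have no legitimate use, this rule has essentially no false positives, which is why it pairs well with the cloud-native alerting described above: the alert can be routed straight to the on-call engineer rather than triaged first.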
Cloud Services Present Opportunities for Hackers Too
The number of cloud providers keeps growing with new offerings from platforms, software and storage solutions that enable companies to easily innovate, regardless of their size or location.
This makes it easy for developers to create new applications and re-architect old ones. In the past, developers needed to acquire databases or web server licenses before they could begin creating applications, which was time-consuming and costly.
Docker and Kubernetes have simplified the development process, so developers can now write new applications and deploy them in multiple places at scale. As a result, more companies are starting in the cloud or moving to the cloud, which levels the playing field for newcomers. This is why we’re seeing so many new cloud native businesses — for example, FinTech companies, which use technology to improve or automate financial services.
The cloud has a unique shared-responsibility approach to security. Cloud providers must secure their services and platforms; however, each individual customer is responsible for protecting their own content and data. Because of this shared-responsibility approach and the new ease and speed of cloud innovation, security often takes a back seat, and this presents new opportunities for bad actors.
Understanding What Attackers Want Is Key
Attackers are constantly finding new ways to exploit your systems, but developers can outsmart them by implementing best practices, establishing controls on CI/CD pipelines, scanning images and conducting preapproved checks and balances to secure code. For a more comprehensive look at how to protect your systems, see Lacework’s Cloud Threat Report.