The document presents an overview of cloud security challenges, emphasizing the complex and evolving nature of cyberattacks. It highlights the increased attack surface due to cloud adoption, noting that hybrid environments face 2.5 times more security incidents than public clouds. Additionally, it discusses the significance of proactive security measures and the shared responsibility model in addressing vulnerabilities and protecting data.

1. UNDERSTANDING YOUR
CLOUD ATTACK SURFACE
LIVE HACK
Oliver Pinson-Roxburgh

2. 2
Hacking doesn’t look like this

3. 3
It Doesn’t look like this

4. 4
Technology Innovation – We want things fast
Reaching
50 Million
Users
75 years
35 days
38 years
WWW 4 years
3.5 years

5. 5
Cloud Has Disrupted Traditional Security
Agility & automation Hyper-scalability

6. 6
Attack Surface
21 80 25
3389
22
143
3

7. 7
The Cloud Attack Surface /s
443

8. 8
Alert Logic Cloud Security Report 2017
550 DAYS
AUG 1, 2015 –JAN 31 2017
2,207,795
TOTAL TRUE POSITIVE SECURITY
INCIDENTS ANALYZED
32.5 MILLION
EVENTS DRIVING ESCALATED
INCIDENTS
147 PETABYTES
OF DATA ANALYZED
3807 CUSTOMERS
ANALYZED
452
INDUSTRIES ACROSS 3 CONTINENTS

9. 9
Web App Attacks – King of the Hill
WEB APP
ATTACK
Recon
5%
Server-side
Malware
2%
DoS / DDoS
1% Other
1%
75%
DOS/DDOS
1% OTHER
1%
SERVER-SIDE
MALWARE
2%
RECON
5%
BRUTE
FORCE
5%
SQL INJECTION
55%
SECURITY INCIDENT TYPES ESCALATED

10. 10
Web App Attacks – King of the Hill
WEB APP
ATTACK
ute Force
16%
Recon
5%
Server-side
Malware
2%
DoS / DDoS
1% Other
1%
75%
DOS/DDOS
1% OTHER
1%
SERVER-SIDE
MALWARE
2%
RECON
5%
BRUTE
FORCE
5%
SQL INJECTION
55% REMOTE
CODE
EXECUTION
22%
XXE
3%
APACHE
STRUTS
RCE
6%
WEB APP
ATTACK
RECON
5%
FILE
UPLOAD
6%
OTHER
4%
SECURITY INCIDENT TYPES ESCALATED

11. 11
Workload Environments Impact Incident Volumes
2.5x
more security incidents
observed in Hybrid vs
Public Cloud
51%
higher rate of
security incidents in
on premises vs Cloud
AVERAGE PER CUSTOMER SECURITY INCIDENT COUNTS

12. 12
Covering all layers of your stack is complex
Vulnerabilities
in
YOUR CODE
Vulnerabilities
in
YOUR
CONFIGS
Vulnerabilitie
s
YOU INHERIT

13. Today’s Attacks are Becoming More Complex
THE CYBER KILL CHAIN¹ THE IMPACT
Financial loss
Harm brand and reputation
Scrutiny from regulators
IDENTIFY
& RECON
INITIAL
ATTACK
COMMAND &
CONTROL
DISCOVER
& SPREAD
EXTRACT &
EXFILTRATE
• Attacks are multi-stage using multiple threat vectors
• Takes organizations months to identify they have been compromised
• 205 days on average before detection of compromise1
• Over two-thirds of organizations find out from a 3rd party they have been
compromised2
1 – IDC Worldwide Security and Vulnerability Management 2014–2018 Forecast
2 – M-Trends 2015: A View from the Front Lines

14. 14
Enter Machine Learning
Over nine months :
8-10% of the customers we
monitored were targeted by
actors with better-than-
average levels of skill and
determination
Each attack
had a High
degree of
complexity
Identified,
approx. 231
attacks

15. 15
Behind the Data
Web apps can be the final destination…or initial entry point
Perimeter AND Network
AND System /log-based
Detection defend your
hosts
see N / S / E / W in all of
your protected
environments
WAF blocking/virtual
patching, IDS, and log
monitoring as air cover as
you burn down your web
app vulnerabilities
• Redistribute malware directly / indirectly (exploit
kits / watering hole)
• Monetization through fraud (SEO, Coin Mining,
Spam)
• Entry point into Infrastructure
• Lateral movement, privilege escalation
• Steal data (exfiltration of information from
databases)

16. 16
Multi-stage Attacks
Time: Day 1
Event: Early stage recon event
Criticality: Medium
Time: Day 3
Event: SQL Injection recon
Criticality: Medium
Time: Day 4
Event: SQL table enumeration
Criticality: High
Time: Day 4
Event: Injection
Criticality: Critical
Situation: Multiple address spaces and disparate unrelated events over days

17. 17
Surgical Exfiltration
1 IP Address
Duration: 7 minutes
Surgical Exfiltration
1 IP Address
Duration: 2 minutes
Precision Recon
1 IP Address
Duration: 12 minutes
Precision Recon
1 IP Address
Duration: 8 minutes
Precision Recon
1 IP Address
Duration: 1 minute
Precision Recon
1 IP Address
Duration: 11 minutes
Sustained, Multi-stage Attack for Intellectual Property Theft
September2016 2017AprilOctober November December January February March
Jan 16th
Jan 3rd
Nov 2nd
Feb 6th
Continuous SQLi Reconnaissance to Better Understand the Environment (49 Unique IPs)
Continuous General SQLi Testing (172 Unique IPs)

18. 18
Zooming Into Adversary Activity

19. 19
Attack Progression Timeline Over 6+ Months

20. 20
Zoomed View of a Single SQLi Exfiltration Attempt
1) Tables belonging to specific owner
exist?
2) Enumerate table names for owner
3) Count the number of columns for a specific table of interest
4) Enumerate column names for
specific table
5) Count the rows of
data within the table
of interest
6) Enumerate column values from
specific table (exfiltration event)
Time
Attackspecificity

21. New Approach
The Principles of security do not change but your
Approach to security needs to change

22. STORAGE DB NETWORKCOMPUTE
Logical network segmentation
Perimeter security services
External DDoS, spoofing, and scanning prevented
Hardened hypervisor
System image library
Root access for customer
Secure coding and best practices
Software and virtual patching
Configuration management
Access management
Application-level attack monitoring
Cloud Security Is A Shared, But Not Equal, Responsibility
Access management
Patch management
Configuration hardening
Security monitoring
Log analysis
Network threat detection
Security monitoring
Configuration best practices
CUSTOMER RESPONSIBILITY
APPS
HOSTS
NETWORKS
FOUNDATION
SERVICES
• SQLi
• Cross-site scripting
• Web app exploits
• Middleware exploits
• Brute force attacks
• Recon
• Web shells
• Command & Control
• Service Misconfiguration
• Suspicious IAM Activity

23. Live Hack – Getting closer

24. Live Hack – Much more like it

25. PRAY TO THE
LIVE HACK –
GODS!!!!