WithSecure™ Cloud Webinar Series:

How to detect, identify and successfully respond to common cloud attacks

The WithSecure™ Cloud Webinar: How to detect, identify and successfully respond to common cloud attacks took place on 12th May 2022 – it’s the first in a series of two such events. Our panelists went over time trying to address all of the questions posed by attendees, so this article tackles two outstanding queries from our audience.

Answers are provided by Mehmet ‘Mert’ Surmeli, Senior Incident Response Consultant and Nick Jones, Principal Security Consultant.

Q1. With hybrid (cloud/on-premise environments) how have IT security roles and responsibilities changed for local IT teams over time and what is the future looking like?

Mert: Everyone is responsible for the security of their organizations. With cloud having learned from the lessons of the on-prem networks, we are seeing the majority of the cloud IT teams adopting this approach and keeping security in their foremind when planning and building new solutions – and this is the way it should be. IT security can be a vast number of teams with different objectives, but in terms of helping other IT departments. It is the responsibility of the IT security teams to train the other IT teams on thinking security first and abiding to the golden advice of network segregation, credential security and ensuring systems are patched continuously.

Nick:Organizations that have been successful in their cloud adoption have largely chosen to integrate their cloud engineering with their existing IT functions, rather than as standalone teams or organizations. The same applies for security teams - those who are successful, integrate cloud expertise into their existing organization and workflows. The future lies in integrating security more tightly with the development and engineering processes, and building security knowledge directly within the engineering teams.

Over time, more successful organizations are seeing security take a greater role in supporting engineering, rather than acting as gatekeepers – as has often been the case historically. I expect to see the makeup of security teams in high-performance organizations shift accordingly, with an even greater emphasis on hiring for engineering skills and cloud experience over traditional security knowledge.

As hybrid environments grow, it becomes harder and harder to scale security teams to match the demands of growing environments. As such, organizations that are not well equipped to leverage automation to support many of their security tasks will struggle to keep pace with the demands of the organization. This presents significant risk to the business, as this is when things begin to slip through the cracks.

Q2: How do we protect on-premise backups from being encrypted?

Mert: This question has multiple layers to it; but generally, from the incident we observed, following advice is critical.

A. Ensure backup systems are patched.

B. Ensure the account/credentials used by the solution is hardened and is restricted as per the advice of the vendor(!).

C. Ensure the backup systems are network-segmented into a secure VLAN with restrictions to certain communication ports. This also allows you to isolate the backups environment if you need to! Again, most vendors will have guidance on how to establish this.

For answers to a lot more cloud cyber attack questions, watch the full webinar here.

Speakers

Mehmet ‘Mert’ Surmeli
Senior Incident Response Consultant, WithSecure™ Consulting

Mehmet Surmeli is a Senior Incident Response Consultant at WithSecure™, a research-led cyber security consultancy.

Mehmet initially started his cyber security career in the telecommunication industry as an incident responder, specializing in forensic investigations and malware reverse engineering. Since joining WithSecure™, he has undertaken several research projects including a Linux Triage Collection project called “Linux CatScale” and Microsoft Azure and M365 Investigation scripts. He has led multiple major investigations at multi-national organizations involving advanced threat actors. Mehmet has also authored several blog posts on WithSecure’s website and Labs portal, and has presented at CRESTCon UK 2021.

Nick Jones
Principal Security Consultant, WithSecure™ Consulting

Nick Jones is a principal security consultant at WithSecure™ Consulting, where he leads the cloud security team. Nick focuses on AWS security in cloud-native organizations and large enterprises, and in helping organizations build detection capability against cloud-native attacks. He has previously spoken on the topic at RSA, fwd:cloudsec, DEF CON Cloud Village, t2 and others, and maintains Leonidas, an open source cloud attack simulation framework.