Mitigation Strategies

Chris Swagler | August 28th, 2024


The treachery and constant evolution of the cyber threat landscape are well known at this point, as is the importance of awareness of problems as a precursor to addressing them. With cloud computing and storage gaining users across the globe, it is important to stay aware of the gravity and scope of the latest threats facing the cloud. What follows takes a look at the latest data on the cloud landscape, including brief case studies.

According to the 2024 Cloud Security Study published by Thales, four of the top five most highly targeted vectors for cyberattacks are cloud-based, focusing on applications, storage, and management infrastructure [1]. This data indicates that the cloud has overtaken on-premises and locally hosted targets. While not entirely surprising given rapid technological advancement and adoption, this inevitable arrival highlights the urgent need for organizations to make a robust cloud-focused defense strategy part of any cyber resilience program.

To further illustrate the complex challenges cloud-dependent organizations face in maintaining data integrity, research from IBM indicates that 40% of all breaches captured data stored solely in either a public or private cloud, and another 40% captured data that was stored in both cloud and on-premises locations [2]. As companies adopt more cloud-hosted and cloud-delivered technologies (around 60% of large organizations utilize “more than 25 SaaS [Software as a Service] applications and 30% have more than 50”), maintaining appropriate security for every single one of these applications is immensely challenging [1].

As threat actors focus their attacks on cloud environments, it should be unsurprising that close to 50% of businesses, per the Thales study, have experienced a breach in their cloud environment. Many of these breaches originate in third-party applications. While not all breaches necessarily result in lost data or organizational downtime, the rate is yet another concerning statistic pointing to the profound challenge of securing sensitive data. Continued data migration and cloud usage will likely exacerbate these risks.

Case Studies

To more fully capture the nature and challenges of cloud cybersecurity, what follows are several actual case studies demonstrating the numerous ways in which threat actors gain access to targeted networks.

Healthcare: False Invoice

Victim: Government Health Insurance Program [3]

How it happened: The victim entities were scammed into wiring payments in a series of schemes involving several threat actors operating out of different states. In most cases, threat actors created email accounts that looked nearly identical to legitimate businesses and hospitals. Targets were tricked via social engineering schemes into updating the bank account details for reimbursement payments. To cover their tracks, the threat actors used stolen identities to open bank accounts in the name of shell companies.

~~~~~~~~~

Construction: Unauthorized Access & Lateral Movement

Victim: Construction Risk Management Firm [4]

How it happened: The victim organization first reported that suspicious activity had been identified on its network, though there has been no definitive indicator of how the initial breach occurred. Once in the network, the threat actor was able to access sensitive information related to more than 60,000 customers as well as current and former employees. Because the organization did not have robust network visibility and lacked proper access controls, the threat actors were able to copy and exfiltrate highly sensitive data after escalating their privileges and moving with relative freedom throughout the network.

~~~~~~~~

Education: Leaked Credentials

Victim: Large Urban School District [5]

How it happened: A Russia-based threat group, Vice Society, used the legitimate credentials of a school employee to access the broader district network. These credentials were available on the dark web following a prior cyberattack. The employee in this case had wide access, including the ability to log in through the district’s VPN (virtual private network). Because this attack occurred over the Labor Day weekend, when internal teams were off duty, the threat actors were able to move extensively and unobserved throughout the environment. In the end, 500 GB of data was exfiltrated, including sensitive student information. The breach cost taxpayers approximately $18M to remediate.

Education: Social Engineering & Account Compromise

Victim: Public School District [6]

How it happened: A large school district lost more than $6 million after threat actors appear to have gained access to the email account of the district’s chief operating officer (COO). The threat actors monitored the private email correspondence between the COO and a district vendor. Eventually, the threat actors impersonated the leaders of both organizations in order to divert the district’s payments to its school bus contractor and a law firm into fraudulent accounts. So far, $3.6 million has been recouped.

~~~~~~~~

Government/Municipalities: Third-Party Data Breach

Victim: Department of Insurance, Securities and Banking (DISB) [7]

How it happened: The data breach at the Washington, D.C. DISB originated with an attack on a third-party technology provider. The LockBit ransomware gang accessed and stole 800 GB of data stored in the third-party vendor’s cloud, which contained sensitive client data. The technology provider discovered unauthorized activity in its private cloud hosting environment, which led to the identification of the breach. Following an investigation into the incident, it was determined that the threat actors had gained legitimate credentials via a brute-force attack, which were subsequently used to take over user accounts. Despite the system being taken offline and an investigation launched, some of the stolen data was publicly exposed.

Factors Contributing to Data Breach Cost and Mitigation

While there is no single or absolute way to avoid becoming a victim, various factors raise or lower the cost and difficulty of responding to a cloud-centered breach. One way to enhance your ability to identify and counter threats against your cloud environment is to limit, as much as possible, the factors that make cloud environments prime targets. The 2024 IBM Cost of a Data Breach Report identified several of these factors. Here are the top five, in order of additional cost:

Complicating Factors

  1. System complexities, which can include overlapping tools, patch management processes (or lack thereof), data storage, and more
  2. Skills and personnel shortage, specifically related to the cybersecurity and IT teams
  3. Breaches of third-party vendors and software providers
  4. Regulatory non-compliance
  5. Migration of data from local network storage and operations to the cloud or from one service to another

Mitigating Factors

In conjunction with these compounding factors are those that “reduced the average breach cost” per the IBM report. Again, the top five:

  1. Employee training, including for identifying and reporting phishing and social engineering attempts
  2. The utilization of AI to gain insights into network activity
  3. Implementation of a security information and event management (SIEM) system to log and trend network activity
  4. The development and practicing of an Incident Response (IR) plan to better ensure a quick response in the event of a breach or cyber incident
  5. Encrypting all sensitive data coming into and leaving your network
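The SIEM and logging point above, and the credential-based entry seen in the school district and DISB case studies, as an added example (not code from the article or from SpearTip): a minimal detector run over constructed VPN login records that flags a burst of failed logins followed by a success, and successful logins on weekends, holidays, or outside staffed hours. The log line format, thresholds, staffed hours, and holiday calendar are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample VPN authentication log; the line format is assumed, not taken from any real product.
SAMPLE_LOG = """\
2024-08-31 02:10:01 vpn login user=jdoe src=203.0.113.7 result=FAIL
2024-08-31 02:10:05 vpn login user=jdoe src=203.0.113.7 result=FAIL
2024-08-31 02:10:09 vpn login user=jdoe src=203.0.113.7 result=FAIL
2024-08-31 02:10:14 vpn login user=jdoe src=203.0.113.7 result=FAIL
2024-08-31 02:10:20 vpn login user=jdoe src=203.0.113.7 result=FAIL
2024-08-31 02:10:31 vpn login user=jdoe src=203.0.113.7 result=SUCCESS
2024-09-02 14:00:00 vpn login user=asmith src=198.51.100.9 result=SUCCESS
2024-09-03 09:05:00 vpn login user=asmith src=198.51.100.9 result=SUCCESS
"""

FAIL_THRESHOLD = 5            # failures inside the window before a success (assumed tuning)
WINDOW_SECONDS = 300          # sliding window for the brute-force rule (assumed tuning)
STAFFED_HOURS = range(7, 19)  # 07:00-18:59 assumed to be staffed hours
HOLIDAYS = {"2024-09-02"}     # Labor Day 2024; assumed holiday calendar

def parse_line(line):
    # One constructed log line -> the fields the rules need.
    date, time, _, _, user, src, result = line.split()
    return {
        "ts": datetime.fromisoformat(f"{date} {time}"),
        "user": user.split("=", 1)[1],
        "src": src.split("=", 1)[1],
        "ok": result.split("=", 1)[1] == "SUCCESS",
    }

def detect(log_text):
    # Returns (rule, user, detail) tuples in the order the triggering events appear.
    alerts = []
    recent_fails = defaultdict(list)  # (user, src) -> timestamps of failed logins
    for line in log_text.splitlines():
        ev = parse_line(line)
        key = (ev["user"], ev["src"])
        if not ev["ok"]:
            recent_fails[key].append(ev["ts"])
            continue
        # Rule 1: a success preceded by a burst of failures from the same user and source.
        fails = [t for t in recent_fails[key] if (ev["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append(("brute_force_success", ev["user"], ev["src"]))
        recent_fails[key].clear()
        # Rule 2: a success outside staffed hours, on a weekend, or on a holiday.
        day = ev["ts"].strftime("%Y-%m-%d")
        if ev["ts"].hour not in STAFFED_HOURS or ev["ts"].weekday() >= 5 or day in HOLIDAYS:
            alerts.append(("off_hours_login", ev["user"], day))
    return alerts
```

Calling `detect(SAMPLE_LOG)` on the constructed log yields one brute-force alert for jdoe plus two off-hours alerts (jdoe on the Saturday, asmith on the holiday), and nothing for the Tuesday-morning login.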

This is not to say that improving upon these 10 areas will guarantee that your company’s operations remain free from cyberattacks or other security incidents. What it does mean, however, is that your organization will be better positioned to learn from those who have experienced significant breaches and operational downtime, and to implement a robust security program to defend against predatory threat actors.

If you want to learn more about how we help organizations prevent these targeted attacks, navigate here: https://www.speartip.com/shadowspear-cloud-monitoring/

Sources

  1. Thales. 2024 Cloud Security Study – Global Edition. https://cpl.thalesgroup.com/cloud-security-research. Accessed 13 Aug. 2024.
  2. IBM. Cost of a Data Breach Report. 2024, https://www.ibm.com/downloads/cas/1KZ3XE9D.
  3. Office of Information Security. Business Email Compromise (BEC) & Healthcare. 16 May 2024, https://www.hhs.gov/sites/default/files/business-email-compromise-healthcare-tlpclear.pdf.
  4. Thibault, Matthew. “Construction Insurer Hit in Data Breach.” Cybersecurity Dive, 6 Oct. 2023, https://www.cybersecuritydive.com/news/builders-mutual-data-breach/695697/.
  5. Gatlan, Sergiu. “Los Angeles Unified School District Investigates Data Theft Claims.” BleepingComputer, 6 June 2024, https://www.bleepingcomputer.com/news/security/los-angeles-unified-school-district-investigates-data-theft-claims/.
  6. Zaretsky, Mark. “After Hackers Stole $6 Million in City Money, New Haven Works to Tighten Protocols, Recover Funds.” New Haven Register, 11 Aug. 2023.
  7. City of Philadelphia. Notice of Privacy Incident. 20 Oct. 2023, https://www.phila.gov/media/20231018161713/Notice-of-Privacy-Incident_PDPH-Website_10_20_23.pdf.
