Responding to Cloud Acceleration


A move to Cloud, otherwise referred to as the ‘Cloud Shift,’ that has triggered a change in the way organisations run, is accelerating across businesses.

SecurityHQ says it has experienced this shift across practically every sector and, in response, is highlighting the new threats that are emerging out of this shift.

A Positive to Business – Cost Reduction!

Now that this model of service is gaining confidence, has been tried and tested, even smaller companies are choosing to make the shift to cost-effective models of Cloud operation.

A Negative for Business- Greater Threat Surface!

While costs may be reduced, a change in Cloud configurations and administration means that there are many new opportunities for adversaries to detect vulnerabilities, and to exploit misconfigurations in Cloud environments.

Businesses must take into consideration the follow key points, to reduce their threat surface when making the shift to Cloud.

A Shift to API Monitoring

With many additional intercommunications between applications and automations, Application Programming Interfaces (API’s) are more powerful than ever. Almost all admin activities and enumeration activities are possible via API calls. One such Example can be enumeration of all S3 Buckets:

The following command uses the list-buckets command to display the names of all your Amazon S3 buckets (across all regions):

aws s3api list-buckets –query “Buckets[].Name”

Typically, developers use this a lot. However, with some modelling and learning we can catch some bad actors here.

Federated Accounts

With hybrid Cloud models, often during transition phases, we may see attackers ambushing trust relations where the cloud accounts are likely still integrated with traditional identity management systems, such as Windows Active Directory. It is important to monitor behavioral use cases, to watch and catch adversaries moving laterally to Cloud resources.


This age-old technique of leveraging misconfigurations is still relevant. Although many Cloud computing solutions today allow auto fixing of the overly permissive policies or configurations, the business continuity and pressure to get things working will always have a higher priority.

Watch out for default security group configurations, which allow unrestricted outbound access. This is an easy channel for adversaries to conduct data exfiltration.

Firewall Controls

With Cloud infrastructure, the pricing model greatly depends on storage being utilized. In many cases, you may notice that logs are one of the biggest consumers of storage than the application itself. Traditionally, for on-prem models, the perimeter security firewalls were crucial to be monitored and further internal activity revolved around application and access logs generated by the systems themselves.

With Cloud monitoring Virtual Private Cloud (VPC), traffic is an essential element to monitor, especially traffic between different security groups. This can be optimized by logging crown jewels as these flow logs tend to be noisy.

There are several use cases that can be built around the VPC logs to detect traditional access attempts and excessive failures, which may indicate a broken service or an attack as well.


Correlation is key element when it comes to Cloud-based models. We cannot just have one single data domain to check for. Typically, in Cloud infrastructure, with AWS as an example, you will get data correlation from the following data sources:

Network Checks: IAM, Cloudtrail, VPC, S3 Bucket, Route53

Host Checks: IAM, Cloudtrail, Process Creation

Application-Level Checks: AD Logs, DB queries, Cloud trail, cloud watch, any vendor application logs

An Attackers Eye View

An attacker will usually following the below sequence.

  1. Check for exposed services
  2. Exploit a vulnerable or misconfigured service
  3. Escalate privilege
  4. Move laterally
  5. Detonate – final objective

It is just that indicators or trails of attack which are left, are different when it comes to Cloud-based attacks. Which means it becomes increasingly important to know how the client is set up on the cloud. This is crucial for investigation especially with serverless computing.