Monitor Cloud Systems and Detect Threats
Learning Objectives
After completing this unit, you’ll be able to:
- List the steps a cloud security engineer takes to detect attackers and prevent them from exploiting vulnerabilities in the organization's infrastructure.
- Describe a cloud security engineer's role in monitoring the security posture of cloud systems and infrastructure.
Detect Attackers and Prevent Exploitation of Vulnerabilities
In the last unit, you learned about Lisa, the cloud security engineer working on building a cloud-based application for a nonprofit. Lisa has securely developed, tested, and released the application to production. Lisa probably needs a well-deserved break, but not so fast. Now that the application has been released to production, her next task is to work with the operations team to help detect threats and monitor the security posture of the system.
New cyber risks and threats arise daily. Let’s take a look at some of the steps Lisa takes to help detect threats and prevent them from exploiting vulnerabilities.
One of the steps Lisa takes is performing threat simulations to detect possible risks. She emulates attacker tactics, techniques, and procedures to test the security infrastructure and discover weaknesses that need to be remediated before attackers do. Some of the threats Lisa simulates include:
- Phishing: Attackers seek to gain a foothold in the organization's cloud environment through social engineering, typically to collect credentials that grant access to the cloud environment.
- Distributed Denial-of-Service (DDoS) attacks: An attack that exhausts a target's resources with traffic from many sources in order to make a website or application unavailable to its users. The traffic can come from a group of attackers, or from a single attacker controlling many infected devices, all sending excessive network traffic to the application or website.
- Malware: Short for malicious software, malware is designed to disrupt, damage, or gain unauthorized access to a computer system. It comes in multiple forms, including Trojan horses (malware disguised as legitimate software), ransomware, and adware.
- Insider threat: This occurs when an employee of the organization inappropriately accesses, modifies, or deletes data. Insider threats can be motivated by financial gain, espionage, or a grudge held by a disgruntled employee. They can also be unintentional, the result of careless or negligent behavior.
Lisa performs threat simulations and penetration tests both from the internet, emulating an anonymous attacker, and from inside the cloud environment, within the context of a customer's access. She emulates the impact a compromised customer system or partner network could have by attempting to escalate privileges within the customer environment, reach the cloud's backbone infrastructure, and even cross into other tenants that share the same infrastructure. Tests that touch the provider's shared infrastructure are run only within the scope that the cloud provider's penetration testing policy permits.
Using a vulnerability scanner (such as Nessus for hosts and network services, or Burp Suite for web applications), Lisa also looks for security vulnerabilities in her cloud applications on a regular basis to find weaknesses for remediation before threat actors do. Scanner findings are fed into a SIEM such as IBM Security QRadar, which correlates them with log data rather than scanning on its own. Testing for security vulnerabilities regularly allows Lisa to keep control over the quality of her cloud-based applications while moving forward with confidence that current and future releases will meet security standards.
Lisa also guards against zero-day threats in the cloud. A zero-day vulnerability is one that was previously unknown to the vendor and defenders, so no patch is yet available, leaving a window in which cybercriminals can exploit it. Proactive threat simulation and penetration testing can surface some of these flaws before attackers do, and the layered controls Lisa already relies on (least-privilege access, network segmentation, and monitoring) limit the damage an exploit can do while a patch is still pending.
Monitor the Security Posture of Cloud Systems and Infrastructure
Lisa uses monitoring to ensure visibility across hosts and services in her cloud environment. She reviews and manages the operational workflow and processes within the cloud asset, using automated monitoring software. Let’s take a look at some of the monitoring tasks Lisa tackles:
- She configures monitoring for key systems to verify the Confidentiality, Integrity, and Availability (CIA) of resources and critical processes.
- She reviews system and application logs to verify completion of critical scheduled jobs, such as backups, and to detect any malicious activity.
- She inspects network traffic to detect threats across the entire kill chain. Encrypted traffic is inspected either by decrypting it at an authorized inspection point (a load balancer or proxy that terminates TLS) or, where decryption isn't permitted, by analyzing connection metadata such as destinations, volumes, and certificate details.
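The log review in the list above is easiest to see in code. The following is an added example, not part of the original unit or any Salesforce tooling; it runs two of the checks Lisa performs (did the scheduled backup complete, and is there malicious activity) over constructed sample events in a CloudTrail-like shape. The event data, the choice of `CreateDBSnapshot` as the backup marker, and the thresholds are all assumptions made for the example.

```python
"""Review cloud audit events for backup completion and for two malicious
patterns: a login that succeeds after a burst of failures, and calls that
disable the audit trail itself."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _ev(time, name, user, ip, **extra):
    """Build a constructed event using CloudTrail's common field names."""
    e = {"eventTime": time, "eventName": name,
         "userIdentity": {"userName": user}, "sourceIPAddress": ip}
    e.update(extra)
    return e


# Constructed sample data (hypothetical, not real log output).
SAMPLE_EVENTS = [
    _ev("2024-05-01T01:00:00Z", "CreateDBSnapshot", "backup-role", "10.0.1.5"),
    _ev("2024-05-01T01:30:00Z", "DescribeInstances", "bob", "198.51.100.5"),
] + [
    _ev(f"2024-05-01T02:0{i}:00Z", "ConsoleLogin", "alice", "203.0.113.7",
        responseElements={"ConsoleLogin": "Failure"})
    for i in range(5)
] + [
    _ev("2024-05-01T02:05:00Z", "ConsoleLogin", "alice", "203.0.113.7",
        responseElements={"ConsoleLogin": "Success"}),
    _ev("2024-05-01T02:10:00Z", "DeleteTrail", "alice", "203.0.113.7"),
]

# Review time for the example; in production this would be the current time.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# API calls that stop or remove CloudTrail logging (defense evasion).
LOG_TAMPERING = {"StopLogging", "DeleteTrail"}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def backup_completed(events, now, job_event="CreateDBSnapshot",
                     window=timedelta(hours=24)):
    """True if the backup API call succeeded (no errorCode) inside the window."""
    for e in events:
        if e["eventName"] == job_event and "errorCode" not in e:
            if now - window <= parse_time(e["eventTime"]) <= now:
                return True
    return False


def failed_logins_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Flag a user whose console login succeeded after at least `threshold`
    failures from the same source IP within `window`: a brute-force or
    credential-stuffing pattern worth an analyst's attention."""
    findings = []
    failures = defaultdict(list)  # (user, ip) -> failure timestamps
    for e in sorted(events, key=lambda e: e["eventTime"]):  # ISO strings sort in time order
        if e["eventName"] != "ConsoleLogin":
            continue
        key = (e["userIdentity"]["userName"], e["sourceIPAddress"])
        t = parse_time(e["eventTime"])
        outcome = e.get("responseElements", {}).get("ConsoleLogin")
        if outcome == "Failure":
            failures[key].append(t)
        elif outcome == "Success":
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= threshold:
                findings.append({"user": key[0], "ip": key[1],
                                 "failures": len(recent),
                                 "success_at": e["eventTime"]})
            failures[key].clear()
    return findings


def logging_tampering(events):
    """Any call that disables or deletes the audit trail is high priority,
    whoever made it, because it blinds every later detection."""
    return [e for e in events if e["eventName"] in LOG_TAMPERING]


if __name__ == "__main__":
    print("backup completed:", backup_completed(SAMPLE_EVENTS, NOW))
    print("suspicious logins:", failed_logins_then_success(SAMPLE_EVENTS))
    print("log tampering:", [e["eventName"] for e in logging_tampering(SAMPLE_EVENTS)])
```

On the sample data the backup check passes, the five failures followed by a success for `alice` from 203.0.113.7 produce one finding, and the later `DeleteTrail` from the same session is flagged. In practice the same login burst that ends in success followed by trail deletion is the sequence to escalate first, since the second event removes the evidence of everything after it.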
Lisa also develops, maintains, and reports on key cloud security metrics, such as tracking:
- The number of unmanaged devices having access to sensitive data on the cloud
- The instances of sensitive data on the cloud without organization-managed encryption keys
- The number of unmanaged cloud applications for which logs are not in place for tracking user activity
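The three metrics above, and the prioritization described next, can be computed from an asset inventory. The block below is an added example, not code from the original unit; it works over a constructed inventory snapshot (hypothetical devices, data stores, and applications), and the field names, the `key_type` values, and the severity assignments are assumptions made for the example rather than any real CSPM export format.

```python
"""Compute cloud security posture metrics from an inventory snapshot and
turn the gaps into findings ordered by severity for remediation."""

# Constructed sample inventory (hypothetical data, not real account contents).
DEVICES = [
    {"id": "laptop-01", "managed": True,  "sensitive_access": True},
    {"id": "phone-07",  "managed": False, "sensitive_access": True},
    {"id": "tablet-03", "managed": False, "sensitive_access": False},
    {"id": "laptop-09", "managed": False, "sensitive_access": True},
]
DATA_STORES = [
    # key_type: "org-managed" (a key the organization controls),
    # "provider-managed" (default key owned by the cloud provider), or
    # None (stored unencrypted).
    {"name": "customer-pii",  "sensitive": True,  "key_type": "org-managed"},
    {"name": "donor-records", "sensitive": True,  "key_type": "provider-managed"},
    {"name": "backups",       "sensitive": True,  "key_type": None},
    {"name": "public-assets", "sensitive": False, "key_type": None},
]
APPS = [
    {"name": "donor-portal", "managed": True,  "activity_logging": True},
    {"name": "shadow-crm",   "managed": False, "activity_logging": False},
    {"name": "file-share",   "managed": False, "activity_logging": True},
    {"name": "notes-app",    "managed": False, "activity_logging": False},
]

SEVERITY_RANK = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}


def unmanaged_devices_with_sensitive_access(devices):
    return [d["id"] for d in devices if not d["managed"] and d["sensitive_access"]]


def sensitive_data_without_org_keys(stores):
    """Sensitive stores not encrypted under an organization-managed key
    (provider-managed keys and unencrypted stores both count)."""
    return [s["name"] for s in stores if s["sensitive"] and s["key_type"] != "org-managed"]


def unmanaged_apps_without_logging(apps):
    return [a["name"] for a in apps if not a["managed"] and not a["activity_logging"]]


def posture_report(devices, stores, apps):
    """Return the metric counts plus findings sorted highest severity first.
    Severity levels are an assumption for the example; a real program would
    take them from the organization's risk policy."""
    devs = unmanaged_devices_with_sensitive_access(devices)
    keyless = sensitive_data_without_org_keys(stores)
    unlogged = unmanaged_apps_without_logging(apps)
    findings = []
    for name in keyless:
        store = next(s for s in stores if s["name"] == name)
        # Unencrypted sensitive data outranks data under a provider-owned key.
        sev = "HIGH" if store["key_type"] is None else "MEDIUM"
        findings.append({"resource": name, "severity": sev,
                         "issue": "sensitive data without org-managed key"})
    for dev in devs:
        findings.append({"resource": dev, "severity": "HIGH",
                         "issue": "unmanaged device with sensitive data access"})
    for app in unlogged:
        findings.append({"resource": app, "severity": "MEDIUM",
                         "issue": "unmanaged app without user activity logs"})
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["resource"]))
    return {
        "metrics": {
            "unmanaged_devices_with_sensitive_access": len(devs),
            "sensitive_stores_without_org_keys": len(keyless),
            "unmanaged_apps_without_logging": len(unlogged),
        },
        "findings": findings,
    }


if __name__ == "__main__":
    report = posture_report(DEVICES, DATA_STORES, APPS)
    print(report["metrics"])
    for f in report["findings"]:
        print(f"{f['severity']:6} {f['resource']:14} {f['issue']}")
```

Running the report on a schedule and keeping each day's metric counts gives the trend line Lisa reports on; the sorted findings list is what she hands to the team, with the unencrypted `backups` store at the top because it is both sensitive and outside any key the organization controls.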
This allows her to document security findings and the risk level associated with the cloud application in order to make informed decisions on how to prioritize issues for remediation. She uses these reports to discuss her security findings with other technical experts and explain their impact to the team and any relevant customers. They work together to remove vulnerabilities and harden the application’s security in a continuous loop of detection, monitoring, and response and remediation.
Resources
- Trailhead: Protect Against DOS and DDoS Attacks with AWS Shield
- External Site: Norton: Zero-Day Vulnerability
- Trailhead: Zero Trust Security in the Cloud
- External Site: CISA: CISA Develops Factsheet for Free Tools for Cloud Environments
- External Site: Simplilearn: 5 Things You Must Know About Cyber Security in the Cloud