News

Cloud Data Security Experts Answer User Questions on Ransomware, More

• By David Ramel
• 10/22/2021

With cloud data security all over the news these days, experts Joey D'Antoni and Allan Liska recently answered user questions about the latest trends in ransomware and other current threats, best practices for cloud data protection and more.

The duo fielded questions from an audience of hundreds who attended the recent online tech event, Cloud Data Attacks & Prevention Summit, held by Virtualization & Cloud Review and RedmondMag.com, now available for free on-demand viewing.

D'Antoni, a principal consultant at Denny Cherry and Associates Conulting, and Liska, known on Twitter as the "Ransomware Sommelier🍷," each answered questions after conducting one-hour presentations.

D'Antoni, for example, discussed "top do's and don'ts," with a short list of the former represented in this graphic:

Liska, as befitting his Twitter moniker, focused on ransomware for much of his presentation.

"So let's start in talking about ransomware in the cloud," Liska said. "It's been a very hot topic this year, obviously, and will continue to be a hot, hot topic. The head of the NSA just said earlier this week that we can expect to hear about at least a ransomware attack a day -- or ransomware attacks every day -- for at least the next five years. So it's not going anywhere, unfortunately.

"But one of the areas that we don't see a lot of coverage of when we talk about ransomware is ransomware attacks in the cloud. So there are a few ways that ransomware groups right now are going after cloud infrastructure. And one of them is targeting your cloud infrastructure. So we definitely have ransomware actors that are going after the broader cloud infrastructure."

He then went on to explain how ransomware bad actors are attacking targets ranging from ESXi servers to exposed, "leaky" storage buckets.

But much of the value of these online tech summits comes in audience interaction, where attendees avail themselves with one-on-one access to certified subject matter experts to ask the presenters questions particular to their own circumstances.

With that in mind, here are some representative questions asked of both presenters, in no particular order.

Do you find that new cloud setups fail to become familiar with best practices in configuration?
D'Antoni: "That's a really good question. I think the cloud providers do a decent job for sort of telling you what to do, but they also allow you to kind of trip over yourself. I'll give two examples. And I'll make fun of those cloud vendors. Specifically in Azure, one of the things I really hate is, is when you create a VM, they put on a public IP on it. And I think 3389 is maybe open, which is the remote desktop port. 3389 is open to the world on that port, by default -- or on that IP by default. 3389 may not be open, but the public IP option is always checked. I hate that. It's a dumb thing. So that's something you can kind of fall into if you didn't know better."

"In Amazon, it's a little bit different. So you may have heard of like, there are 8,000 data breaches or more that are associated with data stored in S3 buckets that are open to the internet. And I always wondered why that was the case. And I didn't use Amazon for a time and I did again, recently in the last six months, and it's really, really challenging to enable network access to your S3 account. You have to write JSON, and do a bunch of stuff to do that. In general, the cloud will warn you of the things you're doing, but it won't necessarily inherently prevent you from doing, so that's kind of how you can get into those scenarios."

We stopped using Azure because of security, is there a way to know of a proven source provider to track any open holes or dark web users?
D'Antoni: "Yeah, just disconnect all of your systems from the internet [laughter]. There's not a great answer. No matter who your provider is, you're always gonna have some level of risk, even if your systems are completely air gapped, per the NSA. That's just always going to be a little bit of a challenge. I don't really necessarily think any of the clouds are more secure than than others."

Have you seen cases where bad actors will manipulate stored tokens, extending tokens, getting more time to perform bad acts? Is this a widespread issue?
Liska: "You know, it's a really interesting question. So in our own company and my own company Recorded Future, we rely heavily on AWS for our back end. And so we use a lot of AWS tokens. So token security is a really, really big problem for us. It's something that we have to watch. And so yes, especially for abusing cloud services, we've definitely seen a lot of threat actors will take and manipulate stored tokens so they can extend those tokens' time, and often use it for things like coin mining and other uses in AWS.

"For us, one of the things that we do is we use "honey" tokens that we kind of plant on the systems that don't have any value to them. But if we see that they're starting to be used or the threat actor uses them, that may be a sign that they've invaded our infrastructure, and we can then act to initiate a threat hunting mission, look for the bad guy, shut the tokens down on whatever system. So that gives us one sort of early warning system that threat actors may be looking to abuse the tokens that we have in our systems."

MFA usually requires a code that is sent to a phone to verify and we have computers in a part of our building that does not allow cell phones. Do you have suggestions for situations like this that would still allow us to use MFA?
D'Antoni: "Yeah, I mean, honestly, I would almost go back to looking at secure ID tokens, if you can't have a phone. I think that's the only good solution I can think of there. And they still make them. We had a customer recently, he wanted us to get them. And if you're not familiar, those are just a key fob that's got the seed in it, and that connects you. And I see somebody else [from the audience] commented a YubiKey would be good. That's a good point. So when I worked at a large cloud provider, we used card keys as our MFA. So we didn't actually use a phone."

In an IaaS [Infrastructure-as-a-Service] scenario, would Microsoft be also in charge of recovery in case of a ransomware outbreak with our Azure?
Liska: "No, not that I'm aware of. As far as I know, none of the cloud providers, even when you're talking about Infrastructure-as-a Service, are responsible for recovery after a ransomware attack. They're all relying on you to be able to do that, or hopefully preventing a ransomware attack in the first place. Which I know that's basically like, fingers crossed and hope for the best.

"But yeah, no, depending on which version of IaaS you have, and there are a whole lot of different variables here. One of the advantages of IaaS is if everything dies, they may have an immediate backup that they can pull and restore. And their backups are stored separately and stored offline, which is best practices for protecting against a ransomware attack. So you may have downtime. They may not be able to help recover, but they may be able to just wipe the infected system and pull up the restore from backup.

"But again, that's something that you absolutely have to check with your cloud provider. This is a really good conversation to have with your salesperson or your sales engineer, and say, 'hey, what happens when I get hit with a ransomware attack?' And then they're gonna tell you, 'oh, that could never happen. We have these protections in place and blah, blah, blah.' And okay, yeah, that will happen. So that gets defeated and kind of really gets to the brass tacks of what happens if there's a ransomware attack -- what's your responsibility and what's my responsibility? -- so that you have a clear understanding, and you can add that to your DR and IR plans and say, 'we're going to have to do this,' as our Azure infrastructure gets hit with a ransomware attack. And one last piece of advice, while you're having that conversation, make sure they're buying you lunch, so if nothing else, if they're going to give you bad news, you'll at least get a free lunch out of it." [laughter]

How do you view tape backup as immutable?
D'Antoni: "It's write once and then it goes into a box, and then it gets shipped off to your vendor [laughter]. It's not connected to my network. That's by far the biggest thing. And it's going to go live in Iron Mountain. In the event of Azure Archive and Amazon Glacier, those services store that data and ... it can't be deleted within like ... it's a super soft delete. So when you delete it, it doesn't get deleted for 14 days, and there's no way to override that. So that's something you would obviously -- if somebody issues an unscheduled delete -- you would want to be alerted on that. But that's definitely a kind of a feature of the services. Like I say, the tapes get written, and then at every company I've worked for, they go into a metal box, and then Iron Mountain comes back and picks up the box every day."

Is there an MFA based on voice print?
D'Antoni:"I've had MFA based on voice print. Microsoft, I know has a call option. I almost never use it. I use their app, or I use the code. So typically, I use admin notifications. And if I'm on a plane or something, I'll use the code. But I knew when I worked at Comcast, we had a voice-based application.

How can I scan my sites for signs of Magecart or other credit-card skimmers?
Liska: "So there are a lot of different ways that you can do this. Honestly, really cheaply: urlscan.io. If you plug your URL of your e-commerce site into there, it will look to see if there's any malicious JavaScript or anything like that that's indicative of a credit-card skimming site. That's just a quick-and-dirty way to take a look, especially for small businesses that may not have extensive security infrastructure. Generally speaking, aside from that, web application firewalls are your friend here, you can put in signatures that look for traffic that is similar to those that are that are indicative of major card activity."

Do you see the cloud as a safer alternative to on-premise systems given the trend of ransomware attacks? Do you think going back to the way of the "mainframe and dummy terminal" will be the future given how the cloud has taken the place of the traditional mainframe of yesteryear?
D'Antoni: I think there are organizations that can do security better than the cloud providers do. But I think in general, the cloud providers are going to do a better job at providing security and giving you an overview of what the security problems are than you can. If you work in a really giant IT organization, and you have big, massive datacenters, and you're really good at automating things, for sure.

"But in general, I think you're going to have better protections available to you, especially for a smaller organization. You're going to have access to stuff from a security perspective, and kind of from a network perspective too, that you wouldn't, you just wouldn't have access to if you're on-prem. You'd have to buy 20 or 30 different tools in order to get those things that are kind of just built into AWS and Azure."

And More!
Of course there were many more questions answered by both presenters, along with their presentations chock full of expertise, advice and commentary. As noted, you can watch the above session for free to catch up on everything.

But attending live summits provides multiple benefits, including the Q&A period (and prize giveaway!), so here's a list of some summits coming in the next few weeks that also focus on different aspects of cloud computing and security:

• Remote Workforce Summit -- Oct. 27
• Hybrid Cloud/Multicloud Security Summit -- Oct. 29
• Cloud Data Protection for 2022 Summit -- Nov. 2
• Microsoft Teams: Security, Performance & More Summit -- Nov. 5
• Enterprise Disaster Recovery in 2022 & Beyond Summit -- Nov. 10
• Top Security & Ransomware Threats Summit -- Nov. 12