[BreachExchange] Why it’s time to fight back against cyber risk to cloud computing and virtual machines

[Destry Winant]

https://www.cloudcomputing-news.net/news/2018/oct/31/why-cyber-risk-cloud-computing-virtual-machines/

Cloud computing is now a primary driver of the world’s digital
economy. Governments, large corporations and small businesses are
increasingly implementing cloud-based infrastructures and solutions to
store their sensitive data and manage their operations.

While the cloud offers lower costs, scalability and flexibility, it
also expands a company’s risk profile exponentially. In fact,
attackers are continually refining their techniques to take advantage
of the millions of identical binary templates for virtual environments
(aka golden images) that power those cloud and Virtual Machine (VM)
benefits.

Cloud and VM environments share parallels with Genetically Modified
(GM) crops – yields are extremely high around carefully developed
identical DNA sequences, but a single bug or virus can scale to
destroy not just one, but all crops in a monoculture since there is no
natural diversity to protect them. In a cloud context, a zero-day
attack can take down all production systems and disaster recovery
systems, disrupting business continuity and prompting financial loss.

Because traditional cybersecurity protections such as encryption,
firewalls, intrusion prevention, and endpoint protection have been
historically successful, adversaries have introduced new zero-day
techniques to bypass them. Such modern techniques include memory
corruption, return/jump oriented programming (ROP/JOP), and
compromised supply chain attacks. The White House described the recent
NotPetya supply chain attack as the “the most destructive and costly
cyber-attack in history.”

Growing risks in cloud computing

One of the greatest unintended consequences of both the cloud and VMs
is that they expand the attack surface. Whenever data is stored across
remote servers and VMs, risk is not just involved, but elevated. While
a company may know its own source code, configurations, equipment,
personnel and processes, cloud computing introduces the
vulnerabilities of globally sourced third-party hardware, software and
configurations that surround, penetrate, and bind the remote
environment altogether.

Unfortunately, zero-days are not conveniently located in easy to
inspect areas but can instead spread between components and layers in
the network, storage, and server stack, from firmware, to bootloaders,
hypervisors, containers, operating systems, middleware, libraries, and
frameworks, and apps. A report by the Ponemon Institute found that
“fileless” (memory-based) malware attacks are now almost ten times
more likely to succeed in infecting a machine than traditional
file-based attacks. These attacks evade detection by using a system’s
own trusted files to obtain access.

Supply chain attacks are also on the rise and grew by more than 200
percent in 2017, according to Symantec's annual Internet Security
Report. And so far in 2018, the Zero Day Initiative noted a 275
percent spike in virtualisation software bugs that offer the
possibility of compromising within or across VMs.

Even in the physical world, examples of massively replicated golden
images exist. In 2015, hackers compromised one Jeep truck, forcing
manufacturer FCA Group to recall 1.4 million vehicles for updates –
the world’s first vehicle cybersecurity recall. And in 2017, the FDA
recalled nearly 500,000 pacemakers for firmware updates when it
discovered lax cybersecurity could allow the devices to be hacked.

Why once successful security tools now fail

Traditional perimeter security tools no longer offer full protection
in this complex and connected environment. The cybersecurity paradigm
over the last 40 years has been one of increasingly clever detection
via patterns, rules, analytics, and artificial intelligence rather
than on preventing attacks from happening in the first place.
Zero-day is another name for the increasing numbers of attacks
detection engines miss, inadvertently adding an organisation’s name to
yet another “wall of victim logos” slide for the next cybersecurity
forensics and after-action reporting conference.

There is already a growing chorus for stronger security. The
Department of Defense says cyber defence must move beyond “just the
networks,” and the National Security Agency notes adversaries are
increasingly turning to supply chain exploitation.  Security standards
and common defence can differ from provider to provider. Many strive
to meet the standards of their industry, whether that be FedRAMP for
government or PCI for finance. But even being compliant with
standards, rules and regulations sometimes isn’t enough.

The problem is that most standards focus on detection and after-action
reporting with limited attention to newer fileless or supply chain
attacks.  A common hope is that strong encryption will somehow catch
new types of attacks, However, there is actually no effect on memory
corruption or compromised supply chain attacks that can come hidden in
correctly signed and encrypted updates, or simply be pre-positioned
within third party infrastructure.

Adding a deeper layer of defence

RASP is a term initially coined in a 2012 Gartner report titled,
“Runtime Application Self Protection:  A Must-Have, Emerging Security
Technology.” It’s a technology that is linked or built into an
application or application runtime environment that is capable of
controlling runtime execution and detecting and preventing real-time
attacks. Forresternotes that RASP tools are used as a deeper layer of
application defence by using insider information of the applications
they protect to help more effectively detect and deflect malicious
attacks. RASP techniques are enjoying widespread adoption – so much so
that the RASP market is forecast to grow at a CAGR of 48% between 2018
and 2022 by ResearchandMarkets.com.

An implementation of RASP can bridge the growing security gap in the
cloud. It can stop attacks and attack scaling rather than simply
remediating symptoms. RASP offers built-in security to prevent
real-time attacks with techniques such as binary stirring, control
flow integrity, and stack frame randomization, reducing the attack
surface and rendering zero-days built on memory corruption and supply
chain attacks inert.

Early attempts at RASP added too much overhead to the code, were too
limited in scope or perturbed functionality by trying to graft agents
onto code. Others also had impractical requirements like the need for
access to source code and recompilation, or the need for new hardware,
new software or new services that made them impractical to use. But
those limitations have now been overcome. Modern RASP can be added to
existing or new binaries quickly, easily and economically.

RASP is also not a replacement for current tools since all the
traditional attack vectors still occur; but it represents a new layer
of protection that can quickly and easily integrate with existing
on-premises, cloud, or web-based development deployments and update
processes.

At a time when cloud-based applications and virtual machines are
critical to the operations of government institutions and private
enterprises, we can no longer put all of our security in the perimeter
security and detection tools basket. Utilising RASP technology might
just be our best chance for society to stay one step ahead of
attackers, and prevent scaling, memory and compromised supply chain
attacks from executing.