January 28, 2023
Continued growth in cloud spending highlights the maturing of organisations’ use of cloud services to deliver measurable business and technology outcomes. According to Gartner, worldwide spending on public cloud services is expected to reach nearly USD$500 billion in 2022, up from just over $410 billion in 2021, driven largely by growth in IaaS, DaaS and…

Continued growth in cloud spending highlights the maturing of organisations’ use of cloud services to deliver measurable business and technology outcomes.

According to Gartner, worldwide spending on public cloud services is expected to reach nearly USD$500 billion in 2022, up from just over $410 billion in 2021, driven largely by growth in IaaS, DaaS and PaaS. 

However, with this growth comes heightened attention on the cloud from malicious actors that use sophisticated techniques and malware to disrupt business, steal data and compromise corporate reputations.

Earlier this year Sysdig put out the fifth annual Sysdig 2022 Cloud-Native Security and Usage Report, which examines how our customers are securing cloud and container environments–and makes for sobering reading. Many best practices are not being followed.

We found that 75 percent of container images incorporate patchable vulnerabilities. Our monitoring uncovers tens of thousands of vulnerabilities in customer environments every day. 

We also identified that many customers made mistakes when configuring specific resources as well as at the cloud account level — 73 percent of cloud accounts included publicly exposed S3 buckets. In addition, many customers regularly receive security alerts indicating poor security hygiene in container environments.  

Our research also found that while teams typically understood the need to scan for container security vulnerabilities, they may not be scanning for common configuration mistakes — opening up another potential threat vector. 

How did we get here?

While the move to the cloud opens a world of opportunities, teams are often stuck, not knowing where to begin with security. Speed is the overarching goal behind the design of modern cloud applications, but the underlying technologies powering this transformation pose challenges to security teams.

Developers configuring infrastructure at will and deploying containerised microservices, create a visibility gap for security teams. The endless list of software vulnerabilities and misconfigurations combined with the fast pace of software releases causes developer fatigue, which in turn leads to a remediation backlog. At the same time, security teams struggle to keep up with alerts, often riddled with false positives, in the face of resource constraints, shortage of cloud-native talent, rapid proliferation of cloud services, and siloed security tools. Teams are left wondering where to begin.

Addressing vulnerabilities and mitigating risk

So what does your organisation do? For example, in the case of patchable vulnerabilities in runtime, do they delay deployments to fix these problems, or accept the security risk, continue to release software, and simply hope malicious actors ignore the opportunity these vulnerabilities present? 

We believe businesses need to proactively address vulnerabilities and mitigate risk when moving to cloud or starting out as a cloud-native operation. 

They need to be aware that cloud attacks can cause extensive financial damage — for example, while few stories emerge of businesses being crippled by a cloud-specific threat, cryptojacking can impact an organisation and its relationship with its cloud providers.

While some cloud providers use features that stop illicit mining for cryptocurrency on third-party computers, businesses need to be accountable for their own resources and workloads in the cloud. This means using tools to detect and shut down cryptojackers quickly to minimise financial losses.

Businesses also need to re-evaluate their view of container security. Traditional perspectives held that containers were too niche for attackers to engage with and the risk of exploits was minimal. Unfortunately, today, attackers view containers as target and tool. They know how to exploit them and  leverage containers at scale for malicious activity such as planting cryptojackers or planting credentials for use as a backdoor into an environment. 

In summary, the same value cloud delivers to businesses — scalability, automation, rapid development, the ease of creating and tearing down environments — provides opportunities for attackers. Bad actors are already taking advantage of these capabilities to make money or disrupt.

Effective cloud and container defence means keeping up to date with the threat landscape. If businesses are not aware of changes in the way attackers run exploits and design infrastructure, they cannot ascertain how attackers are going to come after them. 

To understand how the landscape is changing, businesses may choose to employ research staff; pay a threat intelligence agency or similar provider to provide feeds of the evolving landscape; or demand updates from a tool vendor.

Securing the software supply chain

Software supply chain attacks are among the most insidious and damaging attacks. The software supply chain echoes the physical supply chain, with raw materials — in the case of software, common libraries, code, hardware and the tools that transform code — into a deliverable such as a user-facing application. 

A malicious element within the chain can propagate downstream and cause severe damage to businesses, consumers, partners and others.

Docker Hub — a public repository from which businesses can pull down container images–can present a serious risk to software supply chains. The Sysdig Threat Research Team built a custom system to scan Docker Hub and identify malicious container images — and found attackers were actively using Docker Hub to spread malware. 

As well as cryptojackers, The Sysdig 2022 Cloud-Native Threat Report  found malicious websites, hacking tools and containers disguised as legitimate packages such as pytorch and Drupal. 

So how do businesses identify malicious container images and avoid infiltration? The answer is to validate all images from Docker Hub or other repositories as legitimate and scan them with a vulnerability management tool. They should also apply policies to ensure that an image is checked as it traverses the pipeline to ensure it is still the verified, scanned version.

Cloud and container security does not stop with the right tools and internal controls, as clever attackers and even malicious insiders can find ways to bypass them. Attackers will want to execute their disruptive plans, while internal teams may be time-poor or simply not have the skills to implement appropriate cloud security  controls. Even the strongest prevention program needs a safety net. For businesses, this means applying a run-time detection and response process, incorporating a security monitoring system that provides timely alerts when required.

As attackers now understand l the value of cloud resources and containers to cryptomining, operational disruption and theft of data and finances, proper defence assumes even greater importance. All defence strategies should incorporate visibility of cloud and container environments as part of a comprehensive threat response posture.

Anthony Leverington is the Country Manager — Australia & New Zealand for Sysdig