Strengthen the Security of Your Organisation's Cloud Services

20 January 2021

Many organisations have adopted cloud-based IT services. With the proliferation of telecommuting, organisations may allow employees to use both personal and corporate devices to access cloud-based resources. Despite the use of security tools and cloud monitoring products, poor cyber hygiene and "Bring Your Own Device" (BYOD) policies may be exploited by threat actors to conduct attacks on organisations' cloud services. [1]

This advisory describes common causes of successful attacks against organisations' cloud services and provides recommended mitigations for organisations to strengthen their cloud environment configuration. In light of recent incidents related to the compromise of network monitoring products, organisations need to put in place adequate measures to monitor network traffic to cloud-based resources, strengthen their cloud environment configuration, and adopt good cyber hygiene measures to reduce the risk and impact of a possible cloud attack.

Common Causes of Cloud Attacks

Phishing

Threat actors may use phishing emails with malicious links to harvest users’ cloud service account credentials. In some cases, these emails may look like the login page of a legitimate file hosting service. Upon gaining access to the victim's cloud service account, threat actors may send phishing emails to other accounts within the organisation. These emails may contain links to documents within what appears to be the organisations' file hosting service. Some threat actors may also obfuscate their identities by logging in to the victim's account via a proxy or Tor (software for anonymous web traffic).

Authentication Bypass

Threat actors can use stolen session cookies for authenticating to web applications and cloud-based services. This technique can bypass some multi-factor authentication (MFA) protocols since the session is already authenticated. This is also known as “pass-the-cookie” attack.

Additionally, threat actors may attempt brute force logins on some accounts, using numerous username/password combinations to try and gain access to accounts.

Modified Email Forwarding Rules

After gaining access to a user's cloud-based email account, threat actors may collect sensitive information by modifying or creating new email forwarding rules. Employees typically use email forwarding rules for forwarding work emails to their personal email accounts. To abuse/exploit this, threat actors may update the rules to forward emails to the threat actors' accounts. Moreover, threat actors may modify existing rules to enable keyword searching and cherry-pick emails that contain finance-related keywords within the emails' subject and body.

Some cloud-email providers may alert users to possible phishing emails. To circumvent this, threat actors can create new mailbox rules that forward their phishing emails to the Really Simple Syndication (RSS) Feeds or RSS Subscription folder, to prevent warnings from being seen by legitimate users.

Recommended Measures

Organisations are recommended to adopt the following measures to strengthen their cloud security:

Secure Users' Accounts

Implement and enforce MFA for all users to prevent brute-force logins.
Consider setting restrictions on email forwarding rules to prevent threat actors from modifying existing rules. All email forwarding rules and alerts should also be reviewed routinely.
Enable existing built-in filtering and detection products (for spam, phishing, malware, safe attachments and links), to thwart attempts to gain access via phishing.
Users should only allow app integrations that have been pre-approved by an administrator to protect sensitive data and assets.

Monitor Network Connections and Review System Logs

Verify that all cloud-based virtual machine instances with a public IP do not have open Remote Desktop Protocol (RDP) ports. Place systems with open RDP ports behind a firewall and allow users to access them only via a virtual private network (VPN).
Ensure that client site requests are resolved internally to your network.
Establish a baseline for normal network activity within your environment.
Enable user access logging and consider using a Security Information and Event Management appliance (SIEM) for aggregation and monitoring of logs to maintain visibility even after logging periods.
Routinely review both Active Directory sign-in logs and unified audit logs for unusual activity.

Implement Robust Security Policies

Use a trusted mobile device management solution to manage your BYOD policy.
Implement conditional access (CA) policies based upon your organisation's needs; conditional access should be understood and implemented with a zero-trust mindset. Zero trust assumes that users are not trusted based on their physical/network location. It is a response to recent trends including remote working, BYOD, and cloud-based assets that are not located within an enterprise-owned network boundary. As such, authorisation and authentication should be required when establishing a session to an organisation's resources.
Use a CA policy to block legacy authentication protocols.
Establish clear channels for employees to report suspicious cyber-activity or when they believe they have been a victim of a cyberattack.

Conduct Security Awareness Training

Employees should be aware of common threats (such as phishing), and how they are delivered.
Develop a mitigation plan and guide/drill employees on the procedures in place, and to understand when, how, and why to reset passwords and revoke session tokens. In the unlikely event that your organisation is affected by an attack, having a plan in place and exercising it will help the staff know what actions to take and respond to the attack swiftly.

Additional Measures specific to your Cloud Platform

Depending on the cloud technology your organisation is using, you may consider these additional measures.

For organisations using Microsoft 365

Limit the number of unsuccessful login attempts. Refer to Microsoft’s documentation for instructions on how to configure these settings. [2][3]
Audit email rules with enforceable alerts via the Microsoft Security and Compliance Center or other tools that use the Graph API to warn administrators of any unusual activity such as the forwarding of sensitive emails to suspicious email addresses.
Disable PowerShell remoting to Exchange Online for regular Microsoft 365 users. Disabling this function for non-administrative users will lower the likelihood of a compromised user account being used to programmatically access tenant configurations for reconnaissance.
Consider using open-source PowerShell-based tools such as Sparrow or Hawk to detect any unusual or malicious activities in your Microsoft 365 environment. [4][5]
Assign one to three trusted users as electronic discovery (or eDiscovery) managers to conduct forensic content searches across the entire Microsoft 365 environment (Mailboxes, Teams, SharePoint, and OneDrive) for evidence of malicious activity.

For organisations using G Suite or Google Cloud Platform (GCP)

Use OAuth whitelisting to select third-party apps that can have access to your users' data across G Suite apps such as Gmail, Drive and Calendar. You may review third-party apps by examining the services requested by the app or checking for 'verified status'. Visit Google's App Access Control for more details. You may also consider some of G Suite's Best Practices for IT admins. [6][7]
Use Early Phishing Detection to warn users of suspicious emails.
Enable the unintended external reply warning in Gmail to protect your organisation from an unintentional leak of internal data.
Regularly review and update your Google Groups sharing permissions to ensure that all groups with sensitive information are kept private.
Use GCP Identity and Access Management (IAM) to control access by defining who has access to which resource and implement access based on a least-privilege principle. [8]
Use GCP's advanced Virtual Private Cloud (VPC) features to monitor inbound and outbound network traffic. [9]
Monitor API and other admin activity in Stackdriver Admin Activity Logs and data access activity in Data Access Logs. [10]
Remove obsolete virtual machine images and ensure that the latest security patches have been installed to hosts within your environment.

For organisations with cloud services hosted on Amazon Web Services (AWS)

Implement a robust password policy using AWS IAM. [11]
Use MFA for Bucket Deletion and restrict access to CloudTrail Bucket Logs.
Assign IAM Roles to EC2 Instances. An assigned IAM role eliminates the need for applications to use AWS credentials when making API requests.
Monitor and control inbound and outbound traffic by using AWS Security Groups, which acts as a virtual firewall. [12]
If your server infrastructure requires more than one server, use Amazon VPC to define a private network for a group of servers.

References

[1] https://us-cert.cisa.gov/ncas/analysis-reports/ar21-013a

[2] Password Smart Lockout: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout

[3] Sign-in Activity Logs: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins

[4] Sparrow: https://github.com/cisagov/Sparrow

[5] Hawk: https://github.com/T0pCyber/hawk

[6] Google App Access control: https://support.google.com/a/answer/7281227

[7] G Suite Best practices: https://cloud.google.com/blog/products/g-suite/take-charge-your-oauth-ecosystem-these-best-practices)

[8] GCP IAM: https://cloud.google.com/iam

[9] GCP VPC: https://cloud.google.com/vpc/docs/vpc

[10] GCP Logging: https://cloud.google.com/logging/docs/audit

[11] AWS IAM: https://aws.amazon.com/iam/