Stratus Report: SX Research Team Reveals New X-Cloud Security Threat

Manuel Nedbal

March 21, 2018

In 2005, Gary McGraw and Brian Chess published a taxonomy of code vulnerabilities exploited by attackers.  Today, the “Seven Pernicious Kingdoms” continue to be used by MITRE to classify vulnerabilities. With the onset of cloud computing, it is time to begin a new taxonomy that accounts for attacks on cloud infrastructure.

Large data centers and cloud environments have opened new attack vectors. As organizations adopt cloud computing and virtualization technologies, hackers are taking full advantage of the data exfiltration and computer hijacking opportunities provided by the dissolving security perimeter. The increasing rate of security incidents shows the urgency of identifying and protecting against these evolving cloud computing threats. In fact, one well known incident response firm indicated that 15% of their investigations now center on cloud attacks.

With cloud computing, the perimeter moves into these new environments, into unprotected territory. Most companies have invested heavily in traditional multi-layer security appliances, such as firewalls and intrusion prevention systems (IPS), that provide in-depth “north-south” perimeter protection against common cyberattacks. These controls are far less effective at securing lateral, or “east-west,” traffic: they cannot move into public cloud environments, they were not designed to handle the sheer volume of cloud traffic, and forwarding the right traffic to them is an operational hurdle in itself.

When enterprises lack lateral defenses, the attacker has the advantage once inside the perimeter. If an attacker finds a way into a public Amazon AWS or Microsoft Azure environment, he or she can then easily pivot into an on-premise data center. The seriousness of this problem is highlighted by an increasing number of news headlines reporting massive data leaks, like the Equifax breach, or theft of computer resources, as was the case with the recent Tesla cryptocurrency mining attack.

In the last few years, attackers have become increasingly skilled at using automation to accomplish their goals. Network worms like WannaCry, Petya and NotPetya are perfect examples of how automated attacks can spread laterally within networks in a matter of hours.

The opportunity for attackers is growing because most security practices still follow physical data center layouts instead of aligning with the virtualized, overlay model in which today’s environments are actually used. When traditional security tools are applied to virtualized environments, the following three issues most often lead to gaps in protection:

  • Problems operationalizing security controls (setup, scale, maintain)
  • Issues with coordinating multiple products for each environment
  • Aligning security controls with changes in environments

Our SX Threat Intelligence Team has been very busy studying the different forms of attacks enabled by cloud adoption. Over the next few weeks (and throughout the year as new attacks evolve), we will be outlining the cloud attack categories that our team believes will give cloud-enabled organizations the most trouble in 2018.

If your organization is considering a move to a virtualized or public cloud environment (or if you have already made the move), then it will be important to pay attention to this list and make sure your organization is prepared to proactively defend against these categories of cloud attacks.


Attack #1: Cross-Cloud (a.k.a., X-Cloud)

Many enterprises are under the impression that they can go easy on security if they don’t host ‘critical workload’ or ‘sensitive data’ resources in the cloud, but they couldn’t be more wrong. Attackers commonly use public clouds to gain entry into on-premise data centers.

Once your organization makes the decision to migrate any workloads into the public cloud, the perimeter of your on-premise data center also extends into that public cloud environment.

So appropriate defenses are needed there too, but the security controls that protect your on-premise data center cannot easily extend into your public cloud environment.

This forces many organizations to adopt a fragmented security posture that is complex to maintain and leaves the door open for attackers. Public cloud workloads can become infected with malware. As the malware replicates and spreads, the attack can easily jump from the public to the private cloud using standard protocols—if there are no lateral defenses in place.

Moving forward, we expect cloud attacks to accelerate and grow in sophistication. While there is no silver bullet solution that will address every cloud security risk, industry collaboration and intelligent cyber security will enable better defenses and in turn greater business value from cloud innovations.

To this end, we are building a compendium of cloud security threats that we hope will be enriched through industry collaboration. Our goal is to create a taxonomy that can not only be used to classify cloud security vulnerabilities, but also offer a standard way to evaluate the effectiveness of cloud security tools and provide a baseline for threat identification, mitigation and prevention efforts.

Stay tuned as we roll out our Stratus Report series, which will highlight new and known cloud threat categories that security practitioners need to be aware of when planning their cloud defenses. By leveraging diverse inputs from academia, government, security practitioners and other commercial vendors, we hope to provide the breadth of structure and depth of knowledge needed to serve as a unified standard of cloud threat vectors.

If you would like to join in the conversation, feel free to comment—agree, disagree, or weigh in with a new cloud attack category below.