Navigating The Cloud – Expert Insights On Emerging Cloud Threats And Complexities

Jordan: So good afternoon, everyone, and welcome to today’s fireside chat. We’re super excited to be here. Today’s fireside chat is called ‘Navigating the Cloud: Expert Insights on Emerging Cloud Threats and Complexities’. My name is Jordan with the team here at Cado Security, so I’ll be moderating a little bit at the beginning and at the end, but James will be our main moderator today.

I’m really excited to welcome our presenters to you today. So we have James Campbell, who is Cado’s CEO and co-founder and Robert Wallace, Senior Director at Mandiant. So thank you both for joining us today. But before I pass it over to you guys to do some brief introductions and to kick us off, I wanted to note a few things at the front of today’s webinar.

So first, for all attendees, we are going to leave time for an open Q&A at the end of today’s session, so you can feel free to post questions inside the Q&A function at the bottom of the Zoom screen and we’ll address as much of those as we can at the end of today’s session. Also, this webinar is being recorded and will be available on demand later, as well.

Okay, I think that’s it from my side to kick things off. So, without any further ado, I’ll hand it over to James and Robert. So, why don’t you guys just do some brief introductions and then James, you can kick off the conversation.

James: Yeah, sure thing. Robert, you are the guest, so I’m going to let you go first. And then I’ll go after you. Not a problem.

Robert: All right, sure. So, hey, everyone. Happy to be here. Robert Wallace, Senior Director at Mandiant. I’m an incident response consultant. Been doing digital forensics for a long time now. I’m hesitant to quote the number because, we’ve got…

James: I like how you hesitated when you were trying to figure out how long it’s been.

Robert: We’ve been at this, we’ll just say north of 15 years and we’ll just cut it right there because we’re splitting hairs at that point. We’ve been doing this a long time. I’ve been at Mandiant for nine years and prior to joining Mandiant I used to work at PwC doing computer forensics and response, which is interesting, so that’s how James and I first met, working cases together at PwC. What, 10 years ago? It’s been a minute.

James: I’d say it’s been close to 10 years, which is pretty scary. But yeah, I think you’re about right.

Robert: Yeah, absolutely. So James and I go way back. We’ve been in the trenches for a long time now. So I’m happy to be here and working with Cado. We’re partners now, right? And it’s a fascinating partnership from our perspective, because James, like you, you’ve been doing this work for the majority of your career, and now you’re building tools for investigators to leverage. And, from my perspective, there aren’t a lot of tools that are born out of actual incident response and forensics. And so, you know what you’re building, it just caters to a very specific need.

James: Born out of a need.

Robert: Absolutely. I have to ask you, you know, going back in the day did you ever envision this of yourself? When we were working cases together and always fighting with our tools and so frustrated with them and always imagining ‘It’d be so much better if someone did this’ and I feel like that’s like your origin story.

James: Oh, yeah, to be honest, my origin story is like, so for those on the line, and thank you for joining, so my background as Robert said it’s cyber incident response as well, starting out with the Australian Signals Directorate, better known as the Australian Cyber Security Centre now, doing incident response for national government. But now I live in London working as a consultant as well and doing incident response for PwC across Europe and that’s how Robert and myself met.

And I guess the one thing, and I think we’ll touch base on some of it today, talking about some of the threats and how we’re dealing with it now versus how we were dealing with it then, nice segue to that is, a lot of what we’re doing at Cado just came off the back of my own daily grind, trying to help customers deal with incidents. And I think one of the things that really fascinated me about our space is it’s like even today, right, some of the tooling we use in incident response has the exact same interface I had when I was a graduate in 2007.

It’s the same kind of coursework, the same everything, and largely hasn’t changed. And so, I think today would be great I think for the audience here to hear from yourself, Robert, about what’s changed in our environment, how attackers have changed. And I think more importantly why it’s so important that the space of incident response and forensics starts to modernize, I guess, in a way which is going to keep up with the challenge because at the pace we’re going right now, it is a struggle, right? So it is a struggle.

Robert: Yeah, absolutely. I mean, it’s a nice segue there, teeing up into what we’re seeing and how the space is evolving. So I have to put a plug out there: today we’ve released the Mandiant M-Trends 2024 report. We put that out annually and it tracks all the trends that we’re seeing over the past year. A lot of stats, a lot of metrics and some of the stories that go with that, but there’s a section in there just dedicated to what we’re seeing in the cloud.

The report just came out, so I’m probably going to butcher the stats, but I was studying up on it the past week. I think in our customer base 90% of our customers that we’re doing incident response for leverage the cloud in some capacity, right? So, from our perspective, like, the cloud’s ubiquitous, pretty much everyone’s using it. And that also is the same for attackers, right? That’s where the data is.

There’s also a lot of keys that are stored in the cloud. And that’s a big trend within the M-Trends report, targeting the cloud. It’s not just for, like, stealing data from publicly-exposed S3 buckets. We’re seeing a lot of supply chain attacks where it’s like, let’s see how many AWS IAM keys I can steal and then pivot into all those customers’ environments. And you just see them hopping in and out of everyone’s clouds.

And that type of activity, it’s been around, right? We saw it in data centers back in the day, right? Now we just see it in a new form and we still see the data centers and on-prem and all those other sort of components of an investigation playing a part in it, right? The cloud’s just one other source of evidence. It’s not to say that all the threats are just in the cloud, right? We see a lot of what we call ‘vertical movement’, right? You may be familiar with the traditional lateral movement of attackers moving in and around the data center, internal reconnaissance. Now we’ll see them socially engineer a user, get onto an endpoint, typically a developer’s, and then move vertically into the cloud once they’ve stolen the data.

James: Do you find, say, this is exactly why we have you on here, Robert and, getting it from the horse’s mouth, so to say, I think there’s no better place than Mandiant to talk about the experience of what’s genuinely happening every day across multiple enterprises.

And I guess, when you come across these kinds of incidents that are involving some element of cloud, and no doubt involve on-prem a bit, SaaS platforms like Office 365 or whatever it might be, and also potentially cloud environments, who’ve got multi-premise-style situations that you have to investigate as part of one thing. But do you find most customers prepare, particularly when it involves cloud, or are they even aware around what the threats are and how it’s different to how they deal with the on-premise side of things? Or do you think there’s a lot more education to be had in there?

Robert: There’s a lot more education to be had, but also a biased point of view, right? A lot of organizations we’re working with, they weren’t previously thinking about all this, which is largely why they’ve engaged reactive consulting services to help them respond.

So, yeah, definitely seeing, like, folks just being unaware of, like, oh, here’s how attackers are bypassing multifactor authentication to take your keys and then pivot into the cloud environment. For a lot of people, once they look at it, they’re like, ‘oh, that was relatively trivial to pull off. How do we secure that going forward?’ It’s a different part of the equation, beyond the investigation piece of it, but it also is an opportunity to help folks harden their environments and just also, make sure you get the logs, right? I mean, how many times are you going to just, oh man, there’s no evidence, right?

James: Well, I guess on that point as well, I think some of the things we’ve seen, I’m sure it resonates with you as well. I’m interested if it does is I think people’s perception around the kind of shared responsibility model. So it’s we’re using cloud, it’s the cloud provider’s responsibility for security which isn’t usually the case, actually, and it’s like a shared responsibility model there, which I think a lot of people struggle with getting their heads around.

Do you feel like people taking onboard cloud services and the likes, that maybe they’re thinking, oh, actually, some of that security should be baked in or how does that come across on your side?

Robert: Yeah, not necessarily the sort of that shared responsibility. I know there’s been a lot of major cases in the news that Microsoft’s been dealing with. Google has this shared fate philosophy in terms of how they approach it. But still, organizations need to be getting logs, right? They need to have visibility, they need to manage their secrets, right, and manage those keys properly. I would also say where we see a lot of it, especially in the cloud space, we recently worked a Web3 case together, right? And if you look at a lot of Web3 organizations they are obviously very security-conscious, right? Because of the sort of the area they’re working in.

But also they build really fast, right? They go fast and they just forget to, like, hey, we need to be logging this. We’ll call it Web2 stuff, right? Some of their internal infrastructure stuff. Not just on-chain. And so, I mean, we just see really smart people who just weren’t even aware of all these configuration settings and how to harden environments and how also you need to monitor those components and those pieces of it.

James: That’s something I’d like to dive down into a little bit is that kind of complexity and the, I guess, that problem space. I guess wrapping up your kind of, opening statements there, which was really useful, thank you. You’re kind of clean cut, right? It sounds like you guys are dealing with quite regularly attackers leveraging cloud, right? That’s pretty straightforward. And it’s quite interesting, we do come across kind of customers where they don’t necessarily feel like that’s where a lot of the threat is, but certainly it seems, even from our point of view and your own that it is just a daily occurrence, given that data is shifting to the cloud, but operational activities for organizations rely on cloud as well. And so why wouldn’t attackers be there too?

My kind of final thought on that, and then I’d love to touch on, why is this a little bit complicated, I guess, and what complexities you’re dealing with that cloud brings to the table. But why do you think it is that a lot of people don’t think there’s a lot of stuff happening in cloud? So I would say there’s a bit of an understatement from a public perspective at least that not a lot is happening in cloud. But in fact, someone like yourself, who’s at the coalface of it every day, there is a lot going on.

Robert: Yeah, absolutely. I think people are just really focused on building, and cloud enables you to build really fast, scale really quickly. I’m sure even as a small business owner, right, you guys are building rapidly, you’re iterating, you’re constantly releasing stuff, right? And I think for really lean organizations they maybe sometimes overlook that need for monitoring and investigation capabilities, right?

I think they’re just moving so fast and they have the right mindset, they’re just overlooking some of these, I’m going to say, maybe they’re perceived as historical hacking problems, but it’s not. It’s the same threat actors. It’s every threat actor, right? From espionage to criminal to scammers, you name it. Everyone is in the cloud, from customers and clients to threat actors.

James: It was quite interesting. I quite often have the conversation where an organization is doing a bit of a lift and shift of a lot of their data center capabilities into the cloud whether it be any one of the major vendors. And I often have the conversation of like, ‘Oh, cool. Okay. That’s quite a risky period, right? You’re moving things, which are traditionally on prem, which have had a firewall and kind of a gateway in the way straight into cloud. Have you guys profiled that risk?

Have you got a way of detecting new threats or even responding to them as well? Like, if you found something as part of that transition, what do you do next?’ And they’re like, ‘Oh yeah, we’re definitely on our roadmap on our program, but we’re going to wait until the data is into the cloud and the systems are in the cloud. And then we’re going to look at our security program.’ which seems a little bit backwards to me.

Robert: It does, right? And you’re right. That’s a really vulnerable point in time when you’re doing that shift. And oftentimes what we see is like post-shift, people keep that data center running for a little while just because it makes them feel secure because they still have all that. Those data centers, that legacy stuff actually gets hacked a ton and then they just pivot right into the cloud.

So once you do that lift and shift, really make a concerted effort to sunset all of that old legacy infrastructure because that stuff’s just hanging out there as an avenue right into your cloud.

James: Yeah, no. Nice. And I guess from your perspective, what sort of complexities, and I’ll give us some examples myself, but I’d love to hear from you first, why do you think people are finding dealing with cloud challenging? It’s almost as if they know they have to do this, but it’s quite a task, it’s quite complex. What sort of challenges, like, what’s different between on prem and cloud in that respect?

Robert: I think one of the things that’s really different is some of the containers and ephemeral architecture things that aren’t persistent per se. How do you grab evidence from those things? How do you know if keys were taken from, like, I think the ephemeral nature of it is one of them, right?

James: Things are scaling up and down all the time.

Robert: Yeah, absolutely, right? There’s that component of it. And then I think the other one is just really taking the time to read the manuals, if you will, to figure out how to tune your logging just right. There are plenty of cases we’ve gone into like ‘oh, yeah, we have logging, CloudTrail logs’, for example, right? But they don’t have object-level auditing on. It’s just like, I didn’t turn this feature on. We know the attacker is here, but we can’t see what they’re doing because it’s not logged. Let’s go turn that feature on, right?

So I think those are the two main ones, right? The ephemeral nature of it and just the logging. I think cloud actually makes things a lot easier. And I think, and this is what I love about Cado. Like, instead of it being a challenge, you flipped it on its head. It’s like, no, we’ll use the cloud in order to investigate the cloud and speed this whole thing up.

James: Yeah, and I think we’ll touch on that in a second. I think one of the really important things around cloud is using its strength to also deal with a little bit of that weakness there. And that’s through that automation kind of component. But I guess resonating on the ephemeral infrastructure point of view, right? Like, I’ve talked to a few customers out there where they’re like, hey, we’ve got detections in our Kubernetes environment in say, AWS, just to pick one, it could be Azure or Google, of course in Kubernetes as well.

And we’ve got roughly a 15-minute life cycle on our containers that serve our external customers. We get a detection in there, the data’s gone by the time we get anywhere near trying to work out what’s going on. You could be at lunch, get a detection, data’s gone. That’s a scary position to be in. On-premise, right? If it was a server, you had a detection, server’s not really going anywhere, you can go and grab it, right? But with cloud, you’ve got auto scaling groups, you’ve got ephemeral infrastructure, even got serverless like Lambda and the likes of that, so all functions. And there isn’t even a server or something to query in that sort of case.

So, a lot of people just say, ‘Okay, cool. Now I have a hundred detections this month, which I had no way of triaging or saying I did the right things.’ And so that’s a hugely different challenge from that perspective.

Robert: Huge, right? Like, for me, I’m like, man, I wish all my customers had Cado deployed, so when we show up, we can just hop into Cado and evidence is being preserved.

James: That’s the idea. Yeah, all through automation. To give you an idea, we have some honeypotting infrastructure, of course, to keep an eye on some of the threats. And last time I was at an RSA conference, I was just actually demonstrating live compromises of the honeypotting infrastructure. And it was a container running in a cloud service provider. And we only had one vulnerable service, just one vulnerable service. We didn’t run a hundred of them, just one at a time, and it would get popped on average about every 15 to 20 minutes which is crazy, right?

Like, could you imagine just having an exposed service of some variety available to you? Just even for half an hour, chances of it being compromised is relatively high. What’s even worse is that most people don’t have the ability to actually see that they were compromised in the first place, which is a little scary, which is where we’ve seen some issues unravel bigger issues.

So, as an example, developers and the likes of that, obviously can have a container running, seems like not a big deal, it only lasts 15 minutes, right? So, security maybe not a top priority, but let’s say we store the keys to access another system or to spin up another cloud resource, or even credentials to a database that might be available elsewhere.

And they can suck that down and then use that to go somewhere else. And in fact, we did a SANS presentation once where we showed the example of a hacker actually breaking out of a container onto a node in Kubernetes and then actually creating their own console account for that cloud provider. Which, again, that’s a different level there, isn’t it? Because you’re in the runtime and then now you’re on, like, a control plane. So you’re on the console and nothing you’re running from an agent or anything like that from a runtime perspective is going to spot that activity.

Robert: Yeah, it’s a challenge, right? But I’d say, taking in a holistic picture, right, of a security program, right, and bringing all those things together, whether it be through SIEM, whatever folks are into, having the ability to respond to it is the next step, right? Largely people are blind to it and then there’s no way to respond to it. Now it’s like, hey, you need that visibility, right? I can’t protect what I can’t see. And then you just need the ability to respond when you do see something, to triage those alerts.

James: Absolutely. And I guess that probably brings us a nice little segue. So, not necessarily all doom and gloom. And I guess, there’s a lot going on. So we’ve established that plenty of stuff that people aren’t aware of as well. I can 100% say that from our perspective, too. And then the cloud brings a new level of complexity through kind of resources, just spinning up, spinning down. Also, complexity in the sense of, it’s so easy to leverage the technologies and just spin things up and down. Maybe you won’t have an agent or logging or any kind of that. So a bit of shadow IT, so to say, just on steroids from that perspective.

So, moving on to some of the strategies or, how does kind of automation play a role here with cloud? And I guess you’ve had some experience with Cado, and I don’t want to make this about Cado necessarily, Robert, but like, what do you think? What are some things that people could be thinking about or should be thinking about when it comes to protecting themselves in the cloud? And I think logging was one of the first ones you hit the nail on the head with at the earlier part.

Robert: Yeah, logging’s a big one. Hardening the environment. I know that’s a generic term, but there are a lot of guides out there, especially from the three big cloud providers, right? You can find all this documentation and turn that on. That part of it’s key. I think it’s a component of an overall security program in general, right? It’s hard to say, like, ‘oh, you should only focus on cloud or only on endpoint. You should focus on security and find the right balance around risk and things of that nature.’

And then, I know this isn’t about Cado per se, but I would say, I mean, for Mandiant retainer customers that have IR retainers, I would encourage them that you should consider having something like a Cado in your environment for folks who are operating in the cloud. I mean, you have a retainer, right? You’re ready to respond. In an event you’re going to have your evidence, too. It’s just going to make for a much faster response time. The average dwell time is down to like 10 days now for attacks, right?

I think that also can correspond to why incident response times are down as well, right? We have to go faster, which means we’ve got to work more cases and we’ve got to do them in a shorter amount of time, and so having these types of capabilities, it just reduces the impact to an organization when something bad does happen.

James: Absolutely. I guess, say 100% I would recommend people do embrace cloud. Cloud is an amazing technology and it allows your organization to move quickly as well. But obviously that comes with new risks. Usually it takes a while to provision a server and then make sure you punch a hole through the firewall and all that sort of thing. But those things don’t exist anymore. It’s a very different playing field, right?

Robert: The security does show. The bad guys don’t go away.

James: The bad guys don’t go away, yeah, it’s just shifted. Exactly. And I think one of the things, obviously it’s something that Cado is designed to do out of the box is to help solve a lot of these challenges. But, focusing on the core kind of thing beyond Cado is, well, how do you deal with things like spinning up and down resources? How do you deal with things disappearing?

And also random assets all over the place. Like, let’s be honest. I think a lot of cloud networks tend to have a Wild West component to them. And so how do you deal with all that and also keep your sanity, too? Because, also, as an incident responder, okay, yes, you’ve got to have high-level knowledge of all the different cloud technologies, but there are whole job roles just for a Kubernetes expert, right? That’s a day job for someone. And you can’t know the ins and outs of all the different flavors of containerized and Docker systems, etc. You can’t know all the flavors of the various different cloud technologies. And so, good to have the high-level knowledge, of course, and understand the threat and risk so you can advise customers on what’s next.

But really, I think what I found resonated the most is, and this is playing to the cloud’s strength is really automation. So automating a lot of those components and getting that data to yourself or the team, or to especially Robert off the back of a retainer, having that data ready to roll to dive into as and when you need to. And automation plays a key role there for you to be able to adopt a cloud in a way you should, right? You shouldn’t have cloud just be an expensive data center. That’s going to get very expensive very quickly. But you should be using all those scaling groups. You should be using a fair amount of infrastructure. And this is also how you save loads of money with the cloud as well if you’re using it right.

But that brings that challenge. And so automation is like, okay, cool, I now have that detection in that container, I better go automate that data capture from that container at that moment in time and have all that forensic information ready to roll. Even though that container spins down, you’ve still got that kind of forensic data. And that’s super important and making sure that’s all automated. I guess, Robert, to your point, really, it’s about being prepared to make sure you have not only retained providers such as yourselves, but also talk to them about what sort of logging should we enable if you’re not sure what’s available.

How can we get ahead of that? How do we turn that on? And then how do we actually get this automation in place so when somebody does fire, I don’t need to worry about how do I connect to a container running in Kubernetes and grab all the forensic data before it spins down? So, you shouldn’t be stressing about that because cloud can actually solve its own problem there, I think.

Robert: Yeah, absolutely. And we were cobbling together scripts all these years, right? And we still do, right? Like, yeah, I got a script for this and a script for that. But you took all that and you’re like, because I’d be like, oh, I need a GCP one and I need an AWS one and it gets confusing. And you have experts around the world and each one, like you said, has its own particular job function, right? And you just put them all together and it’s like, hey, we got it all right here. And it’s like we have the cloud hybrid all covered now.

James: And as the industry responder, right? Like you guys need to do what you do best. And that is, working out what the bad guys are doing and doing that quickly on behalf of the customer. Stemming the risk and the flow there. And I think the last thing you want to do is be playing around with hacky scripts and all sorts while there are attackers running around. I did a job once where it was an Iranian APT group, we had to go and investigate about 80-odd systems, right? And this was before Cado, this was my consulting role. And it took us nearly a month to go collect those systems, like a month to go and collect 80 systems. And that’s a crazy long time just to go collect the data. But with cloud, we can do that within an hour now.

Robert: Oh yeah, I love it. And also no deployment either, right? Think of the pain of deploying technology during investigation, right? Pushing out agents if you don’t have them.

James: Not that you have experience with that, Robert.

Robert: It can be painful for everyone involved.

James: Pushing tech out in a crisis situation. It’s never easy.

Robert: How long does it take to deploy Cado, right?

James: Minutes, because it’s all API. So no agents or anything like that, which is pretty cool. And I know you guys like it for that particularly because you deal with quite a lot of XDR as well on deployments. And doing that in a live fire situation is, I’m sure, very tricky for you guys.

Robert: Yeah, but now we can show up and clients a lot of times have EDR technologies in place, which is great. Now we can operate on top of what they have deployed and bring in other tools where necessary, right? So it’s like, we can get endpoint coverage, we can get cloud coverage. and all the other different places where we need to get visibility. It’s great. And for us, Cado is an important tool in the tool belt.

James: That’s awesome. No, we’re happy you guys are involved. I guess one last final thought and then we’ll go to questions. I think Jordan came online just a moment ago to give us the hurry along. But we could talk all day long, I think. But I’d be silly not to ask this question of you, Robert. I know we talked a lot about automation, but how do you think AI and LLMs are playing a role here in our space right now? Does it have a home in incident response? Do you think it’s a beneficial thing or a bit overhyped?

Robert: A little of both. It is beneficial though overall, yeah. I think it’s going to be key in automating a lot of the work within the SOC, you know, for if you look at security operations in general, hugely beneficial there. I still look at it as an assistant. However, we’re in the early stages of this, right? And I think it’s going to evolve from assistant to analyst. So, we’ve been doing some really interesting research on our side, James.

And I was reading some stuff the other day about how the VirusTotal team has been able to use Gemini 1.5 as a malware analyst. They trained it and they can submit up to a 1MB binary and within seconds get a malware analyst triage report in the same way you would get from your malware analyst that you work with on a case, right?

So, it’s evolving. It’s coming along. That’s just one use case.

James: Like leveling up your sandbox to the max.

Robert: I think there’s so much more coming, but the way they did it was they basically fed it the decompiled code. I think it can also handle disassembled. So, someone went through the steps to decompile it and then plop it in there and let it stay. But again, we’re just at the beginning. So, I want to see it go from assistant to analyst. I don’t see replacing jobs, I see it augmenting what we’re doing.

James: Yeah, augmenting, yeah. Getting good information fast, yeah. You’ve still got to get the right information into it, right? Otherwise you get a crap output at the end of the day. Okay, great, and I think we’re getting close to the time here where we can take some questions. So if people have some questions, Jordan, how do they do that?

Jordan: Yeah, they can post this at the bottom. So we’ve received some questions, but feel free if you haven’t. We probably won’t get to all of them today, but we can definitely follow up if we don’t get to them today. I think we should take a few and then close out in a few minutes, if that makes sense for you guys.

Cool. Okay, so I have two questions that are similar, so I’m going to combine them and I’ll throw it out there to either of you to answer. And I think it’s very timely with the M-Trends report coming out because it’s around threat trends.

So, someone asked around, what are the biggest cloud threat trends that you see moving forward? And then also another similar question about a popular objective in the cloud being crypto mining and wanted to hear your thoughts on that, if you see this kind of being an ongoing trend, or if you can elaborate more on any diversification here.

Robert: Yeah, absolutely. So, I’d say the biggest threat, it’s really around credentials, right, is attackers accessing infrastructure. There are all types of ways to get in, but basically that identity and access management layer is like the firewall for the cloud nowadays. Being able to manage who has access to what, I think modern security now is really around hardening those ACLs.

And then as it relates to the threat of crypto mining, also a huge problem, right? One way organizations detect it is through expensive bills. I don’t like that as a technical solution to detecting evil in my environment, but that is one way organizations are picking up on it. It’s like, why do we have 1,200 extra EC2 instances deployed? Things like that. It’s definitely a big trend, but I think the detection part of it goes back to your standard sort of detection and response capabilities.

The crypto mining thing, that is a real threat. And I know James, you run into it all the time as well. It’s like a nuisance and a resource drain, but it also leverages a lot of the same sort of TTPs that you would see in other types of attacks. So, all that is to say is like building out robust detection and response capabilities, understanding your threat profile, who’s coming after you, I think that helps inform your risk-based decisions on where to harden, how to harden, and where to monitor.

James: Yeah, that makes sense to me. And I think one of the interesting things, we tracked a couple of kind of groups which do a lot of crypto mining and particularly in things like containers, obviously, but there’s definitely been a pivot there where, and to be honest, most people don’t notice this because they don’t have the ability to, or haven’t got that kind of pre-deployed ability to investigate. But they’re not only just running crypto mining, but they’re also stealing credentials, as you say, so credential theft and leveraging that for other purposes.

In some cases, we’ve seen them use those credentials to leverage attacks on other infrastructure, using your own cloud network. We’ve definitely seen loads of that happening and really a lot of those credentials can gain access to some pretty sensitive information. So, I won’t go through some of the examples just in case it embarrasses anybody particularly, and I think what’s quite interesting is that, you get this crypto mining detection, but you don’t get anything around what else did they do on that system? What else did they grab? What was the risk?

And so people were like, ‘Oh, okay. Crypto mining. Okay. Not a big deal. I’m going to close this ticket.’ And then next thing you know, you find out a month later something horrible actually happened. So yeah, it’s quite an interesting situation.

We tracked one group actually, they even post online how many cloud systems they’ve compromised at any one moment. It’s like 20,000 or something. It has been a long time since I checked. But that’s how brazen it is. But yet it’s so successful. And I would say that’s, I won’t shout it out too loud, but on the lower end of the sophistication scale. So, more opportunistic kind of stuff. So imagine all the stuff that’s happening when it comes to the targeted side, which is, I’m sure what you’re dealing with more and more.

Robert: Yeah, absolutely.

James: Thank you, Jordan. Any other questions, Jordan?

Jordan: Let’s take one more question and then we’ll close out. And any unanswered questions we’ll follow up after the webinar. I like this question because you guys talked a little bit about how this organization is definitely not alone. So this is the question. Our organization has just migrated a lot of resources to the cloud, and they’re just starting to ramp up essentially on the security side of things. And they’re asking if you guys have any suggestions on what’s a good first step?

Robert: On the security cloud migration, I’d say first step for whichever cloud provider you’re utilizing is to read through the documentation on the logging capabilities and turn on each one of those relevant features. And then make sure you’re actually analyzing these logs and monitoring there. So get your logging right.

And then second, I would say check out some of the hardening guides. Mandiant publishes these on a regular basis. If you scour our website and our blog, you’ll find, I know that isn’t a great answer, but there are definitely hardening guides out there that I think people might find useful. I know it hurts as they start their journey. You’re not going to be perfect on day one, but you have visibility, you have logs, you’re ahead of most organizations.

James: I think from my perspective to just add to that is really understanding what’s in your cloud. It’s trying to understand what sort of data is in there, how it relates to your day-to-day business operations, and it will help you profile that risk a little bit better.

Also, make sure you can access stuff when it comes time to respond or investigate. Quite often people will be like, ‘Oh, man, we’ve got this really crazy detection on this system. We need to look at it now.’ And it’s a system in another region that they don’t really know about, that they don’t even know who the owner of the system is, and it takes them a while to find out and it takes them a while to get access to that information. All the meanwhile, everything’s on fire and they’re freaking out. So, if you prepare well, cloud can be a really good strength there in making sure you get quick access to information and data as and when you need it. I think it’s game changing from that perspective. So, really good.

Robert: And be militant with those keys, right? Whether it be IAM access keys, SSH keys, things like that. Hackers love stealing keys. And I’ve been surprised because in a lot of our investigations, there are just keys everywhere, just all over the place. It’s just like, they all got stolen, but in any event, be aware of those keys and how it’s accessed. Be sure you’re tracking those. We’ll see some that it’s like, oh, this key is four years old, no one’s used it, but somehow the attacker had it and they just logged into our environment. And you’re just like, oh, great.

James: It’s that simplicity in it creating. It’s great, you can create a key and create instant access to systems to do your job, but it also creates a minefield from a risk perspective.

Robert: Yeah, absolutely.

Jordan: Thank you so much, Robert. Thank you so much, James, for your time and for sharing your knowledge today. I really enjoyed listening in on the conversation. So, thank you so much. I hope everyone who joined as well enjoyed and found today’s content valuable. We will follow up with any questions that went unanswered. Thank you so much for submitting those. And with that we will close out today and have a great rest of your day. Thank you so much.

James: Hey, thank you everyone for joining. Thank you, Robert. Thank you, Jordan.
