Protecting your Public Cloud after Meltdown and Spectre
In early January, researchers unveiled several major security vulnerabilities. Dubbed Meltdown and Spectre, these two vulnerabilities pertained to a hardware flaw in CPUs, including Intel, Qualcomm, and ARM processors. Through a complicated series of exploits targeting “speculative execution,” an optimization technique used in most modern CPUs, attackers could gain access to data currently being processed on the computer. This might include passwords or business-critical information. For more information on how these vulnerabilities might be exploited, read the following:
Since these vulnerabilities can access data processed by other applications on the same physical machine, the potential consequences are particularly great in the cloud, where a single appliance could host data and processes from numerous different client organizations.
Now it is important to say that patches have already been issued to address these vulnerabilities by Amazon Web Services (AWS), Google Cloud Platform, and Microsoft Azure. However, you should still take steps to ensure all of your instance operating systems are properly patched. As of now, there is no way to know if either of these vulnerabilities was abused in the wild, but security practitioners still need to do their due diligence and ensure they are protected.
What you can do to protect your cloud infrastructure
As I mentioned earlier, patches have been rolled out across all major cloud infrastructure providers, but you still need to ensure your instance operating systems are patched as well.
Of course, if an attacker had foreknowledge of this vulnerability and actively exploited it before it was patched, you will need to keep a close eye on your systems. The major risk is access credential compromise. Privileged memory access means an attacker could use this vulnerability to steal access credentials, which could then be used to compromise your cloud services.
You should make sure all of your cloud user accounts have multi-factor authentication enabled and have changed their passwords since the vulnerability was patched. In addition, you should monitor cloud access for abnormal and suspicious activity, such as a user logging in from unusual geographies. For instance, your US-based network admin logging in from Eastern Europe hours after logging in from Los Angeles is probably a sign of credential abuse. Also, look for unusual communications, such as an abnormally large transfer to an unknown server, which could be indicative of data exfiltration.
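The two monitoring checks described above (a user logging in from an implausibly distant location shortly after a previous login, and an abnormally large transfer to a server that is not on a known list) can be expressed as simple detections over cloud telemetry. The following is an added example written for this post, not Cisco's code or part of any Stealthwatch product: it assumes login events that have already been enriched with geo-IP coordinates, and simplified VPC-Flow-Log-like records reduced to (source, destination, bytes). The sample records, the 900 km/h plausibility limit, and the 500 MiB transfer threshold are all constructed for the example.

```python
"""Added example (not from the original post): two simple cloud-telemetry
detections for the signs of credential abuse described above.

Assumed input shapes (constructed for this example):
  - login events: user, UTC timestamp, source IP, and geo-IP latitude/longitude
  - flow records: (src_ip, dst_ip, bytes), i.e. VPC Flow Logs reduced to three fields
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0                    # roughly commercial air travel
EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024    # 500 MiB to one unknown destination
EARTH_RADIUS_KM = 6371.0


@dataclass
class Login:
    user: str
    when: datetime
    src_ip: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (degrees)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins of the same user whose implied speed exceeds max_kmh.

    Returns a list of (user, earlier_src_ip, later_src_ip, implied_speed_kmh).
    Logins at the same instant from different places count as infinite speed.
    """
    by_user = {}
    for login in sorted(logins, key=lambda l: l.when):
        by_user.setdefault(login.user, []).append(login)
    alerts = []
    for user, seq in by_user.items():
        for earlier, later in zip(seq, seq[1:]):
            hours = (later.when - earlier.when).total_seconds() / 3600.0
            dist = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
            if hours <= 0:
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                alerts.append((user, earlier.src_ip, later.src_ip, round(speed)))
    return alerts


def large_transfers_to_unknown(flows, known_dsts, threshold=EXFIL_BYTES_THRESHOLD):
    """Sum bytes per (src, dst) pair and flag unknown destinations over threshold.

    Returns a sorted list of (src_ip, dst_ip, total_bytes).
    """
    totals = {}
    for src, dst, nbytes in flows:
        totals[(src, dst)] = totals.get((src, dst), 0) + nbytes
    return sorted(
        (src, dst, total)
        for (src, dst), total in totals.items()
        if dst not in known_dsts and total >= threshold
    )


# Constructed sample telemetry (documentation IP ranges, fictional users).
LOGINS = [
    Login("netadmin", datetime(2018, 1, 10, 8, 0, tzinfo=timezone.utc), "203.0.113.10", 34.05, -118.24),  # Los Angeles
    Login("netadmin", datetime(2018, 1, 10, 12, 0, tzinfo=timezone.utc), "198.51.100.7", 50.45, 30.52),   # Kyiv, 4 h later
    Login("devops", datetime(2018, 1, 10, 9, 0, tzinfo=timezone.utc), "203.0.113.20", 37.77, -122.42),    # San Francisco
    Login("devops", datetime(2018, 1, 10, 18, 0, tzinfo=timezone.utc), "203.0.113.21", 47.61, -122.33),   # Seattle, 9 h later
]
FLOWS = [
    ("10.0.1.5", "10.0.2.9", 40_000_000),          # internal, small
    ("10.0.1.5", "198.51.100.50", 300_000_000),    # unknown external host ...
    ("10.0.1.5", "198.51.100.50", 350_000_000),    # ... 650 MB in total
    ("10.0.1.7", "192.0.2.80", 800_000_000),       # large, but to a known backup server
]
KNOWN_DESTINATIONS = {"192.0.2.80"}


def run_detections():
    """Run both checks over the sample data and return their alerts."""
    return {
        "impossible_travel": impossible_travel(LOGINS),
        "large_transfers": large_transfers_to_unknown(FLOWS, KNOWN_DESTINATIONS),
    }


if __name__ == "__main__":
    for name, alerts in run_detections().items():
        print(name, alerts)
```

In real use the login events would come from the provider's audit trail (for example, AWS CloudTrail console or API sign-ins) with a geo-IP lookup applied to the source address, and the flow tuples from VPC Flow Logs aggregated over a time window; the thresholds should be tuned per environment, since a single fixed byte count or speed limit will produce false positives for legitimate backups and VPN egress.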
How Cisco can help
Cisco Stealthwatch Cloud can help you identify suspicious activities in your public cloud infrastructure. Stealthwatch Cloud monitors your public cloud environments using native telemetry, such as VPC Flow Logs. It then analyzes this data using sophisticated modeling and machine learning techniques to identify suspicious and malicious activities. And Stealthwatch Cloud does all this with minimal configuration and management – it works out of the box.
Most threats operate in similar ways, regardless of the initial attack vector. Stealthwatch Cloud was built to detect these activities to identify both current and future threats. These potentially malicious activities include geographically unusual remote access, abnormally large data transfers, users who disable multi-factor authentication, new connections to unusual servers, and much more. In short, Stealthwatch Cloud ensures you see the signs of an attack, regardless of the exploit used to initiate it.
Try Stealthwatch Cloud today for free
While it remains to be seen if anyone has fallen victim to a Spectre- or Meltdown-based attack, there are numerous methods threat actors can use to target cloud workloads. If you are worried about attacks targeting your public cloud assets, you can try Stealthwatch Cloud free with no risk for 60 days. Click here to get started.