Beyond vulnerability scanning: Enhancing attack surface management for more proactive security

December 17, 2022

How Cloud Migration Increases Your Attack Surface Risk

By: Randori Blog

Share on facebook
Share on twitter
Share on linkedin

Cloud migration raise breach risk because they give cybercriminals new paths to compromise an organization’s assets. Assets hosted in public, private, and hybrid cloud environments are, by definition, exposed somewhere on the internet. Everything you put on the cloud is part of your attack surface. 

In the past 12 months:

However, safe cloud migration is possible. 

Attack surface management allows organizations to understand how cloud migration changes their attack surface risk.  

How the Cloud Migration Grows Your Attack Surface

Cloud migrations grow attack surfaces by putting more assets online, exposing management panels, and shortening the time it takes to create and deploy assets.

When companies migrate to the cloud and embrace DevOps, they move towards a distributed network environment that uses microservices. Over three-quarters of organizations either use or are planning to use cloud microservices.

This means that instead of putting all of their services inside a single monolithic environment, organizations can spin up many domains that link to microservices that power minute parts of their operations (for example, a calculator on their website). Cloud microservices are autonomous and can be linked together through pathways like APIs. Each will have its own domain address (for instance, https://yourorgname/calculator). 

By breaking down service processes in different domains and putting more of them online, distributed architecture inevitably grows an organization’s attack surface. Although each service has a relatively small attack surface, the greater the number of distributed cloud services an organization uses, the bigger its cumulative attack surface gets.

The admin and control planes that control cloud-hosted assets are themselves online and part of your attack surface. These planes are a common target for hackers and are the root cause of many cloud breaches. 

Embracing the cloud also adds dynamism to how an organization’s development teams create and deploy assets. This allows organizations to be highly flexible when it comes to spinning up new environments, but it comes at a cost: the faster you create assets, the quicker they can become invisible or forgotten. 

Limited cloud visibility is a top concern for most enterprises. 

Cloud inventory debt has been described as “a new kind of technical debt.” Even a small organization with a couple of hundred employees could have thousands of cloud-hosted assets, ranging from IP addresses to S3 buckets. 

In the cloud, IP addresses are dynamic and liable to change. Multi-cloud use and interlinked public and private cloud environments make it hard to understand the scope that network changes have and where configuration risks are. 

ASM and the Cloud Attack Chain 

Cloud migrations expose organizations to a new kind of attack chain. ASM is essential for stopping attacks on cloud environments. 

ASM is the process of monitoring potential points of access, weak spots, and active attack vectors by combing through the corporation’s entire network. With ASM, defenders can build up a better picture of what cloud assets they own and where they are on their network.

This is vital because hackers don’t always start with a target in mind. Often, they target cloud environments by looking for vulnerabilities and picking victims based on where they find weaknesses. 

Here’s a simplified version of how this happens:

  1. Using automated tools to find exploitable vulnerabilities on the web, threat actors come up with a list of potential targets for rapid data exfiltration.
  2. Once they find an organization with an exploitable asset, threat actors gain access by exploiting control layer access mistakes or vulnerabilities in connected applications.
  3. After getting access, threat actors use APIs to move around a target’s cloud environment. Insecure APIs cloud assets use to talk to one another are a top attack vector.
  4. Threat actors use less visible parts of the network to exfiltrate valuable information.

This kind of “smash and grab” attack chain is how breaches like those that affected Twitch and Uber happen. They are enabled by organizations’ systems design and architecture decisions during cloud migrations. Security suffers when ease of access is the main priority during cloud migrations. 

Almost 70% of the security challenges created by cloud use result from poorly configured cloud environments. They are widespread among different asset classes. For example, Microsoft Azure virtual machines have a misconfiguration rate of over 60%. 

ASM is a powerful tool for getting ahead of these kinds of common cloud risks. It is a way for security teams to find and secure misconfigured or forgotten assets. ASM allows security teams to understand where their weak points are before threat actors do.

Critically, ASM is continuous—security teams can keep track of how their cloud environments change and evolve their risk profile over time. 

Randori and ASM

Randori’s ASM platform shows organizations what a hacker sees when they look at your cloud environment. 

Most cloud breaches don’t happen because of a lack of security controls. They happen because a misconfigured or vulnerable asset has been forgotten by the organization that created it or left behind during a cloud migration process.

Randori helps you find all of your internet-facing cloud assets, everything from passive DNS, PTR records, and TLS cert details to forgotten S3 buckets. 

Read our case study about how Randori helped a Global NGO securely migrate to the cloud

Gain an Attacker's Perspective

Uncover your true attack surface with the only ASM platform built by attackers. Stay one step ahead of cyber-criminals, hacktivists and nation-state attackers, by seeing your perimeter as they see it.