What seems like a million years ago, before “real” password management and Active Directory, user passwords were stored locally on each device itself.  This caused regular maintenance to be a monumental effort and as such, a centralized password manager was built. This effort benefitted system and network administrators but also provided a huge benefit to attackers as now compromising an account or two offered significant lateral movement options.  Why steal the milk when you can steal the cow?! […or something like that]

Fast forward and organizations have been slowly and steadily moving to cloud – whether offloading an enterprise-wide application like email, leveraging a third-party service such as SFDC/Box/GitHub, or leveraging third-party hosting infrastructure like AWS.  At face-value the benefits outweigh the downfalls. But the security shortcoming is a biggie.

In most of these situations your security team will lose visibility into that environment!  Most reputable cloud services will offer a security alert feed, but it likely won’t be as granular or flexible as the team will need, or in a digestible file format. This leaves the organization blind and completely reliant on the cloud provider’s internal team.  Admittedly, most large service providers have very large security teams…some of the best in the industry actually! But those teams are hamstrung by the inverse problem – only having access to what they see and not the full picture.

So now, put yourself in the shoes of an attacker.  Historically you’ve been targeting individual companies – one-by-one via script or hands on a keyboard launching your attack against 20 to 30 different companies either at once or staggered across a couple of campaigns.  Seems like a big hassle. Particularly when you suspect 85% of your targets are leveraging a similar cloud provider for some aspect of their business. Why not target that provider and grab access to all your victims at once?!  Not only are there efficiencies to be gained, but it also creates some obfuscation…ding, ding, ding! Sounds like a winning strategy.

With all organizations moving to some form of cloud, it’s pretty reasonable to assume every attacker — whether nation-state, crimeware, etc. — is now aiming attacks against these bigger targets in order to find that initial foothold into the unwitting downstream victim.  So as companies move to cloud hosts, buckle up — because it’s just a matter of time before implosion.