How developers can prevent bad actors - Lacework

How developers can prevent bad actors

Sowmya Karmali, Director, Product Management

May 10, 2022

The cloud is a game-changer for both developers and attackers because of the countless new opportunities it presents. To ensure businesses are prepared to protect their systems from these threats, it’s essential to understand the motives of bad actors.

Why opportunities for hackers are at an all-time high

As the number of cloud providers grows, so does the range of platform, software, and storage offerings that let companies innovate quickly. Developers can create new applications and re-architect old ones with little friction. In the past, a team needed to procure databases or web-server licenses before it could start building, which was slow and expensive. Docker and Kubernetes have simplified the process further: developers write an application once and deploy it in multiple places at scale. As a result, more companies are starting in the cloud or moving to it, which levels the playing field for newcomers.

The cloud also comes with a shared-responsibility model for security. The provider secures the underlying infrastructure and the services it operates; the customer is responsible for how those services are configured and for the identities, workloads, and data placed on them. Because of this split, and because cloud innovation is now so fast and easy, security often takes a back seat, and that opens new opportunities for bad actors.

The latest edition of our Cloud Threat Report (2022, Volume 3), which covers threats in the public cloud, identifies the avenues cybercriminals use most often to take advantage of businesses. Below we break down some of the most common attacker trends we see and three ways you can protect your organization:

1. Implement security controls in CI/CD pipelines
The tool attackers install most often is the cryptocurrency miner XMRig. Attackers have many targets to choose from, but they usually go after the ones with the biggest payoff, and they bring tooling that exfiltrates data or escalates privileges to get there. Cloud environments are attractive because they expose so many configurations and settings: a single small misconfiguration can leave a resource open to attack.

Security analysts are usually the ones who detect a security incident, but they have to hand it to DevOps teams to fix. Developers want to move fast, check in code, and get on with the next feature in a long backlog. The last thing they want is to be alerted to a security incident after the application is in production and then have to backtrack to figure out where it was introduced and how to fix it.

This is why it’s essential for DevOps to implement security controls in CI/CD pipelines, so that vulnerabilities are caught before deployment rather than after. We recommend enabling two-factor authentication on revision-control accounts, which limits what a stolen password alone can do, and requiring signed commits. Signed commits do not stop credentials from being stolen, but when the pipeline verifies signatures, a commit pushed with a stolen token and lacking a valid signature from a known developer key fails the build instead of reaching production. It’s also helpful to generate a software bill of materials (SBOM) for each build to inventory and track the components in use across your environment.
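As an added example of the signed-commit control (this is my illustration, not code from the Lacework post or the report), here is a small pipeline gate that reads git’s own per-commit signature status and refuses to build when any commit in the range is unsigned or cannot be verified. It assumes the pipeline runs `git log --format='%H%x09%G?%x09%an' <base>..<head>` on the runner and that the trusted developers’ signing keys are already imported into the runner’s GPG keyring; the commit hashes and author names in the sample are constructed.

```python
"""
Added example, not code from the Lacework post: a CI gate that refuses to
proceed when any commit in the range being built is unsigned or carries a
signature git cannot verify.

Assumptions (mine): the pipeline runs
    git log --format='%H%x09%G?%x09%an' <base>..<head>
where %G? is git's one-letter signature status, and the signing keys of
trusted developers are already in the runner's GPG keyring.
"""
import subprocess
from dataclasses import dataclass

# git's %G? status letters, as documented in git-log(1) under "pretty formats".
SIGNATURE_STATUS = {
    "G": "good signature",
    "B": "bad signature",
    "U": "good signature, but the key is not trusted",
    "X": "good signature that has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "signature cannot be checked (key missing)",
    "N": "no signature",
}


@dataclass(frozen=True)
class CommitSignature:
    sha: str
    status: str
    author: str


def parse_git_log(output):
    """Parse the tab-separated '%H<TAB>%G?<TAB>%an' lines git prints."""
    commits = []
    for line in output.splitlines():
        if not line.strip():
            continue
        sha, status, author = line.split("\t", 2)
        commits.append(CommitSignature(sha, status, author))
    return commits


def gate(commits, allow_untrusted_keys=False):
    """Return (ok, reasons). Only 'G' passes by default; 'U' can be allowed
    for runners that hold the keys but keep no GPG trust database."""
    accepted = {"G", "U"} if allow_untrusted_keys else {"G"}
    reasons = [
        f"{c.sha[:12]} ({c.author}): "
        f"{SIGNATURE_STATUS.get(c.status, 'unknown status ' + c.status)}"
        for c in commits
        if c.status not in accepted
    ]
    return (not reasons, reasons)


def git_signature_log(base, head):
    """Produce gate input from a real checkout (not used by the sample below)."""
    result = subprocess.run(
        ["git", "log", "--format=%H%x09%G?%x09%an", f"{base}..{head}"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


# Constructed sample output (not real commits): one good signature, one
# commit with no signature, one signed with a key the runner does not have.
SAMPLE_LOG = (
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c\tG\tAlice Example\n"
    "1234567890abcdef1234567890abcdef12345678\tN\tBob Example\n"
    "abcdefabcdefabcdefabcdefabcdefabcdefabcd\tE\tMallory Example\n"
)

if __name__ == "__main__":
    ok, reasons = gate(parse_git_log(SAMPLE_LOG))
    print("PASS" if ok else "FAIL")
    for reason in reasons:
        print("  blocked:", reason)
    raise SystemExit(0 if ok else 1)
```

The gate deliberately treats "E" (key missing) the same as "N" (no signature): a commit the runner cannot verify must not be built just because it carries some signature. Import only the keys you have enrolled for developers, and keep the platform’s branch-protection rule for required signatures on as well, so the check happens both at push time and at build time.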

2. Create a registry of pre-approved images to use in your code
Attackers look for Docker daemons whose API socket is exposed to the network without authentication and use them to launch malicious containers; they also host malicious images in public registries for unwary developers to pull. Attackers are good at hiding malware, so a developer often does not notice that a container image carries something malicious. To prevent this, developers should use only approved images. Teams can scan images inline in the pipeline, pre-approve the ones that pass, and store them in a private registry before deployment. This gives developers a safe set of images to build from and prevents them from accidentally pulling malicious images from the internet.
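As an added example of enforcing the approved-registry practice (my illustration, not code from the Lacework post), here is a pre-deployment check that parses each image reference the way the container runtime does and admits it only if it comes from the internal registry, is pinned by digest rather than a mutable tag, and carries a digest the security team has scanned and approved. The registry hostname `registry.internal.example`, the digests, and the sample deployment list are placeholders I made up.

```python
"""
Added example, not code from the Lacework post: admit only container images
that (1) come from a pre-approved internal registry, (2) are pinned by
digest, and (3) carry a digest that has passed scanning and been approved.

registry.internal.example and every digest below are constructed
placeholders; the parsing rules follow the image-reference format used by
Docker and OCI tooling.
"""
import re
from dataclasses import dataclass
from typing import Optional

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def name(self):
        return f"{self.registry}/{self.repository}"


def parse_image_ref(ref):
    """Split '[registry/]repo[:tag][@sha256:...]' as the container runtime does."""
    original = ref
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {original!r}")
    # The first path component is a registry only if it looks like a host
    # (has a dot or a port, or is 'localhost'); otherwise the whole path is a
    # Docker Hub repository.
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    # A tag is whatever follows the last ':' in the final path component.
    tag = None
    colon = path.rfind(":")
    if colon > path.rfind("/"):
        path, tag = path[:colon], path[colon + 1:]
    # Docker Hub images without a namespace live under 'library/'.
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    if not path:
        raise ValueError(f"empty repository in {original!r}")
    return ImageRef(registry, path, tag, digest)


# Policy: the approved registry and, per image, the digests that passed
# vulnerability scanning. Both are constructed placeholders.
APPROVED_REGISTRIES = {"registry.internal.example"}
APPROVED_DIGESTS = {
    "registry.internal.example/base/python": {"sha256:" + "a1" * 32},
    "registry.internal.example/base/nginx": {"sha256:" + "b2" * 32,
                                             "sha256:" + "c3" * 32},
}


def check_image(ref):
    """Return (allowed, reason) for one image reference."""
    try:
        image = parse_image_ref(ref)
    except ValueError as exc:
        return False, f"unparseable reference: {exc}"
    if image.registry not in APPROVED_REGISTRIES:
        return False, f"{image.name} is not from an approved registry"
    if image.digest is None:
        return False, (f"{image.name} is referenced by tag "
                       f"{image.tag or 'latest'!r}, not pinned by digest")
    if image.digest not in APPROVED_DIGESTS.get(image.name, set()):
        return False, f"{image.name}@{image.digest[:19]}... has not been scanned and approved"
    return True, f"{image.name} pinned to approved digest"


def check_manifest(image_refs):
    """Check every image in a deployment and return the rejections."""
    rejections = []
    for ref in image_refs:
        ok, reason = check_image(ref)
        if not ok:
            rejections.append((ref, reason))
    return rejections


# Constructed sample deployment: only the first image should be admitted.
SAMPLE_DEPLOYMENT = [
    "registry.internal.example/base/python@sha256:" + "a1" * 32,  # approved
    "registry.internal.example/base/nginx:1.25",                  # tag only
    "registry.internal.example/base/nginx@sha256:" + "d4" * 32,   # unscanned digest
    "nginx:latest",                                               # Docker Hub
    "docker.io/library/redis@sha256:" + "e5" * 32,                # public, even if pinned
]

if __name__ == "__main__":
    for ref, reason in check_manifest(SAMPLE_DEPLOYMENT):
        print(f"REJECT {ref}: {reason}")
```

Pinning by digest matters as much as the registry check: a tag such as `1.25` can be re-pushed to point at different content after it was scanned, whereas a digest names exactly the bytes that were approved. The same logic can run as an admission webhook in the cluster so that images that bypass the pipeline are still refused.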

3. Use canary tokens with cloud-native tools to send alerts when certain resources are accessed
Lacework observed many exploitation payloads shortly after the disclosure of Log4j’s critical remote code execution flaw. Most of the earliest successful exploitation attempts were benign; over time, the number from malicious sources grew, as attackers improved their payloads and kept adapting their exploitation methods to stay ahead of the signature-based detections most security products rely on. In this situation, an effective defense developers can add is canary tokens. Canary tokens are decoy resources, such as directories, files, or accounts, that no legitimate process touches and that alert an administrator the moment someone accesses them. Because they fire on access rather than on a recognized payload, they catch post-compromise activity no matter how the initial exploit was disguised. Developers can pair canary tokens with cloud-native tools and customize them to send alerts when specific resources are accessed. This is a best practice for quickly notifying the right person about post-compromise activity in an environment.

Outsmart the attackers
Attackers are constantly finding new ways to exploit your systems, but developers can stay ahead of them by following best practices: establishing controls in CI/CD pipelines, scanning images, building only from pre-approved images, and planting canary tokens to catch whatever slips through. For a more comprehensive look at how to protect your systems, see Lacework’s Cloud Threat Report.