Cloud computing is now a primary driver of the world’s digital economy. Governments, large corporations and small businesses are increasingly implementing cloud-based infrastructures and solutions to store their sensitive data and manage their operations.
While the cloud offers lower costs, scalability and flexibility, it also expands a company’s risk profile exponentially. In fact, attackers are continually refining their techniques to take advantage of the millions of identical binary templates for virtual environments (aka golden images) that power those cloud and Virtual Machine (VM) benefits.
Cloud and VM environments share parallels with Genetically Modified (GM) crops – yields are extremely high around carefully developed identical DNA sequences, but a single bug or virus can scale to destroy not just one, but all crops in a monoculture since there is no natural diversity to protect them. In a cloud context, a zero-day attack can take down all production systems and disaster recovery systems, disrupting business continuity and prompting financial loss.
Because traditional cybersecurity protections such as encryption, firewalls, intrusion prevention, and endpoint protection have been historically successful, adversaries have introduced new zero-day techniques to bypass them. Such modern techniques include memory corruption, return/jump oriented programming (ROP/JOP), and compromised supply chain attacks. The White House described the recent NotPetya supply chain attack as the “the most destructive and costly cyber-attack in history.”
Growing risks in cloud computing
One of the greatest unintended consequences of both the cloud and VMs is that they expand the attack surface. Whenever data is stored across remote servers and VMs, risk is not just involved, but elevated. While a company may know its own source code, configurations, equipment, personnel and processes, cloud computing introduces the vulnerabilities of globally sourced third-party hardware, software and configurations that surround, penetrate, and bind the remote environment altogether.
Unfortunately, zero-days are not conveniently located in easy to inspect areas but can instead spread between components and layers in the network, storage, and server stack, from firmware, to bootloaders, hypervisors, containers, operating systems, middleware, libraries, and frameworks, and apps. A report by the Ponemon Institute found that “fileless” (memory-based) malware attacks are now almost ten times more likely to succeed in infecting a machine than traditional file-based attacks. These attacks evade detection by using a system’s own trusted files to obtain access.
Supply chain attacks are also on the rise and grew by more than 200 percent in 2017, according to Symantec’s annual Internet Security Report. And so far in 2018, the Zero Day Initiative noted a 275 percent spike in virtualisation software bugs that offer the possibility of compromising within or across VMs.
Even in the physical world, examples of massively replicated golden images exist. In 2015, hackers compromised one Jeep truck, forcing manufacturer FCA Group to recall 1.4 million vehicles for updates – the world’s first vehicle cybersecurity recall. And in 2017, the FDA recalled nearly 500,000 pacemakers for firmware updates when it discovered lax cybersecurity could allow the devices to be hacked.
Why once successful security tools now fail
Traditional perimeter security tools no longer offer full protection in this complex and connected environment. The cybersecurity paradigm over the last 40 years has been one of increasingly clever detection via patterns, rules, analytics, and artificial intelligence rather than on preventing attacks from happening in the first place. Zero-day is another name for the increasing numbers of attacks detection engines miss, inadvertently adding an organisation’s name to yet another “wall of victim logos” slide for the next cybersecurity forensics and after-action reporting conference.
There is already a growing chorus for stronger security. The Department of Defense says cyber defence must move beyond “just the networks,” and the National Security Agency notes adversaries are increasingly turning to supply chain exploitation. Security standards and common defence can differ from provider to provider. Many strive to meet the standards of their industry, whether that be FedRAMP for government or PCI for finance. But even being compliant with standards, rules and regulations sometimes isn’t enough.
The problem is that most standards focus on detection and after-action reporting with limited attention to newer fileless or supply chain attacks. A common hope is that strong encryption will somehow catch new types of attacks, However, there is actually no effect on memory corruption or compromised supply chain attacks that can come hidden in correctly signed and encrypted updates, or simply be pre-positioned within third party infrastructure.
Adding a deeper layer of defence
RASP is a term initially coined in a 2012 Gartner report titled, “Runtime Application Self Protection: A Must-Have, Emerging Security Technology.” It’s a technology that is linked or built into an application or application runtime environment that is capable of controlling runtime execution and detecting and preventing real-time attacks. Forrester notes that RASP tools are used as a deeper layer of application defence by using insider information of the applications they protect to help more effectively detect and deflect malicious attacks. RASP techniques are enjoying widespread adoption – so much so that the RASP market is forecast to grow at a CAGR of 48%between 2018 and 2022 by ResearchandMarkets.com.
An implementation of RASP can bridge the growing security gap in the cloud. It can stop attacks and attack scaling rather than simply remediating symptoms. RASP offers built-in security to prevent real-time attacks with techniques such as binary stirring, control flow integrity, and stack frame randomization, reducing the attack surface and rendering zero-days built on memory corruption and supply chain attacks inert.
Early attempts at RASP added too much overhead to the code, were too limited in scope or perturbed functionality by trying to graft agents onto code. Others also had impractical requirements like the need for access to source code and recompilation, or the need for new hardware, new software or new services that made them impractical to use. But those limitations have now been overcome. Modern RASP can be added to existing or new binaries quickly, easily and economically.
RASP is also not a replacement for current tools since all the traditional attack vectors still occur; but it represents a new layer of protection that can quickly and easily integrate with existing on-premises, cloud, or web-based development deployments and update processes.
At a time when cloud-based applications and virtual machines are critical to the operations of government institutions and private enterprises, we can no longer put all of our security in the perimeter security and detection tools basket. Utilising RASP technology might just be our best chance for society to stay one step ahead of attackers, and prevent scaling, memory and compromised supply chain attacks from executing.