Although only a small number of cloud workload providers were identified as having been affected, it raises questions about the efficacy of cloud workload protection software—or any installed software—in an enterprise’s public cloud. In this case, the adversary exploited well-known and highly advertised vulnerabilities including the infamous Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion to achieve their mission. Getting in was the easy part. Since most mature security organizations assume compromise is inevitable, this is when additional layers of security are supposed to raise alarms. But if those detection products are uninstalled, uh oh.
Because this attack effectively penetrated north-south perimeter defenses and immediately gained administrative control, most traditional security products would have trouble stopping progression and limiting the “blast radius,” i.e., preventing the malware from removing the security software, in real time. Intrusion detection/intrusion protection systems may pick up on suspicious network behavior, but by then, the damage is likely done.
Establishing zero trust control
Edgewise has thought long and hard about this problem: How do we stop cyber attacks from progressing? It’s impossible to prevent vulnerabilities and therefore impossible to prevent attackers from gaining access to the network (whether that network is on-premises or in the public cloud) and installing malware. It’s not, however, impossible to prevent any new software or services from communicating and therefore causing damage on the network, even if those software and services have been installed using admin privileges.
The key is combining zero trust principles and software identity-based authorization and authentication. When new software or services appear on the network and try to communicate, Edgewise verifies their cryptographic fingerprint before a request is sent. But that’s not all; Edgewise uses symmetric verification to re-authenticate the legitimacy of the software or service again before it’s allowed to connect to the intended host/application/server. This process ensures that even if software is tampered with in transit it cannot connect and propagate an attack — malware would be contained and prevented from doing further damage. In the case of this Rocke attack, the command-and-control would have been prevented. All communication inside an Edgewise-managed network is treated as malicious and if it doesn’t match a verified identity, execution is denied. Moreover, the Edgewise agent employs tamper-resistance countermeasures and alerts on the backend should an agent be uninstalled or lose heartbeat.
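As an added illustration (example code written for this post, not Edgewise's own agent or API), the following Python models the control just described: software identity is a SHA-256 fingerprint of the executable rather than an address, the policy is a default-deny allow-list, the sending agent checks before the request leaves, the receiving agent re-verifies independently, and the backend flags agents that stop reporting. Every host, binary, address and port below is a constructed sample value.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-ins for the executables running on each host (hypothetical).
WEB_APP = b"acme-web-frontend build 42"
DB_SERVER = b"acme-db-server build 7"
DROPPED_PAYLOAD = b"unknown binary dropped after exploitation"


def fingerprint(binary: bytes) -> str:
    """Software identity: a SHA-256 of the executable, not the host's IP address."""
    return hashlib.sha256(binary).hexdigest()


# Allow-list keyed on (source identity, destination identity, port).
# Anything not listed is denied: every flow is treated as hostile by default.
POLICY = {(fingerprint(WEB_APP), fingerprint(DB_SERVER), 5432)}


@dataclass
class Host:
    addr: str
    binary: bytes            # what is actually executing on the host right now
    agent_alive: bool = True  # whether the agent is still sending heartbeats


def outbound_check(src: Host, expected_dst: str, port: int) -> bool:
    """Sender-side agent: fingerprint the local binary before the request leaves."""
    return (fingerprint(src.binary), expected_dst, port) in POLICY


def inbound_check(claimed_src: str, dst: Host, port: int) -> bool:
    """Receiver-side agent: re-fingerprint its own binary and re-check the policy
    (symmetric verification), so a destination tampered with after the sender's
    check is still refused."""
    return (claimed_src, fingerprint(dst.binary), port) in POLICY


def connect(src: Host, dst: Host, port: int, expected_dst: str) -> str:
    """Simulate one flow; returns 'allowed' or the side that denied it."""
    if not outbound_check(src, expected_dst, port):
        return "denied:sender"
    if not inbound_check(fingerprint(src.binary), dst, port):
        return "denied:receiver"
    return "allowed"


def heartbeat_alerts(hosts) -> list:
    """Backend view: addresses whose agent stopped reporting (e.g. was uninstalled)."""
    return [h.addr for h in hosts if not h.agent_alive]
```

Running `connect` with a host whose binary was swapped for the dropped payload, but which keeps the same address, shows why address-based rules pass the flow while the identity-based check denies it.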
In an article on Threat Post, researchers at Palo Alto question whether “agent-based cloud security solution[s] may not be enough to prevent evasive malware targeted at public cloud infrastructure.” But Edgewise was built precisely for this purpose — to protect public cloud and other virtual infrastructures. Only Edgewise uses the cryptographic identities of software and services—as opposed to address-based information—as the basis for security control. This means that even when the attackers get in, they can’t use the network itself to further an attack.