Written by: Vikram Navali, Senior Technical Product Manager – Today, cloud deployments and services are mainstream business practices for many organizations. Serverless architectures allow developers to build and run applications without having to manage infrastructure. Serverless applications depend on a combination of managed cloud services and function-as-a-service (FaaS).
Adopting a serverless architecture gives DevOps a substantial advantage, since organizations no longer have to worry about infrastructure, network, or host security. However, such operational efficiencies typically widen the attack surface with new attack paths and security risks specific to serverless environments. The Cloud Security Alliance published a report, The 12 Most Critical Risks for Serverless Applications 2019, a great roundup of serverless infrastructure risks. This blog reviews several of them and discusses how one could adopt deception as a strategy to mitigate those risks using the Attivo Networks ThreatDefend platform.
- Insecure Serverless Deployment Configuration: Serverless architectures offer users many customization and configuration options for each specific need and task. Many applications built for serverless deployments depend on cloud storage infrastructure to store and persist data between executions. A growing number of cloud data breaches result from storage service misconfigurations. According to the State of DevSecOps Report – Summer 2020, misconfigured cloud storage services were commonplace in 93% of cloud deployments. These misconfigurations have critical implications for the overall security posture of the application.
- Insecure Application Secrets Storage: As applications grow in scale, maintaining application storage and secrets such as API keys, database credentials, encryption keys, and configuration settings has become crucial. One common mistake is storing application secrets as environment variables in plain text. While environment variables are a useful way to persist data across serverless function executions, in some instances these variables can leak sensitive data to adversaries.
- Function Execution Flow Manipulation: Serverless applications often follow the microservices design paradigm and contain many discrete functions chained together in a specific order that implements the overall application logic. Manipulating that flow may let adversaries subvert the application logic to bypass access controls, escalate privileges, or even cause denial-of-service conditions.
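The first two risks above are both deployment-configuration defects that can be caught before release. The following audit script is an added example, not code from the original post or from Attivo Networks: it checks a storage policy document for statements that grant access to an anonymous principal, and checks a function's environment map for secret-looking variables whose value is the secret itself rather than a reference to a secret store. The policy, environment map, account id, bucket name and role name are all constructed sample data.

```python
"""Audit a serverless deployment for two configuration risks:
a storage policy granting public access, and plaintext secrets in
function environment variables.  Sample data below is constructed."""
import re

# Constructed sample: a bucket policy in IAM policy-document form and a
# function's environment variables.  Account id, bucket and role are made up.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*",               # anyone, no Condition
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-app-uploads/*"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-fn-role"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-app-uploads/*"},
    ],
}
SAMPLE_ENV = {
    "LOG_LEVEL": "info",
    "DB_PASSWORD": "hunter2-constructed-password",            # plaintext secret
    "STRIPE_API_KEY": "sk_test_EXAMPLEnotARealKey0123456789", # plaintext secret
    # A reference to a secrets store, resolved by the function at runtime,
    # is the pattern we want to see instead of the value itself.
    "DB_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:123456789012:secret:db-creds",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public(principal) -> bool:
    """True when a statement's Principal covers everyone ('*' or AWS: '*')."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy: dict) -> list:
    """Return Allow statements that apply to an anonymous principal and carry
    no Condition.  A statement with a Condition is not reported here, but it
    still deserves a manual review since the condition may be too broad."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if _is_public(st.get("Principal")):
            findings.append({"actions": _as_list(st.get("Action", [])),
                             "resource": st.get("Resource")})
    return findings


# Variable names that usually hold credentials (heuristic, extend as needed).
SECRET_NAME_RE = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)
# Values that are references to a secret store rather than the secret itself.
REFERENCE_RE = re.compile(r"^(arn:|ssm:|\$\{)", re.I)


def plaintext_secrets(env: dict) -> list:
    """Flag environment variables whose name suggests a secret and whose
    value is not a reference to a secrets manager or parameter store."""
    return [{"name": name} for name, value in env.items()
            if SECRET_NAME_RE.search(name) and not REFERENCE_RE.match(value)]


if __name__ == "__main__":
    for f in public_statements(SAMPLE_POLICY):
        print("PUBLIC ACCESS:", f["actions"], "on", f["resource"])
    for f in plaintext_secrets(SAMPLE_ENV):
        print("PLAINTEXT SECRET IN ENV:", f["name"])
```

Run against the constructed sample, the audit reports the first policy statement (public read and list on the bucket) and the two plaintext secrets, while passing the ARN reference, which is the shape a runtime secret lookup should take.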
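The third risk, execution-flow manipulation, comes down to a later function in a chain trusting that the earlier ones already ran. One mitigation is to make each stage prove its predecessor completed for the same request, by stamping the event with an HMAC over the request id and the stage name that a shared key lets the next stage verify. The code below is an added illustration of that pattern, not anything from the original post or from Attivo Networks; the three stage names, the token field, the shared key and the sample events are all assumptions.

```python
"""Guarding a chained serverless workflow against execution-flow manipulation.
Each stage accepts an event only if it carries a token proving that the stage
before it completed for the same request id.  Stage names, token layout and
the shared key are assumptions for this illustration."""
import hashlib
import hmac

# In a real deployment the key comes from a secrets manager at runtime,
# not from a plaintext environment variable.  Constructed value for the demo.
SHARED_KEY = b"constructed-demo-key-do-not-use"
FLOW = ["validate", "authorize", "process"]   # the only permitted order


class FlowViolation(Exception):
    """Raised when a stage is invoked out of order or with a forged token."""


def _sign(request_id: str, completed_stage: str) -> str:
    msg = f"{request_id}:{completed_stage}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def require_previous(event: dict, stage: str) -> None:
    """Raise unless `event` proves the stage preceding `stage` ran for this request."""
    idx = FLOW.index(stage)
    if idx == 0:
        return                       # entry point: nothing to prove yet
    expected = _sign(event["request_id"], FLOW[idx - 1])
    if not hmac.compare_digest(expected, event.get("flow_token", "")):
        raise FlowViolation(f"{stage} invoked without a valid {FLOW[idx - 1]} token")


def complete(event: dict, stage: str) -> dict:
    """Return the event to hand to the next stage, stamped with this stage's token."""
    return {**event, "flow_token": _sign(event["request_id"], stage)}


def validate_handler(event: dict) -> dict:
    require_previous(event, "validate")
    if not isinstance(event.get("amount"), int) or event["amount"] <= 0:
        raise ValueError("bad amount")
    return complete(event, "validate")


def authorize_handler(event: dict) -> dict:
    require_previous(event, "authorize")
    if event.get("user") != "alice":           # toy access-control rule
        raise PermissionError("user not allowed")
    return complete(event, "authorize")


def process_handler(event: dict) -> dict:
    require_previous(event, "process")
    return {"status": "processed", "request_id": event["request_id"],
            "amount": event["amount"]}


def run_chain(event: dict) -> dict:
    """The intended order: validate -> authorize -> process."""
    return process_handler(authorize_handler(validate_handler(event)))


def rejected(handler, event: dict) -> bool:
    """True if `handler` refuses `event` as an out-of-order invocation."""
    try:
        handler(event)
    except FlowViolation:
        return True
    return False


if __name__ == "__main__":
    ok = run_chain({"request_id": "r1", "user": "alice", "amount": 5})
    print(ok)                                            # full chain succeeds
    # Calling the last stage directly, skipping authorization, is refused.
    print(rejected(process_handler, {"request_id": "r2", "user": "mallory", "amount": 5}))
```

Because the token binds both the request id and the stage name, a token lifted from one request cannot be replayed on another, and a token issued by validate cannot be presented to process to skip authorize. The check is only as strong as the key's secrecy, which is why it must not live in a plaintext environment variable.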
The Attivo ThreatDefend® platform helps customers create and deploy deceptive access tokens, breadcrumbs, and other AWS-native services, including serverless functions. The production environment can host decoy entities with similar URLs and web content to create the deception overlay. When adversaries access the decoy entities, for example by visiting the decoy websites, the ThreatDefend platform triggers an alert and generates forensic reports.
The Endpoint Detection Net (EDN) solution helps create and distribute decoy cloud objects (such as access certificates, credentials, decoy documents, or URLs) as lures on both endpoints and servers. When adversaries steal credentials from a compromised endpoint and use any of these decoy assets to reach serverless websites, the Attivo EDN solution detects their actions and misdirects their lateral movement attempts away from the serverless infrastructure and into the engagement environment.
Organizations that are rapidly migrating from traditional computing to serverless computing need to change the way they think about security. Customers often cite better scaling and lower cost as the reasons to move to the cloud. However, identifying the security risks and deploying a deception solution are just as important to address.
For additional information, please visit https://attivonetworks.com/solutions/threat-detection/cloud/.