Protecting your Public Cloud after Meltdown and Spectre
In early January, researchers unveiled several major security vulnerabilities. Dubbed Meltdown and Spectre, these two vulnerabilities stem from a hardware flaw in CPUs, including Intel, Qualcomm, and ARM processors. Through a complicated series of exploits targeting "speculative execution," an optimization technique used in most modern CPUs, attackers could gain access to data currently being processed on the computer. This might include passwords or business-critical information. For more information on how these vulnerabilities might be exploited, read the following:
– Talos – Meltdown and Spectre
– Meltdown and Spectre
– Time-traveling exploits with Meltdown
Since these vulnerabilities can access data processed by other applications on the same physical machine, the potential consequences are particularly great in the cloud, where a single appliance could host data and processes from numerous different client organizations.
It is important to note that patches have already been issued to address these vulnerabilities by Amazon Web Services (AWS), Google Cloud Platform, and Microsoft Azure. However, you should still take steps to ensure all of your instance operating systems are properly patched. As of now, there is no way to know whether either of these vulnerabilities was abused in the wild, but security practitioners still need to do their due diligence and ensure they are protected.
What you can do to protect your cloud infrastructure
As I mentioned earlier, patches have been rolled out across all major cloud infrastructure providers, but you still need to ensure your instance operating systems are patched as well.
Of course, if an attacker had foreknowledge of this vulnerability and actively exploited it before it was patched, you will need to keep a close eye on your systems. The major risk is access credential compromise. Privileged memory access means an attacker could use this vulnerability to steal access credentials, which could then be used to compromise your cloud services.
You should make sure all of your cloud user accounts have multi-factor authentication enabled and have changed their passwords since the vulnerability was patched. In addition, you should monitor cloud access for abnormal and suspicious activity, such as a user logging in from unusual geographies. For instance, your US-based network admin logging in from Eastern Europe hours after logging in from Los Angeles is probably a sign of credential abuse. Also, look for unusual communications, such as an abnormally large transfer to an unknown server, which could be indicative of data exfiltration.
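As an added example (not code from the original post), here is the "impossible travel" check that the network admin scenario above describes, run over a few constructed cloud login events; the event format, the city coordinates and the 1000 km/h speed threshold are assumptions made for illustration:

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample login events: (user, ISO timestamp in UTC, city, latitude, longitude).
# The "netadmin" pair reproduces the post's scenario: Los Angeles, then Eastern Europe hours later.
LOGINS = [
    ("netadmin", "2018-01-10T08:00:00", "Los Angeles", 34.05, -118.24),
    ("netadmin", "2018-01-10T11:30:00", "Kyiv", 50.45, 30.52),
    ("alice", "2018-01-10T09:00:00", "Los Angeles", 34.05, -118.24),
    ("alice", "2018-01-10T18:00:00", "New York", 40.71, -74.01),
]

# Assumed threshold: faster than any commercial flight, so the travel is physically impossible.
MAX_SPEED_KMH = 1000
MIN_DISTANCE_KM = 100  # ignore small jumps caused by imprecise IP geolocation


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_city, to_city, speed_kmh) for each pair of consecutive logins
    by the same user that would require travelling faster than max_speed_kmh."""
    alerts = []
    last = {}  # user -> (timestamp, city, lat, lon) of the previous login
    for user, ts, city, lat, lon in sorted(logins, key=lambda e: (e[0], e[1])):
        t = datetime.fromisoformat(ts)
        if user in last:
            prev_t, prev_city, prev_lat, prev_lon = last[user]
            hours = (t - prev_t).total_seconds() / 3600
            dist = haversine_km(prev_lat, prev_lon, lat, lon)
            speed = dist / hours if hours > 0 else float("inf")
            if dist > MIN_DISTANCE_KM and speed > max_speed_kmh:
                alerts.append((user, prev_city, city, round(speed)))
        last[user] = (t, city, lat, lon)
    return alerts


if __name__ == "__main__":
    for user, src, dst, speed in impossible_travel(LOGINS):
        print(f"ALERT: {user} logged in from {src} then {dst} (~{speed} km/h implied)")
```

Only the "netadmin" pair is flagged; "alice" covers Los Angeles to New York in nine hours, which is plausible travel.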