Honeypots Reveal How Hackers Might Attack Your Business’s Cloud-Based Systems

When cloud services first entered the business scene, they were met with trepidation. One of the biggest concerns was security. Many business leaders believed that cloud-based solutions were not as secure their on-premises counterparts.

Nowadays, businesses have fully embraced the cloud. A 2018 report indicated that 96% of companies use at least one cloud service. Unfortunately, it is not uncommon for companies to set up cloud-based systems with little or no thought about security. This mindset could get companies into trouble, as cybercriminals are increasingly attacking cloud-based systems.

To learn more about the frequency and nature of these cyber attacks, security researchers at Armor conducted an experiment using honeypots. Honeypots are decoy computer systems designed to deceive and engage hackers. When operated in a research setting, honeypots are used to monitor hackers’ behaviours and learn their tactics.

The Experiment

The researchers set up three honeypots in a real public cloud. The first honeypot, decoy server A, did not have any security protections enabled and was included to establish a baseline for the attacks. The second honeypot, decoy server B, was protected using the firewall offered by the cloud service provider. This basic setup is common among small and midsized businesses, according to the researchers. The last honeypot, decoy server C, was protected with advanced security tools, such as intrusion detection and vulnerability scanning systems.

On the front end, the researchers built a website and patient portal for a fictitious small doctor’s office. The site and portal were fully operational. Even links to Facebook, Twitter, and LinkedIn accounts were added to make the site seem real.

The Results

The cyberattacks started just minutes after the honeypots were activated, according to the researchers. Initially, there was a steady stream of attacks, but later the number of attacks skyrocketed after a hacker posted a note about the “new target” on Pastebin, a site where hackers often share information about their exploits. Overall, decoy server A was attacked around 2,500 times per week. Decoy servers B and C became hacker targets an average of 563 and 509 times per week, respectively.

The hackers typically tried to access the decoy servers through SSH ports (usually port 22, which is the default SSH listening port) using brute-force authentication attacks. In this type of attack, cybercriminals typically use password-cracking tools to ascertain login credentials. These automated tools systematically try every possible character combination as a password.

The Takeaway

Cloud service providers institute many security measures to protect their customers’ server instances and the apps and data on them. However, as the results of the honeypot experiment illustrate, it is a good idea for businesses to take additional measures, such as:

• Set up a firewall
• Use public-key authentication rather than password-based authentication for SSH ports since hackers commonly use brute-force authentication attacks to try to crack SSH passwords
• Keep all operating system software and applications running on your service instances up to date so that known security vulnerabilities are patched
• Use strong, unique passwords for all apps and systems that use password-based authentication
• Encrypt the data in case hackers infiltrate the server instances on which it is stored.

The specific measures that your business should take will depend on several factors, such as the types of apps and data you have in the cloud. We can walk you through your options and help you implement the measures that make the most sense for your company.