Aqua Blog

Combating Unknown Unknowns In Hybrid IT Environments


Recent years have seen a dramatic 1400% increase in unknown unknowns, zero-day and fileless attacks, representing one of the most serious threats in cybersecurity today. The financial services sector is especially vulnerable given its complex, hybrid cloud IT environments comprising both legacy systems and modern cloud native platforms. 

Security teams operate with a false sense of security, as most tools don’t detect attacks in runtime. There is an urgent need for security solutions that can provide real-time detection and response against these stealthy, evasive and often financially motivated threats. 

Challenges in Multi-Cloud and Hybrid IT Environments in the Financial Sector   

As digital transformation accelerates within the financial sector, we see a rise in cloud native environments and SaaS applications being integrated side by side with legacy systems that are the foundation of more traditional monolithic environments. 

An example of such an environment would be a new application built and designed to run in a cloud native environment that interacts with an existing application deployed in a legacy environment.

Another example of a hybrid IT environment is modern containerized applications running on top of Linux operating systems such as Red Hat Linux and Ubuntu, which are also often used in legacy environments.

All of this is done while managing sensitive financial and customer data and ensuring regulatory compliance.

When performing cloud migrations, the financial sector faces an increasingly large attack surface due to the borderless nature of public clouds. While a migration is under way, it is difficult to implement unified security controls across hybrid legacy and multi-cloud systems, because different teams often have disparate, siloed technology stacks with inconsistent reporting setups or policy engines. This leaves gaps that attackers can exploit.

These fragmented environments make it challenging to enforce consistent security policies and to gain end-to-end visibility and consistent reporting, putting the organisation further at risk.

The high volume of security alerts generated can also overwhelm security teams. When teams are unable to determine which alerts truly matter, critical threats slip through the cracks, often resulting in reputational and financial losses for the impacted organisation.

The Unique Characteristics of Cloud Native Applications

What is cloud native and why should you care? 

Referencing an earlier Aqua blog, cloud native is a methodology that aims to change the very structure of applications, their development, packaging and deployment. It also removes a big piece of the human factor along the way. Cloud native applications consist of independent microservices, with each service doing one thing only. They build, deploy, and then replace services with another automatically. No inline management, no human fingers in the pot, and no changes allowed while the service is up and running. 

This approach results in immutable workloads, designed not to change once they are deployed. When workloads are immutable, it becomes easy to separate noise from actual in-progress attacks. This results in a quicker mean time to detection, a lower cost of response, and an improved security posture within the enterprise.

Understanding and Addressing Unknown Unknowns in Multi-Cloud and Hybrid IT Environments for the Financial Sector

Understanding Unknown Unknowns

Also referred to as zero-day exploits by advanced persistent threats (APTs), unknown unknowns exploit previously undisclosed, undetected, or unpatched vulnerabilities in Linux-based cloud native applications, Kubernetes, container orchestration platforms and serverless computing.

Since the vulnerabilities leveraged by these attacks are unknown to the vendor or security researchers, there are no signatures or patches available to defend against the exploit. By nature, these unknown unknowns are extremely difficult to prepare for or prevent, especially in the financial sector where the IT environment is more complex.

Attackers leveraging unknown unknowns typically have substantial resources and conduct extensive reconnaissance on a target’s infrastructure over long periods. They can then meticulously craft exploits tailored to vulnerabilities identified through the reconnaissance. This allows them to infiltrate networks and systems while evading detection. Unknown unknowns tend to be highly targeted, focusing on specific organisations and assets. 

Understanding Fileless Attacks  

In order to evade detection, attackers have been executing fileless attacks that do not rely on installing any malicious payloads, binaries, or files onto the attacked system. Therefore, they do not leave typical malware footprints or artefacts on the file system. 

Such attacks have been observed to impact Microsoft Windows network environments and are well covered by many of the endpoint security tools today.

However, according to Aqua’s research, fileless attacks have also been increasingly observed to abuse and hijack legitimate cloud native applications which are optimised for speed and scalability, such as entire database systems that run entirely in memory. Attackers can use these hijacked systems to hide their malware in memory, leaving no file system footprint and thereby evading detection by most security products, which are focused on protecting the Microsoft Windows network environment.

By never dropping malware files or attack artefacts onto disk, fileless attacks can completely evade antivirus, endpoint detection, and other security solutions that rely on fingerprinting malware. Memory-only infections also make forensic analysis after an attack much harder. 

Fileless techniques observed in cloud native environments include hijacking the Linux dynamic loader, where a shared object is loaded directly into memory and linked to a running process for execution. Scripts can also execute malicious shell commands solely in memory.

Attacks leveraging an unknown unknown or a fileless technique will usually expand from a compromised cloud native workload and go on to take over the host operating system as well.

A container breakout that can leverage vulnerabilities within the operating system kernel or the container runtime engine is a good example. This type of attack typically begins in a container and ends up with an attacker gaining full administrative access to the container host. The attacker breaks out of the isolation offered by containers and gains unauthorised access to host container resources (e.g. filesystem, network stack) from within a container, allowing them to move one step closer to their attack goals.

While an existing endpoint agent may have the capabilities to detect an attack at the host operating system level, it won’t:

  • Have any visibility into container runtime activity, or into malicious activity within an application container, leaving it always a step behind the attacker.
  • Have any context as to which application has been compromised, or the ability to trace the owner of the application where remediation needs to happen, which increases the incident response time.

Once a workload has been compromised either via an unknown unknown or a fileless attack, its behaviour strays from its original purpose. This is when a drift occurs, compromising the normally immutable nature of cloud native workloads, where no changes should occur after the service is up and running.
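The two observable effects described in this section, a shared object linked into a running process from memory rather than from a file on disk, and a workload drifting from its immutable image, can both be checked from a host or agent. The following is an added example, not code from Aqua or from this post: it parses the kernel's per-process `/proc/<pid>/maps` listing to flag executable regions with no durable file behind them (anonymous `memfd:` files, or files unlinked after mapping, which the kernel suffixes with `(deleted)`), and compares the executables a workload is actually running against its image's file list. The maps excerpt, the image file list and the running-process table are constructed sample data; a real scanner would extract the image file list from the image layers.

```python
#!/usr/bin/env python3
"""Runtime checks for fileless loading and workload drift on Linux.

Added example, not Aqua's code. Two checks:

1. suspicious_mappings(): parse /proc/<pid>/maps and flag executable
   regions that are not backed by a durable on-disk file (memfd: objects,
   or objects whose backing file was unlinked after mapping).
2. drift_findings(): report processes whose executable is not part of the
   immutable image they were deployed from.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# One /proc/<pid>/maps row: start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+\d+\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Finding:
    pid: int
    detail: str
    reason: str


def suspicious_mappings(pid: int, maps_text: str) -> List[Finding]:
    """Executable mappings in one process with no on-disk file behind them."""
    out: List[Finding] = []
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m or "x" not in m.group("perms"):
            continue  # heap, stack and data segments are not executable: skip
        path = m.group("path").strip()
        region = f"{m.group('start')}-{m.group('end')} {path}"
        if path.startswith("/memfd:"):
            out.append(Finding(pid, region, "executable region backed by anonymous memfd"))
        elif path.startswith("/") and path.endswith("(deleted)"):
            out.append(Finding(pid, region, "executable region whose backing file was unlinked"))
    return out


def drift_findings(running: Dict[int, str], image_files: Set[str]) -> List[Finding]:
    """Processes whose executable path is not present in the immutable image."""
    return [Finding(pid, exe, "executable not present in image (drift)")
            for pid, exe in sorted(running.items()) if exe not in image_files]


def live_running_executables() -> Dict[int, str]:
    """Resolve /proc/<pid>/exe for every visible process; unreadable ones are skipped."""
    result: Dict[int, str] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            result[int(entry)] = os.readlink(f"/proc/{entry}/exe")
        except OSError:
            continue  # no permission, or the process exited meanwhile
    return result


# Constructed sample input in the kernel's maps format: a normal on-disk binary
# and library, a memfd-backed object, an unlinked object, and non-executable regions.
SAMPLE_MAPS = """\
55d2a3c00000-55d2a3c01000 r-xp 00000000 fd:01 1310722 /usr/bin/python3.11
7f3c0a000000-7f3c0a1c0000 r-xp 00000000 fd:01 3932178 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3c0a400000-7f3c0a401000 r-xp 00000000 00:01 4096 /memfd:example (deleted)
7f3c0a500000-7f3c0a502000 r-xp 00000000 fd:01 1572865 /tmp/lib.so (deleted)
7f3c0a600000-7f3c0a620000 rw-p 00000000 00:00 0 [heap]
7ffd12300000-7ffd12321000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed image file list and running-process table (hypothetical values).
SAMPLE_IMAGE_FILES = {"/usr/bin/python3.11", "/usr/sbin/nginx"}
SAMPLE_RUNNING = {1: "/usr/sbin/nginx", 42: "/usr/bin/python3.11", 77: "/tmp/unknown-binary"}

if __name__ == "__main__":
    findings = suspicious_mappings(42, SAMPLE_MAPS) + drift_findings(SAMPLE_RUNNING, SAMPLE_IMAGE_FILES)
    for f in findings:
        print(f"pid={f.pid} {f.reason}: {f.detail}")
```

On a live host the same functions take real input: `open(f"/proc/{pid}/maps").read()` for each pid from `live_running_executables()`, and the image file list from whatever inventory the image scanner produces. Both checks are cheap enough to run on a schedule, and a non-empty result on an immutable workload is, by the argument above, a signal rather than noise.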


The Scale of the Threat and the Financial Services Industry Response

Fileless attacks are rising fast, and financial services organisations typically have a large and growing number of digital identities they need to secure across their entire IT environment. This makes areas such as Identity and Access Management (IAM) challenging in organisations with both multi-cloud and legacy on-premise environments, where centralising and streamlining policies is more complex.

For example, the Equifax breach of 2017 is considered one of the most disastrous in history, with threat actors exploiting an unpatched system vulnerability and the company’s overall weak security posture. 

Attackers accessed approximately 147 million highly sensitive customer records which included full names, dates of birth, Social Security numbers, driver’s licence numbers, and even credit card data. The depth and breadth of access and exfiltration of sensitive personal and financial information made this a hugely impactful event.

From a development perspective, 2023 data from Aqua’s software supply chain team showed that software supply chain attacks grew by more than 300% year-over-year. Software supply chain attacks leverage commonly used open-source tools such as GitHub, PyPI, Ruby, and NPM. As cloud-based software and applications developed by financial organisations are made of multiple layers of interdependent components, securing all the layers proves the most challenging.

As financial services firms continue to move towards a more cloud native infrastructure, risks such as identity attacks are heightened, primarily due to employee errors. The Harvard Business Review reports that over 60% of breaches in this sector stem from mistakes like misconfigured cloud servers and susceptibility to phishing, rather than malicious intent, leading to significant vulnerabilities.

In response to rising attacks, financial regulators in regions including Australia and Singapore have introduced stringent cybersecurity regulations. These compel financial organisations to implement robust security controls and improve incident response capabilities.

To strengthen defences in a hybrid, enterprise environment, Gartner recommends consolidating the technology stack by integrating tools versus having siloed solutions across separate teams or environments. This allows for a single policy engine and centralised end-to-end visibility across a hybrid enterprise environment.

Here, CNAPP solutions like Aqua Security are critical in helping financial services firms improve security against unknown unknowns across their hybrid cloud infrastructure.

  • Aqua provides a flexible, integration-focused single policy engine approach spanning legacy, multi-cloud, containers, and more.
  • Aqua delivers unified security policies across your hybrid IT environments by providing real-time threat detection and visibility through hardening policies, enforcing runtime immutability on cloud native workloads, blocking zero-day and fileless attacks for both containers and host operating systems with a single policy agent.
  • Aqua also provides real-time threat detection and visibility, thus going beyond just detecting threats post-incident.

In this context, Aqua’s vulnerability management capabilities are also critical, as they prevent threats during production rather than identifying them afterwards. As Gartner notes, “Vulnerability management across the entire application lifecycle has become critical for security and risk management leaders.” Aqua allows organisations to stop attacks by neutralising vulnerabilities before they can be exploited.

Conclusion

Fileless attacks and unknown unknowns represent an urgent and dangerous threat to financial institutions in today’s complex, multi-cloud and hybrid IT environments. As cybercriminals increasingly leverage these stealthy, evasive techniques, the potential damage continues to grow.

While the challenges are immense, advanced security solutions tailored for modern hybrid cloud infrastructure can effectively combat these attacks. Platforms like Aqua Security provide a single policy engine across legacy systems and multi-cloud environments to provide unified visibility, security policy, and threat prevention/response. 

To protect themselves in the face of this rising threat, financial services firms must seek out comprehensive end-to-end solutions that close security gaps across their organisation.

Zhi Hao Tan
Mr Tan Zhihao is a recognised cyber security expert who is much sought-after by enterprise clients for his vast experience in proposing and supporting security initiatives, and for his in-depth knowledge in IT.

He has 17 years of technical and pre-sales experience in the IT services sector and has become a strong subject matter expert in cyber security strategies across the enterprise network, in particular privileged access security and cloud native security. This expertise has enabled him to support and provide strategic counsel to companies across the Asia Pacific region, earning him a reputation as a trusted expert.

Prior to joining Aqua Security, Zhihao was the Solution Engineering Manager for Southeast Asia with CyberArk Software. Before that, he worked in leading IT technology firms managing and driving various security projects for large private sector firms as well as government bodies.