In multi-cloud environments, detecting suspicious and malicious activity is crucial to maintaining the security of your cloud resources. The following are common examples of such activity that a CSPM tool should help detect, either on its own or in tandem with the security tools you already run:
- Anomalous access patterns: Unusual ways of reaching resources, such as sign-ins from unfamiliar locations or devices, or access at odd hours. A specific case is impossible travel, where one account authenticates from two locations too far apart to be reached in the time between the sign-ins. These patterns can indicate a compromised account or an unauthorized access attempt.
- Brute-force attacks: A brute-force attack is a method used to gain unauthorized access to a system, account, or encrypted data by systematically trying passwords, encryption keys, or other credentials until the correct one is found. In cloud audit logs it typically appears as a burst of failed console or API authentication attempts from one source against one or many accounts.
- Account takeover attempts: The goal of an account takeover is to gain control of the targeted account and use it for malicious purposes, such as stealing sensitive information or performing unauthorized actions. Behavioral monitoring can surface it by flagging sudden changes in user behavior, such as accessing resources the user normally does not, changing settings, or escalating privileges. These activities may indicate that an attacker has obtained a legitimate user's credentials and is using them.
- Unusual data access or exfiltration: Large-scale downloads or transfers of sensitive data, especially if the data is being sent to unfamiliar external locations. This activity could indicate data exfiltration, where an attacker is stealing sensitive information.
- Suspicious API calls: Unusual or unauthorized API calls, such as those not typically associated with the application or service. They may represent attempts to exploit vulnerabilities or gain unauthorized access to resources. Use strong authentication and authorization so that only authorized users and applications can call the API and reach its resources.
- Resource configuration changes: Changes to critical resource configurations, security groups, firewall rules, or access policies. Unexpected changes could indicate that an attacker is opening pathways for unauthorized access or data manipulation. Routine configuration changes, such as resizing virtual machines, adjusting storage allocations, changing network settings, or altering auto-scaling thresholds, are common in a cloud environment, so detection should compare each change against an approved baseline and expected change windows rather than alert on every change.
- Privilege escalation: Activity suggesting that users or entities are attempting to escalate their privileges within the cloud environment. Successful escalation gives attackers broader access to resources and increases the potential impact of a breach. Privilege escalation can be divided into two types, vertical and horizontal:
  - In vertical privilege escalation, an attacker with lower-level access tries to gain higher-level privileges, for example a regular user attempting to gain administrative or root-level access to a system.
  - In horizontal privilege escalation, an attacker with a certain level of access tries to gain the same level of access to a different user or account. This might involve impersonating another user or exploiting vulnerabilities in account management systems.
- Suspicious network traffic: Unusual or unexpected traffic patterns, such as communication with known malicious IP addresses or domains. This can indicate a compromised resource or an ongoing attack.
- Service or instance hijacking: Unauthorized provisioning, termination, or modification of cloud resources. Attackers hijack cloud instances or services to conduct malicious activity from them, such as distributing malware or accessing and stealing sensitive information. The consequences for the organization include data breaches, service disruption, financial loss, and reputational damage.
- Data manipulation or injection: Attempts to modify, delete, or inject malicious data into databases or storage systems. These activities could lead to data corruption, unauthorized access, or data breaches.
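As an added example (not code from the original text or from any CSPM product), the following Python script runs three of the detections listed above over a handful of constructed, CloudTrail-style events: impossible travel between consecutive successful logins, a brute-force burst of failed logins from one source, and a security group rule that opens SSH or RDP to the whole internet. The event shape, the field names, the 900 km/h travel threshold, the 10-failures-in-5-minutes threshold, and the static geo-IP table are all simplifying assumptions; a real deployment would read CloudTrail, Azure Activity Log, or GCP audit logs and resolve addresses with a GeoIP database.

```python
"""Added example: three CSPM-style detection rules over constructed, CloudTrail-like
events. Not code from the original text or any product; the event shape, field
names and the geo-IP table below are simplifying assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Assumption: a static geo-IP table stands in for a real GeoIP database (lat, lon).
GEOIP = {
    "203.0.113.10": (51.5074, -0.1278),    # London
    "192.0.2.25":   (51.5200, -0.1300),    # London, a few km away
    "198.51.100.7": (37.7749, -122.4194),  # San Francisco
}

def _ev(time, user, ip, event, result="Success", **params):
    """Build one simplified CloudTrail-like event record (constructed data)."""
    return {"time": time, "user": user, "ip": ip, "event": event,
            "result": result, "params": params}

def _ts(s):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamp format used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed sample events: one impossible-travel pair, one plausible move within a
# city, one world-open SSH rule beside a harmless internal rule, two stray failed
# logins, then (appended below) a burst of failed logins from a single source.
EVENTS = [
    _ev("2024-05-01T08:00:00Z", "alice", "203.0.113.10", "ConsoleLogin"),
    _ev("2024-05-01T08:40:00Z", "alice", "198.51.100.7", "ConsoleLogin"),  # ~8,600 km in 40 min
    _ev("2024-05-01T09:00:00Z", "carol", "203.0.113.10", "ConsoleLogin"),
    _ev("2024-05-01T09:30:00Z", "carol", "192.0.2.25", "ConsoleLogin"),    # a few km in 30 min
    _ev("2024-05-01T10:00:00Z", "dave", "198.51.100.7", "AuthorizeSecurityGroupIngress",
        cidr="0.0.0.0/0", from_port=22, to_port=22),
    _ev("2024-05-01T10:05:00Z", "dave", "198.51.100.7", "AuthorizeSecurityGroupIngress",
        cidr="10.0.0.0/8", from_port=443, to_port=443),
    _ev("2024-05-01T12:00:00Z", "bob", "203.0.113.10", "ConsoleLogin", "Failure"),
    _ev("2024-05-01T12:01:00Z", "bob", "203.0.113.10", "ConsoleLogin", "Failure"),
]
_base = datetime(2024, 5, 1, 11, 0, 0)
for i in range(12):  # twelve failures from one IP, 20 s apart (220 s total, inside the window)
    _t = (_base + timedelta(seconds=20 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
    EVENTS.append(_ev(_t, "bob", "192.0.2.25", "ConsoleLogin", "Failure"))

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, max_kmh=900.0):
    """Flag a user whose consecutive successful logins imply travel faster than max_kmh.
    Returns (user, previous_ip, new_ip, implied_kmh) tuples."""
    last, hits = {}, []
    for e in sorted(events, key=lambda e: e["time"]):  # ISO-8601 UTC strings sort chronologically
        if e["event"] != "ConsoleLogin" or e["result"] != "Success":
            continue
        t, ip = _ts(e["time"]), e["ip"]
        if e["user"] in last:
            t0, ip0 = last[e["user"]]
            hours = (t - t0).total_seconds() / 3600
            km = haversine_km(GEOIP[ip0], GEOIP[ip])
            if hours > 0 and km / hours > max_kmh:
                hits.append((e["user"], ip0, ip, round(km / hours)))
        last[e["user"]] = (t, ip)
    return hits

def brute_force(events, threshold=10, window_s=300):
    """Per source IP, count failed logins in any sliding window of window_s seconds.
    Returns {ip: peak_failures_in_window} for IPs that reach the threshold."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "ConsoleLogin" and e["result"] == "Failure":
            fails[e["ip"]].append(_ts(e["time"]))
    hits = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1  # drop failures that have fallen out of the window
            n = end - start + 1
            if n >= threshold:
                hits[ip] = max(hits.get(ip, 0), n)
    return hits

ADMIN_PORTS = {22, 3389}          # SSH and RDP
WORLD = {"0.0.0.0/0", "::/0"}     # "any source" CIDRs

def world_open_admin_ports(events):
    """Flag security group ingress rules that expose SSH or RDP to the whole internet."""
    hits = []
    for e in events:
        p = e["params"]
        if e["event"] == "AuthorizeSecurityGroupIngress" and p.get("cidr") in WORLD:
            if any(p["from_port"] <= port <= p["to_port"] for port in ADMIN_PORTS):
                hits.append((e["user"], p["cidr"], p["from_port"], p["to_port"]))
    return hits

if __name__ == "__main__":
    print("impossible travel:", impossible_travel(EVENTS))
    print("brute force:", brute_force(EVENTS))
    print("world-open admin ports:", world_open_admin_ports(EVENTS))
```

Run as written, the script flags alice (London to San Francisco in 40 minutes), the 12-failure burst from 192.0.2.25, and dave's 0.0.0.0/0 rule on port 22, while carol's short hop within London, bob's two stray failures, and the internal 10.0.0.0/8 rule pass. The thresholds are deliberately conservative; in practice they should be tuned per tenant and fed with the provider's real audit log rather than the constructed events here.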
Promptly detecting and responding to such activities is essential to mitigating potential security breaches and minimizing the impact on your multi-cloud environment.
Best practices and lessons learned
It is crucial for every organization that relies on hybrid and multi-cloud environments, whether small or large, to have a security-first mindset. Organizations need to follow recommended guidelines and insights to prevent, detect, and address misconfigurations that can lead to security vulnerabilities and breaches in their cloud infrastructure. The following best practices are drawn from real-world incidents and challenges involving cloud misconfigurations. Let's start with best practices for network security misconfigurations.