Significant financial loss and sensitive data exposure remain serious risks for entities that host systems in the cloud. Identifying whether attackers prefer attacking systems hosted in one cloud provider over another could assist architects and engineers in selecting a provider.
Honeypots incorporating a social engineering lure were deployed to Amazon Web Services (AWS), Azure, and Google Cloud Platform to measure human and bot interactions and determine whether attackers preferred one cloud provider over another. The data analysis did not identify human interactions, leaving only bot interactions for further examination. Hosting providers that hosted the bots were identified by enriching the data during analysis.
The results showed that the SSH server hosted in AWS experienced significantly fewer attacks, and far fewer attacks originated from AWS. Determining causation from this metric alone was not possible. AWS is likely employing undocumented mitigation strategies, attackers may prefer other clouds over AWS, or resources are allocated based on the number of usernames used in the attacks against SSH.
The data also showed that a very low percentage of the bots attacking the three cloud providers overlapped with one another, indicating that bot herders are configuring attack infrastructure to focus on particular clouds rather than directing bots to crawl the internet mindlessly. Analysis of how the bots interacted with the web servers showed that they were tailored to the environments they attacked. Defenders, engineers, and architects should not deviate from required and selected security frameworks regardless of attacker preferences that may be identified.
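
One way a defender could reproduce the overlap measurement described above from their own honeypot SSH logs, as an added example that is not taken from the paper. It assumes OpenSSH-style "Failed password" lines and treats each source IP as one bot; the log lines are constructed and the function names are illustrative.

```python
import re
from itertools import combinations

# Constructed sshd log excerpts, one per honeypot; IPs are documentation ranges.
LOGS = {
    "aws": """\
Jan 10 03:12:01 hp sshd[811]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan 10 03:12:09 hp sshd[813]: Failed password for invalid user admin from 203.0.113.5 port 51844 ssh2
Jan 10 03:12:10 hp sshd[813]: Connection closed by invalid user admin 203.0.113.5 port 51844 [preauth]
""",
    "azure": """\
Jan 10 03:14:40 hp sshd[902]: Failed password for root from 198.51.100.7 port 40310 ssh2
Jan 10 03:15:02 hp sshd[905]: Failed password for invalid user ubuntu from 192.0.2.44 port 33010 ssh2
Jan 10 03:15:04 hp sshd[906]: Failed password for invalid user oracle from 192.0.2.44 port 33012 ssh2
Jan 10 03:16:11 hp sshd[910]: Failed password for invalid user test from 192.0.2.45 port 60120 ssh2
Jan 10 03:17:30 hp sshd[915]: Failed password for root from 198.51.100.20 port 42200 ssh2
""",
    "gcp": """\
Jan 10 03:20:01 hp sshd[700]: Failed password for root from 198.51.100.7 port 40555 ssh2
Jan 10 03:21:15 hp sshd[704]: Failed password for invalid user ubuntu from 192.0.2.44 port 33400 ssh2
Jan 10 03:22:48 hp sshd[709]: Failed password for invalid user pi from 203.0.113.99 port 51000 ssh2
Jan 10 03:23:05 hp sshd[711]: Failed password for invalid user git from 203.0.113.100 port 51002 ssh2
""",
}

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse(text):
    """Return (source IPs, usernames tried) from failed-password lines only."""
    ips, users = set(), set()
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            users.add(m.group(1))
            ips.add(m.group(2))
    return ips, users

def overlap_report(logs):
    """Share of sources seen at every honeypot, plus pairwise Jaccard overlap."""
    sources = {name: parse(text)[0] for name, text in logs.items()}
    every = set.union(*sources.values())
    shared = set.intersection(*sources.values())
    report = {"all_providers_pct": round(100 * len(shared) / len(every), 1) if every else 0.0}
    for a, b in combinations(sorted(sources), 2):
        union = sources[a] | sources[b]
        report[f"{a}&{b}"] = round(len(sources[a] & sources[b]) / len(union), 2) if union else 0.0
    return report

if __name__ == "__main__":
    print(overlap_report(LOGS))
```

Source IP is only a proxy for a bot: NAT, shared hosting and address churn can merge or split actors, so the percentages are best read as relative comparisons between providers.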









