Skip to content

TIPS #14: How can you secure what you don’t see? The hidden risks of ephemeral assets

Shane Shook

February 29, 2024

  • Blog Post
  • TIPS

Issue: Ephemeral assets have experienced massive growth in the age of cloud computing, remote work, and SaaS- but often slip through the cracks of traditional IT and cybersecurity stacks.  

The rapid rise in cloud computing, remote work (and using personal devices for business), the Internet of Things (IoT), third-party platforms, and software-as-a-service (SaaS) has dramatically increased the number of devices and assets accessing company networks.  

Collectively, these are ephemeral assets: physical and virtual devices that serve time-bound user needs. They often access company networks for a short period of time before disconnecting (though their persistence can vary).  

While ephemeral assets offer significant business benefits including reduced costs, scalability, and efficient collaboration, it’s a challenge to maintain network visibility and control over them. For example, scheduled vulnerability scans will likely miss a device accessing a network for just 5 minutes. As a result, ephemeral assets often fall outside the scope of IT departments and traditional cybersecurity stacks, leaving companies at risk.  

Impact: Unmanaged and under protected ephemeral assets bring serious risks.  

Ephemeral assets can create an expanded attack surface and make it more difficult to prevent unauthorized network access. When personal devices or third-party platforms lack enterprise-level security access and store sensitive company data, there’s a heightened risk for data breaches. An infected device that connects with a company network may also introduce ransomware or other threats that compromise business systems. Since many ephemeral devices (like cloud assets) are clones, one vulnerability can easily spread beyond a single device as well. 

Cybercriminals have targeted ephemeral assets including virtual machines (VMs), micro VMs, and Kubernetes clusters for years and increasingly leverage them today. Just this month (February 2024), CISA issued an advisory regarding a threat actor that compromised a VM while infiltrating a state government organization. 

VM compromises present an interesting case study. Threat actors store malicious toolkits within legitimate VMs they operate from breached endpoint devices- hiding in plain sight and avoiding detection with Living off the Land techniques while compromising systems or data.  

Threat intelligence firm Mandiant reported a textbook example of this in May 2023. The company revealed that threat actor group UNC3944 had stolen admin account credentials via a phishing attack and accessed Microsoft Azure Serial Console to compromise VMs within company networks. The attackers then installed legitimate third-party VM extensions to gain network information before escalating account privileges, using network tunneling to avoid security measures, and stealing data.  

Action: Prioritize observability, response, and remediation for ephemeral asset threats- and reduce risk with a proactive posture.  

1) Address the gaps in your network, Kubernetes, and endpoint security visibility and response. 

     a) Network

Ephemeral assets quickly spin up and spin down. Companies need real-time observability to identify new and existing network assets acting improperly. Lumu’s continuous compromise assessment and customizable NDR capabilities help businesses detect, analyze, and respond to network threats.   

     b) Kubernetes

Kubernetes clusters are one of the most exploited ephemeral assets. KSOC’s cloud native Kubernetes security platform contextualizes risks and automates visibility, showing you who is accessing Kubernetes clusters, how they are using them, and how you can quickly respond to and mitigate threats.  

     c) Endpoint

Mobile Device Management (MDM) tools and other device security software can give you real-time endpoint visibility, helping you remotely monitor and control devices to enforce security policies and restrict access. Endpoint Detection and Response (EDR) tools should also be a pillar of your security stack. Huntress’ managed EDR for SMBs detects and eliminates threats including persistent footholds.

2) Maintain a proactive security posture to lower ephemeral asset risks.  

     a) Network

Implement a security policy requiring virtual private networks (VPNs) for remote work. This extends company networks while securing data, lowering ephemeral risks.  

     b) Endpoint

Bring your own device (BYOD) and Acceptable Use policies bolster endpoint security and lower the risk of compromises. As always, regular patching and updating to address vulnerabilities is a must for all devices.  

     c) Identity

Strengthen user identities with strong password policies and mandatory multi-factor authentication (MFA). 1Kosmos’ advanced biometric MFA and passwordless enterprise authentication secure digital identities.  

     d) Data

Data security is an important piece of the puzzle- compromised ephemeral devices can access and store company data. Symmetry Systems’ data security posture management (DSPM) platform visualizes and mitigates risks including ephemeral data stores in your organization. 

     e) Cloud

Cloud-based ephemeral assets are increasingly common with cloud and hybrid environments being the new norm. Uptycs’ cloud security posture management (CSPM) helps your company visualize, contextualize, prevent, and respond to threats.  

     f) Third-party risk

External software, platforms, and vendors can introduce risk to your company. Whistic’s platform helps you assess third-party security risks to meet compliance requirements and build customer trust.