Video: Surviving Cloud Attacks: | Duration: 1808s | Summary: Surviving Cloud Attacks: | Chapters: Welcome and Introduction (31.88s), Identity Compromise (137.2s), Storm-0501 Attack Methods (208.74501s), Hybrid Pivot Attack (298.995s), Backup Destruction Tactics (404.815s), Why Defenses Failed (459.765s), Security Requirements (548.385s), Cloud Resilience Architecture (660.075s), Resilience Blueprint (717.34503s), Preemptive Recovery Engine (984.85504s), Recovery Execution (1294.305s), Resilience Blueprint Recap (1463.535s)
Transcript for "Surviving Cloud Attacks:":
Welcome everyone to the webinar, Surviving Cloud Attacks: A Practical Blueprint for Cloud Resilience. I'm Anirudh Dubey. I drive product marketing for Rubrik's cloud data protection suite, and I'm glad to welcome you to this webinar. But first, let's start with the hard truth. The industry is currently caught in a spending paradox. Organizations are pouring more money into perimeter defenses and prevention tools than ever before. Yet the frequency and the cost of ransomware continue to hit record highs. You would ask why. Because the game has changed. Attackers aren't wasting time trying to hack their way through your firewall anymore. They are simply logging in. By hijacking identities, these threat actors are turning our own admin tools against us. Today, we are moving past the fantasy of 100% prevention and leaning into the reality of the assumed-breach mindset. We aren't just talking about how to build a bigger wall. We are talking about how to ensure your business keeps running even when an attacker has the keys to the front door. To survive a cloud attack, you first have to understand the modern adversary's playbook. Our first guest is Joe Hladic from Rubrik Zero Labs. Joe and his team spend their days in the trenches analyzing how sophisticated actors like Storm-0501 pivot from a single compromised credential to what we call cloud god mode. He's gonna walk us through the anatomy of an identity-based attack and show us exactly how the control plane we use to manage our cloud can be weaponized to destroy our backups. Joe, the floor is yours.

Failure often comes not from what we don't know, but from what we were sure we knew that turned out to be wrong. For the next ten minutes, I wanna show you exactly how today's attackers exploit these false assumptions, especially our assumptions about hybrid identity and cloud recovery. My team at Rubrik Zero Labs is on a mission to provide actionable, vendor-agnostic insights on these exact problems.
And what we see every day is that for years, we've all been trained to look for malware and defend the perimeter, but the game has fundamentally changed. Today's most sophisticated attackers have shifted their focus from malware-based compromise to identity compromise. They're not just trying to find a vulnerability to get in. They're stealing valid credentials to be in. Operating with the full privileges of your own admins, they've realized that compromising your identity is the key to their new endgame: cloud-native data destruction. To make this real, I want to walk you through the anatomy of what really happens using the blueprint of a real, active, and highly financially motivated threat actor that my team at Zero Labs tracks closely: Storm-0501. Now, you may not know the name Storm-0501, but you know their work. They're affiliated with some of the biggest ransomware-as-a-service names out there, like BlackCat, Hive, and LockBit, but they've evolved. They are the perfect avatar for this new model. They've become experts at pivoting from on-prem to the cloud, and they are masters of living off the land. So let's walk through their playbook. It starts simply. Storm-0501 gets a foothold in one of two ways. First, the one we all know: exploiting public-facing apps. You know, unpatched tools on the Internet, that soft perimeter. They are masters at this, exploiting known vulnerabilities in tools like Zoho ManageEngine or Citrix NetScaler. But the second way, the one that's much harder to stop, is using valid accounts. They purchase or acquire compromised credentials to get a quiet foothold. They're already in, looking like a real employee from day one. From there, they immediately live off the land. This is key. They're running commands with native tools your own admins use every single day, like PowerShell or Windows Remote Management. They're not deploying new malware with known-bad hashes that your tools can scan for.
They're actively evading detections by emulating a legitimate user. Next, they need to escalate. They perform what's called a DCSync attack to harvest password hashes. They're credential dumping, looking for the keys to the kingdom. And this brings them to the critical hybrid pivot, a move that Storm-0501 has perfected. They are hunting for one specific, highly privileged account. It's a bit of a tongue twister, but you need to know it: the Entra Connect directory synchronization account. Think about what this account is. It's the trusted, synchronized service account that bridges your entire on-prem Active Directory to your Entra ID in the cloud. It's the gateway. Once they steal those credentials, that trusted bridge essentially becomes a freeway for them. They use that power to enroll new MFA methods on other non-human identities. They are literally taking over your identities and then protecting themselves with new security. With that one hybrid account, they have hijacked your cloud environment. They grant themselves Global Administrator in Entra ID, and then from there, they assign themselves the Azure Owner role across all of your subscriptions. It's cloud god mode. They own everything. Now the heist begins. They're still living off the land. They use tools like AzureHound to map out your entire cloud graph and then use the AzCopy command-line tool, which Microsoft itself explicitly flags as an actor-favored mechanism for bulk data theft from blob storage. They are quietly exfiltrating petabytes of your most sensitive data. And while they're in, they set up durable backdoors. We've seen Storm-0501 add a new malicious federated domain to their victim's Entra ID. This is a devastating persistence method that lets them authenticate as almost any user anytime they want, and it's incredibly difficult to find. But here's the gotcha. This is where it gets terrifying. Once the data is stolen, they execute their leverage play.
With that Owner access, they don't just delete your production data. They go for the kill to ensure you cannot recover. They specifically target and delete all of your cloud-native backups and snapshots. Let me say that again. They use the cloud's own control plane to destroy your cloud's own backups. Why? To block any and all recovery operations. They know that if you can't recover, you're more likely to pay. This isn't a side effect. It's the primary objective. And then the pressure tactic. We've seen Storm-0501 use compromised accounts to send the extortion demand directly from an executive's own Microsoft Teams account. Imagine getting that ransom note from your own CFO. That's the level of control they have. It leads to a fundamental truth of modern resilience: if you own the backup, you own the business. So as you're watching this unfold, you're asking, why did the Storm-0501 playbook work? Why did no alarms go off? Well, first, your endpoint security was completely blind. This was an identity-based attack, not a file-based one. There was no malware, no file to scan. Second, your SIEM was bypassed. Now, I'm not saying it was confused, as if it has intelligence. It was doing its job, but it was subject to detection evasion. The attacker's activity looked like a legitimate admin using legitimate tools. How do you write a rule for AzCopy when your real admins use it every day? Your security team isn't flagging signatures anymore. They're trying to flag behaviors, which is a much more complicated, false-positive-prone problem. Third, your defenses were fragmented and siloed. This is a huge one. When I say fragmented, I'm not talking about teams. The data is fragmented. You have one identity that has access to your on-prem environment, but it also has access to a dozen different cloud environments and SaaS tools. No single tool, no single team can see the full attack path. And finally, it all comes down to this.
The attacker hijacked your hybrid identity. The hybrid privileged account became the crown jewel. They owned the control plane itself, and they used it to get access to literally everything. This Storm-0501 playbook proves that old assumptions about security are broken. It leaves us with a new set of hard questions, or really a new set of requirements for anyone serious about cloud resilience. First, if an attacker lives off the land and looks exactly like a legitimate admin, how do you shift your strategy from trying to find the entry to reliably detecting the impact? How do you spot anomalous behavior against your data when all the user's identity signals look legitimate? Second, if an attacker gets Owner access, they can destroy everything. What is the architectural requirement to make your backup survive that compromise? How can you fundamentally sever the trust between your production control plane and your recovery data so they can't be deleted by the same stolen credentials? Third, what does recovery really mean when your entire identity infrastructure is compromised? How do you build a trusted recovery plan that guarantees you aren't just reinfecting your clean environment? How can you be certain your recovery point doesn't contain the same malicious backdoors, like that federated domain you just got hit with? Fourth, after the breach, how do you precisely answer that first inevitable question from your board: what exactly did they take? How do you get the data visibility to find the blast radius and prove what sensitive customer data was or wasn't exposed when the exfiltration was done with a legitimate tool like AzCopy? And finally, the fifth requirement: how do you build an insurance policy for your data that is truly isolated, immutable, and air-gapped from the very identity plane and control plane that an attacker can and will compromise?

Thanks, Joe. It's a sobering look at how quickly Owner access can turn into a total data wipeout.
It's one thing to lose your production data, and it's an entirely different crisis when the attacker uses your own credentials to burn that safety net. But as Joe highlighted, knowing the playbook is only half the battle. If the old way of defending the perimeter is broken, we need a new architecture for resilience. Joining us now is Matt Castriata, Rubrik's field CTO for cloud. Matt is going to take those hard questions that Joe left us with and turn them into a practical blueprint for cloud resilience. He's gonna show us how to build an air-gapped defense that survives even a total identity compromise and how to orchestrate a recovery at business speed from a clean point of recovery. Matt, over to you.

Joe just walked us through the exact playbook of a sophisticated threat actor like Storm-0501. He painted a stark picture of how the game has changed. The hacker has the keys to the front door. The perimeter is irrelevant. This validates the mindset shift we must all adopt: assume breach. We don't say this to be alarmist. We say it because Joe just showed us the reality. You cannot completely prevent the unpreventable. The definition of success has changed. The only question that matters now is how fast can you recover? That is the new mandate. Joe laid out the requirements. I'm here to give you the blueprint on how to answer them. This blueprint is built on three pillars: preparation, incident response, and recovery orchestration. Resilience starts long before the attack. It starts with having an insurance policy, your backups. But in the cloud era, simply having backups isn't enough. To build the last line of defense that actually holds when the wall collapses, you have to construct it correctly. First, you have to ensure your defense covers everything. You cannot protect what you cannot see. The reality is most organizations are sitting on mountains of dark data: unprotected assets, shadow IT, or just obsolete data that's a liability waiting to be exploited.
To solve this, the blueprint requires cloud data posture management, and Rubrik delivers this through Cloud Posture Risk, or CPR. We automatically discover and inventory your entire cloud estate. We show you clearly what's protected by Rubrik, what's relying on native tools, and what is completely unprotected. Crucially, we also identify unused or stale data that is worthy of deletion. By removing data you no longer need, you can actively reduce your attack surface. Overall, CPR gives you a comprehensive last line of defense from day one. Second, you need to ensure that protection is always up to date. A gap in protection is a gap in your recovery. That demands robust, automated protection, and Rubrik provides SLA-driven, always-on protection through our SLA domain model. Instead of micromanaging individual jobs, you simply define the policy outcomes: the frequency, the retention, replication, any archival needs. Then you assign workloads to that domain. That's it. You tell us the what, we handle the how. Our platform automatically discovers new data as it's created and applies your protection policy automatically. There are no gaps for an attacker to exploit. There are no blind spots, no human error, no forgotten workloads. It's always on. Third, and this is the critical part, we have to address the Owner access problem. Joe warned us that if an attacker gains the keys to the kingdom, they will try to burn your backups to the ground to force a payment. You need truly isolated and indelible copies, and our answer is Rubrik Cloud Vault. It's our credential-isolated, Rubrik-managed vault that provides native immutability and a logical air gap. Think of it this way. If an attacker gains that ultimate level of administrative control that Joe described, they cannot see, alter, or delete your Rubrik backups. The vault uses a completely different set of credentials that you don't need to manage.
This zero-trust model is then bolstered by robust security features like retention lock and quorum authorization, which enforces a two-person rule for any critical changes. That's true immutability. Finally, once your data is protected and your backups are secure, you need to understand the value of what you're holding. Given that data exfiltration is a primary goal for attackers like Storm-0501, you cannot wait until after a breach to ask what they took. That requires sensitive data classification. This is where data discovery and classification comes in. We simplify and automate the identification of your sensitive data: PII, PHI, PCI. We can tell you if it's within compliance and even who has access to it. And crucially, we do all this by scanning your backups, not production. You get all the insight with no production impact, allowing you to proactively mitigate your risk. This is how you get ahead of massive regulatory fines and reputational damage before the attack even happens. So your foundation is secure, but now the attack happens. This is the fog of war. In a traditional recovery, this is when the clock starts ticking and everything slows down. Your RTOs extend significantly because your teams are forced into a manual panic, trying to figure out three questions. What's the scope of the attack? What sensitive data was hit? And the hardest one: where is a clean point to recover from? Only then, after weeks of hunting, can the recovery process actually begin. Your cyber resilience blueprint must shrink this timeline. It demands two things: the ability to restore to a clean state, free of reinfection, and the ability to do it fast. And this is why Rubrik was designed from the ground up with a different architectural foundation. We call it our preemptive recovery engine. Instead of waiting for an attack to start investigating, this engine works preemptively.
It continuously scans your backups as they are written, creating a time-series history of your data and metadata. It generates pre-calculated hashes, unique fingerprints for every file and every change. This means the heavy lifting is done before the crisis. We don't need to rehydrate or restore your data to investigate it. We simply query the intelligence we've already built. This architectural advantage is what allows us to instantly light up three critical capabilities you need to answer those hard questions. First, we address detection. Joe asked a critical question: if an attacker is using legitimate tools and looks like a legitimate admin, how do you ever reliably detect them? And he's right. Your EDR is blind to authorized user behavior. Our blueprint takes a different approach. We don't look at the user. We look at the data. And this is anomaly detection. This doesn't just start when the attack hits. Rubrik leverages machine learning to continuously monitor and scan your backup data for deviations from historical baselines; that could be changes in file entropy, spikes in modification rates, or unusual encryption activity. Because it's always running, when the attack executes, it instantly triggers. It provides an early warning based on the data impact, not the user signature, defining the exact blast radius and providing a high-fidelity alert to your SOC team before they even know the admin was compromised. Once the attack is detected and the blast radius is established, you are immediately faced with the boardroom question Joe just mentioned: what exactly did they take? And to answer this, we use sensitive data reporting. This is where your work from pillar one pays off. Remember the data discovery and classification we ran? Because our engine has already mapped your sensitive data, it can now instantly overlay that map with the attack blast radius. So you're not starting a new weeks-long scan. You're just comparing two existing datasets.
And this allows you to confidently tell your board, your legal team, and your regulators exactly which sensitive files were impacted. This is how you meet regulatory requirements in minutes, not weeks. Finally, we have to address the trust gap. Once there has been an overall compromise of your environment, you cannot really trust anything, including your backups. You and your SOC team need to ensure that we aren't reinfecting the environment. And in a traditional world, this is a maddening process. You detect a breach, you investigate, and then you enter this loop of conflict. You restore a backup to a sandbox, you check for malware, you find that it's infected, and then rinse and repeat. And this trial and error can take weeks while the business bleeds money. Rubrik changes this game completely. We give your analysts a precise scalpel and not a sledgehammer, and this relies on threat monitoring and threat hunting. This is where the engine's power becomes critical. It works in two ways. Proactively, our threat monitoring continuously scans your backups against known indicators of compromise from world-class third-party feeds like Google Mandiant. The results are automatically added to the threat dashboard in Rubrik Security Cloud. And any calculated file hashes are indexed in our hash catalog for future reference. It's like having a 24/7 security guard for your backups, finding threats you didn't even know to look for. Reactively, when you find a specific indicator, you use threat hunting. Because our engine has already indexed everything, this does not involve the backups themselves. It's a simple, ultra-fast database query. The results come back far faster than any other backup-based threat hunt, easily searching 75,000 snapshots in under sixty seconds. You pinpoint exactly where the malware is and identify the last guaranteed clean point for recovery, and then you get the visibility the SOC team needs without the downtime that IT ops fears.
This is how you answer what happened, what did they take, and where is it safe to recover from, all before you've even started the recovery itself. You built your fortress, you've assessed the attack, you found your clean copy, and now it's time to act. This addresses Joe's critical concern about trusted recovery. In a traditional attack, this is the hope-it-works moment, fumbling with static, 100-page runbooks that are never tested and always fail. Our blueprint is different. The cyber recovery orchestration you see here is the payoff of work that begins back in the preparation phase. It's a simple three-step process: plan, test, and execute. First, you plan. Like drawing up a battle strategy, this starts with cyber recovery planning. With Rubrik, you can easily define recovery plans for your cloud workloads. You aren't just listing servers. You are specifying the critical parameters that make them work: setting the boot-order priorities to ensure databases start before apps, defining the destination network configurations so that they have a place to land. You create these logical bundles of key components so that you can prioritize recovery and recover your minimum viable business first. Get those mission-critical systems online first. Worry about the rest later. Second, you test. A plan you've never tested is just a hope. You can then simulate your cyber recovery plans by cloning your backup data to isolated environments. Here, you can easily test and validate the success of your recovery plans. From individual VMs to mass recovery without impacting production systems, this isn't just a technical drill. This is a business assurance tool. This promotes proactive cyber preparedness with reliable, thoroughly vetted recovery processes, all while minimizing operational overhead. This is how you prove your resilience to your auditors and your board before the crisis hits. Finally, you have to execute. Now, when the attack actually happens, your team isn't panicking.
They're not reading a 100-page PDF. They're executing a plan that's already been validated. You've already found your clean backup copies with threat monitoring and hunting. Now you execute that pre-validated recovery plan to orchestrate a rapid, reliable recovery to either an alternate subscription or even a new tenant to ensure isolation. Throughout this process, Rubrik provides comprehensive recovery reporting. A centralized dashboard allows you to monitor key outcomes in real time, check the status of operations, and download on-demand reports. With this visibility, you can meet audit and compliance requirements, demonstrating the robustness of your cyber recovery capabilities. This is the final step. This is how you turn a week-long chaotic reaction into a confident, proven, and automated response. So let's look back at this blueprint. Joe and his Zero Labs team laid out the playbook for Storm-0501. This attack is designed to create chaos by bypassing your tools and destroying native backups. Our blueprint for cloud resilience is the answer to the requirements he laid out. It fights back with order. It's not just one product. It's an end-to-end strategy. Prepare with an immutable, air-gapped foundation and full data visibility. Respond by preemptively assessing the blast radius and identifying clean data, turning weeks into minutes. And orchestrate your entire cyber recovery at business speed with a plan you've already proven. This is the blueprint for true cloud resilience. This is how you answer the new mandate, and Rubrik is the only platform that delivers all of it.

We've covered a lot of ground today. We started with Joe's breakdown of how identity hijacking has replaced malware as the primary threat vector. We ended with Matt's blueprint for fighting this very attack vector back. If there is one takeaway from today's session, it's this: resilience is an architectural choice. It's essentially built on three key pillars.
First, prepare by creating a credential-isolated, air-gapped wall that the production control plane cannot touch. Second, respond by looking at data behavior and not just user signatures to find that blast radius in minutes, as well as to outline your sensitive data impact. And third, orchestrate by replacing those dusty 100-page manual runbooks with an automated, proven recovery orchestration plan that allows you to recover from a validated clean point. When the unpreventable breach happens, the only metric that will matter to your board and your customers is how fast you can get back to work. Thank you for joining us and for taking the first step towards true cloud resilience. We'll see you next time.
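Joe's first requirement is to shift from finding the entry to reliably detecting the impact, because a living-off-the-land actor with a stolen sync account looks like any other admin in the SIEM. The control-plane sequence he describes (grant self Owner, add a federated domain, then delete recovery vaults and snapshots) is itself detectable as a pattern even when every individual call is authorized. The following is an added defender-side example, not code from the webinar, from Rubrik Zero Labs, or from any Rubrik product: it correlates per-principal control-plane events into a "backup destruction after privilege grant" alert. The event records are constructed; the operation names follow Azure activity-log and Entra audit-log naming conventions but are an assumption about how your telemetry is normalized, and the principal names, times, and resource ids are invented.

```python
"""Correlate control-plane events into a backup-destruction impact alert.

Detection idea: a privilege grant to Owner followed, within a short window,
by several deletions of backup/snapshot resources by the same principal is
an impact signal that does not depend on malware hashes or user identity.
Sample events below are CONSTRUCTED for this example, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Operation names assumed to follow Azure resource-provider / Entra audit
# conventions; adjust to whatever your log pipeline actually emits.
ELEVATION_OP = "Microsoft.Authorization/roleAssignments/write"
DESTRUCTIVE_OPS = {
    "Microsoft.RecoveryServices/vaults/delete",
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems/delete",
}
PERSISTENCE_OPS = {"Set federation settings on domain", "Add unverified domain"}

# Constructed sample: one hijacked sync account grants itself Owner, adds a
# federated domain, then deletes a vault and two snapshots. A second, benign
# admin deletes one stale snapshot and grants a Contributor role.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T02:00:00", "caller": "sync-svc@corp.example",
     "op": ELEVATION_OP, "role": "Owner", "resource": "/subscriptions/sub-0001"},
    {"time": "2024-01-01T02:10:00", "caller": "sync-svc@corp.example",
     "op": "Set federation settings on domain", "resource": "evil.example"},
    {"time": "2024-01-01T02:30:00", "caller": "sync-svc@corp.example",
     "op": "Microsoft.RecoveryServices/vaults/delete", "resource": "rsv-prod"},
    {"time": "2024-01-01T02:31:00", "caller": "sync-svc@corp.example",
     "op": "Microsoft.Compute/snapshots/delete", "resource": "snap-db-01"},
    {"time": "2024-01-01T02:32:00", "caller": "sync-svc@corp.example",
     "op": "Microsoft.Compute/snapshots/delete", "resource": "snap-db-02"},
    {"time": "2024-01-01T09:00:00", "caller": "ops-admin@corp.example",
     "op": "Microsoft.Compute/snapshots/delete", "resource": "snap-old-2022"},
    {"time": "2024-01-02T09:00:00", "caller": "ops-admin@corp.example",
     "op": ELEVATION_OP, "role": "Contributor", "resource": "/subscriptions/sub-0001"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_backup_destruction(events, window=timedelta(hours=2), min_deletes=2):
    """Return one alert per principal that granted itself Owner and then
    deleted at least `min_deletes` backup resources within `window`.
    Persistence operations by the same principal are attached as evidence."""
    by_caller = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_caller[event["caller"]].append(event)

    alerts = []
    for caller, evs in by_caller.items():
        owner_grants = [e for e in evs
                        if e["op"] == ELEVATION_OP and e.get("role") == "Owner"]
        for grant in owner_grants:
            t0 = _ts(grant)
            deletes = [e for e in evs
                       if e["op"] in DESTRUCTIVE_OPS and t0 <= _ts(e) <= t0 + window]
            if len(deletes) < min_deletes:
                continue
            persistence = [e["resource"] for e in evs if e["op"] in PERSISTENCE_OPS]
            alerts.append({
                "caller": caller,
                "elevated_at": grant["time"],
                "scope": grant["resource"],
                "deleted": [e["resource"] for e in deletes],
                "persistence": persistence,
                "severity": "critical" if persistence else "high",
            })
            break  # one alert per principal is enough for the SOC queue
    return alerts


if __name__ == "__main__":
    for alert in detect_backup_destruction(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['caller']} elevated to Owner at "
              f"{alert['elevated_at']} on {alert['scope']}, then deleted "
              f"{len(alert['deleted'])} backup resources: {alert['deleted']}; "
              f"persistence indicators: {alert['persistence']}")
```

The routine admin who deletes a single stale snapshot without an Owner grant produces no alert, while the hijacked sync account produces one critical alert that already names the blast radius (the deleted vault and snapshots) and the federated-domain backdoor that a clean recovery point must not contain. The window and `min_deletes` threshold are the tuning knobs for false positives in environments where legitimate Owner grants and cleanup jobs coincide.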