For a long time, cybersecurity operated on a single assumption: that defense should focus on detection and the perimeter.
But as cyberattacks grow more sophisticated, that assumption has become dangerous.
"Failure often comes not from what we don't know, but from something we were sure we knew that turned out to be wrong," says Jen Easterly, former Director of the Cybersecurity and Infrastructure Security Agency (CISA) and the architect of the US government’s Secure by Design cybersecurity posture.
Indeed, today’s most advanced attackers have moved past trying to punch a hole in your network. They now rely on a more devastating strategy: identity compromise. By stealing valid credentials they operate with the full privileges of your own administrators, and from there they can reach their ultimate objective: the destruction of your cloud environment, backups included.
Ready to protect your cloud identities? Watch former CISA Director Jen Easterly’s presentation at the Rubrik Cloud Resilience Summit and learn how.
How Attackers Destroy Your Cloud
Let’s look at the playbook of the financially motivated threat actor Storm-0501. They are experts at pivoting from on-premises to the cloud and are masters of "living off the land." Here’s how they do it.
The Pivot: First, they steal the keys to your kingdom, often by buying valid accounts or exploiting a soft perimeter. With a global admin account in hand, an intruder can take over your cloud identity platform, bridge between your on-prem and cloud environments, and gain access to your entire infrastructure.
The Kill: Next, they target your recovery capabilities to prevent you from bringing your business back online. "They specifically target and delete all of your cloud data, backups, and snapshots,” says Easterly. “Why? To block any and all recovery operations." With your enterprise under total control, they can begin their leverage play, exfiltrating sensitive data using native tools like AzCopy, a command-line utility that transfers data to and from Azure Storage. Indeed, Microsoft itself explicitly warns that AzCopy is favored by threat actors for bulk data theft from Blob storage.
This attack works because it exploits fragmented security and stolen credentials to gain total control of your cloud infrastructure. You don’t see it coming. You don’t even know it’s happening. Why?
Endpoint Security Is Blind: This is an identity-based attack. There is no malware and no file to scan, so there is nothing for an EDR signature or a YARA rule to match.
The SIEM Is Bypassed: The attacker’s activity looks like a legitimate administrator using legitimate tools. How do you write a rule for AzCopy when your real admins use it every day?
Fragmented Defenses Are Exploited: If an attacker gets access to the right, high-level cloud identity, they get access to your on-prem environment and (potentially) a dozen different cloud environments and SaaS tools. And without a single view of your identity portfolio, you cannot see the attack path.
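The detection gap described above is tractable if you stop keying on the tool and key instead on the identity: what each principal normally does, and whether recovery points are being destroyed alongside a bulk read. The following is an added example, not code from this article, from Rubrik, or from Microsoft. Its event schema, field names, principals (backup-svc, alice@corp, ga-bob@corp), hosts and thresholds are all constructed assumptions, simplified from what real Azure activity and storage logs look like; a real deployment would map the same logic onto those log sources.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds: assumptions chosen for this example, tune per environment.
MASS_DELETE_COUNT = 5                         # recovery points deleted ...
MASS_DELETE_WINDOW = timedelta(minutes=30)    # ... inside this window
VOLUME_MULTIPLIER = 5.0                       # bytes out above N x the principal's own daily max
MIN_BULK_BYTES = 1 * 2**30                    # floor for principals with no download history
SEQUENCE_WINDOW = timedelta(hours=6)          # deletion burst and bulk read this close together
RECOVERY_TYPES = {"backup", "snapshot", "recovery_vault"}


def ev(ts, principal, kind, **extra):
    """Build one constructed audit event (simplified schema, an assumption)."""
    e = {"ts": datetime.fromisoformat(ts), "principal": principal, "kind": kind}
    e.update(extra)
    return e


# Constructed sample log: a baseline month followed by one detection day.
SAMPLE_EVENTS = []
for day in range(1, 29):  # backup service account copies ~40 GiB nightly with AzCopy
    ts = f"2025-03-{day:02d}T02:00:00"
    SAMPLE_EVENTS.append(ev(ts, "backup-svc", "tool_exec", tool="azcopy", host="bkp-01"))
    SAMPLE_EVENTS.append(ev(ts, "backup-svc", "download", bytes=40 * 2**30, source="prodstore"))
SAMPLE_EVENTS.append(ev("2025-03-10T09:15:00", "alice@corp", "delete",
                        resource_type="snapshot", resource="vm-web-01-snap-2025-01"))
# Detection day, benign: same nightly job, same admin pruning one snapshot.
SAMPLE_EVENTS.append(ev("2025-03-29T02:00:00", "backup-svc", "tool_exec", tool="azcopy", host="bkp-01"))
SAMPLE_EVENTS.append(ev("2025-03-29T02:00:00", "backup-svc", "download", bytes=41 * 2**30, source="prodstore"))
SAMPLE_EVENTS.append(ev("2025-03-29T10:00:00", "alice@corp", "delete",
                        resource_type="snapshot", resource="vm-web-02-snap-2025-02"))
# Detection day, hostile: a compromised global admin deletes eight backup items in
# minutes, then runs AzCopy from a host it never used and reads 900 GiB out.
for i in range(8):
    SAMPLE_EVENTS.append(ev(f"2025-03-29T03:{i:02d}:00", "ga-bob@corp", "delete",
                            resource_type="backup", resource=f"vault-prod/item-{i}"))
SAMPLE_EVENTS.append(ev("2025-03-29T03:20:00", "ga-bob@corp", "tool_exec", tool="azcopy", host="jump-03"))
SAMPLE_EVENTS.append(ev("2025-03-29T03:25:00", "ga-bob@corp", "download", bytes=900 * 2**30, source="prodstore"))


def learn_baseline(events):
    """Per principal: the tools it has used and its largest single-day download volume."""
    tools, daily = defaultdict(set), defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["kind"] == "tool_exec":
            tools[e["principal"]].add(e["tool"])
        elif e["kind"] == "download":
            daily[e["principal"]][e["ts"].date()] += e["bytes"]
    return tools, {p: max(days.values()) for p, days in daily.items()}


def detect(events, detection_start):
    """Events before detection_start are the baseline; later ones are evaluated against it.
    Alerts are keyed on the identity's deviation, never on the presence of AzCopy itself."""
    tools, max_daily = learn_baseline([e for e in events if e["ts"] < detection_start])
    by_principal = defaultdict(list)
    for e in sorted((e for e in events if e["ts"] >= detection_start), key=lambda e: e["ts"]):
        by_principal[e["principal"]].append(e)
    alerts = []
    for p, evs in by_principal.items():
        delete_burst_at = bulk_read_at = None
        # 1. A tool this identity has never used before.
        for e in evs:
            if e["kind"] == "tool_exec" and e["tool"] not in tools.get(p, set()):
                alerts.append({"rule": "new-tool-for-principal", "principal": p, "severity": "medium",
                               "detail": f"{e['tool']} on {e['host']} at {e['ts']}"})
                break
        # 2. Many recovery points deleted inside a short sliding window.
        deletes = [e["ts"] for e in evs if e["kind"] == "delete" and e.get("resource_type") in RECOVERY_TYPES]
        for i in range(len(deletes)):
            j = i
            while j < len(deletes) and deletes[j] - deletes[i] <= MASS_DELETE_WINDOW:
                j += 1
            if j - i >= MASS_DELETE_COUNT:
                delete_burst_at = deletes[i]
                alerts.append({"rule": "mass-recovery-point-deletion", "principal": p, "severity": "high",
                               "detail": f"{j - i} recovery points deleted starting {deletes[i]}"})
                break
        # 3. Download volume far above this identity's own history (or any bulk read if it has none).
        threshold = max(VOLUME_MULTIPLIER * max_daily.get(p, 0), MIN_BULK_BYTES)
        per_day = defaultdict(int)
        for e in evs:
            if e["kind"] == "download":
                per_day[e["ts"].date()] += e["bytes"]
        for day, total in sorted(per_day.items()):
            if total > threshold:
                bulk_read_at = next(e["ts"] for e in evs if e["kind"] == "download" and e["ts"].date() == day)
                alerts.append({"rule": "bulk-download-anomaly", "principal": p, "severity": "high",
                               "detail": f"{total / 2**30:.0f} GiB on {day}, threshold {threshold / 2**30:.0f} GiB"})
                break
        # 4. The combination the article describes: recovery destroyed and data copied out, close together.
        if delete_burst_at and bulk_read_at and abs(bulk_read_at - delete_burst_at) <= SEQUENCE_WINDOW:
            alerts.append({"rule": "recovery-destruction-plus-exfil", "principal": p, "severity": "critical",
                           "detail": f"deletion burst at {delete_burst_at}, bulk read at {bulk_read_at}"})
    return alerts


def run_sample():
    return detect(SAMPLE_EVENTS, datetime(2025, 3, 29))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['severity']}] {a['rule']} {a['principal']}: {a['detail']}")
```

On the constructed sample, the nightly backup job and the admin's single snapshot deletion produce no alerts even though both use exactly the tools and operations the attacker uses; only ga-bob@corp trips the rules, and the fourth rule fires because recovery-point destruction and a bulk read coincide, which is the pairing worth paging someone for. In production the baseline should come from a longer history than one month, and the "new host for this identity" signal is worth adding as its own rule.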
The New Requirements for Resilience
How do you protect yourself against a threat you can’t see? According to Easterly, the solution lies in moving beyond prevention and embracing Secure by Design principles. These principles insist that security be built into software and systems, making them inherently safe to use out of the box with minimal configuration required.
Key Secure By Design principles include:
Ownership of Security Outcomes: Manufacturers must take responsibility for security outcomes. Blaming customers for slow patching or misconfigurations is not an option.
Security By Default: Products must be shipped with the safest setting enabled, at no additional cost to the customer. Tools like multi-factor authentication and secure logging must be active at installation.
Design For Resilience: Vendors must assume that prevention will fail. Resilience must be the priority: that means being able to contain the blast radius if a compromise occurs and enable quick, clean recovery.
Shifting Left: Security requirements and testing must be integrated into the earliest conceptual design and development phases of a product.
Radical Transparency: Vendors must be open and timely about vulnerability disclosure, remediation timelines, and overall product security posture.
Minimal Attack Surface: Only expose necessary features, interfaces, and services.
Principle of Least Privilege: Access permissions are strictly limited for users, processes, and services to contain damage from a compromised identity.
To avoid making new investments in the legacy cybersecurity mindset, security leaders must have confidence that their vendors are following Secure By Design principles. That means asking your vendors some tough questions, such as:
What is the vendor’s cybersecurity track record?
What is their data on vulnerability remediation time and transparency?
If a cyber incident occurs, can they limit the blast radius?
Do they offer features like role separation, just-in-time privilege, and immutable recovery of data?
With the right-minded vendors at your side, you must now build a trusted recovery architecture. Since attackers are living inside environments and poisoning backups, simply restoring from a traditional backup is no longer sufficient. You must be able to prove your recovery is clean.
Easterly says that your recovery environment must be physically and logically separated from the operational environment. “If your backups and your orchestration systems and your identity systems are all in the same trust domain, you fundamentally don't have resilience,” she says.
Trusted recovery requires three core components:
Architectural Isolation: Your backups must be immutable and tamper-resistant in an isolated, logically separated recovery environment.
Verification: You need to be able to scan snapshots for indicators of compromise and malware before you restore. Treat your backup copies as security artifacts.
Rehearsal: "Trusted recovery is not just about technology. It's about people, it’s about culture,” says Easterly. “You have to rehearse recovery like you rehearsed incident response."
A Challenge for Leaders: Interrogate Your Assumptions
Software vendors don’t promise security—they simply make it possible. According to Easterly, security starts with leadership and vision.
"I challenge every leader to be curious about assumptions,” she says. “How your systems are going to work, how your teams operate under pressure, and what you believe is going to happen in a crisis."
Two core assumptions leaders need to interrogate: that identity controls are sufficient and that backups are clean.
But with the right partners and the right mindset, security leaders can build environments that can recover when credentials are stolen.