Cloud environments are critical to an organization’s ability to innovate—which also makes them a prime target for a new class of cyberattackers: the cloud-conscious adversary.
In their 2023 Cloud Risk Report, CrowdStrike covers the tactics, techniques and procedures (TTPs) employed by these threat actors and how prolific they’ve become in their pursuit of information and financial gain.
Attackers are Exploiting Trusted Identities
The report highlights some staggering statistics: a 95-percent increase in cloud exploitation and a 288-percent increase in cloud-capable actors year over year. Breakout time—the time it takes an attacker to exfiltrate data after gaining an initial foothold—averaged 84 minutes, which is shorter than the previous year. This increase in speed indicates these adversaries are getting more confident at infiltrating and operating in the cloud.
Cloud entitlements and permissions are notoriously complex, and it's not uncommon for services like AWS to have thousands of different access controls. CrowdStrike notes these authenticated credentials play heavily in these incidents, and adversaries have been stealing permissions or initializing brute force password attacks. Once inside, they move laterally through the cloud, evading defenses and requesting credentials to escalate privileges for greater access. Of the cloud incidents observed, CrowdStrike saw that 67 percent of identity and access management (IAM) roles were "over-privileged," or escalated beyond their requirements.
Container Security Remains Tricky
Container workloads continue to grow in popularity for their smaller footprint relative to virtual machines (VMs) and their ease of deployment across multiple architectures. Unfortunately, the ephemeral nature of containers make them difficult to secure. It's common for containers to be spun up, run, then spun down in a matter of minutes, making them even more difficult to discover. Furthermore, the layered nature of IaaS, PaaS, and Serverless infrastructure increase the chances of blindspots or misconfigurations. CrowdStrike reports that 60 percent of observed container workloads lack properly configured protections.
Even when there is security in place, teams often lack visibility in these environments. Adversaries are able to access containers through external-facing services, such as APIs or SSH. Once inside, they can hide within existing containers—or create their own—to avoid defenses, which gives them time to introduce malicious code into the environment. The report also notes that incident response teams only get a partial view of container incidents, which means that compromised workloads are often missed.
Protect Cloud Workloads with Continuous Network Visibility
Cloud-conscious adversaries pose significant risk, but even the most sophisticated attackers leave a trail. Our strategic partnership with CrowdStrike combines Reveal(x) 360 network intelligence with Falcon endpoint data and threat intelligence for full-coverage detection, investigation, and response capabilities. Reveal(x) 360 lights up the east-west corridor and discovers post-compromise behaviors like lateral movement to help keep your cloud secure.
Reveal(x) 360 also unifies security across containerized environments and orchestration services with AI-powered peer group analysis to detect advanced threats as they occur in highly dynamic environments. Analysts can identify when threat actors may be using compromised credentials to access and use assets with malicious intent and stop them in their tracks—before they can reach the cloud.