Cloud-focused attacks have soared in recent years, with attackers growing more sophisticated, brazen and determined in cloud exploitation, according to a new report.
Exploitations targeting cloud infrastructure increased 95% from 2021 to 2022, and cases of adversaries targeting cloud environments have nearly tripled in the same timeframe, as noted in the CrowdStrike 2023 Cloud Risk Report.
This report by the cybersecurity platform company shares in rich detail how attackers are going after enterprise cloud environments, as well as how those threat actors use the same cloud platforms to support their own malicious campaigns.
One key finding is that hackers are becoming more adept — and more motivated — in targeting enterprise cloud environments through a growing range of tactics, techniques and procedures. These include deploying command-and-control channels on top of existing cloud services, achieving privilege escalation, and moving laterally within an environment after gaining initial access.
Many cloud-focused campaigns begin with a single set of compromised account credentials, which attackers use to gain a back door into a customer’s cloud environment. “One of the big things a lot of customers don’t realize is that the adversary will use their initial access to gain access to their identity system,” said James Perry, CrowdStrike’s senior director, incident response services, at the CrowdStrike Cloud Threat Summit, a virtual event held this past Tuesday and Wednesday. (Video presentations from the event are now available on demand.)
“That allows them to use single sign-on to access many other applications, including their cloud – all they need is one password,” Perry said. “That allows them to pivot from an on-prem identity into the cloud and gain that more destructive access.”
Hackers are also getting better at avoiding detection once they’ve breached an environment: In 28% of incidents during the period when CrowdStrike collected data for this report, an attacker had manually deleted a cloud instance to hide evidence and avoid detection. Threat actors also commonly deactivate security tools running inside virtual machines once they’ve gained access, the report noted, another maneuver to evade detection.
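The evasion behaviours just described (an instance torn down shortly after it was created to destroy evidence, and security or logging services switched off) are the kind of thing a detection rule over cloud audit logs can catch. The following is an added example, not code from the report or from CrowdStrike: it runs over a handful of constructed events in a simplified CloudTrail-like shape (the flattened field names `principal` and `instanceIds` are an assumption for readability, not the real schema), and flags three patterns: a principal terminating an instance it launched less than an hour earlier, a call to one of the real AWS control-plane APIs that stop logging or detection (`StopLogging`, `DeleteTrail`, `DeleteDetector`, `DisableSecurityHub`), and a Systems Manager `SendCommand` whose shell commands stop a host security agent (the agent service names are placeholders).

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified CloudTrail-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"eventID": "e0", "eventTime": "2023-05-13T09:00:00Z", "eventName": "RunInstances",
     "principal": "arn:aws:iam::111122223333:user/ops", "instanceIds": ["i-0ccc"]},
    {"eventID": "e1", "eventTime": "2023-05-16T10:00:00Z", "eventName": "RunInstances",
     "principal": "arn:aws:iam::111122223333:user/builder", "instanceIds": ["i-0aaa"]},
    {"eventID": "e2", "eventTime": "2023-05-16T10:12:00Z", "eventName": "TerminateInstances",
     "principal": "arn:aws:iam::111122223333:user/builder", "instanceIds": ["i-0aaa"]},
    {"eventID": "e3", "eventTime": "2023-05-16T10:13:00Z", "eventName": "StopLogging",
     "principal": "arn:aws:iam::111122223333:user/builder"},
    {"eventID": "e4", "eventTime": "2023-05-16T10:20:00Z", "eventName": "SendCommand",
     "principal": "arn:aws:iam::111122223333:user/builder", "instanceIds": ["i-0bbb"],
     "requestParameters": {"documentName": "AWS-RunShellScript",
                           "parameters": {"commands": ["systemctl stop example-edr-agent"]}}},
    # Normal lifecycle: an instance that lived three days, terminated by the same team.
    {"eventID": "e5", "eventTime": "2023-05-16T15:00:00Z", "eventName": "TerminateInstances",
     "principal": "arn:aws:iam::111122223333:user/ops", "instanceIds": ["i-0ccc"]},
]

# Real AWS control-plane calls that switch off logging or detection services.
DISABLE_APIS = {"StopLogging", "DeleteTrail", "DeleteDetector", "DisableSecurityHub"}

# Placeholder service names for host security agents; replace with the agents you run.
AGENT_SERVICES = ("example-edr-agent", "example-av-agent")


def mentions_agent_stop(command):
    """True if a shell command stops or disables one of the watched agent services."""
    lowered = command.lower()
    return (re.search(r"\b(systemctl|service)\b", lowered) is not None
            and re.search(r"\b(stop|disable)\b", lowered) is not None
            and any(name in lowered for name in AGENT_SERVICES))


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, max_lifetime=timedelta(hours=1)):
    """Return findings for the three evasion patterns over a stream of events."""
    launches = {}   # instanceId -> (principal that launched it, launch time)
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        t, name, who = parse_time(ev["eventTime"]), ev["eventName"], ev["principal"]
        if name == "RunInstances":
            for iid in ev.get("instanceIds", []):
                launches[iid] = (who, t)
        elif name == "TerminateInstances":
            for iid in ev.get("instanceIds", []):
                launch = launches.get(iid)
                # Creator tearing down its own short-lived instance: evidence destruction pattern.
                if launch and launch[0] == who and t - launch[1] <= max_lifetime:
                    minutes = int((t - launch[1]).total_seconds() // 60)
                    findings.append({"rule": "short_lived_instance_terminated_by_creator",
                                     "eventID": ev["eventID"], "principal": who,
                                     "detail": f"{iid} lived {minutes} min"})
        elif name in DISABLE_APIS:
            findings.append({"rule": "logging_or_detection_disabled",
                             "eventID": ev["eventID"], "principal": who, "detail": name})
        elif name == "SendCommand":
            params = ev.get("requestParameters", {}).get("parameters", {})
            for cmd in params.get("commands", []):
                if mentions_agent_stop(cmd):
                    findings.append({"rule": "security_agent_stop_command",
                                     "eventID": ev["eventID"], "principal": who, "detail": cmd})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['eventID']}: {f['rule']} ({f['principal']}) {f['detail']}")
```

The short-lifetime rule keys on the creating principal so that routine autoscaling churn by a service role is not flagged; tune `max_lifetime` to the shortest legitimate lifetime in your environment, and treat the three rules together as a correlated sequence when they come from one principal within minutes.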
But the cloud isn’t just a target for adversaries — it’s a tool, too. Attackers will use cloud infrastructure to host tools, such as phishing lure documents and malware payloads, that support their attacks.
The CrowdStrike 2023 Cloud Risk Report offers a deep dive into the various methods and attack vectors modern adversary groups are deploying today, noting the ephemeral nature of some cloud instances is pushing attackers to become even more tenacious in their pursuit of cloud compromise.
Moreover, the relative infancy of many cloud-centric paradigms and technologies, such as containers and orchestration, expands the threat surface as well. Teams may simply not know all they need to know in order to keep their cloud infrastructure and workloads safe.
Among the report’s findings:
While attack vectors and methods are increasingly varied, they often rely on some common denominators, including the oldest one around: human error. For example, 38% of observed cloud environments were running with insecure default settings from the cloud service provider.
Indeed, cloud misconfigurations are one of the major sources of breaches.
Similarly, identity and access management (IAM) is another huge area of risk rife with human error. In two out of three cloud security incidents observed by CrowdStrike, IAM credentials were found to be over-permissioned, meaning the user had higher levels of privileges than necessary.
This is inextricably linked with a broader misconfiguration problem: CrowdStrike found nearly half of all detected cloud misconfigurations considered critical were the result of ineffective identity and entitlement hygiene, such as excessive permissions.
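Over-permissioned credentials and poor entitlement hygiene can be measured directly from a policy document and the actions a principal has actually used. The following is an added example, not from the report or from CrowdStrike: it audits a constructed AWS-style IAM policy for full and service-wide wildcards and for write-class actions granted on every resource, then compares each grant against a constructed set of actions observed in use to list the grants that could be removed. The verb classification (anything not starting with `Get`, `List` or `Describe` counts as write) is a simplifying assumption.

```python
import fnmatch

# Constructed sample policy in AWS IAM JSON form (not taken from the report).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"],
         "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ],
}

# Constructed set of actions this principal was actually seen calling over the review window.
OBSERVED_ACTIONS = {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"}

# Simplifying assumption: these verb prefixes are read-only, everything else can change state.
READ_ONLY_VERBS = ("Get", "List", "Describe")


def as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    if ":" not in action:
        return False
    verb = action.split(":", 1)[1]
    return verb.startswith(READ_ONLY_VERBS)


def audit_policy(policy, observed_actions):
    """Flag risky grants and list grants never exercised by the principal."""
    findings, unused = [], []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*":
                findings.append((idx, "full_admin_wildcard", action))
            elif action.endswith(":*"):
                findings.append((idx, "service_wide_wildcard", action))
            # A grant is "used" if any observed action matches it, wildcards included.
            if not any(fnmatch.fnmatchcase(seen, action) for seen in observed_actions):
                unused.append((idx, action))
        if "*" in resources and any(not is_read_only(a) for a in actions):
            findings.append((idx, "write_actions_on_all_resources", ",".join(actions)))
    return {
        "findings": findings,
        "unused_grants": unused,
        # The least-privilege replacement: exactly the actions that were observed.
        "least_privilege_actions": sorted(observed_actions),
    }


if __name__ == "__main__":
    report = audit_policy(SAMPLE_POLICY, OBSERVED_ACTIONS)
    for idx, rule, detail in report["findings"]:
        print(f"statement {idx}: {rule}: {detail}")
    for idx, action in report["unused_grants"]:
        print(f"statement {idx}: unused grant {action}")
    print("suggested actions:", report["least_privilege_actions"])
```

Running it on the sample policy shows `ec2:*` as a service-wide wildcard, both the `ec2:*` and `iam:PassRole` statements as write access on all resources, and `s3:DeleteBucket` and `iam:PassRole` as grants the principal never used. The observed-action set would come from CloudTrail or the provider's last-accessed data in practice; the comparison is the core of what CIEM tooling automates.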
“Threat actors have become very adept at pivoting from on-prem enterprises to directly into the cloud leveraging stolen identities,” said Adam Meyers, CrowdStrike’s senior vice president of intelligence. “Identity security has become a major concern across all of our enterprise customers, as they understand that there’s not a single hack that’s taking place that doesn’t involve a compromised credential.”
Misconfiguration and identity challenges are highly preventable when organizations invest in the people, tooling and processes needed to get it right.
“CrowdStrike is consistently called in to investigate cloud breaches that could have been detected earlier or prevented if cloud security settings had been correctly configured,” the report said.
That speaks to a broader point: The report isn’t a doomsday story. It’s more of a call to arms, offering a blueprint for how enterprises can fight back and best protect their cloud environments from malicious actors. Since so many cloud security incidents begin with leaky credentials or oversized permissions, for example, shoring up identity and entitlement management is table stakes for a strong cloud security posture.
CrowdStrike identifies four pillars of a cloud-focused security posture that makes life difficult for even the most sophisticated adversaries.
This multi-layered approach, starting at the workload level, is crucial in today’s security landscape, said CrowdStrike president Michael Sentonas.
“If you’re not on the workload, you can’t stop an attack,” Sentonas said. “At best, you’re detecting it without the ability to do anything about it.”
The multi-pronged approach is what’s needed to protect and mitigate against both active attacks and the persistent reality of human error, he said: “Organizations need the tight native integration of an agent and an agentless solution that spans runtime to CSPM to CIEM to stop breaches from both adversaries and human error.”
Read the full report to boost your cloud security awareness and strategy.