CrowdStrike Cloud Risk Report 2023 - The Findings
With the increasing adoption of cloud technology, malicious actors are exploiting the cloud to amplify the consequences of their attacks. According to CrowdStrike, cloud-based cyberattacks escalated rapidly from 2021 to 2022, with cloud exploitation cases growing by 95%; these staggering figures make defending cloud environments more important than ever. However, to do that, businesses need knowledge of what threat actors are doing, how they gain entry and move laterally, which resources they target and how they manage to avoid detection.
The CrowdStrike 2023 Cloud Risk Report helps businesses understand how adversaries are targeting the cloud and the common tactics, techniques and procedures (TTPs) they use. The report also highlights the critical oversights that create vulnerabilities and provides guidance on how to defend against an increasingly cloud-conscious adversary.
Key Adversary Behaviours in the Cloud
While the objectives of adversaries operating within cloud environments are often similar to their intrusion goals outside the cloud, such as gaining initial access, establishing persistence, and moving laterally, the transient nature of the cloud environment demands a more resilient approach for adversaries to achieve success. CrowdStrike observed an evolution of TTPs used throughout 2022 and the following stood out as key adversary behaviours in the cloud:
- Identity is the Key Access Point - valid accounts were used to gain initial access in 43% of cloud intrusions in 2022.
- Cloud Accounts are the Focus During Discovery - during initial environment discovery, threat actors primarily focused on cloud accounts and looked for potential privilege escalation; they also searched for cloud permission groups, infrastructure and storage buckets.
- Escalated Privileges Led to Compromise - 67% of cloud security incidents found identity and access management roles with escalated privileges that could have been used to compromise the environment and move laterally.
- New Protocols Were Used for Lateral Movement - threat actors used protocols including SSH, Remote Desktop Protocol (RDP) and Server Message Block (SMB) and also leveraged cloud orchestration where they had console access.
- New Techniques Emerged for Evading Detection - some threat actors disabled security products running inside virtual machines, while others masqueraded as valid users by choosing proxy exits close to expected victim locations or by renaming virtual machines.
Common Cloud Security Misconfigurations
The other significant finding in the report is that human error is a key driver of cloud risk. Cloud misconfigurations, gaps, errors and vulnerabilities are an open door to adversaries. For example, CrowdStrike observed that 60% of containers lacked properly configured security protections and that 36% of cloud environments used insecure cloud service provider default settings. CrowdStrike also noted common misconfigurations and insecure cloud provider default settings that were core contributors to cloud breaches, such as:
- Excessive Account Permissions - accounts provisioned with greater privileges than needed led to data exfiltration, destruction, code tampering, lateral movement, persistence and privilege escalation.
- Ineffective Identity Architecture - user accounts not rooted in a single identity provider that enforces limited session times, uses MFA, and can flag or block irregular or high-risk sign-in activity.
- Insecure Cloud Provider Default Settings - more than one-third (36%) of detected misconfigurations were related to insecure default settings that had not been properly updated, including:
  - Public Snapshots and Images - accidentally making a volume snapshot or machine image public is rare, but when it happens it allows opportunistic adversaries to collect data from that public image, including passwords, keys and API credentials.
  - Open Databases, Caches and Storage Buckets - when made public without sufficient authentication and authorisation controls, these can expose the entire database or cache to opportunistic adversaries.
- Neglected Cloud Infrastructure - cloud infrastructure not maintained by the security team creates an opportunity for threat actors to search for sensitive data left behind.
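The four misconfiguration classes above (excessive permissions, public snapshots and images, open storage buckets, and neglected infrastructure) can each be checked mechanically. The following is an added example, not code from the report or from CrowdStrike: it audits a small constructed inventory, with one weak and one acceptable resource of each kind. The inventory layout, the `last_reviewed` and `public_access_block` fields, and every value in it are assumptions made for this example, loosely modelled on AWS-style IAM policy documents rather than any provider's real API.

```python
"""Added example (not from the report or CrowdStrike): audit a constructed cloud
resource inventory for the misconfiguration classes named above. The inventory
layout and all values below are assumptions for this example, loosely modelled
on AWS-style IAM policy documents; it is not any provider's real API."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Reference time for the "neglected infrastructure" check (constructed).
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
NEGLECT_THRESHOLD = timedelta(days=90)

# Constructed inventory: one weak and one acceptable resource of each kind.
INVENTORY = {
    "iam_policies": [
        {"name": "AdminEverything",  # excessive: any action on any resource
         "statements": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"name": "ReadOnlyLogs",  # scoped action and resource
         "statements": [{"Effect": "Allow", "Action": ["logs:GetLogEvents"],
                         "Resource": "arn:example:logs:*:*:log-group:/app/*"}]},
    ],
    "snapshots": [
        {"id": "snap-0001", "public": True},
        {"id": "snap-0002", "public": False},
    ],
    "buckets": [
        {"name": "backups", "public_access_block": False,  # world-readable
         "policy": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]},
        {"name": "private-data", "public_access_block": True, "policy": []},
    ],
    "instances": [
        {"id": "i-abandoned", "tags": {},
         "last_reviewed": NOW - timedelta(days=120)},
        {"id": "i-managed", "tags": {"owner": "platform-team"},
         "last_reviewed": NOW - timedelta(days=2)},
    ],
}


def _as_list(value):
    """Policy documents allow a string or a list in Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """Principal '*' or {'AWS': '*'} grants to everyone, authenticated or not."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def find_excessive_permissions(policies) -> List[Tuple[str, str]]:
    """Flag Allow statements that pair a wildcard action with a wildcard resource."""
    findings = []
    for pol in policies:
        for st in pol["statements"]:
            if st.get("Effect") != "Allow":
                continue
            actions = _as_list(st.get("Action", []))
            resources = _as_list(st.get("Resource", []))
            wild_action = any(a == "*" or a.endswith(":*") for a in actions)
            if wild_action and "*" in resources:
                findings.append((pol["name"], "wildcard action on wildcard resource"))
    return findings


def find_public_snapshots(snapshots) -> List[str]:
    """Any snapshot or image marked public is reportable on its own."""
    return [s["id"] for s in snapshots if s.get("public")]


def find_open_buckets(buckets) -> List[str]:
    """A bucket is open when public access is not blocked and its policy grants
    an Allow to an anonymous principal without any Condition."""
    open_buckets = []
    for b in buckets:
        if b.get("public_access_block"):
            continue  # the block overrides any public grant in the policy
        for st in b.get("policy", []):
            if (st.get("Effect") == "Allow" and _is_anonymous(st.get("Principal"))
                    and not st.get("Condition")):
                open_buckets.append(b["name"])
                break
    return open_buckets


def find_neglected_instances(instances, now=NOW) -> List[str]:
    """No owner tag, or not reviewed by the security team within the threshold."""
    return [i["id"] for i in instances
            if "owner" not in i.get("tags", {})
            or now - i["last_reviewed"] > NEGLECT_THRESHOLD]


def audit(inventory, now=NOW) -> Dict[str, list]:
    """Run every check and return only the categories with findings."""
    results = {
        "excessive_permissions": find_excessive_permissions(inventory["iam_policies"]),
        "public_snapshots": find_public_snapshots(inventory["snapshots"]),
        "open_buckets": find_open_buckets(inventory["buckets"]),
        "neglected_instances": find_neglected_instances(inventory["instances"], now),
    }
    return {k: v for k, v in results.items() if v}


if __name__ == "__main__":
    for category, items in audit(INVENTORY).items():
        print(f"{category}: {items}")
```

Run against the constructed inventory, `audit()` reports exactly the four weak resources and none of the acceptable ones. The bucket check deliberately treats a public-access block as overriding the policy, and the permissions check only fires when a wildcard action is paired with a wildcard resource, so a scoped read-only grant is not reported as excessive.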
Top 5 Steps to Defending the Cloud
In the report, CrowdStrike offers businesses five key recommendations to help defend their cloud environments:
- Prioritise Cloud Identity Protection - businesses should establish proper permissions and apply the principle of least privilege to all cloud providers.
- Gain Visibility into Security Gaps - improved visibility and real-time insights can allow businesses to identify misconfigurations before issues arise. Application security testing can also be used to identify vulnerabilities and mitigate the risk of attack.
- Use Real-Time Monitoring - continuous monitoring across cloud and endpoint systems can enable businesses to detect and prevent lateral movement, performance distribution and compliance issues.
- Update Software Regularly - businesses should regularly update software in their cloud environments so that vulnerabilities can be patched in a timely manner. They should also conduct regular assessments of hosted applications to identify issues.
- Monitor for Unusual Behaviour - monitoring for suspicious activity such as newly created cloud instances and accounts, newly added credentials, changed firewall rules or access to resources by new or unexpected entities is vital to identifying potential intruders.
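The last recommendation names concrete signals: newly created instances and accounts, newly added credentials, changed firewall rules, and access by unexpected entities. The following is an added example, not code from the report or from CrowdStrike, that turns those signals into detection logic over a handful of constructed CloudTrail-style events. The field names follow the CloudTrail record layout, but the events, account IDs, principal ARNs, IP addresses, the `EXPECTED_PRINCIPALS` baseline and the `KNOWN_NETWORKS` range are all invented for the example.

```python
"""Added example (not from the report): flag the unusual-behaviour signals listed
above over constructed CloudTrail-style events. Field names follow the CloudTrail
record layout; the events, account IDs, principals and networks are invented."""
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Constructed events: a routine read, then a burst of changes by one identity,
# and a read by a principal the environment has never seen.
EVENTS = [
    {"eventID": "e1", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-readonly"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventID": "e2", "eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventID": "e3", "eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventID": "e4", "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventID": "e5", "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventID": "e6", "eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::444455556666:user/outsider"},
     "sourceIPAddress": "198.51.100.7"},
]

# Baseline (assumed): principals and networks this environment expects to see.
EXPECTED_PRINCIPALS = {
    "arn:aws:iam::111122223333:role/ops-readonly",
    "arn:aws:iam::111122223333:user/contractor",
}
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Event names mapped to the signal categories from the recommendation above.
SIGNALS = {
    "new-instance": {"RunInstances"},
    "new-account": {"CreateUser", "CreateRole"},
    "new-credential": {"CreateAccessKey", "CreateLoginProfile"},
    "firewall-change": {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                        "RevokeSecurityGroupIngress"},
}


def evaluate(event, expected_principals=EXPECTED_PRINCIPALS,
             known_networks=KNOWN_NETWORKS) -> List[str]:
    """Return every signal a single event triggers (empty list = routine)."""
    hits = [signal for signal, names in SIGNALS.items() if event["eventName"] in names]
    if event["userIdentity"]["arn"] not in expected_principals:
        hits.append("unexpected-principal")
    source = ipaddress.ip_address(event["sourceIPAddress"])
    if not any(source in net for net in known_networks):
        hits.append("unexpected-source-network")
    return hits


def detect(events=EVENTS) -> List[Tuple[str, str]]:
    """(eventID, signal) pairs for every event that triggered something."""
    return [(ev["eventID"], signal) for ev in events for signal in evaluate(ev)]


def alerts_by_principal(events=EVENTS) -> Dict[str, int]:
    """Correlate by identity: a single principal producing several signals in a
    short window is the pattern worth investigating first."""
    counts = Counter()
    for ev in events:
        counts[ev["userIdentity"]["arn"]] += len(evaluate(ev))
    return dict(counts)


if __name__ == "__main__":
    for event_id, signal in detect():
        print(event_id, signal)
    print(alerts_by_principal())
```

On the constructed events the routine `DescribeInstances` call produces nothing, while the `contractor` identity accumulates five signals (new account, new credential, firewall change, new instance, and activity from an unknown network) and the foreign principal two. The per-principal count matters more than any single hit: the report notes that adversaries pick proxy exits close to expected victim locations, so the source-network check alone will miss a careful actor, whereas a sequence of account, credential and firewall changes from one identity is hard to disguise.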
How to Protect Your Cloud Environment
CrowdStrike expects cloud targeting to continue to accelerate. As threats evolve, it’s vital that organisations learn what they are up against in order to effectively protect their cloud environments.
To understand more about how to protect your cloud environment, download the 2023 CrowdStrike Cloud Risk Report. Meanwhile, if you’d like any more information on CrowdStrike Falcon Cloud Security, Cloud Threat Hunting, Complete Cloud Security, and Cloud Security Services, get in touch with the cybersecurity experts at InfoTrust today.