CrowdStrike Cloud Risk Report 2023 - The Findings

With the increasing adoption of cloud technology, malicious actors are exploiting the cloud to amplify the consequences of their attacks. According to CrowdStrike, cloud-based cyberattacks escalated rapidly from 2021 to 2022, with cloud exploitation cases growing by 95%; these staggering figures make defending cloud environments more important than ever. To do that, however, businesses need to know what threat actors are doing, how they gain entry and move laterally, which resources they target and how they manage to avoid detection.

The CrowdStrike 2023 Cloud Risk Report enables businesses to understand how adversaries are targeting the cloud and the common tactics, techniques and procedures (TTPs) they use. Moreover, the report shines a spotlight on critical oversights that are creating vulnerabilities and provides guidance on how to defend against an increasingly cloud-conscious adversary.

Key Adversary Behaviours in the Cloud

While the objectives of adversaries operating within cloud environments are often similar to their intrusion goals outside the cloud, such as gaining initial access, establishing persistence, and moving laterally, the transient nature of the cloud environment demands a more resilient approach for adversaries to achieve success. CrowdStrike observed an evolution of TTPs used throughout 2022 and the following stood out as key adversary behaviours in the cloud:

  • Identity is the Key Access Point - valid accounts were used to gain initial access in 43% of cloud intrusions in 2022. 
  • Cloud Accounts are the Focus During Discovery - during initial environment discovery, threat actors primarily focused on cloud accounts and looked for potential privilege escalation; they also searched for cloud permission groups, infrastructure and storage buckets.
  • Escalated Privileges Led to Compromise - 67% of cloud security incidents found identity and access management roles with escalated privileges that could have been used to compromise the environment and move laterally. 
  • New Protocols Were Used for Lateral Movement - threat actors used protocols including SSH, Remote Desktop Protocol (RDP) and Server Message Block (SMB) and also leveraged cloud orchestration where they had console access. 
  • New Techniques Emerged for Evading Detection - some threat actors inactivated security products running inside virtual machines, while others masqueraded as valid users by choosing proxy exits close to expected victim locations or renaming virtual machines. 

Common Cloud Security Misconfigurations

The other significant finding in the report is that human error is a key driver of cloud risk. Cloud misconfigurations, gaps, errors and vulnerabilities are an open door to adversaries. For example, CrowdStrike observed 60% of containers lacking properly configured security protections and 36% of cloud environments with insecure cloud service provider default settings. CrowdStrike also noted some common misconfigurations and insecure cloud provider default settings that were core contributors to cloud breaches, such as:

  • Excessive Account Permissions - accounts provisioned with greater privileges than needed led to data exfiltration, destruction, code tampering, lateral movement, persistence and privilege escalation.
  • Ineffective Identity Architecture - user accounts not rooted in a single identity provider that enforces limited session times, uses MFA, and can flag or block irregular or high-risk sign-in activity.
  • Insecure Cloud Provider Default Settings - more than one-third (36%) of detected misconfigurations are related to insecure default settings that were not properly updated, including:
      • Public Snapshots and Images - while accidentally making a volume snapshot or machine image public is rare, when it happens, it allows opportunistic adversaries to collect data from that public image, including passwords, keys and API credentials.
      • Open Databases, Caches and Storage Buckets - when made public without sufficient authentication and authorisation controls, these can expose the entire database or cache to opportunistic adversaries.
  • Neglected Cloud Infrastructure - cloud infrastructure not maintained by the security team creates an opportunity for threat actors to search for sensitive data left behind.
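Three of the misconfiguration classes above (excessive account permissions, open storage buckets and public volume snapshots) can be caught by static checks on the configuration itself, before an adversary finds them. The script below is an added illustration written for this page, not code from CrowdStrike or from the report: it walks constructed sample documents in AWS IAM policy, S3 bucket policy and EC2 snapshot-attribute syntax and reports the grants that match each class. The policy contents, bucket names, snapshot IDs and account IDs are all constructed placeholders.

```python
"""Static checks for three misconfiguration classes: excessive account
permissions, publicly readable storage buckets and public volume snapshots.
All inputs below are constructed samples in AWS IAM / S3 / EC2 response
syntax, not data from any real account or from the report."""


def _as_list(value):
    """IAM JSON allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def excessive_statements(policy):
    """Return Allow statements granting a wildcard action or a wildcard resource.

    'service:*' counts as a wildcard action because it grants every API call of
    that service, which is rarely what least privilege intends.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = "*" in resources
        if wild_action or wild_resource:
            findings.append({"actions": actions, "resources": resources,
                             "wildcard_action": wild_action,
                             "wildcard_resource": wild_resource})
    return findings


def _is_public_principal(principal):
    """True when a statement applies to anyone: Principal "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_bucket_statements(bucket_policy):
    """Return Allow statements whose Principal is everyone. A Condition may
    narrow them (for example to a source IP range), so it is reported alongside
    the finding rather than used to suppress it."""
    return [
        {"actions": _as_list(s.get("Action")), "has_condition": "Condition" in s}
        for s in _as_list(bucket_policy.get("Statement"))
        if s.get("Effect") == "Allow" and _is_public_principal(s.get("Principal"))
    ]


def snapshot_is_public(snapshot_attribute):
    """True when an EBS snapshot's createVolumePermission includes group 'all',
    which lets any account copy the volume and read whatever was left on it."""
    return any(p.get("Group") == "all"
               for p in snapshot_attribute.get("CreateVolumePermissions", []))


# Constructed sample: an IAM policy granting every action on every resource.
EXCESSIVE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed sample: a least-privilege policy that should produce no finding.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-app-assets/*"}]}

# Constructed sample: a bucket policy that lets anyone list and read objects.
PUBLIC_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-exports", "arn:aws:s3:::example-exports/*"]}]}

# Constructed samples in the shape of an EC2 describe-snapshot-attribute response.
PUBLIC_SNAPSHOT = {"SnapshotId": "snap-0example1", "CreateVolumePermissions": [{"Group": "all"}]}
PRIVATE_SNAPSHOT = {"SnapshotId": "snap-0example2", "CreateVolumePermissions": [{"UserId": "111122223333"}]}


def audit(identity_policies, bucket_policies, snapshot_attributes):
    """Run all three checks and return one human-readable line per finding."""
    lines = []
    for name, pol in identity_policies.items():
        for f in excessive_statements(pol):
            lines.append(f"{name}: wildcard grant actions={f['actions']} resources={f['resources']}")
    for name, pol in bucket_policies.items():
        for f in public_bucket_statements(pol):
            qualifier = " (narrowed by a Condition)" if f["has_condition"] else ""
            lines.append(f"{name}: public principal for {f['actions']}{qualifier}")
    for snap in snapshot_attributes:
        if snapshot_is_public(snap):
            lines.append(f"{snap['SnapshotId']}: snapshot shared with group 'all'")
    return lines


if __name__ == "__main__":
    for line in audit({"admin-all": EXCESSIVE_POLICY, "assets-read": SCOPED_POLICY},
                      {"example-exports": PUBLIC_BUCKET_POLICY},
                      [PUBLIC_SNAPSHOT, PRIVATE_SNAPSHOT]):
        print(line)
```

In a real environment the same functions would be fed the output of the provider's own APIs (policy documents, bucket policies and snapshot attributes) on a schedule, so that a newly created wildcard grant or a snapshot shared with everyone is reported within hours rather than discovered by an adversary. The checks are deliberately strict: a statement with Principal "*" is reported even when a Condition narrows it, because a reviewer should decide whether the condition is adequate.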

Top 5 Steps to Defending the Cloud

In the report, CrowdStrike offers businesses five key recommendations to help defend their cloud environments:

  1. Prioritise Cloud Identity Protection - businesses should establish proper permissions and apply the principle of least privilege to all cloud providers. 
  2. Gain Visibility into Security Gaps - improved visibility and real-time insights can allow businesses to identify misconfigurations before issues arise. Application security testing can also be used to identify vulnerabilities and mitigate the risk of attack. 
  3. Use Real-Time Monitoring - continuous monitoring across cloud and endpoint systems can enable businesses to detect and prevent lateral movement, performance disruption and compliance issues. 
  4. Update Software Regularly - businesses should regularly update software in their cloud environments so that vulnerabilities can be patched in a timely manner. They should also conduct regular assessments of hosted applications to identify issues.
  5. Monitor for Unusual Behaviour - monitoring for suspicious activity such as newly created cloud instances and accounts, newly added credentials, changed firewall rules or access to resources by new or unexpected entities is vital to identifying potential intruders. 
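The signals listed in step 5 (new accounts, new credentials, changed firewall rules, new instances and access by unexpected entities) all surface in a cloud provider's API audit log, so they can be turned into detection rules that run over each event. The script below is an added example written for this page, not CrowdStrike's or the report's own detection logic: it applies those rules to constructed CloudTrail-style events using a constructed baseline of expected principals. The account IDs, principal names, IP addresses and event contents are placeholders; the field names follow the CloudTrail record format.

```python
"""Rule-based detection over constructed CloudTrail-style events for the
signals in step 5: new accounts, new credentials, firewall rule changes, new
instances and access by unexpected principals. Events and the baseline are
constructed samples; field names follow the CloudTrail record format."""
from ipaddress import ip_network

# Constructed baseline of principals expected to act in this account. A real
# pipeline would derive this from historical activity rather than hardcode it.
KNOWN_PRINCIPALS = {
    "arn:aws:iam::111122223333:user/deploy-bot",
    "arn:aws:iam::111122223333:role/ops-admin",
}

ACCOUNT_CREATION = {"CreateUser", "CreateRole", "CreateGroup"}
CREDENTIAL_CREATION = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile"}
FIREWALL_CHANGE = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress"}
INSTANCE_CREATION = {"RunInstances"}


def _actor(event):
    """The ARN of the identity that made the call, or a marker when absent."""
    return event.get("userIdentity", {}).get("arn", "<unknown>")


def _world_open_ranges(event):
    """Collect CIDR ranges in a security-group change that cover the whole internet."""
    found = []
    perms = event.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for perm in perms:
        ranges = (perm.get("ipRanges", {}).get("items", [])
                  + perm.get("ipv6Ranges", {}).get("items", []))
        for r in ranges:
            cidr = r.get("cidrIp") or r.get("cidrIpv6")
            if cidr and ip_network(cidr, strict=False).prefixlen == 0:
                found.append(f"{perm.get('ipProtocol')}/{perm.get('fromPort')}-{perm.get('toPort')} from {cidr}")
    return found


def detect(events, known_principals):
    """Return one alert dict per rule hit: rule, actor, eventName and detail."""
    alerts = []
    for ev in events:
        name = ev.get("eventName", "")
        actor = _actor(ev)
        params = ev.get("requestParameters") or {}

        def hit(rule, detail=""):
            alerts.append({"rule": rule, "actor": actor, "eventName": name, "detail": detail})

        if name in ACCOUNT_CREATION:
            hit("new_account", params.get("userName") or params.get("roleName", ""))
        if name in CREDENTIAL_CREATION:
            hit("new_credential", params.get("userName", ""))
        if name in FIREWALL_CHANGE:
            for rng in _world_open_ranges(ev):
                hit("firewall_world_open", f"{params.get('groupId')}: {rng}")
        if name in INSTANCE_CREATION:
            hit("new_instance", params.get("instanceType", ""))
        # Any call by a principal outside the baseline is worth a look, whatever it did.
        if actor not in known_principals:
            hit("unexpected_principal", ev.get("sourceIPAddress", ""))
    return alerts


# Constructed sample events: one benign call plus one example of each signal.
SAMPLE_EVENTS = [
    {"eventTime": "2023-03-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deploy-bot"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {"userName": "svc-backup2"}},
    {"eventTime": "2023-03-01T10:01:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup2"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"userName": "svc-backup2"}},
    {"eventTime": "2023-03-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-admin"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2023-03-01T10:09:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup2"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"instanceType": "c5.4xlarge"}},
    {"eventTime": "2023-03-01T10:12:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::999988887777:role/external-reader"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {"bucketName": "example-finance-exports"}},
    {"eventTime": "2023-03-01T10:15:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops-admin"},
     "sourceIPAddress": "203.0.113.10", "requestParameters": {}},
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, KNOWN_PRINCIPALS):
        print(f"{alert['rule']:22} {alert['eventName']:30} {alert['actor']}  {alert['detail']}")
```

Read as a sequence, the alerts tell the story the report describes: an expected principal creates a new user, that user immediately mints an access key and launches a large instance, and a principal from another account reads a bucket. None of these calls is malicious on its own, which is why the rules alert on the event type and on the principal separately and leave correlation to the analyst or SIEM.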

How to Protect Your Cloud Environment

CrowdStrike expects cloud targeting to continue to accelerate. As threats evolve, it’s vital that organisations learn what they are up against in order to effectively protect their cloud environments.

To understand more about how to protect your cloud environment, download the 2023 CrowdStrike Cloud Risk Report. Meanwhile, if you’d like any more information on CrowdStrike Falcon Cloud Security, Cloud Threat Hunting, Complete Cloud Security, and Cloud Security Services, get in touch with the cybersecurity experts at InfoTrust today.
