Through advances in cloud technology, data access is now readily available. This is a boon for developers. For security practitioners, though, it presents a challenge. With datasets increasingly made available to company employees via cloud adoption or migration, the potential for personal and identifiable data falling into the wrong hands increases.
Implementing a robust and systematic security program to secure your cloud environment is the first step to ensuring sensitive internal data doesn’t fall into those hands.
In this post, we will detail the top 10 cloud security risks every organization should address to prevent becoming the next cloud breach headline.
In the recently released Cloud Threat Report, Volume 7: Navigating the Expanding Attack Surface, Unit 42 and Prisma Cloud researchers identify 10 critical risks that require an architectural and operational focus to ensure the detection of advanced threats within cloud environments.
This list will assist organizational leaders across any industry and vertical to secure their cloud environments against cloud threat actors.
Unit 42 researchers have curated an index of known cloud threat actors groups (CTAG) that actively target cloud environments. You can view indicators of compromise (IOC) for each CTAG under respective tags that include Automated Libra, Adept Libra, Thief Libra, Money Libra, Aged Libra and Returned Libra.
The link between these threat actor groups is their common IAM credentials target and use of automation to exfiltrate identifiable IAM credentials within seconds of compromising a cloud environment.
According to Unit 42’s latest Cloud Threat Report, 83% of organizations have hard-coded IAM credentials within their source control management systems, and 76% of organizations don’t enforce MFA for their cloud accounts.
Proper IAM policy creation is an essential security requirement for maintaining a secure cloud. To ensure your organization is adequately protected from IAM credential theft, consider implementing the following security measures:
Cloud platforms, their services, and cloud-native applications generate vast quantities of data. This data is a gold mine for security operations and incident response teams if they can access and view it. But 76% of organizations don’t implement cloud storage audit logging policies within their cloud environments, according to Cloud Threat Report, Volume 7.
Many reasons prompt organizations to forgo logging cloud audit and infrastructure usage. Logs are often noisy and expensive to store, but not having them can cripple security teams trying to detect and remediate a security breach.
To effectively store and use logging data, Unit 42 recommends implementing the following action items:
Once logging access is available to security teams, they can begin actively monitoring and hunting for threats within their cloud environments. But logging is only a foundational component. Responding to alerts is equally important to the long-term success of security teams.
But the average alert dwell time is 145 hours (6 days), according to Cloud Threat Report, Vol 7. What’s more, researchers found that 5% of critical alerts were generating 80% of total alerts, introducing avoidable noise and contributing to alert fatigue.
Implement the following tactics to help your security teams identify and respond to critical alerts in a timely fashion.
Sixty-three percent of production cloud codebases contain unpatched vulnerabilities rated critical or high severity level, as reported in Cloud Threat Report, Vol. 7. If that doesn’t give you pause, consider that 11% of the exposed cloud web services contain critical or high severity vulnerabilities — and 71% of these are at least two years old.
These two findings demonstrate that organizations should spend more time scanning their cloud infrastructure for vulnerabilities and misconfigurations, especially given that many cloud-based attacks are successful due to misconfigurations within cloud environments.
The following five tactics can give organizations solid ground in knowing and securing their cloud threat exposure.
Sun Tzu said, “Know your enemy and know yourself; in a hundred battles you will never be defeated.”
When you know your cloud threat landscape, you’re halfway there to defending it. And though it may seem like an onerous endeavor, you’ll find numerous resources available to assist you, including Unit 42’s Actionable Threat Objects and Mitigations (ATOM).
The following tactics can help your organization to identify CTAGs important to your operations and what actions they can take to mitigate these actor groups.
Cloud endpoint runtime monitoring is available for many organizations using single and multicloud platforms. Runtime monitoring for virtual machine, container, and serverless cloud instances are required of organizations that want to know if their cloud instances operations were designed to perform (i.e. interacting with known command and control (C2) nodes or running malicious binaries post-compromise).
With 63% of production cloud codebases containing a vulnerability of high or critical severity level, the need to monitor cloud instances is greater than ever. Tactical measures an organization should take to ensure they can view runtime operations within their cloud instances include:
Several security tools available to detect security threats might seem logical. After all, redundancy is a key component to ensure visibility. But for 76% of organizations, the use of multiple point tools creates blind spots. With more security tools in place, more time is required to configure those tools, and once tools are established, the number of alerts climbs, exacerbating alert fatigue among security professionals.
In light of these facts, Palo Alto Networks researchers recommend the following tactics:
In a recent Unit 42 IR case, researchers were tracking the actions of a CTAG that gained access to an organization’s cloud environments through an exposed and vulnerable cloud instance resulting from a cloud misconfiguration. The misconfiguration was caused by a communication failure.
Two security measures were put in place by two teams, neither of which had knowledge of the other’s actions. The development team had created a security network group, allowing public access to the vulnerable application. Meanwhile, the IT team had altered an overarching access control list (ACL) mechanism, which would have protected the exposed instance.
Lacking a centralized owner of cloud security operations within the organization allowed the two teams to make independent alterations to their security perimeter. The compromised cloud instance then allowed the CTAG to collect sensitive IAM credentials that gave them access to two of the organization's cloud platforms and resulted in the loss of sensitive data.
The following tactics are recommended to ensure that organizations maintain a secure environment for all teams.
Consider the ecosystem of controls available to an organization across the network, endpoint, cloud, application layer, and IoT. Identity management is the control linking these layers and, as such, IAM policies are the bedrock of a secure Zero Trust architecture.
But implementing Zero Trust isn’t easy, and cloud threat actors view the burden of this difficulty as their golden ticket to your environment.
Identity is the new perimeter of your environment, making IAM the most critical factor to your organization’s operation. Begin implementing the principles of Zero Trust architecture within your IAM policies, roles and users. A strategic approach to cybersecurity eliminates implicit trust and continuously validates every stage of digital interaction.
If you’re just starting your Zero Trust journey, the following tactics can give your organization a jumping-off point.
Incident response (IR) plans are essential for organizations to properly recover from a breach or security incident. Cloud environments offer unique scenarios that need consideration when implementing a cloud IR operation.
Although costs to maintain a record of events taking place within your cloud environment can be high, you’ll find cost-reducing solutions to cloud logging with a little investigation. Properly implementing Zero Trust principles when designing IAM policies, roles, and users can be strenuous but will pay off significantly by reducing your threat landscape. Lastly, cryptojacking events are costly. Monitoring cloud instances for indications of malicious activity will boost your ROI.
Tactics to help your organization establish a solid cloud IR plan include:
By addressing the top 10 cloud security risks, Unit 42 researchers believe the security of cloud environments can be dramatically improved, raising the bar for cloud security operations and allowing organizations to build manageable, well defended cloud environments.
For a comprehensive look at the current cloud security landscape, based on large-scale data and real-world attack scenarios, download Unit 42’s Cloud Threat Report, Volume 7: Navigating the Expanding Attack Surface.
By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.