Cloud Threat Report Volume 6

IDENTITY AND ACCESS MANAGEMENT (IAM)

The First Line of Defense

Identity and Access Management (IAM) has become increasingly critical and complex due to the pandemic-induced transition to cloud platforms. To understand how IAM policies affect cloud security posture, Unit 42 researchers analyzed 680,000 identities in 18,000 cloud accounts over 200 organizations.

CAN YOU GUESS WHAT WAS DISCOVERED?

Percentage of cloud users, roles, services, and resources granted permissions not being used


Percentage of organizations that have publicly exposed resources


Percentage of cloud accounts using weak IAM passwords


Uncover more staggering findings by downloading the report.

WEAK IAM CAN BE A REAL BREACH

Our findings lead to the conclusion that most organizations have misconfigured or overly permissive identity and access controls. Adversaries know this and are leveraging new tactics, techniques, and procedures (TTPs) to take advantage of the situation.

Unit 42 researchers have defined a malicious attacker employing these new TTPs as a Cloud Threat Actor (CTA) — an individual or group posing a threat to organizations through directed and sustained access to cloud platform resources, services, or embedded metadata.

Scroll through to meet the top five CTAs:


The Adept

Team TNT is the most well-known and sophisticated credential-targeting group.


The Thief

WatchDog is considered to be an opportunistic threat group that targets exposed cloud instances and applications.


The Money

Kinsing is a financially motivated and opportunistic cloud threat actor with heavy potential for cloud credential collection.


The Old Timer

Rocke specializes in ransomware and cryptojacking operations within cloud environments.


The Returned

8220, a Monero-mining group, purportedly elevated its mining operations by exploiting Log4j in December 2021.


LOWER RISKS WITH MORE INSIGHTS

Our team has created an industry-first Cloud Threat Actor Index, charting the operations performed by actor groups that target cloud infrastructure.

Chart: TTPs by tactic (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement)

These charts (included in the report) detail the TTPs of each cloud threat actor, allowing your security team and wider organization to evaluate your strategic defenses and build the proper monitoring, detection, alerting, and prevention mechanisms.

Want to win the battle against Cloud Threat Actors?

We recommend the following ways to defend your organization against threats that target the cloud:

  • Cloud Native Application Protection Platform (CNAPP) suite integration
  • Harden IAM permissions
  • Increase security automation



For more details on our recommendations, as well as an eight-step best practices guide to hardening IAM permissions, download your copy of the Cloud Threat Report today.

The Unit 42 Researchers

Palo Alto Networks Unit 42 brings together world-renowned threat researchers with an elite team of security consultants to create an intelligence-driven, response-ready organization. As threats escalate, Unit 42 is available to advise organizations on the latest risks, assess their readiness and help them recover when the worst occurs. The Unit 42 Cloud Threat Report, published annually, is one of the industry's most anticipated and trusted examinations of the modern threat landscape.

Keep Reading

Threats don't go away - they evolve. Explore our Unit 42 Cloud Threat Report archive to see what was on our radar - and what remains in our sights.