Unit 42, Palo Alto Networks’ threat research team, released the Unit 42 Cloud Threat Report.

Unit 42 Blog: Cloud Threat Report Volume 6

Resources for Reference:

  • Supply Chain Security Blogs:
  • COVID-19 Unit 42 Blog
  • Learnings from last time:
    • Corporate launch blog needs to take more of an angle of “what are the risks and what are you doing to protect against them” versus “here is the research but in a blog post format” – as in, take a best practices approach based on the data, not just presenting the data itself
    • Unit 42 blog – need to explain the problem, then the research that was done to address it, and solutions

Table of Contents:

Unit 42 Blog

Introduction

Why Identity and Access Management Takes Center Stage

Key Findings From Unit 42’s Cloud Threat Report: IAM The First Line of Defense

Why IAM Is a Target

How Threat Actors Target Cloud Identities

How to Defend Against IAM Cloud Threats

Who is targeting the cloud?

Top 5 Cloud Threat Actors

Top Nation-State Actors Utilizing & Targeting Cloud Infrastructure

Recommendations

Additional Resources


TRANSFERRED TO STAGING – FURTHER CHANGES WILL NOT BE REGISTERED – PLEASE REQUEST THEM DIRECTLY FROM ERICA NAONE IF NEEDED

Unit 42 Blog

IAM Your Defense Against Cloud Threats: The Latest Unit 42 Cloud Threat Research

By: Unit 42

Introduction

The ongoing transition to cloud platforms has meant that more sensitive data is stored in the cloud, making it more tempting for adversaries to exploit. When it comes to securing the cloud, identity is the first line of defense. Without proper identity and access management (IAM) policies in place, an organization can pay for any number of security tools – but comprehensive security will never be possible.

To understand how IAM policies affect organizations’ cloud security posture, we analyzed 680,000+ identities across 18,000 cloud accounts from 200 different organizations to understand their configuration and usage patterns. The results of our research were shocking.

Nearly all organizations we analyzed lack the proper IAM management policy controls to remain secure.

These misconfigured IAM policies open the door for what Unit 42 defines as a new type of threat: Cloud Threat Actors. We define a cloud threat actor as “an individual or group posing a threat to organizations through directed and sustained access to cloud platform resources, services or embedded metadata.”

We believe cloud threat actors merit a separate definition because we observe that they have begun to employ a fundamentally different set of tactics, techniques and procedures (TTPs) that are unique to the cloud – such as taking advantage of the ability to perform both lateral movement and privilege escalation operations simultaneously.

Below, we’ll present some of the highlights of the research and recommendations in Unit 42’s latest Cloud Threat Report, “IAM The First Line of Defense.”

Why Identity and Access Management Takes Center Stage

Throughout the pandemic, there were significant expansions of cloud workloads overall. Organizations increased their cloud usage – with a dramatic surge in the number of organizations that host more than half their workloads in the cloud (see Figure 1 below).

Figure 1. Percent change in cloud workloads since 2020, where blue represents cloud workload volumes and green represents organizations hosting more than half their workloads in the cloud.

As more organizations move workloads to the cloud, and develop applications natively in the cloud, identity needs to remain a key focus when building a cloud security strategy.

If you follow Unit 42 closely, you may remember that it was just a short time ago that we published a report on the importance of IAM. When attackers take advantage of misconfigured or overly permissive identity access controls, they don’t need to figure out how to pull off a technically complex compromise. Instead, they can simply gain access to resources as if they have a right to them.

Threat actors are hungry to target organizations that lack proper IAM controls, and pairing this hunger with an increased usage of cloud platforms creates a new kind of threat – one that is more sophisticated yet requires less effort to execute. The question turns to why and how this is possible.

Key Findings From Unit 42’s Cloud Threat Report: IAM The First Line of Defense

Why IAM Is a Target

Let’s address the “why” first by explaining some of the key statistics we uncovered:

  • Password reuse: 44% of organizations allow IAM password reuse.
  • Weak passwords (<14 characters): 53% of cloud accounts allow weak password usage.
  • Cloud identities are too permissive: 99% of cloud users, roles, services, and resources were granted excessive permissions which were ultimately left unused (we consider permissions excessive when they go unused for 60 days or more).
  • Built-in cloud service provider (CSP) policies are not managed properly by users: CSP-managed policies are granted 2.5 times more permissions than customer-managed policies, and most cloud users prefer to use built-in policies. Users are able to reduce the permissions given, but often don’t.

Figure 2. Average number of permissions granted by each policy type. CSP-managed policies (AWS_MANAGED_POLICY and AZURE_BUILT_IN_ROLE) grant 2.5 times more permissions than customer-managed policies.

With organizations allowing excessive permissions and overly permissive policies, attackers are too often welcomed into an organization’s cloud environment with keys to the kingdom.

How Cloud Threat Actors Target Cloud Identities

Most organizations are unprepared for an attack through the exploitation of weak IAM policies. Adversaries know this as well; they target cloud IAM credentials and are ultimately able to collect these credentials as part of their standard operating procedures. Case in point, they’re leveraging new TTPs unique to cloud platforms that organizations need to be aware of in order to implement a strategy to protect themselves.

Defense Against IAM Cloud Threats

To help organizations defend themselves against this threat, we created an industry-first Cloud Threat Actor Index that can be found in our report, which charts the operations performed by actor groups that target cloud infrastructure. These charts detail the TTPs of each cloud threat actor, allowing your security team and wider organization to evaluate your strategic defenses and build the proper monitoring, detection, alerting and prevention mechanisms.

Who Is Targeting the Cloud?

The Cloud Threat Actor Index highlights the top actors targeting cloud infrastructure, as well as nation-state actors that have been known to use the cloud to conduct attacks. Below is a preview of the top cloud threat actors that we’ve indexed. We charted their operations in our report, sorted by prevalence.

Top 5 Cloud Threat Actors

  • TeamTNT: The most well-known and sophisticated credential targeting group.
  • WatchDog: Considered to be an opportunistic threat group that targets exposed cloud instances and applications.
  • Kinsing: Financially motivated and opportunistic cloud threat actor with heavy potential for cloud credential collection.
  • Rocke: Specializes in ransomware and cryptojacking operations within cloud environments.
  • 8220: Monero mining group, purportedly elevated their mining operations by exploiting Log4j in December 2021. 

Top Advanced Persistent Threats Utilizing and Targeting Cloud Infrastructure

  • APT 28 (Fancy Bear).
  • APT 29 (Cozy Bear).
  • APT 41 (Gadolinium).

Figure 3. WatchDog Cloud Threat Actor TTPs. The red background denotes TTPs specific to cloud platforms, whereas the green background denotes TTPs which are container-platform specific. TTPs in red font denote operations that can lead to the wider compromise of cloud operations.

Recommendations

Proper IAM configuration can block unintended access, provide visibility into cloud activities and reduce the impact when security incidents occur.

Defense Against Cloud Threats

In particular, we recommend that organizations defend against threats that target the cloud in the following ways:

  • Cloud-Native Application Protection Platform (CNAPP) suite integration.
  • Harden IAM permissions.
  • Increase security automation.

In our report we provide details on each of these recommendations, including an eight-step best practices guide to hardening IAM permissions.

Download your copy of the report today and share the executive summary with your colleagues.

Additional Resources

Cloud Security Weakens as More Organizations Fail to Secure IAM

Misconfigured IAM Roles Lead to Thousands of Compromised Cloud Workloads

The Role of Zero Trust for Cloud Identities and Infrastructure

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s