Over the past several years, organizations have taken tremendous steps to adopt cloud services and infrastructure, transforming the way business is done. And as our recent data shows, threat actors have done the same.
Observed cloud exploitation cases grew by 95% in 2022, according to CrowdStrike’s latest Global Threat Report. Cases involving cloud-conscious actors — adversaries who are aware of their ability to compromise cloud workloads and use this to exploit features unique to the cloud — nearly tripled from 2021.
The pattern is clear: eCrime and nation-state actors alike are adapting their knowledge and tradecraft to increasingly target cloud environments. This is evident in the top cloud-focused tactics, techniques, and procedures (TTPs), which our experts identified and tracked over the course of the past year.
Cloud-focused attacks are evolving. Throughout 2022, cloud-conscious actors primarily gained initial access to cloud environments by simply logging in with existing valid accounts, resetting passwords, or exploiting public-facing applications such as web servers. We saw more attackers pursuing cloud account discovery, a shift from the comparatively heavier reliance on cloud infrastructure discovery observed in 2021.
This underscores a key finding from this year’s report: Threat actors are actively targeting the cloud and using legitimate credentials to do so. eCrime and targeted intrusion adversaries have shifted their focus to credential-based attacks when targeting the cloud. While cybercriminals’ tactics can vary, successful credential-based attacks are often carried out via fake login pages masquerading as those of Microsoft Office 365, Okta and other email or SaaS providers. These credentials are the keys to the kingdom: extremely valuable to a threat actor planning future operations against the organization.
Let’s take a closer look at the TTPs attackers use once they’re inside a cloud environment.
Zeki Turedi is EMEA CTO at CrowdStrike.
Using credentials to infiltrate the cloud
Cloud-based workloads are dynamic and often short-lived, forcing actors to be tenacious in their attempts to maintain access. Most intruders we observed established persistence by harnessing legitimate cloud accounts they already had, creating new accounts, or resetting the password of already targeted accounts. If the actor gained access through a web server, they placed webshells or reverse shells on the compromised machine for persistence.
During the initial discovery process, attackers mostly focused on cloud accounts to achieve both persistence and privilege escalation. In addition, they often searched for reachable network services, cloud permission groups, infrastructure, and storage buckets. To move laterally around the environment, attackers primarily used protocols like RDP, SSH and SMB. Those with console access used services like EC2 Instance Connect, as well as internal cloud tools such as Systems Manager Session Manager.
Several industry reports have claimed resource hijacking was the most common impact technique used last year; however, the most widespread impact technique we observed was destructive. Attackers removed access to accounts, terminated services, destroyed data, and deleted resources. If they collected data, they took it from local systems and internal information repositories.
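The activity described in the preceding paragraphs (logging in with valid accounts, resetting passwords for persistence, enumerating accounts and buckets, moving laterally through Session Manager or EC2 Instance Connect, then terminating or deleting resources) leaves an API audit trail that a defender can triage. The script below is an added example written for this article, not CrowdStrike's code: it runs over constructed CloudTrail-style events and flags any principal whose activity spans two or more post-access stages. The eventName-to-stage mapping is an editorial assumption about which API calls best signal each stage, and the account id and ARNs are placeholders.

```python
"""Triage constructed CloudTrail-style events for the cloud TTPs described above:
valid-account logins, password resets and new accounts for persistence, account and
storage discovery, SSM/EC2 Instance Connect lateral movement, destructive impact.
Editorial example, not CrowdStrike's code: events are constructed and the
eventName-to-stage mapping is an assumption about which API calls signal each stage.
"""
import json
from collections import defaultdict

# Assumed mapping of CloudTrail eventName to the attack stage it most often signals.
TTP_MAP = {
    "ConsoleLogin": "initial-access:valid-account",
    "UpdateLoginProfile": "persistence:password-reset",
    "CreateLoginProfile": "persistence:password-reset",
    "CreateUser": "persistence:new-account",
    "CreateAccessKey": "persistence:new-credential",
    "ListUsers": "discovery:cloud-account",
    "ListGroups": "discovery:permission-group",
    "DescribeInstances": "discovery:infrastructure",
    "ListBuckets": "discovery:storage",
    "StartSession": "lateral-movement:ssm-session-manager",      # ssm.amazonaws.com
    "SendSSHPublicKey": "lateral-movement:ec2-instance-connect",  # ec2-instance-connect.amazonaws.com
    "DeleteUser": "impact:remove-account-access",
    "DeleteLoginProfile": "impact:remove-account-access",
    "TerminateInstances": "impact:terminate-service",
    "DeleteBucket": "impact:destroy-data",
}
# Post-access stages; two or more from one principal in the batch is worth a page-out.
KILL_CHAIN = {"persistence", "discovery", "lateral-movement", "impact"}


def principal_of(event):
    """Stable identity string for the caller (IAM ARN, falling back to user name / type)."""
    ident = event.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def classify(event):
    """Return a stage:technique label for one event, or None if it is not of interest."""
    label = TTP_MAP.get(event.get("eventName"))
    if label is None:
        return None
    if event.get("eventName") == "ConsoleLogin":
        # Only successful logins matter; a success without MFA is the 'just logged in' case.
        if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
            return None
        if event.get("additionalEventData", {}).get("MFAUsed") == "No":
            label += "-no-mfa"
    return label


def triage(events):
    """Group labelled events per principal and keep principals whose activity spans at
    least two KILL_CHAIN stages. Returns {principal: [(eventTime, label), ...]} in time order."""
    by_principal = defaultdict(list)
    for ev in events:
        label = classify(ev)
        if label:
            by_principal[principal_of(ev)].append((ev["eventTime"], label))
    return {who: sorted(hits) for who, hits in by_principal.items()
            if len({lbl.split(":")[0] for _, lbl in hits} & KILL_CHAIN) >= 2}


# Constructed sample events: the account id and principal names are placeholders.
CONTRACTOR = "arn:aws:iam::123456789012:user/contractor"
MONITOR = "arn:aws:sts::123456789012:assumed-role/monitoring/scanner"


def _ev(time, name, source, who, **extra):
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "userIdentity": {"arn": who}, **extra}


SAMPLE_EVENTS = [
    _ev("2022-11-02T09:00:00Z", "ConsoleLogin", "signin.amazonaws.com", CONTRACTOR,
        responseElements={"ConsoleLogin": "Success"}, additionalEventData={"MFAUsed": "No"}),
    _ev("2022-11-02T09:03:00Z", "UpdateLoginProfile", "iam.amazonaws.com", CONTRACTOR),
    _ev("2022-11-02T09:05:00Z", "ListUsers", "iam.amazonaws.com", CONTRACTOR),
    _ev("2022-11-02T09:06:00Z", "ListBuckets", "s3.amazonaws.com", CONTRACTOR),
    _ev("2022-11-02T09:20:00Z", "StartSession", "ssm.amazonaws.com", CONTRACTOR),
    _ev("2022-11-02T10:10:00Z", "TerminateInstances", "ec2.amazonaws.com", CONTRACTOR),
    # A monitoring role that only enumerates instances is noise, not a finding.
    _ev("2022-11-02T09:10:00Z", "DescribeInstances", "ec2.amazonaws.com", MONITOR),
    _ev("2022-11-02T09:11:00Z", "GetCallerIdentity", "sts.amazonaws.com", MONITOR),
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Requiring two distinct stages per principal is the design choice that keeps a single ListBuckets from a scanner role out of the alert queue while still surfacing the login-reset-enumerate-terminate sequence from one identity; in production the same grouping would be keyed on a sliding window sized to the breakout times discussed later in the article.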
To protect cloud and hybrid environments, IT and security leaders need cloud-native technologies and a cloud-focused mindset — both of which must be rooted in maintaining flexibility, scalability and consistency across their IT infrastructure. An approach that combines agent-based and agentless cloud security delivers the most comprehensive protection.
Creating a stronger enterprise cloud defense
Why both? Today’s IT and security teams must enforce continuous monitoring and security from the development process to runtime. An agent-only approach typically falls short due to the rate of change in modern cloud environments. Not only are cloud resources routinely spun up and taken down, but teams have to account for short-lived containers and serverless functions as they come in and out of existence.
Complicating matters is the fact that IT and security teams typically don’t have access to or control over all the hosts in an environment; therefore, they can’t deploy agents on them. This lack of coverage creates security blind spots where attackers can strike.
An agentless approach is equally ineffective on its own because it only offers partial visibility and lacks remediation capabilities. Further, agentless security relies on snapshots of cloud environments taken at set intervals. Given that the average breakout time for eCrime intrusion activity declined from 98 minutes in 2021 to 84 minutes in 2022, adversaries could presumably slip into a cloud environment unnoticed between two snapshots and move laterally to remove access to accounts, terminate services, destroy data and delete resources. This is why both agentless scanning and agent-driven protection are needed to fully protect cloud environments from today’s adversaries.
As organizations continue to expand their cloud infrastructure, and cloud-focused attacks continue to become more prevalent, it is imperative security teams adopt a strong cloud security posture. This requires an adversary-focused approach that takes common TTPs into account, prevents identity-based threats, addresses misconfigurations and protects endpoints and cloud workloads.