Chaos in the Cloud: Rampant Cloud Activity Requires Modern Protection
Published 05/17/2023
Originally published by CrowdStrike.
Digital transformation isn’t only for the good guys. Adversaries are undergoing their own digital transformation to exploit modern IT infrastructures — a trend we’re seeing play out in real time as they increasingly adapt their knowledge and tradecraft to exploit cloud environments.
According to the CrowdStrike 2023 Global Threat Report, observed cloud exploitation cases grew by 95% over the previous year. Likewise, cases involving cloud-conscious actors — adversaries who are aware of their ability to compromise cloud workloads and use this knowledge to abuse features unique to the cloud — nearly tripled from 2021.
How are they getting in? Throughout 2022, cloud-conscious actors primarily obtained initial access to target cloud environments by using existing valid accounts, resetting passwords or exploiting public-facing applications such as web servers then placing webshells or reverse shells for persistence.
These types of credential-based intrusions against cloud environments are among the more prevalent exploitation vectors used by eCrime and targeted intrusion adversaries. Criminal actors routinely host fake authentication pages to harvest legitimate credentials for cloud services such as Microsoft Office 365, Okta or webmail accounts. Actors then use these credentials to attempt to access victim accounts.
And when they succeed, data shows their activity is not limited to the cloud. There is increasing evidence that adversaries are growing more confident leveraging traditional endpoints to pivot to cloud infrastructure. The reverse is also true: cloud infrastructure is being used as a gateway for lateral movement to traditional endpoints. It’s clear that cloud is an increasingly dangerous attack vector that must be fully protected as part of a holistic security strategy.
Complete Protection for Modern Cloud Environments
To protect cloud and hybrid environments, IT and security leaders need cloud-native technologies and a cloud-focused mindset — both of which must be rooted in maintaining flexibility, scalability and consistency across their IT infrastructure. This is where a combined agent-based and agentless approach to cloud security delivers the most comprehensive protection.
Why both agent-based and agentless? Because today’s IT and security teams must enforce continuous monitoring and security from the development process to runtime. An agent-only approach typically falls short here due the rate of change seen in modern cloud environments. Not only are cloud resources routinely spun up and taken down, but teams have to account for short-lived containers and serverless functions as they come in and out of existence.
A complicating factor is that IT and security teams typically don’t have access or control over all the hosts in an environment, and therefore can’t deploy agents on them. This lack of coverage creates security blindspots that attackers can exploit.
An agentless approach is equally ineffective on its own, as it offers only partial visibility and lacks remediation capabilities. Plus, agentless security relies on snapshots of cloud environments taken at set intervals. Given the average breakout time for interactive eCrime intrusion activity declined from 98 minutes in 2021 to 84 minutes in 2022, adversaries could presumably slip into a cloud environment unnoticed and move laterally on their path to removing access to accounts, terminating services, stealing or destroying data and deleting resources.
By combining agentless scanning with agent-driven protection, you get complete visibility and real-time threat detection and response to stop breaches.
Some vendors strive to offer this level of protection by combining cloud security capabilities. It might sound good on paper, but the reality is that when separate companies bundle tools that aren’t built for integration, users are burdened with multiple consoles and interfaces. These “marriages of convenience” often drive higher cost and complexity with worse security outcomes. Misconfigurations, for example, are a common consequence of this complexity, leading to vulnerabilities and increased risk due to the scale and speed of cloud environments.
One Platform to Stop Breaches
While companies seek the best in cloud protection, they also strive to reduce the number of tools to manage. In the face of today’s evolving threat landscape, where adversaries are attacking from multiple fronts, organizations should look for a cloud-native security platform that uses agentless and agent-based scanning to meet their security needs.
Related Resources
Related Articles:
How to Demystify Zero Trust for Non-Security Stakeholders
Published: 12/19/2024
Why Digital Pioneers are Adopting Zero Trust SD-WAN to Drive Modernization
Published: 12/19/2024
Managed Security Service Provider (MSSP): Everything You Need to Know
Published: 12/18/2024
Zero-Code Cloud: Building Secure, Automated Infrastructure Without Writing a Line
Published: 12/16/2024