Cloud Threat Landscape Report 2020

Introduction

With organizations increasingly using cloud environments for scaling and accelerating operations, understanding the unique cyber threat landscape of this field is critical. Leveraging IBM’s global presence and cloud incident response capabilities, we have conducted an in-depth analysis of cloud-related cybersecurity incidents our team has responded to over the past year in order to discern the top threats in this arena. This paper will dive into what IBM Security sees on the front lines of defending the cloud, including:

• Who is targeting cloud systems
• How we’re seeing threat actors access cloud environments
• What threat actors are doing once they have gained access to a cloud environment
• Common shortcomings we observe in cloud security
• Recommendations for improving your organization’s cloud security posture

Key findings

• Financial gain is the most common motivation of threat actors targeting cloud environments, based on IBM Security Incident Response data collected since 2019.
• Bruteforcing and exploitation of cloud applications are the two most common infection vectors, accounting for 45% of the cases examined in this report.
• Data theft—such as appropriation of personally identifiable information (PII)—is the favored activity of cybercriminals once they penetrate a cloud environment.
• Misconfiguration of cloud environments led to over one billion lost records in 2019.
• Ransomware is the most commonly deployed malware in infiltrated cloud environments, accounting for three times as many cases as cryptomining and botnet malware, which follow in second and third place respectively.
• Leveraging cloud platforms for use as malicious infrastructure is often a favorite ploy of sophisticated threat actors, enabling them to ramp up operations with a single compromise. This has the added appeal of allowing them to minimize their own costs at the expense of their targets and appear to originate from otherwise legitimate sources.
• Depending on the organization impacted and the type of applications run in the cloud, infiltration can bring this swift and hefty price tag.
• Redeploy assets, don’t reimage them: Organizations that redeploy assets vs. reimage affected cloud environments are more capable of performing effective forensic investigations, which may prevent subsequent harm to the organization.
• Defense-in-depth is a necessity: Malware developers, aware of increasing cloud adoption, have begun making malware that disables many common cloud security products, leaving many companies unknowingly vulnerable.