Cloud Threat Report 2H 2020

Executive Summary : Cloud Threat Report 2H 2020

Cloud is poised to become the dominant way that organizations store their data and manage applications. Our own data shows 46% of organizational workloads are already there, with the figure likely to grow to 64% in the next 24 months. To better understand the threat landscape associated with this rapid shift, Unit 42 researchers focused deeply on identity in the cloud. They analyzed methods that attackers use to silently perform reconnaissance operations, as well as common threat actors. Researchers also carefully identified steps organizations can take to build a cloud security program based upon identity best practices. The research took place between May and August 2020 and was global in scope—spanning terabytes of data, thousands of cloud accounts, and more than 100,000 GitHub code repositories. Overall, the findings indicate that identity misconfigurations are prevalent across cloud accounts and represent a significant security risk to organizations, which can lead to costly data breaches.

Cloud Identity Flaws Are Difficult to Detect

During a Red Team exercise, Unit 42 researchers were able to use a customer misconfiguration to compromise an entire Amazon Web Services (AWS®) environment, with thousands of workloads, in less than one week. They were able to do this by exploiting a single misconfigured IAM trust policy. With this flaw, an attacker could launch any number of attacks against an organization, including denial-of-service (DoS) and ransomware, or even open a door for an advanced persistent threat (APT) adversary. Because identity defects are difficult to detect, especially at scale, many go unnoticed by organizations until it’s too late.

Identity Misconfigurations Lead to High-Impact Failures

In the same Red Team exercise, Unit 42 researchers identified an IAM role used by hundreds of users, which they were able to compromise. This allowed them to achieve administrative access outside of the development area. Once outside of development, the misconfigured IAM role allowed researchers to identify and hijack a legitimate administrator account and establish full administrative control over the entire cloud environment. With the “keys to the kingdom,” attackers could launch any number of attacks against an organization, such as stealing sensitive data or wiping out the entire infrastructure.

Download the report to find more.