The CrowdStrike eBook, “Protectors of the Cloud: Combating the Rise in Threats to Cloud Environments,” reveals how adversaries target and infiltrate cloud environments and recommends best practices for defense.
As organizations move critical applications and data to the cloud, these resources have come under increasing attack. Adversaries view cloud environments as soft targets and continue to refine tactics and tradecraft to exploit the vulnerabilities and misconfigurations within them.
Though this attack trend was underway before the COVID-19 pandemic, the need to support mostly remote, distributed workforces increased organizations’ reliance on cloud resources — which in turn amplified adversaries’ focus on exploiting the cloud. Attackers were circling throughout 2021, often attempting to compromise cloud infrastructure and assets by exploiting misconfigurations and stolen user credentials.
In “Protectors of the Cloud: Combating the Rise in Threats to Cloud Environments,” we outline common attack vectors adversaries use to breach cloud environments, including credential theft, vulnerability exploitation, abuse of cloud service providers, exploitation of misconfigured image containers, and use of cloud services for hosting malware and command and control.
Additionally, you will learn:
- How state-sponsored adversaries, such as COZY BEAR, target IT and cloud service providers to exploit trusted relationships and supply chain partners
- How sophisticated adversaries harvest, then exploit stolen credentials and identities to amplify ransomware big game hunting (BGH) attacks and infiltrate cloud environments
- How malicious actors intensify attacks on critical cloud infrastructure by exploiting misconfigured image containers and targeting vulnerabilities
- How adversaries target neglected cloud infrastructure slated for retirement that still contains sensitive data
- Which best practices cloud security experts recommend for defending cloud infrastructure
Adversaries Seek to Exploit Trust in the Cloud
The eBook shows how, in addition to credential theft and vulnerability exploitation, adversaries leverage cloud service providers in an attempt to abuse the trust between these service providers and their customers. In doing so, the adversary seeks access to additional targets through lateral movement from cloud-hosted enterprise authentication assets. If an adversary can elevate their privileges to global administrator levels, they may be able to pivot between related cloud tenants to expand their access. Other covered adversarial tactics and trends include exploiting misconfigured image containers and using legitimate cloud services to host malware and perform command and control activities.
The eBook also describes the tactics of two significant threat groups, FANCY BEAR and COZY BEAR, which are Russian in origin and target cloud services as part of their strategy.
- In 2021, FANCY BEAR targeted numerous cloud-based email providers — including Microsoft O365 and webmail services likely to be used by individuals — using a variety of tactics. Credential theft is a critical part of FANCY BEAR’s strategy, which serves as a reminder that organizations should focus on anti-phishing technologies and user awareness training to aid the identification of phishing emails and other credential-stealing techniques.
- COZY BEAR has demonstrated extensive knowledge of cloud service infrastructure and administration as well as the use of extensive operational security methods to reduce their chances of being detected.
Given threat actors’ increasing focus on attacking the cloud, CrowdStrike takes an adversary-focused approach that unifies on-premises and cloud security by combining capabilities such as cloud security posture management and cloud workload protection for multicloud environments with the latest threat intelligence. As adversaries grow more sophisticated, protecting cloud assets will likely become more complex. Battling these adversaries will require a comprehensive approach to security that enables organizations to maintain compliance, visibility and enforcement regardless of where their data and applications reside.