New IBM X-Force team research supports what we already know to be true: organizations are falling behind on basic security practices in the cloud, exposing them to even greater risk. The annual report is now in its third year, and references data from various sources within IBM’s X-Force team including Threat Intelligence, their Red Team, Incident Response, and a third-party organization. The report aims to examine how criminals are compromising the cloud, and what their behavior is once they’re in.
Below, we’ll review the report’s main findings, and provide insights on what this means and recommendations on how your organization can remediate these risks.
Top 3 Takeaways
Vulnerabilities in on-prem networks and infrastructure remain a major entryway into organizations' databases, and as the title of IBM's report blog suggests, old habits die hard. This year's report found that vulnerability exploitation remains the most common way to achieve cloud compromise: 26% of the cloud compromises that X-Force responded to were caused by attackers exploiting unpatched vulnerabilities, the single greatest contributor.
Cloud-related vulnerabilities are also increasing steadily, with a 28% rise in new vulnerabilities over the past year. Vulnerability management already receives a great deal of attention from security practitioners and executives, which is why we often try to shine a light on other areas of cloud risk, such as platform, identity, and data risks.
Still, exploiting vulnerabilities remains a tried-and-true method of entry, and how you should approach managing them has changed completely in the cloud.
In this new landscape, it is less about how an attacker can compromise your cloud (the report noted the Log4j vulnerability and a vulnerability in VMware Cloud Director as the most leveraged this past year) and more about understanding what an attacker can do once they're in. This is where understanding the true blast radius of a vulnerability is critical. Blast radius refers to how great the environmental impact is: is the resource on the internet, is there an overpermissioned identity on that resource, and ultimately what data, and how sensitive, could an exploit of this vulnerability lead to?
In order to gain this sort of visibility, you need a cloud security tool with full insight into all the complex relationships between the configuration of your cloud and the identities, data, and workloads in it. All of these factors are part of the modern-day cloud attack path. The overall attack path is similar to that of its on-prem predecessor and follows the infiltration, reconnaissance, lateral movement, exfiltration, and impact formula; however, there are a few things to note that are specific to the cloud. The speed and scale of the cloud increase the scale and uniqueness of risks. IBM recommends not only identifying weaknesses in your environment, like unpatched, exploitable vulnerabilities, but also prioritizing them based on their severity in context. This sort of contextual prioritization is only possible if you have visibility into data, identity, and platform configurations, allowing you to understand the gradations of sensitivity. You can get this through solutions like Cloud Workload Protection Platforms (CWPP) or Cloud Native Application Protection Platforms (CNAPP).
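To make the contextual prioritization above concrete, here is an added example (not code from IBM or Sonrai) that scores two hosts carrying the same unpatched finding by the three blast-radius questions from the text: internet exposure, an overpermissioned attached identity, and the sensitivity of the data that identity can reach. The inventory, identities, and data labels are constructed, and the CVE id is a placeholder.

```python
# Added example (not from the report): rank unpatched resources by blast
# radius instead of by CVE severity alone.  The inventory below is constructed
# and simplified; the CVE id is a placeholder, not a finding from the report.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Constructed identities: permissions granted, permissions seen in use
# (e.g. from audit logs), and the data stores those permissions reach.
IDENTITIES = {
    "web-role": {"granted": {"s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "iam:PassRole"},
                 "used": {"s3:GetObject"},
                 "reaches": ["customer-pii-bucket", "static-assets"]},
    "batch-role": {"granted": {"sqs:ReceiveMessage"}, "used": {"sqs:ReceiveMessage"},
                   "reaches": ["job-queue"]},
}
DATA = {"customer-pii-bucket": "restricted", "static-assets": "public", "job-queue": "internal"}
RESOURCES = [  # two hosts carrying the same placeholder finding
    {"name": "web-01", "internet_exposed": True, "cves": ["CVE-PLACEHOLDER"], "identity": "web-role"},
    {"name": "batch-07", "internet_exposed": False, "cves": ["CVE-PLACEHOLDER"], "identity": "batch-role"},
]

def unused_fraction(identity):
    """Share of granted permissions never observed in use (0.0 .. 1.0)."""
    granted, used = identity["granted"], identity["used"]
    return len(granted - used) / len(granted) if granted else 0.0

def blast_radius(resource):
    """Score one vulnerable resource: internet exposure + overpermissioned
    identity + sensitivity of the data that identity can reach."""
    ident = IDENTITIES[resource["identity"]]
    score, why = 0, []
    if resource["internet_exposed"]:
        score += 3
        why.append("internet exposed")
    if unused_fraction(ident) >= 0.5:       # most of its rights are never used
        score += 2
        why.append(f"{resource['identity']} overpermissioned")
    worst = max((SENSITIVITY[DATA[d]] for d in ident["reaches"]), default=0)
    score += worst
    if worst >= SENSITIVITY["confidential"]:
        why.append("reaches sensitive data")
    return score, why

def prioritize(resources):
    """Highest blast radius first: same CVE, very different urgency."""
    scored = [(r["name"], *blast_radius(r)) for r in resources]
    return sorted(scored, key=lambda s: s[1], reverse=True)

if __name__ == "__main__":
    for name, score, why in prioritize(RESOURCES):
        print(f"{name}: score={score} ({', '.join(why) or 'low impact'})")
```

The weights are illustrative; the point is that the host whose attached role reaches restricted data from the internet ranks far above an internal batch host with the identical CVE.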
The second major difference in the cloud attack path is the lateral movement stage. Identities are now the stepping stones for moving around an environment, whether through identity permission chains or privilege escalation abilities. This tees up the next major finding perfectly.
Cloud Access Control
In 99% of pen testing engagements, X-Force Red was able to compromise client cloud environments through excess privileges and permissions on cloud identities. In other words, 99% of cloud identities (person and non-person, meaning service accounts, compute, roles, etc.) were overprivileged. This result is consistent with our own research at Sonrai, which found that only 3% of granted permissions are actually used. Increased privilege, especially unnecessary privilege, simply means an increased attack surface.
Identities are proliferating, especially machine identities, and organizations cannot keep up. This is another use case driving organizations to adopt a cloud security platform. Automation is the only answer to the speed and scale of the cloud. We've measured 37,000+ unique actions across the major cloud providers, and we also see approximately 17 new permissions being added to the cloud every day. The only way to keep up with all identities and their entitlements is automated inventorying and continuous monitoring of entitlements and usage. Access can be extremely covert in the cloud, as it is granted indirectly through trust relationships, policies, nested groups, or phenomena like toxic combinations.
IBM recommends a Zero Trust architecture in this year's report. Zero Trust is a buzzword that is thrown around frequently and is exceedingly hard to achieve. The way we understand it at Sonrai can be broken down into three core tenets:
1. Continuously and explicitly validate access. This means setting up controls like authorization and Multi-Factor Authentication (MFA). Past that, you need to continuously inventory identities and monitor their effective permissions, detecting deviation away from a secure baseline.
2. Assume breach and mitigate blast radius. Again, in the cloud, it is less about how and whether they'll get in, and more about what they can do once they are in. Keep things tight. Work towards least-access data policies. Set strict controls around your most sensitive data. Controlling your blast radius is all about limiting what an attacker can do in your environment.
3. Achieve and maintain Least Privilege. Getting to least privilege means having an ongoing inventory of all identities and visibility into their true effective permissions, then stripping unnecessary or excessive privilege. You stay at least privilege through continuous monitoring.
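The entitlement inventory and usage monitoring described above, and the effective-permissions review in tenet 3, reduce to a small computation. The following is an added example, not Sonrai or IBM code: it resolves an identity's policies (IAM-style statements with wildcards, Allow minus explicit Deny) into concrete effective permissions, diffs them against observed usage events, and emits the trimmed allow-list. The action catalogue, the policies, and the usage events are constructed, and the evaluation is simplified (no resources or conditions).

```python
# Added example (not Sonrai or IBM code): effective permissions from policies,
# compared with observed usage, then trimmed to what least privilege allows.
# Statement shape mimics IAM policies but evaluation is simplified (no
# resources or conditions); catalogue, policies and events are constructed.
import fnmatch

CATALOGUE = [  # constructed list of actions the (hypothetical) cloud API offers
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
    "s3:DeleteBucket", "iam:PassRole", "iam:CreateUser", "sqs:ReceiveMessage",
]

def expand(patterns):
    """Resolve IAM-style '*' wildcards to the concrete actions they cover."""
    return {a for a in CATALOGUE for p in patterns if fnmatch.fnmatchcase(a, p)}

def effective_permissions(policies):
    """Union of Allows minus union of explicit Denys, across all policies."""
    allowed, denied = set(), set()
    for policy in policies:
        for stmt in policy["Statement"]:
            target = allowed if stmt["Effect"] == "Allow" else denied
            target |= expand(stmt["Action"])
    return allowed - denied

def unused(effective, events):
    """Effective permissions that never appear in the usage events."""
    used = {f'{e["eventSource"]}:{e["eventName"]}' for e in events}
    return effective - used

def least_privilege_policy(effective, events):
    """Allow only what was actually exercised in the observation window."""
    keep = sorted(effective - unused(effective, events))
    return {"Statement": [{"Effect": "Allow", "Action": keep}]}

# Constructed inputs: a broad role policy, a Deny guardrail, and audit events
# showing which actions the role really called during the window.
ROLE_POLICIES = [
    {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "iam:PassRole"]}]},
    {"Statement": [{"Effect": "Deny", "Action": ["s3:DeleteBucket"]}]},
]
USAGE = [{"eventSource": "s3", "eventName": "GetObject"},
         {"eventSource": "s3", "eventName": "GetObject"},
         {"eventSource": "s3", "eventName": "ListBucket"}]

if __name__ == "__main__":
    eff = effective_permissions(ROLE_POLICIES)
    print("effective:", sorted(eff))
    print("never used:", sorted(unused(eff, USAGE)))
    print("trimmed policy:", least_privilege_policy(eff, USAGE))
```

Run continuously against real inventory and audit logs, the same diff becomes the drift detection from tenet 1: any permission that reappears outside the trimmed allow-list is a deviation from the baseline.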
Cloud on the Dark Web
Nefarious activity on the dark web is nothing new. X-Force detected a 200% increase in cloud accounts for sale in the last year. This translated to 100,000 accounts, leaving us to think compromise is becoming a question of 'when', not 'if'. X-Force found that cloud credentials accounted for 19% of all accounts advertised for sale. The ease of use of compromised credentials and their relatively low price make them an attractive purchase. IBM recommends more stringent password policies, enabling Multi-Factor Authentication, and leveraging next-generation IAM tools to combat this reality.
We'll add to these recommendations and note that the real mitigation work comes from building defenses within your cloud. IAM tools and best practices like MFA protect against an attacker successfully using compromised credentials to access your environment, but what about once they do get in? Your business can seriously reduce the impact an attacker can have, and what they can do in your environment, by taking precautions regarding identity and entitlement management. It doesn't matter if the credentials up for sale belong to a low-level developer who mainly works in a sandbox environment. The reality is that about 10% of all identities in your cloud have the power and access necessary to totally wipe out your cloud. That's 1 in 10 identities. This is an awareness and visibility problem. Your organization's goal is to reveal who and what these privileged identities are and detach permissions accordingly. Cloud Infrastructure Entitlement Management (CIEM) tools reveal these glaring risks and lock down your cloud to mitigate the impact if an attacker finds their way in through dark web credentials.