This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our fifth Threat Horizons Report (full version) that we just released (the official blog for report #1, my unofficial blogs for #2, #3 and #4).
My favorite quotes from the report follow below:
- “Identity and trust relationships in and between cloud environments will continue to get more complex, challenging visibility and enabling threat actors to have wider and deeper impact on organizations. We anticipate an increase in targeting of identities that allow cross-platform authentication as actors recognise the value in compromising identities rather than endpoints.” [A.C. — this is one of our “intel-driven” predictions, and it just reminds everybody that even if you thought that ‘identity in the cloud is important’ then in reality it is even more important :-)]
- “The top malware used by short-term infections will still be cryptominers in 2023, but other forms of monetization, such as phishing or ransoming customer environments, could grow as well.” [A.C. — to me, this reminds the security teams and SOCs in particular that in the cloud they need to move at cloud speed… A short-term system compromise is still a compromise — and you are still owned, even if you are owned 1000 times for 10 minutes each :-)]
- “Threat actors diversified their initial access vectors. Weak passwords continued to be the most common factor at 41% of observed compromises. However, API key compromise [A.C. — take a look at this new resource!] played a role in nearly 20% of cases studied last quarter. […] In particular, the use of API compromise may suggest increased levels of automation by threat actors” [A.C. — while you talk about ‘security automation’ in general terms, attackers deploy new offensive automation…]
- “Mandiant estimated that 15 percent of their incident response investigations involved public cloud assets, demonstrating a shift in both enterprise planning and attacker operations against IT networks” [A.C. — this data point is from 2020, so treat this as a lower bound in 2023. This also reminds me that if you are owned, your cloud environment is probably also owned…]
- “Mandiant research indicates that threat actors are increasingly targeting backups to inhibit reconstitution after an attack. In addition, targeting, and in some cases creating, backups allows threat actors to engage in reconnaissance of affected organizations, escalate privileges, and gather intelligence.” [A.C. — not truly ‘new news’, but a useful reminder to those who assume, circa 2015, that ‘backups solve ransomware’. It also reminds us that an unauthorized backup run is a solid indicator of compromise.] BTW, our advice here includes this gem: “Create IAM permissions that segment the access and roles needed for creation, deletion, and changes to backups, thereby ensuring that account compromises do not create a direct pathway to move to the backups. Monitor for events on backups and create alerts for these”
- While it sounds like an obvious tactic, it really is! And attackers do use it: “In Q3 Trust and Safety systems flagged free tier or trial accounts abusing Google Cloud resources by conducting outbound DDoS attacks. […] We observed the attackers creating cost-optimized GCE instances, and within 2 hours of creation 50% of these flagged projects triggered DDoS alerts.”
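As an added example of what the backup advice above looks like in practice (this is my own illustration, not code from the report or from any Google Cloud product), here is a small Python script that does two things: it checks that no single principal is allowed to both create and delete backups (the segmentation point), and it runs over Cloud Audit Log entries and flags any backup create/delete/change performed by a principal outside the allowlist for that action (the "unauthorized backup run is an indicator of compromise" point). The log entries are constructed for the example; the `protoPayload.methodName` / `authenticationInfo.principalEmail` shape follows Cloud Audit Logs, but the specific method names, principals, project and resource names are assumptions, so check the exact strings your own services emit before using the classifier as-is.

```python
"""Flag backup operations that violate segmented backup roles.

Added example, not from the Threat Horizons Report. Audit-log entries
below are constructed; method names, principals and resource names are
assumptions used only to illustrate the pattern.
"""
import json

# Verbs (last segment of methodName) that mean "make a backup" or "remove a
# backup"; any other method touching a backup resource counts as a "change".
CREATE_VERBS = {"create", "insert", "createsnapshot"}
DELETE_VERBS = {"delete"}
# Substrings that mark a method as backup-related. Assumed list: extend it
# with whatever backup services you actually run.
BACKUP_MARKERS = ("backuprun", "snapshot", "backup")

# Segmented allowlist, one set of principals per action (assumed identities).
POLICY = {
    "create": {"backup-runner@example-proj.iam.gserviceaccount.com"},
    "delete": {"backup-retention@example-proj.iam.gserviceaccount.com"},
    "change": {"backup-admin@example.com"},
}

# Constructed Admin Activity audit entries (JSON, one per line).
SAMPLE_LOG_LINES = [json.dumps(e) for e in [
    {"timestamp": "2023-01-10T01:00:00Z", "protoPayload": {
        "methodName": "cloudsql.backupRuns.create",
        "authenticationInfo": {"principalEmail": "backup-runner@example-proj.iam.gserviceaccount.com"},
        "resourceName": "projects/example-proj/instances/prod-db"}},
    {"timestamp": "2023-01-10T01:05:00Z", "protoPayload": {
        "methodName": "v1.compute.snapshots.delete",
        "authenticationInfo": {"principalEmail": "backup-retention@example-proj.iam.gserviceaccount.com"},
        "resourceName": "projects/example-proj/global/snapshots/prod-disk-20221210"}},
    {"timestamp": "2023-01-10T02:30:00Z", "protoPayload": {
        "methodName": "v1.compute.disks.createSnapshot",
        "authenticationInfo": {"principalEmail": "dev-alice@example.com"},
        "resourceName": "projects/example-proj/zones/us-central1-a/disks/prod-disk"}},
    {"timestamp": "2023-01-10T02:31:00Z", "protoPayload": {
        "methodName": "cloudsql.backupRuns.delete",
        "authenticationInfo": {"principalEmail": "dev-alice@example.com"},
        "resourceName": "projects/example-proj/instances/prod-db/backupRuns/1234"}},
    {"timestamp": "2023-01-10T02:32:00Z", "protoPayload": {
        "methodName": "v1.compute.instances.insert",
        "authenticationInfo": {"principalEmail": "dev-alice@example.com"},
        "resourceName": "projects/example-proj/zones/us-central1-a/instances/vm-1"}},
]]


def classify_backup_action(method_name):
    """Return 'create', 'delete' or 'change' for a backup method, else None."""
    lowered = method_name.lower()
    if not any(marker in lowered for marker in BACKUP_MARKERS):
        return None
    verb = lowered.rsplit(".", 1)[-1]
    if verb in CREATE_VERBS:
        return "create"
    if verb in DELETE_VERBS:
        return "delete"
    return "change"


def segmentation_gaps(policy):
    """Principals allowed for more than one backup action (roles not segmented)."""
    actions_by_principal = {}
    for action, principals in policy.items():
        for principal in principals:
            actions_by_principal.setdefault(principal, set()).add(action)
    return {p: sorted(a) for p, a in actions_by_principal.items() if len(a) > 1}


def find_backup_violations(log_lines, policy):
    """Parse JSON audit entries; return backup actions by non-allowed principals."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        payload = entry.get("protoPayload", {})
        method = payload.get("methodName", "")
        action = classify_backup_action(method)
        if action is None:
            continue  # not a backup operation, nothing to check
        principal = payload.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        if principal not in policy.get(action, set()):
            findings.append({
                "timestamp": entry.get("timestamp"),
                "principal": principal,
                "action": action,
                "method": method,
                "resource": payload.get("resourceName"),
            })
    return findings


if __name__ == "__main__":
    for principal, actions in segmentation_gaps(POLICY).items():
        print(f"SEGMENTATION GAP: {principal} may {', '.join(actions)} backups")
    for f in find_backup_violations(SAMPLE_LOG_LINES, POLICY):
        print(f"ALERT {f['timestamp']}: {f['principal']} did backup "
              f"{f['action']} via {f['method']} on {f['resource']}")
```

On the sample data the two `dev-alice@example.com` events are the ones that fire: an unexpected snapshot of a production disk (the "attacker creates a backup for reconnaissance" case) followed by a backup deletion, while the normal runner and retention service accounts stay quiet. In a real deployment the same classifier would sit behind a log sink or a Cloud Logging alerting policy rather than a list of strings, and the allowlist would be derived from the IAM bindings you actually granted.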
Now, go and read the report!
- Google Cybersecurity Action Team Threat Horizons Report #4 Is Out!
- Google Cybersecurity Action Team Threat Horizons Report #3 Is Out!
- Google Cybersecurity Action Team Threat Horizons Report #2 Is Out!
- Illicit coin mining, ransomware, APTs target cloud users in first Google Cybersecurity Action Team Threat Horizons report
- All past and future reports are posted at Google Cybersecurity Action Team site.