By: Mr. Eric Swenson, Director of Solutions Marketing at Palo Alto Networks
In the latest edition of the Unit 42 Cloud Threat Report, our researchers explore the cloud threat landscape with a deep focus on identity and access management (IAM) misconfiguration risks. The research took place between May and August 2020 and was global in scope – spanning terabytes of data, thousands of cloud accounts and more than 100,000 GitHub code repositories.
The findings indicate that identity misconfigurations are prevalent across cloud accounts and represent a significant security risk to organizations. However, Unit 42 researchers also note that there are best practices that organizations can use to build effective security programs and help minimize these risks.
Protecting Against IAM Risks
Unit 42 researchers shed light on a number of different possible risks surrounding IAM and provide guidance on remediation to minimize those risks.
Automation Is Needed to Address Complex Multi-Cloud Permissions Policies
The report details a Red Team exercise where Unit 42 researchers used a single misconfigured IAM trust policy to compromise an organization’s entire public cloud environment. An attacker could leverage the same flaw to launch any number of attacks against the organization, including denial-of-service (DoS) and ransomware, or even advanced persistent threats (APTs). Worse still, these defects often go unnoticed and unfixed in enterprise organizations.
In the same exercise, the Unit 42 researchers were also able to identify and hijack a legitimate administrator account and establish full control over the entire cloud environment. With the “keys to the kingdom,” attackers could then launch any number of attacks against the organization.
Organizations can reduce the risk of similar attacks by establishing auto-remediation to address over-privileging and by monitoring IAM APIs, among other best practices discussed in the report. These tasks are generally complex enough to warrant cloud native security platforms that can help simplify the processes.
Basic Security Practices Can Still Be Effective
Research showed that 75% of organizations in Japan and Asia-Pacific (JAPAC) and 74% of organizations in Europe, the Middle East and Africa (EMEA) that use Google Cloud are running workloads with administrative privileges. A little over half of organizations in the Americas (54%) run with the same type of privileges. Attackers that compromise these workloads would be able to move laterally across cloud resources, making it easier to establish cryptojacking operations. Cryptojacking is the term for malicious cryptomining operations. In this case, an unauthorized actor uses cloud computing resources to mine for cryptocurrency.
As organizations mature in their cloud security models, the basic foundations of good security will still be effective in situations such as this. Researchers note in the report that enabling multi factor authentication (MFA) on top of configuring strong password policies are still effective protections, no matter how complex an environment becomes.
Good Identity Hygiene Has Multiplier Effects
The research also highlights that cryptojacking affects at least 23% of organizations globally that maintain cloud infrastructure – a sharp rise from the 8% that researchers observed in February 2018.
Protecting your cloud infrastructure against cryptojacking operations begins with practicing the identity best practices discussed here and in the report. Additional protections, including container security and threat intelligence, are strengthened in their effectiveness with this groundwork.
How to Begin Identifying Your Risks
The full Unit 42 Cloud Threat Report provides in-depth analysis on the methods that attackers use to silently perform reconnaissance operations, as well as common threat actors. Researchers also carefully identify steps organizations can take to build a cloud security program based upon identity best practices.
