What are the security risks in the age of cloud adoption?

Insight: SentinelOne

Organizations are rapidly embracing digital transformation, with the public cloud and containers as key strategies. Traditional infrastructures are shifting to cloud-native platforms and containerized applications to create more efficient workflows, cut costs and build resilience. Gartner predicts that 95% of new digital workloads will run on cloud-native platforms by 2025, up from 30% in 2021. By 2028, 70% of all workloads will be in the cloud, compared with 25% today.

The attention of attackers

The rapid adoption of cloud technologies is attracting the attention of attackers. Attackers increasingly target these new infrastructures as organizations move their mission-critical data to the cloud. Security professionals are seeing an increase not only in the frequency of attacks but also in their complexity. We measure this complexity by the growth in the number of attacker techniques catalogued in the MITRE ATT&CK framework. According to MITRE ATT&CK, the number of attack techniques in the Cloud IaaS matrix increased from 50 to 61, and in the Containers matrix from 28 to 39, over the past two and a half years. This increased attention also leads to more reported incidents and breaches related to cloud and container environments. According to a recent Thales report, 39% of respondents to its State of Cloud Security survey experienced a cloud breach in the past year.

Automated attacks

Another notable trend is the increasing number of automated attacks. SentinelOne is increasingly seeing automated scripts, such as automated “scraping of secrets” for credential harvesting, that scan for configuration errors, deploy cryptominers and exploit vulnerabilities at the control and application level. For example, the LemonDuck botnet can attack a misconfigured Docker API within 12 seconds and automatically deploy a malicious container for cryptojacking. Automation and open-source tools such as AlienFox and Predator AI lower the threshold for attackers. These tools can extract and misuse credentials from insecure environments, facilitating unauthorized system access.
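The Docker API exposure mentioned above is a configuration problem a defender can audit before an automated scanner finds it. The following is an added example, not code from the article or from SentinelOne: it reads a Docker `daemon.json` document and flags a `tcp://` listener that is not protected by mutual TLS (`tlsverify` plus the CA, certificate and key paths) or that is bound to all interfaces. The three sample configurations are constructed for the example; the finding labels are this example's own.

```python
import json

# Constructed sample daemon.json contents (not taken from the article).
# EXPOSED_CONFIG is the pattern automated cryptojacking campaigns look for:
# the API on plain TCP, reachable from any interface, with no TLS.
EXPOSED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
# PROTECTED_CONFIG still listens on all interfaces, but only clients holding
# a certificate signed by the configured CA can talk to it.
PROTECTED_CONFIG = json.dumps({
    "hosts": ["tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
# LOCAL_ONLY_CONFIG exposes nothing over the network.
LOCAL_ONLY_CONFIG = json.dumps({"hosts": ["unix:///var/run/docker.sock"]})


def audit_docker_daemon(config_text):
    """Return a list of finding labels for one daemon.json document.

    "tcp-without-mtls": a tcp:// listener exists but tlsverify is not set
        to true with CA, server certificate and key paths configured.
    "bound-to-all-interfaces": a tcp:// listener binds to every address,
        which is informational when mTLS is on and critical when it is off.
    """
    cfg = json.loads(config_text)
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    findings = []
    if not tcp_hosts:
        return findings  # only the local Unix socket: nothing remote to reach

    tls_ready = cfg.get("tlsverify") is True and all(
        cfg.get(key) for key in ("tlscacert", "tlscert", "tlskey"))
    if not tls_ready:
        findings.append("tcp-without-mtls")

    # "tcp://:port" and the wildcard addresses all mean "every interface".
    for host in tcp_hosts:
        if host.startswith(("tcp://0.0.0.0", "tcp://[::]", "tcp://:")):
            findings.append("bound-to-all-interfaces")
            break
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG),
                      ("protected", PROTECTED_CONFIG),
                      ("local-only", LOCAL_ONLY_CONFIG)):
        print(name, audit_docker_daemon(cfg))
```

Run the module directly to print the findings for the three samples; in practice the same function can be pointed at `/etc/docker/daemon.json` on each host. Note that the listener can also be set with the `-H` flag in the systemd unit rather than in `daemon.json`, so a complete audit checks both places.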

Causes of cloud incidents

With the increase in cloud-related incidents, it is crucial to look at the most common problems and where security teams should focus their attention. The three main causes of cloud incidents are misconfigured assets connected to the Internet, compromised credentials and vulnerable web apps hosted in the cloud.

  • Misconfigured assets: For a long period, S3 buckets were unintentionally exposed before Amazon changed the default configuration to private. Despite stronger controls and default settings from cloud vendors and the emergence of Cloud Security Posture Management (CSPM) tools, misconfigured environments remain widespread.
  • Compromised credentials: Not surprisingly, many cloud incidents begin because an attacker has gained access to credentials, often through credential harvesting. In 2023, GitGuardian reported that over 1 million leaked Google API secrets, 250,000 Google Cloud secrets and 140,000 AWS secrets were discovered on GitHub.
  • Vulnerable web apps in the cloud: OS- and application-level vulnerabilities remain a major cause of cloud incidents. While not exclusively related to cloud and containers, the increase in known exploited vulnerabilities (KEV) and in vulnerabilities with proof-of-concept exploits is noteworthy. VulnCheck provides a detailed overview of these trends over the past decade. One notable observation is the speed at which attackers adopt proof-of-concept exploits. An example from Cloudflare shows that attackers used a PoC exploit against TeamCity just 22 minutes after publication.
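The misconfigured-assets item above describes what CSPM tools look for on S3; the following is an added example of that kind of check, not code from the article or from SentinelOne. It evaluates a bucket policy document for `Allow` statements granted to a wildcard principal and reports the account-level Public Access Block settings that are switched off. The sample policy and its bucket name, account ID and VPC ID are constructed for the example; a real check would fetch the policy and the Public Access Block configuration from the API and feed them to these functions.

```python
import json

# Constructed bucket policy (not from the article). It mixes one clearly
# public statement, one scoped to a single account, and one wildcard grant
# narrowed by a Condition, which should be reviewed rather than auto-flagged.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AccountOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "PublicButVpc", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123abcd"}}},
    ],
})

# Constructed Public Access Block configuration with one setting left off.
SAMPLE_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": False,
    "RestrictPublicBuckets": True,
}


def _is_wildcard_principal(principal):
    """True when the principal is '*' or {'AWS': '*'} (possibly in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def public_statements(policy_json):
    """Return (Sid, verdict) pairs for Allow statements open to everyone.

    verdict is "public" when nothing narrows the grant, and
    "public-with-condition" when a Condition block is present and a human
    has to judge whether it really limits the callers.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        verdict = "public-with-condition" if stmt.get("Condition") else "public"
        findings.append((stmt.get("Sid", "<no Sid>"), verdict))
    return findings


def public_access_block_gaps(config):
    """Return the Public Access Block settings that are not enabled."""
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    return [key for key in required if config.get(key) is not True]


if __name__ == "__main__":
    print(public_statements(SAMPLE_POLICY))
    print(public_access_block_gaps(SAMPLE_PUBLIC_ACCESS_BLOCK))
```

The two checks complement each other: a public statement matters less when `BlockPublicPolicy` and `RestrictPublicBuckets` are enforced at the account level, and a clean policy can still be undermined by public object ACLs if `IgnorePublicAcls` is off, which is why posture tooling reports both.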

The power of three

Vulnerabilities, compromised credentials and misconfigured environments are the leading causes of incidents. Advanced cloud attacks often combine tactics and techniques that draw on all three of these causes. Many attacks begin with an OS- or application-level vulnerability that enables Remote Code Execution (RCE). Popular tactics within cloud attacks include stealing credentials and modifying or disabling cloud services. Theft of credentials is an effective way to achieve privilege escalation and widen the scope of the breach.

The rapid adoption of cloud technology poses significant security risks, including increasing complexity and automated attacks. Organizations should focus on active security measures – such as better configuration management, strong credential security and rapid patching of vulnerabilities – to protect their cloud environments from the growing number of advanced threats.

This article is offered to you by SentinelOne.