[German]The run on the cloud continues unabated, but the number of vulnerabilities and security threats is steadily increasing. Misconfigurations, weak credentials, lack of authentication, unpatched vulnerabilities and malicious (infected) open source software (OSS) threaten security. Some developers hard-pack credentials into the source code of their software, making unauthorized access easy. Palo Alto Networks' (cybersecurity provider) Unit 42 Cloud Threat Report (Volume 7, April 2023) looks at how vulnerabilities in access to cloud services affect enterprise security posture.
Advertising
Over the past 12 months through April 2023, Palo Alto Networks' Unit 42 has surveyed more than 1,300 enterprises and analyzed workloads across 210,000 cloud accounts/subscriptions/projects at all major cloud solution providers (CSPs). So far, there are no signs of a slowdown in the pace of cloud migration. From $370 billion in market volume in 2021, this is expected to rise to $830 billion in 2025.
The downside is attacks on these cloud instances, with attackers trying to exploit common problems in the cloud. This includes misconfigurations, weak credentials, lack of authentication, unpatched vulnerabilities and malicious OSS packages. Key points from the Thread report are:
- On average, security teams take 145 hours to resolve a security alert. 60 percent of organizations take more than four days to remediate security issues.
- 80 percent of alerts are triggered by just five percent of security rules in most organizations' cloud environments.
- 63 percent of production codebases have unpatched vulnerabilities rated high or critical (CVSS >= 7.0).
- 76 percent of organizations do not enforce MFA for console users, while 58 percent of organizations do not enforce MFA for root/admin users.
- Sensitive data, such as personally identifiable information, financial data or intellectual property, resides in 66 percent of storage buckets and 63 percent of publicly accessible storage buckets.
- Fifty-one percent of codebases depend on more than 100 open source packages, though only 23 percent of packages are imported directly by developers.
The report also includes an updated Cloud Threat Actor Index, which incorporates new cloud threat actors and activities. In addition, the report provides a breakdown of two cloud attack incidents handled by Unit 42's incident response team in 2022.
Cloud Threat Report Volume 7: Growing Attack Surface
The cloud attack surface is as dynamic as the cloud itself, Unit 42 writes, and as organizations around the world increasingly share, store and manage data in the cloud, the enterprise attack surface expands exponentially. This expansion often happens in unknown, overlooked or inadequately secured ways. For attackers, every workload in the cloud represents an opportunity, and without proper management, organizations are exposed to risk in myriad ways.
While previous reports focused on a single threat (e.g., identity access management, supply chain attacks, and container security), the Unit 42 Cloud Threat Report Volume 7 addresses a larger, more comprehensive problem: Attackers have become adept at exploiting common, everyday problems in the cloud. These issues include misconfigurations, weak credentials, lack of authentication, unpatched vulnerabilities and malicious open source software (OSS) packages.
Advertising
The report provides a breakdown of two different real-world cloud attack cases observed by Unit 42 in 2022. After anonymizing and de-identifying the victims, the researchers show how attackers exploited sensitive data that surfaced on the dark web and the business disruption caused by ransomware.
Recommendations from the report
Below is a sampling of key findings and recommendations from the "Unit 42 Cloud Threat Report, Volume 7: Navigating the Expanding Attack Surface."
- On average, security teams take 145 hours (about six days) to resolve a security alert. Sixty percent of organizations take longer than four days to resolve security issues.
- In most organizations' cloud environments, 80 percent of alerts are triggered by just five percent of security rules.
- 63 percent of production codebases have unpatched vulnerabilities rated high or critical (CVSS >= 7.0)
- 76 percent of organizations do not enforce MFA for console users, while 58 percent of organizations do not enforce MFA for root/admin users.
Common monitoring measures in the cloud
Based on extensive data collected in 2022, the report examines real-world security breaches that affected medium and large enterprises. It describes the issues observed in thousands of multi-cloud environments and analyzes the impact of OSS vulnerabilities on the cloud.
Specifically, researchers analyzed workloads in 210,000 cloud accounts across 1,300 different enterprises. With many enterprises now having multiple cloud deployments, vulnerabilities are becoming increasingly targeted by attackers.
Time in days it takes organizations to resolve security alerts.
While user errors such as insecure configurations remain the primary problem, Unit 42 researchers also found issues stemming from the ready-to-use templates and default configurations provided by cloud service providers (CSPs). While these settings and features are convenient and make it easier to adopt new technologies, they do not put users in the safest possible starting state.
Sample results:
- 76 percent of organizations do not enforce MFA for console users.
- Sensitive data was found in 63 percent of publicly accessible storage buckets..
Impact and risks of open source software (OSS) in the cloud
Open source software has been one of the driving forces behind the cloud revolution. However, the increasing use of OSS in the cloud also increases complexity – and with it the likelihood of outdated or abandoned software, malicious content and slower patching cycles. This puts the onus on end users to vet OSS before integrating it into applications. This task is especially difficult when organizations must manage numerous projects, all dependent on potentially thousands of OSS.
Number of vulnerabilities in CNCF projects broken down by programming language.
Recommendations: Making life difficult for the attackers
Enterprises should expect the attack surface for cloud-native applications to continue to grow as attackers find increasingly creative ways to attack the misconfiguration of cloud infrastructures, APIs and the software supply chain itself. To protect against these threats, the report provides practical guidance on closing the gaps in cloud security, such as:
- An automatic backup process should be in place for all cloud workloads that would disrupt business operations in the event of a failure.
- Backups should be stored in protected locations isolated from the production environment in multiple geographic locations to avoid a single point of failure.
- All enterprises should have plans for business continuity and disaster recovery
In addition, researchers predict that the industry will move away from point security solutions to cloud-native application protection platforms (CNAPPs) that provide a comprehensive set of capabilities across the application development lifecycle. Gartner backs up this assertion that there will be a significant uptick in CNAPP adoption, reporting a 70 percent increase in customer inquiries about CNAPPs between 2021 and 2022.
As the report makes clear, the only way to defend against the changing scope and severity of today's security threats is to stay one step ahead of the attackers perpetrating them. The full report is available for download at Unit 42 Cloud Threat Report, Volume 7 (registration required).
Advertising