75% Surge in Cloud Intrusions Driven by Identity-Based Attacks

Roland Daccache, Senior Manager for Sales Engineering at CrowdStrike MEA, discusses the latest Global Threat Report, which reveals a 75% increase in cloud intrusions driven by identity-based attacks. Threat actors exploit cloud vulnerabilities using valid credentials and social engineering. Effective defense requires advanced multifactor authentication, continuous monitoring, and comprehensive cloud security solutions.

What are the key findings from the latest Global Threat Report regarding cloud security? Can you provide an overview of the trends in cloud environment intrusions observed over the past year? What factors do you believe are contributing to the significant increase in cloud environment intrusions? How are threat actors leveraging identity-based attacks to gain persistent access to cloud environments?
The report revealed that as more businesses move to the cloud, adversaries are increasingly targeting the cloud. Cloud intrusions increased by 75% from 2022 to 2023. Adversaries’ preference for identity-based techniques is evident in their cloud-focused attacks. Adversaries often use valid credentials to access cloud-facing victim environments and then use legitimate tools to execute their attack — making it difficult for defenders to differentiate between normal user activity and a breach. Adversaries escalate privileges by obtaining access to additional identities from stored credentials, social engineering campaigns or insecure password-reset portals.

Are there specific industries or sectors that are more vulnerable to these cloud intrusions? If so, why?
In recent years, companies have pushed cloud transformation, rapidly pushing out projects and taking shortcuts in order to do so. Many of these cloud environments were built insecurely or with mistakes. We therefore are seeing threat actors targeting cloud environments, attempting to exploit weaknesses or mistakes.

How have the tactics, techniques, and procedures (TTPs) used by threat actors in cloud intrusions evolved recently?
As organizations increasingly move business to the cloud, adversaries are advancing their capabilities to exploit this and abuse features unique to the cloud, as well as exploiting gaps in cloud protection.

The adversary SCATTERED SPIDER, for example, predominantly drove cloud-conscious activity increases throughout 2023, accounting for 29% of total cases. Throughout the year, SCATTERED SPIDER demonstrated progressive and sophisticated tradecraft within targeted cloud environments to maintain persistence, obtain credentials, move laterally and exfiltrate data.

Can you elaborate on the advanced identity-based attacks mentioned in the report? What are the common vulnerabilities or weaknesses that attackers exploit in identity and access management systems? What specific techniques have been observed in persistent access methods related to identity-based attacks?
Adversaries have continued to move beyond malware to faster, more effective means such as identity attacks (phishing, social engineering and access brokers) and the exploitation of vulnerabilities and trusted relationships. This trend is apparent over the last five years, as malware-free activity represented 75% of detections in 2023 — up from 71% in 2022.

Adversaries spanning multiple motivations and regions continue to use phishing techniques spoofing legitimate users to target valid accounts, as well as other authentication and identifying data, to conduct their attacks. We observed an increased focus on social engineering, boosted by generative AI for more effective phishing. Adversaries improved their tactics and devised sophisticated methods, such as SIM-swapping, MFA bypass, and the theft of API keys, session cookies and Kerberos tickets to gain initial access.

We have several observations of cloud- and identity-focused activities categorized by the MITRE ATT&CK® enterprise tactics of Initial Access, Persistence, Privilege Escalation, Credential Access, Lateral Movement, Exfiltration and Impact.

Adversaries relied on valid credentials to achieve initial access and obtained these credentials via accidental credential leakage, brute-force attacks, phishing/social engineering, credential stealers, access brokers, insecure self-service password-reset services and insider threats. To, for example, maintain access to Azure and Microsoft 365, adversaries commonly achieved persistence at the identity level. Achieving persistence at the identity level is commonly achieved by registering additional authentication factors in Entra ID. SCATTERED SPIDER, for example, used an identity provider to establish persistence with a federated domain in Entra ID, initially relying on aadinternals Azure AD Backdoor. This provided them with persistent access to multiple Entra ID identities. Later, SCATTERED SPIDER transferred the concept to Okta and added a federated identity provider to a victim’s Okta tenant.
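
The identity-level persistence described above (extra authentication factors registered on an account, and federation settings changed on a tenant) leaves traces in the tenant's audit log. The following is an added example, not code from the report or from CrowdStrike: it parses newline-delimited audit records, skips malformed lines, and flags the two patterns with a severity that depends on who performed the change and from where. The field names (`activityDisplayName`, `initiatedBy`, `targetResources`, `ipAddress`) and the activity strings are assumptions modelled on Entra ID audit log JSON, and the sample records, the IP baseline and the admin list are constructed; confirm the names against your own tenant's export before using them.

```python
"""Flag identity-level persistence signals in an Entra ID audit log export.

Added example, not from the report or CrowdStrike. Field and activity names
are assumptions modelled on Entra ID audit JSON; verify against real exports.
"""
import json

# Assumed activityDisplayName values for tenant-wide federation changes.
FEDERATION_ACTIVITIES = {"Set domain authentication", "Add unverified domain"}
# Assumed activityDisplayName for registering an additional MFA method.
MFA_REGISTRATION = "User registered security info"


def parse_audit_lines(lines):
    """Parse newline-delimited JSON records; return (records, skipped_count)."""
    records, skipped = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1  # never let one bad line abort the whole review
    return records, skipped


def _initiator(rec):
    return ((rec.get("initiatedBy") or {}).get("userPrincipalName") or "").lower()


def _targets(rec):
    return [(t.get("userPrincipalName") or "").lower() for t in rec.get("targetResources", [])]


def find_persistence_signals(records, federation_admins, known_ips):
    """Return (severity, timestamp, actor, activity, reason) tuples.

    federation_admins: accounts expected to change domain federation settings.
    known_ips: user -> set of IPs previously seen for that user (the baseline).
    """
    findings = []
    for rec in records:
        activity = rec.get("activityDisplayName", "")
        actor, ip, ts = _initiator(rec), rec.get("ipAddress", ""), rec.get("activityDateTime", "")
        if activity in FEDERATION_ACTIVITIES:
            # Federation changes are rare and tenant-wide: always worth review,
            # and high severity when an unexpected account performs them.
            sev = "medium" if actor in federation_admins else "high"
            findings.append((sev, ts, actor, activity, "domain federation settings changed"))
        elif activity == MFA_REGISTRATION:
            for target in _targets(rec):
                if target and target != actor:
                    findings.append(("high", ts, actor, activity,
                                     f"authentication method registered on another account: {target}"))
                elif ip and ip not in known_ips.get(actor, set()):
                    findings.append(("medium", ts, actor, activity,
                                     f"self-registration from unfamiliar IP {ip}"))
                else:
                    findings.append(("low", ts, actor, activity, "self-registration from a known IP"))
    return findings


def _rec(ts, activity, actor, target, ip):
    return json.dumps({"activityDateTime": ts, "activityDisplayName": activity,
                       "initiatedBy": {"userPrincipalName": actor},
                       "targetResources": [{"userPrincipalName": target}], "ipAddress": ip})


# Constructed sample export (documentation IP ranges, fictitious accounts).
SAMPLE_AUDIT_LINES = [
    _rec("2024-03-04T09:12:00Z", MFA_REGISTRATION, "alice@example.com", "alice@example.com", "203.0.113.10"),
    _rec("2024-03-04T21:40:00Z", MFA_REGISTRATION, "alice@example.com", "alice@example.com", "198.51.100.7"),
    _rec("2024-03-05T03:02:00Z", MFA_REGISTRATION, "helpdesk@example.com", "bob@example.com", "198.51.100.7"),
    _rec("2024-03-05T03:05:00Z", "Set domain authentication", "bob@example.com", "example.com", "198.51.100.7"),
    "this line is not JSON",
    _rec("2024-03-05T08:00:00Z", "Update user", "admin@example.com", "carol@example.com", "203.0.113.20"),
]
FEDERATION_ADMINS = {"admin@example.com"}
KNOWN_IPS = {"alice@example.com": {"203.0.113.10"}, "admin@example.com": {"203.0.113.20"}}


def review(lines=SAMPLE_AUDIT_LINES, admins=FEDERATION_ADMINS, baseline=KNOWN_IPS):
    records, skipped = parse_audit_lines(lines)
    return find_persistence_signals(records, admins, baseline), skipped


if __name__ == "__main__":
    findings, skipped = review()
    print(f"{len(findings)} finding(s), {skipped} malformed line(s) skipped")
    for f in findings:
        print(*f, sep=" | ")
```

On the constructed sample this yields one low, one medium and two high findings, and reports the malformed line rather than failing on it. The baseline of known IPs is the part that needs real data: without a per-user history, a self-registration cannot be told apart from the attacker adding a factor after stealing a session, which is exactly the activity the report describes.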

What best practices would you recommend for organizations to defend against cloud intrusions and identity-based attacks?
To defend against intrusions and identity-based attacks, organizations must implement phishing-resistant multifactor authentication and extend it to legacy systems and protocols, educate teams on social engineering, and implement technology that can detect and correlate threats across identity, endpoint and cloud environments. Addressing sophisticated access methods such as SIM swapping, MFA bypass and the theft of API keys requires proactive and continuous hunting for malicious behaviour.

When it comes to cloud, businesses need full cloud visibility, including into applications and APIs, to eliminate misconfigurations, vulnerabilities and other security threats. CNAPPs are critical: cloud security tools shouldn’t exist in isolation, and CNAPPs provide a unified platform that simplifies monitoring, detecting and acting on potential cloud security threats and vulnerabilities. Selecting a CNAPP that includes pre-runtime protection, runtime protection and agentless technology helps discover and map apps and APIs running in production, showing all attack surfaces, threats and critical business risks.

Are there any specific CrowdStrike solutions or services that you would recommend for bolstering cloud security against these types of threats?
There are several CrowdStrike solutions that can bolster cloud security. CrowdStrike Falcon Cloud Security provides a full view of cloud infrastructure, workloads and applications and prevents misconfigurations from the start to stop cloud breaches at runtime. Falcon Cloud Security contextualizes vulnerabilities and weaknesses based on exploitability and impact, and also eliminates silos and empowers diverse teams to remediate the riskiest issues first. Cloud threats are stopped in real time with advanced runtime protection built on the same revolutionary unified agent as CrowdStrike’s leading EDR and identity protection, providing deep visibility across the entire cloud-native stack.

What role does continuous monitoring and threat intelligence play in protecting cloud environments?
Continuous monitoring and threat intelligence are highly important when it comes to protecting cloud environments, as they provide real-time visibility into activities and threats. Through continuous monitoring, organizations can detect anomalies and potential threats early. On the other hand, threat intelligence enhances proactive defences by providing insights into emerging threats, as well as trends in attacks.

Based on the findings of the report, what are your predictions for the future landscape of cloud security threats?
Adversaries will likely continue to target and abuse trusted relationships. The high ROI for these attacks, particularly in terms of access to potential downstream compromises relative to the limited effort required to compromise one target, will likely motivate attacks throughout 2024. Regarding those at risk of the exploitation, CrowdStrike foresees that organizations operating in the technology sector will be most vulnerable.

What emerging technologies or strategies should organizations be aware of to stay ahead of potential threats?
Organizations should have full cloud visibility, including into applications and APIs, to eliminate misconfigurations, vulnerabilities and other security threats. Key to this is Cloud-Native Application Protection Platforms (CNAPPs). CNAPPs provide a unified platform that simplifies monitoring, detecting and acting on potential cloud security threats and vulnerabilities. Organizations can select a CNAPP that includes pre-runtime protection, runtime protection and agentless technology.