A targeted attack can begin within five minutes of credential discovery, and within another five minutes the attackers have achieved their goal. That is the finding of Sysdig's 2023 Global Cloud Threat Report, which examined cloud-based attacks.
“Using their worldwide honeynets, the Sysdig [Threat Research Team] shed light on an alarming truth: Attacks in the cloud are lightning fast, with mere minutes being the difference between detection and serious damage,” Michael Clark, director of threat research at Sysdig, wrote in a blog post.
According to Sysdig, attackers can move through their attacks this quickly because they use automated reconnaissance and discovery tools. These tools find attack opportunities for them, such as publicly exposed credentials.
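The defender's counterpart to automated credential discovery is to find exposed credentials before an attacker's scanner does. The following is an added example, not code from the article or from Sysdig: a small scanner that looks for AWS access key IDs (the documented `AKIA`/`ASIA` prefix format) and for 40-character high-entropy strings that look like secret access keys, suitable for a pre-commit hook or CI step. The sample configuration file, the entropy threshold of 3.5 bits and the redaction format are assumptions made for this example; the key values are AWS's published documentation examples, not live credentials.

```python
import math
import re
import sys

# Constructed sample of a credentials file an engineer might commit by mistake.
# The key values are the examples AWS uses in its own documentation.
SAMPLE_FILE = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
placeholder_secret = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

# Long-term access key IDs start with AKIA, temporary ones with ASIA,
# followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 characters from the base64 alphabet. The pattern
# alone is too loose, so candidates are additionally filtered by entropy.
SECRET_CANDIDATE_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"
)

# Assumed threshold (bits per character); real keys score well above it,
# padding strings such as "aaaa..." score near zero.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s, estimated from its own histogram."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only the ends so a finding can be recognised without re-leaking it."""
    return f"{value[:4]}...{value[-4:]}"


def scan_text(text: str) -> list:
    """Return a list of findings: dicts with line number, kind and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "value": redact(m.group())})
        for m in SECRET_CANDIDATE_RE.finditer(line):
            if shannon_entropy(m.group()) >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "kind": "aws_secret_access_key",
                                 "value": redact(m.group())})
    return findings


def scan_paths(paths: list) -> dict:
    """Scan each file path and map it to its findings (files that fail to open are skipped)."""
    results = {}
    for path in paths:
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                results[path] = scan_text(fh.read())
        except OSError:
            continue
    return results


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the given files.
    targets = sys.argv[1:]
    report = scan_paths(targets) if targets else {"<sample>": scan_text(SAMPLE_FILE)}
    exit_code = 0
    for path, found in report.items():
        for f in found:
            print(f"{path}:{f['line']}: {f['kind']} {f['value']}")
            exit_code = 1
    sys.exit(exit_code)
```

The non-zero exit code is what makes this useful as a commit or pipeline gate: a hit blocks the push rather than being discovered later by someone else's scanner. The entropy filter is what keeps the 40-character pattern from firing on placeholders and padding.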
Besides getting faster, attackers are also operating more stealthily. Because cloud environments are already so complex, blending in is not difficult. For example, they can use a target's own cloud services and policies to move through its environment, Sysdig explained.
Attackers have also been observed obfuscating their IP addresses so that traffic appears benign, which evades the target's traditional security controls.
Sysdig also found an instance of an attacker using AWS CloudFormation for privilege escalation. “Roles might be locked down, but if the organization is using CloudFormation, it may offer another route to get the privileges the attacker needs,” Clark wrote.
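One preventive control against the CloudFormation route is to review what privileges a template would create before the stack is deployed. The following is an added example, not part of the article or Sysdig's tooling: a checker that walks a template's `Resources` and flags IAM resources that attach `AdministratorAccess`, whose trust policy lets any principal assume the role, or whose permission policies grant wildcard or privilege-escalating actions (such as `iam:PassRole`) on `Resource: "*"`. The sample template, the logical IDs in it and the set of actions treated as escalation-relevant are assumptions for this example; the account ID is AWS's documentation placeholder.

```python
import json
import sys

# Constructed sample template in JSON form: one tightly scoped role and two
# resources a reviewer would want flagged before the stack is created.
SAMPLE_TEMPLATE = {
    "Resources": {
        "LogReaderRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {"Statement": [{
                    "Effect": "Allow",
                    "Principal": {"Service": "lambda.amazonaws.com"},
                    "Action": "sts:AssumeRole"}]},
                "Policies": [{"PolicyName": "ReadLogs", "PolicyDocument": {"Statement": [{
                    "Effect": "Allow",
                    "Action": ["logs:GetLogEvents"],
                    "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/app/*"}]}}],
            },
        },
        "BuildRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {"Statement": [{
                    "Effect": "Allow",
                    "Principal": {"AWS": "*"},
                    "Action": "sts:AssumeRole"}]},
                "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"],
            },
        },
        "DeployPolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "PolicyDocument": {"Statement": [{
                    "Effect": "Allow",
                    "Action": ["iam:PassRole", "cloudformation:*"],
                    "Resource": "*"}]},
            },
        },
    }
}

IAM_TYPES = {"AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group",
             "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"}
ADMIN_MANAGED_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
# Assumed list: actions that, combined with Resource "*", let a principal
# widen its own or another principal's permissions. Compared case-insensitively.
ESCALATION_ACTIONS = {"*", "iam:*", "iam:passrole", "iam:createpolicyversion",
                      "iam:attachrolepolicy", "iam:putrolepolicy", "sts:assumerole"}


def as_list(value):
    """IAM documents allow a scalar wherever a list is accepted; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal) -> bool:
    """True if the trust statement lets any AWS principal assume the role."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS"))
    return False


def policy_documents(props: dict):
    """Yield (name, document) for inline policies and standalone policy resources."""
    for pol in as_list(props.get("Policies")):
        yield pol.get("PolicyName", "inline"), pol.get("PolicyDocument", {})
    if "PolicyDocument" in props:
        yield "PolicyDocument", props["PolicyDocument"]


def find_risky_iam(template: dict) -> list:
    """Return (logical_id, reason) pairs for IAM resources that need review."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") not in IAM_TYPES:
            continue
        props = res.get("Properties", {})
        if ADMIN_MANAGED_POLICY in as_list(props.get("ManagedPolicyArns")):
            findings.append((logical_id, "attaches AdministratorAccess managed policy"))
        for st in as_list(props.get("AssumeRolePolicyDocument", {}).get("Statement")):
            if st.get("Effect") == "Allow" and principal_is_wildcard(st.get("Principal")):
                findings.append((logical_id, "trust policy allows any principal to assume the role"))
        for name, doc in policy_documents(props):
            for st in as_list(doc.get("Statement")):
                if st.get("Effect") != "Allow":
                    continue
                actions = {str(a).lower() for a in as_list(st.get("Action"))}
                resources = {str(r) for r in as_list(st.get("Resource"))}
                risky = sorted(actions & ESCALATION_ACTIONS)
                if risky and "*" in resources:
                    findings.append((logical_id, f"{name}: {risky} on Resource *"))
    return findings


if __name__ == "__main__":
    # Pass a JSON template path to check it; with no argument the sample is checked.
    template = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    for logical_id, reason in find_risky_iam(template):
        print(f"{logical_id}: {reason}")
```

Running it on the sample reports `BuildRole` twice (the admin policy and the open trust policy) and `DeployPolicy` once for `iam:PassRole` on `Resource: "*"`, while `LogReaderRole` passes. The check reads JSON; YAML templates with CloudFormation intrinsic tags need a YAML loader that understands those tags before the same logic applies.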
Sysdig also reported that runtime analysis found 10% more hidden malicious images than static analysis and vulnerability scanning had caught, indicating that companies need to make greater use of runtime analysis.
“Attackers are embracing and taking full advantage of the same cloud resources that defenders and security managers are using. They will only continue to become more savvy as cloud-native tools and applications are the primary means of networks and security. As CSPs and security vendors continue to improve their security offerings, we expect to continue seeing supply chain compromises as a priority for both attackers and defenders alike,” Clark wrote.