Professional Documents
Culture Documents
Unit42 Cloud Security Trends Tips (Dec 2018)
Unit42 Cloud Security Trends Tips (Dec 2018)
Over just four months in mid-2018, there were multiple high-profile breaches
involving public cloud environments. It is important to note that none of these were
due to negligence on the part of the cloud service providers. This report highlights
key takeaways from these incidents, along with research by the cloud-focused
division of Palo Alto Networks Unit 42 threat research team, to shed light on current
and emerging trends.
29% 11%
of organizations had
32% 23% 46%
of organizations of organizations of organizations of organizations
experienced cryptojacking activity publicly exposed at have hosts missing accept traffic to
potential account within their least one cloud critical patches Kubernetes pods
compromises public cloud storage service in the cloud from any source
environments
27% 41%
to be vulnerable. Considering this, it is
worrisome that the research indicates 20
percent of organizations do not enforce of organizations of access keys
MFA for root users. This would be less of allow root have not been
an issue if organizations followed well- user activities rotated in more
established best practices that dictate
than 90 days
the use of root accounts should be
disallowed. However, the research also
shows that 27 percent of organizations
allow root user activities.
Unlike the breach described above, which was detected within days of the attack, some
incidents take months to discover. Consider a breach that occurred in December 2017, in
which an unauthorized user compromised an employee’s credentials and logged in from
an IP that resolved to the Netherlands. The unauthorized user went on to create an API
access key on the employee’s account, and then created a new user account, attached
administrator access to that account, and created an API access key on that account as
well. The unauthorized user performed reconnaissance over the next several months and
ultimately siphoned off personally identifiable information, including access keys to social
media sites. The day after the breach was discovered, the company that experienced the
incident began enforcing MFA on all accounts.
Rotating access keys every 90 days is important because it reduces the window of
exposure when credentials are compromised. However, our research reveals that 41
percent of access keys have not been rotated in more than 90 days. The research also
indicates that 38 percent of user accounts are dormant, having seen no activity in more
than 90 days. This is unsurprising as it is common for users to be granted access to an
environment to perform specific tasks, only for the administrator to forget to revoke
access once the tasks are completed.
Tips
4. Take advantage of machine learning to establish user and access key behavior
baselines as well as monitor for deviations to detect account compromises or
malicious insider activity.
26% 28%
price in late 2017 and early 2018 caught the
attention of hackers, who started scaling
up attacks in early 2018. However, the
of resources of databases
price drop seen in the latter half of the year do not restrict receive inbound
changed the economics of the attacks, outbound traffic connections from
making them less lucrative for hackers. at all the internet
Combined with greater awareness of the
threat and better detection capabilities, this
means hackers are being forced to consider
alternate revenue opportunities.
The team also observed that 28 percent of databases are receiving inbound
connections from the internet. In previous reports, this statistic varied between
31 and 37 percent. This goes against network architecture best practices and is a
common issue in public cloud environments. This issue can be attributed to the lack
of security oversight as developers create and deploy cloud resources on demand.
Tips
49% 32%
The bad news is that organizations are
still not employing best practices, such as
encryption, to protect sensitive data. 49
of databases of GDPR compliance
percent of databases are not encrypted, are not encrypted checks fail
which is exactly in line with the figure
from May 2018. Data encryption is an
important technique that could help meet
the pseudonymization requirement for the
GDPR and should be enforced as a security
best practice.
Clearly, organizations have a long way to go before they can claim compliance in their
public cloud environments.
1. Maintain a central asset inventory of all cloud resources across multiple cloud
providers.
23%
extreme advantage over their on-premises peers. As
part of the Shared Responsibility Model, cloud service
providers update their respective infrastructures of organizations
and services, providing an initial line of defense. have hosts missing
Organizations also need to address their obligations by critical patches
identifying and patching vulnerable hosts. However, the in the cloud
latest Unit 42 cloud research reveals that 23 percent of
organizations have hosts in the cloud that are missing
critical patches.
Tips
Tips
1. Follow the CIS best practices for configuring your managed and unmanaged
Kubernetes environments.
About Unit 42
Unit 42 is the global threat intelligence team at Palo Alto Networks. We believe threat intelligence should be
free, shared and available to all for the common good. We deliver high-quality, in-depth research on adversaries,
malware families and attack campaigns. Our analysts uncover and document adversary behaviors, and then
share playbooks that give insight into the various tools, techniques and procedures threat actors execute to
compromise organizations.
We share our findings freely so defenders everywhere can access world-class threat intelligence. Unit 42 is a
recognized authority on cyberthreats, frequently sought out by enterprises and government agencies around
the world.