Attackers Exploit Cloud Credential Exposure and ‘Over-Permissioning,’ Experts Warn

Attackers don’t need to hack into a network when they can simply log in – a mounting reality for cyber defenders who see hackers ignoring their digital walls and moats and crossing unbidden into the network.
Failing to keep user identity secure has become “a critical point of failure” inside organizations, says a Tuesday report from threat intel firm ReliaQuest.
The firm found that 44% of all “true-positive security alerts” during the third quarter traced to some type of identity issue, as did 33% of raw alerts, meaning they might not have been malicious but still needed to be triaged. Having identity be “both the top cause of confirmed breaches and the noisiest source of alerts” creates a burden that “overwhelms security teams and drives up operational costs.”
Attackers keep targeting cloud-based identities to help them bypass endpoint and network defenses, says an August report from cybersecurity firm CrowdStrike. That report counts a 136% increase in cloud intrusions over the preceding 12 months, plus a 40% year-on-year increase in cloud intrusions tied to threat actors likely working for the Chinese government.
“The cloud is a priority target for both criminals and nation-state threat actors,” said Adam Meyers, head of counter adversary operations at CrowdStrike (see: Nation-State, Cyber and Hacktivist Threats Pummel Europe).
ReliaQuest sees two primary challenges at play: credentials for cloud environments are often stolen or exposed, and attackers are too easily able to escalate privileges.
Cloud credential exposure comes in many forms: secrets hard-coded into source repositories, leaked through log files or misconfigured applications, stolen via malicious software packages, or harvested by info-stealing malware. In the first half of this year alone, infostealers harvested more than 1.8 billion credentials from 5.8 million infected hosts and devices, reported threat intelligence firm Flashpoint (see: Infostealers Run Wild).
Repeat ‘Over-Permissioning’ Problem
Failing to maintain least-access principles is also a challenge. “Identity-related privilege escalation accounted for 52% of all confirmed identity-based alerts, with the root cause being the overwhelming availability of over-privileged identities,” ReliaQuest said, based on its third quarter research.
Cloud-based identities with too much access are a longstanding problem. Palo Alto’s Unit 42 threat intelligence group in 2022 studied 680,000 identities across 18,000 cloud accounts from over 200 different organizations and found that “99% of the cloud users, roles, services and resources were granted excessive permissions.”
A more recent study of organizations’ use of public cloud resources found that “on average, 92% of all identities with access to sensitive permissions did not use them over 90 days,” suggesting that the vast majority of cloud identities remain over-permissioned.
A further complication is that many cloud identities legitimately require elevated permissions, which puts organizations at greater risk whenever those identities’ credentials are exposed.
Take security operations centers and incident response teams. In general, while “the principle of least privilege and minimal manual access” is a best practice, first responders often need immediate and “necessary access,” says an August report from Darktrace. “Security teams need access to logs, snapshots and configuration data to understand how an attack unfolded, but giving blanket access opens the door to insider threats, misconfigurations and lateral movement.”
Rather than always allowing such access, experts recommend using tools that only provide it when needed, for example, through Amazon Web Services’ Security Token Service. “Leveraging temporary credentials, such as AWS STS tokens, allows for just-in-time access during an investigation” that can be automatically revoked after, which “reduces the window of opportunity for potential attackers to exploit elevated permissions,” Darktrace said.
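What a just-in-time session of that kind looks like in practice, as an added example that is not code from Darktrace or the article: the script below builds the AssumeRole request for a hypothetical pre-provisioned incident-response role, attaches an inline session policy that narrows the role to the read-only actions a responder needs, caps the session lifetime, and models how IAM combines the role policy with the session policy (the effective permission is the intersection, so a session policy can only subtract). The role ARN, action lists and investigator name are assumptions; resource-level conditions, explicit denies and permission boundaries are left out of the simplified evaluation.

```python
"""Just-in-time, scoped-down AWS STS session for incident response.

Added example, not from the article or Darktrace. The role ARN, action
lists and investigator name are hypothetical. Builds the assume_role
request and models how a session policy narrows (never widens) the role.
"""
import fnmatch
import json
from datetime import datetime, timezone

# Hypothetical role an admin pre-provisions for incident responders.
IR_ROLE_ARN = "arn:aws:iam::123456789012:role/IncidentResponseReadOnly"

# Hypothetical permissions attached to that role: this is the ceiling.
ROLE_ACTIONS = [
    "logs:*",
    "ec2:DescribeSnapshots",
    "ec2:DescribeInstances",
    "ec2:CreateSnapshot",
    "config:Get*",
    "config:Describe*",
]

# What a responder actually needs for a log-and-snapshot review: read only.
INVESTIGATION_ACTIONS = [
    "logs:DescribeLogGroups",
    "logs:FilterLogEvents",
    "logs:GetLogEvents",
    "ec2:DescribeSnapshots",
    "config:GetResourceConfigHistory",
    "s3:GetObject",  # not granted by the role; shows it cannot be added here
]


def build_session_policy(actions):
    """Inline session policy passed to AssumeRole; it can only subtract."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}],
    }


def build_assume_role_request(investigator, incident_id, minutes=60):
    """Keyword arguments for boto3.client("sts").assume_role(**request).

    DurationSeconds must be 900..43200 and within the role's configured
    maximum; a short session limits how long a leaked token stays useful.
    """
    seconds = minutes * 60
    if not 900 <= seconds <= 43200:
        raise ValueError("session length must be between 15 minutes and 12 hours")
    return {
        "RoleArn": IR_ROLE_ARN,
        "RoleSessionName": f"ir-{incident_id}-{investigator}",
        "Policy": json.dumps(build_session_policy(INVESTIGATION_ACTIONS)),
        "DurationSeconds": seconds,
        "Tags": [{"Key": "incident", "Value": incident_id}],
    }


def _matches(action, patterns):
    """IAM action names are case-insensitive and patterns may use '*'."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def effective_allowed(action, role_actions=ROLE_ACTIONS, session_actions=INVESTIGATION_ACTIONS):
    """Simplified IAM evaluation: allowed by the role AND by the session policy."""
    return _matches(action, role_actions) and _matches(action, session_actions)


def session_expired(expiration, now=None):
    """Compare Credentials.Expiration from the STS response with the clock."""
    now = now or datetime.now(timezone.utc)
    return now >= expiration


if __name__ == "__main__":
    req = build_assume_role_request("alice", "inc-1042")
    print(json.dumps(req, indent=2))
    # To mint the credentials for real: boto3.client("sts").assume_role(**req)
    for a in ["logs:GetLogEvents", "ec2:CreateSnapshot", "s3:GetObject", "ec2:TerminateInstances"]:
        print(f"{a:28} allowed={effective_allowed(a)}")
```

Revocation after the investigation does not need a separate API call: the temporary credentials simply stop working at the expiration time, and the tag on the session makes the activity attributable to one incident in CloudTrail.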
Other dedicated technology exists to help manage these challenges, including in the form of cloud infrastructure entitlement management tools now being offered by numerous vendors. As market researcher Forrester notes: “To manage the risk of over privileged access and configuration errors, CIEM enforces least-privilege access, automates policy enforcement and monitors entitlements.”
More focused vulnerability management can help too. Based on studies of its customers’ environments, ReliaQuest found that over 70% of cloud security tool alerts in Q3 traced to just these four flaws:
- Log4Shell (CVE-2021-44228): This vulnerability in a Java library facilitates unauthenticated, remote code execution;
- OpenSSH (CVE-2024-6387): Enables remote code execution in OpenSSH servers;
- Microsoft Windows (CVE-2023-36884): Attackers can use specially crafted files to execute code remotely;
- Jenkins (CVE-2024-23897): Command-line-interface arbitrary file read vulnerability can lead to remote code execution on Jenkins servers.
ReliaQuest said one immediate fix more organizations need to put in place is automated security tooling throughout the DevOps pipeline, to prevent these types of vulnerabilities from persisting in containerized images. Regularly scanning all cloud images and DevOps templates can also stop such flaws from being reintroduced.
“While the top CVEs aren’t exclusive to the cloud, automation magnifies their impact” across virtualized environments, it said.
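One concrete shape for that pipeline gate, as an added example that is not code from ReliaQuest or the article: a Python script that reads a Trivy-style JSON scan report covering both a container image and an infrastructure template, and fails the build on HIGH or CRITICAL findings or on any of the four CVEs listed above regardless of severity. The field names follow Trivy's JSON output (Results, Vulnerabilities, Misconfigurations); the report embedded here is constructed, the image name and template path are hypothetical, and the misconfiguration check IDs are placeholders.

```python
"""CI gate over a Trivy-style JSON report.

Added example, not from the article or ReliaQuest. SAMPLE_REPORT is
constructed; its field names follow Trivy's JSON output. The image name,
template path and misconfiguration IDs are placeholders.
"""
import json
import sys

# The four CVEs the article says sit behind most cloud tool alerts.
WATCHLIST = {"CVE-2021-44228", "CVE-2024-6387", "CVE-2023-36884", "CVE-2024-23897"}
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed report: one image scan and one IaC template scan.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "registry.example/app:1.4 (jar)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2021-44228", "PkgName": "log4j-core",
                 "InstalledVersion": "2.14.1", "FixedVersion": "2.15.0",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-2024-23897", "PkgName": "jenkins",
                 "InstalledVersion": "2.441", "FixedVersion": "2.442",
                 "Severity": "CRITICAL"},
            ],
        },
        {
            "Target": "deploy/ec2.tf",
            "Misconfigurations": [
                {"ID": "placeholder-open-sg", "Severity": "HIGH",
                 "Title": "Security group allows ingress from 0.0.0.0/0"},
                {"ID": "placeholder-no-tags", "Severity": "LOW",
                 "Title": "Resource has no tags"},
            ],
        },
    ]
})


def evaluate_report(report_json, blocking=BLOCKING_SEVERITIES, watchlist=WATCHLIST):
    """Return (passed, blocked) where blocked lists each finding and why it blocks."""
    blocked = []
    for result in json.loads(report_json).get("Results", []):
        target = result.get("Target", "?")
        # Package vulnerabilities: block on severity or on the watch list.
        for v in result.get("Vulnerabilities") or []:
            vid, sev = v["VulnerabilityID"], v.get("Severity", "UNKNOWN")
            reasons = []
            if vid in watchlist:
                reasons.append("watchlist")
            if sev in blocking:
                reasons.append(sev)
            if reasons:
                fix = v.get("FixedVersion") or "no fix available"
                blocked.append(f"{target}: {vid} in {v['PkgName']} {v['InstalledVersion']} "
                               f"({', '.join(reasons)}; fix: {fix})")
        # IaC misconfigurations: block on severity only.
        for m in result.get("Misconfigurations") or []:
            if m.get("Severity") in blocking:
                blocked.append(f"{target}: {m['ID']} {m.get('Title', '')} ({m['Severity']})")
    return (not blocked, blocked)


def main(argv):
    """Read a report from a path (or use the constructed sample) and set the exit code."""
    report = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    passed, blocked = evaluate_report(report)
    for line in blocked:
        print("BLOCK", line)
    print("gate:", "pass" if passed else f"fail ({len(blocked)} blocking findings)")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it in the image-build and template-validation stages with the scanner's JSON output as the argument; a non-zero exit stops the pipeline before the image is pushed or the template is applied, which is the point of catching these flaws before they reach cloud environments.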