Sysdig, the leader in cloud security powered by runtime insights, recently released the 2023 Global Cloud Threat Report, which revealed that the average time from recon to attack completion is now merely 10 minutes. The Sysdig Threat Research Team used worldwide honeynets for the report, shedding light on the frightening reality of cloud security: cloud breaches can be lightning fast, with enterprises having minutes to respond between detection and severe damage.
The same features that attract enterprises to the cloud are being taken advantage of by cloud attackers. Defenders need to secure their entire software development life cycle (SDLC), but attackers only need one successful attempt, which is made easier by automation.
Here are some of the key takeaways from the report:
- Cloud automation is being weaponized: Cloud attacks happen quickly, and recon and discovery are even quicker. Automating these techniques allows attackers to act as soon as they find a gap in the target system. The first indication that something is amiss is a recon alert, but a discovery alert indicates that any response has come too late.
- Attacks are initiated in 10 minutes: Cloud attackers are fast and opportunistic, initiating attacks within just 10 minutes. This leaves a small window within which security teams can respond to minimize damage.
- 90% isn’t safe enough for a supply chain: Standard tools are unable to detect 10% of advanced supply chain threats. Attackers use evasive techniques to hide malicious code until an image is deployed, and identifying this type of malware requires runtime analysis.
- Telcos and fintech constitute 65% of cloud attack targets: Both telecommunication and finance companies hold valuable information that offer malicious actors an opportunity to quickly profit. These industries make lucrative targets for fraud schemes.
“Cloud-native attackers are ‘everything-as-code’ experts and automation fans, significantly reducing their time to impact on the target systems and increasing the potential blast radius. Open source detection-as-code approaches like Falco are how blue teams can stay ahead in the cloud,” says Alessandro Brucato, a Threat Research Engineer at Sysdig.
“The reality is, attackers are good at exploiting the cloud. It’s not just that they can script recon and autodeploy cryptominers and other malware, but they take the tools that unleash the power of the cloud for good and turn them into weapons. Abusing infrastructure-as-code to bypass protective policies is one example,” says Michael Clark, Director of Threat Research at Sysdig.
The 2023 Global Cloud Threat Report is based on data collected between October 2022 and June 2023 through open source intelligence (OSINT) and Sysdig’s global data collection, along with other publicly available information from the Falco open source community. The research covered Asia, Australia, the European Union, Japan, North and South America, and the United Kingdom.
