
Cloud Threat Hunting and Defense Landscape Research Report


Cloud Threat Hunting and Defense Landscape
By Insikt Group®

Vulnerability and misconfiguration scanning campaigns, alongside initial access brokers, represent the primary means by which threat actors obtain cloud credentials.

Threat actors targeting cloud environments rely mainly on exploiting misconfigurations and employing coercion tactics for initial access.

As organizations increasingly adopt cloud infrastructure, they encounter novel and unique security challenges that threat actors are actively exploiting.

Executive Summary

In a review of recently observed attack methods, Insikt Group identified five attack vectors that currently pose the greatest potential threat to cloud environments. Three of these attack methods, vulnerability exploitation, endpoint misconfiguration, and credential abuse leading to account takeover, can grant threat actors initial access. In certain circumstances, these three attack methods can also be employed following initial access to gain increased permissions within a cloud environment, modify the cloud environment, and allow lateral movement, either to additional cloud environments, traditional on-premise environments, or user devices. The two remaining attack methods, cloud abuse and cloud ransomware, demonstrate impact actions threat actors can perform within a cloud environment.

Hunting for each of these threats often requires the implementation of robust logging within cloud environments to ensure that data such as network communications, user access, and cloud service usage metrics can be readily accessed and scrutinized for aberrations. Log data assists both in proactive discovery of suspicious activity originating at the edge of cloud environments, such as in instances where misconfiguration and vulnerability scanning occur, and in identifying instances where cloud accounts and resources are abused for malicious purposes.
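The edge-log hunting described above, as an added example that is not code from the Insikt Group report: a sliding-window check over constructed, simplified access-log lines that flags a client requesting many distinct paths with mostly 4xx responses within a minute, the typical footprint of automated misconfiguration scanning. The log format, thresholds and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample access log (not real data), simplified ALB-style fields:
# <timestamp> <client-ip> <method> <path> <status>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 GET /admin/ 403
2024-05-01T10:00:02Z 203.0.113.7 GET /backup.zip 404
2024-05-01T10:00:02Z 203.0.113.7 GET /config.json 404
2024-05-01T10:00:03Z 203.0.113.7 GET /console 404
2024-05-01T10:00:03Z 203.0.113.7 GET /debug 403
2024-05-01T10:00:04Z 203.0.113.7 GET /login 404
2024-05-01T10:00:10Z 198.51.100.4 GET /index.html 200
2024-05-01T10:00:11Z 198.51.100.4 GET /app.js 200
2024-05-01T10:00:12Z 198.51.100.4 GET /api/items 200
this line is malformed and must be skipped
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def parse_lines(text):
    """Parse log lines into (time, ip, method, path, status); skip malformed ones."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, method, path, status = m.groups()
            events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, method, path, int(status)))
    return events

def find_scanners(events, window=timedelta(seconds=60), min_paths=5, min_error_ratio=0.8):
    """Flag IPs hitting many distinct paths inside `window` with mostly 4xx responses (automated probing)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()                       # chronological order for this client
        start = 0
        for end in range(len(evs)):      # sliding window over the client's requests
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            paths = {e[3] for e in win}
            ratio = sum(400 <= e[4] < 500 for e in win) / len(win)
            if len(paths) >= min_paths and ratio >= min_error_ratio:
                prev = flagged.get(ip)   # keep the widest window seen for this client
                if prev is None or len(paths) > prev["distinct_paths"]:
                    flagged[ip] = {"distinct_paths": len(paths), "error_ratio": round(ratio, 2)}
    return flagged
```

Feed real edge logs (after mapping their fields into the same tuple) into find_scanners and tune window and thresholds to the traffic profile of the environment.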
To mitigate threats from impacting cloud environments, proper configuration of the environment is paramount, both at the edge of the cloud environment, including the methods by which users and services interact with the environment, and within the environment itself. Cloud environments that are configured appropriately minimize the risk of initial access and can significantly limit the malicious actions a threat actor is capable of performing post-initial access. Additionally, the most common cloud platforms provide native services focused on security for cloud environments, such as web application firewalls (WAF), identity and access management (IAM) services, secrets storage and management suites, and secure data connectors for hybridized cloud environments, that allow cloud architects to mitigate the threats discussed in this report with relative ease.

Key Findings

● Most initial compromises start with exposed or misconfigured cloud endpoints, with attackers using open-source scanners to identify misconfigured endpoints.
● Stolen or weak credentials, often gathered from initial access brokers (IABs) and previous malicious actions performed by the attacker, remain the fastest path to full-tenant cloud takeover.
● Threat actors increasingly abuse legitimate SaaS and IaaS resources, shifting costs to the owners of victimized environments and abusing resources to complicate the detection of follow-on malicious actions, such as phishing campaigns.
● Ransomware groups have adopted cloud-native tactics, encrypting S3 and Azure storage directly and disabling backups to maximize leverage.
● Hybrid infrastructure lets attackers pivot seamlessly between on-premise and multi-cloud environments, so visibility and controls must extend beyond the cloud environment to the devices and services that access it.

Introduction

During the past decade, a steady shift from traditional on-premise IT infrastructure to cloud-based infrastructure and hybrid cloud infrastructure has taken place.
According to PwC's 2023 Cloud Business Survey, 39% of private respondents stated that the entirety of their operations had been moved to cloud environments. Cloud computing has become a trusted and integral part of many corporations' day-to-day operations. Since the time of PwC's reporting, cloud computing as an industry has only grown, with no signs of slowing.

The breadth of cloud products and the depth of services provided by cloud environments continue to grow daily. In a joint study conducted by Amazon and Telecom Advisory Services, cloud adoption accounted for a total of $1 trillion in the global gross domestic product, with a projected increase to $12 trillion between 2024 and 2030. This estimate indicates that traditional computing environments will continue to migrate to cloud environments rapidly in the coming years and that demand for cloud computing resources will continue to increase for the foreseeable future.

The success of cloud computing can be squarely attributed to the benefits that adopters are provided. When properly configured, cloud environments allow their adopters to shift costs associated with traditional on-premise env