Chaos in the Cloud: Rampant Cloud Activity Requires Modern Protection

Digital transformation isn’t only for the good guys. Adversaries are undergoing their own digital transformation to exploit modern IT infrastructures — a trend we’re seeing play out in real time as they increasingly adapt their knowledge and tradecraft to exploit cloud environments.  

According to the CrowdStrike 2023 Global Threat Report, observed cloud exploitation cases grew by 95% over the previous year. Likewise, cases involving cloud-conscious actors — adversaries who are aware of their ability to compromise cloud workloads and use this knowledge to abuse features unique to the cloud — nearly tripled from 2021. 

How are they getting in? Throughout 2022, cloud-conscious actors primarily obtained initial access to target cloud environments by using existing valid accounts, resetting passwords, or exploiting public-facing applications such as web servers and then placing webshells or reverse shells for persistence. 

These types of credential-based intrusions against cloud environments are among the more prevalent exploitation vectors used by eCrime and targeted intrusion adversaries. Criminal actors routinely host fake authentication pages to harvest legitimate credentials for cloud services such as Microsoft Office 365, Okta or webmail accounts. Actors then use these credentials to attempt to access victim accounts.

And when they succeed, data shows their activity is not limited to the cloud. There is increasing evidence that adversaries are growing more confident leveraging traditional endpoints to pivot to cloud infrastructure. The reverse is also true: cloud infrastructure is being used as a gateway for lateral movement to traditional endpoints. It’s clear that cloud is an increasingly dangerous attack vector that must be fully protected as part of a holistic security strategy.

Complete Protection for Modern Cloud Environments

To protect cloud and hybrid environments, IT and security leaders need cloud-native technologies and a cloud-focused mindset — both of which must be rooted in maintaining flexibility, scalability and consistency across their IT infrastructure. This is where a combined agent-based and agentless approach to cloud security delivers the most comprehensive protection.

CrowdStrike Falcon® Cloud Security provides agent-based and agentless cloud security for the modern enterprise in a single platform. Why both? Because today’s IT and security teams must enforce continuous monitoring and security from the development process to runtime. An agent-only approach typically falls short here due to the rate of change seen in modern cloud environments. Not only are cloud resources routinely spun up and taken down, but teams have to account for short-lived containers and serverless functions as they come in and out of existence.

A complicating factor is that IT and security teams typically don’t have access to or control over all the hosts in an environment, and therefore can’t deploy agents on them. This lack of coverage creates security blind spots that attackers can exploit. 

An agentless approach is equally ineffective on its own, as it offers only partial visibility and lacks remediation capabilities. Plus, agentless security relies on snapshots of cloud environments taken at set intervals. Given the average breakout time for interactive eCrime intrusion activity declined from 98 minutes in 2021 to 84 minutes in 2022, adversaries could presumably slip into a cloud environment unnoticed and move laterally on their path to removing access to accounts, terminating services, stealing or destroying data and deleting resources.

By combining agentless scanning with agent-driven protection, CrowdStrike provides complete visibility and real-time threat detection and response to stop breaches. 

Other vendors strive to offer this level of protection by combining cloud security capabilities. It might sound good on paper, but the reality is that when separate companies bundle tools that aren’t built for integration, users are burdened with multiple consoles and interfaces. These “marriages of convenience” often drive higher cost and complexity with worse security outcomes. Misconfigurations, for example, are a common consequence of this complexity, leading to vulnerabilities and increased risk due to the scale and speed of cloud environments.

One Platform to Stop Breaches

While companies seek the best in cloud protection, they also strive to reduce the number of tools to manage. CrowdStrike provides a single unified platform to protect customers across endpoints, identities and cloud workloads — including multi-cloud and hybrid cloud environments.

And it goes deeper than a single pane of glass. The underlying infrastructure of Falcon Threat Graph, the brains behind the Falcon cloud-native platform, unifies these detections to provide a complete picture from endpoint to cloud.

In the face of today’s evolving threat landscape, where adversaries are attacking from multiple fronts, organizations should look for a cloud-native security platform that uses agentless and agent-based scanning to meet their security needs. CrowdStrike delivers all of these capabilities from one platform and a single lightweight agent.
