Several notorious cloud hacks between 2020 and 2022 were the result of simple technical errors that could have been thwarted by faster detection and response.
In a study of six major cloud security incidents in 2021-2022, Mohamed Shaaban, solution architect at Sysdig, found that attacks on the cloud are becoming more advanced, particularly in the volume of attacks and in attackers’ use of automated tools, meaning defenders need to speed up their detection and response capabilities in order to thwart them.
Shaaban and his colleague Rafik Harabi will present a talk at Black Hat Middle East on “Lessons from 6 Headline-Grabbing Security Breaches” next week.
The researchers found some telling common threads among the six incidents. Among them: attackers are building tools that automate scanning for, finding, and exploiting the target, and they gain access to systems through leaked credentials and common vulnerabilities.
The researchers selected attacks from different industries to analyze a range of cloud incidents:
Lessons Learned
Shaaban says the intention of the research into these attacks was to learn lessons about “what really went bad and what could have been done better.” Those takeaways can help organizations reflect on their cloud environments and review the security controls and processes they have put in place — especially by focusing on the technical aspects of the incidents and their long-term impact.
The researchers say the attack and response patterns in these incidents can provide insight into how to better protect and respond to cyber threats in the cloud.
Shaaban says one challenge is that security teams often must decide whether to take a prevention approach, where you harden your defenses, or to focus on detection and response, which requires multiple layers of security tooling.
Therefore, he notes, a benchmark for detection and response is required, especially as defenders need to move faster to protect a wider attack surface against adversaries who use automated tools in their attacks.
In that vein, Sysdig has proposed the 5/5/5 benchmark, where a company takes five seconds to detect, five minutes to triage, and five minutes to respond to a threat.
“In the cloud, because everything is really quick, we need everything to be fast, and we need the detections, triage, and response to be very fast, and this is why we have proposed the 5/5/5 benchmark,” Shaaban says.
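To make the 5/5/5 benchmark measurable rather than aspirational, a SOC needs to timestamp the same four points for every incident (first malicious activity, alert fired, alert confirmed by an analyst, containment applied) and score the three intervals between them. The script below is an added example, not code from the article, from Sysdig, or from the presenters; the incident timeline it scores is constructed sample data, and the phase names (`start`, `detect`, `triage`, `respond`) are this example's own convention.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds quoted in the article: 5 seconds to detect, 5 minutes to triage,
# 5 minutes to respond. Each is measured from the end of the previous phase.
BENCHMARK = {
    "detect": timedelta(seconds=5),
    "triage": timedelta(minutes=5),
    "respond": timedelta(minutes=5),
}

# Constructed sample timeline (not real incident data).
# Each line: <ISO-8601 UTC timestamp> <incident id> <phase>
#   start   - first malicious activity, as reconstructed afterwards
#   detect  - the alert fired
#   triage  - an analyst confirmed the alert was a real incident
#   respond - containment (e.g. credential revoked, workload isolated) applied
SAMPLE_LOG = """\
2022-03-01T10:00:00Z INC-1 start
2022-03-01T10:00:03Z INC-1 detect
2022-03-01T10:03:30Z INC-1 triage
2022-03-01T10:07:00Z INC-1 respond
2022-03-01T11:00:00Z INC-2 start
2022-03-01T11:02:00Z INC-2 detect
2022-03-01T11:04:00Z INC-2 triage
2022-03-01T11:20:00Z INC-2 respond
"""

PHASE_ORDER = ["start", "detect", "triage", "respond"]


def parse_timeline(text):
    """Parse '<timestamp> <incident> <phase>' lines into {incident: {phase: datetime}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, incident, phase = line.split()
        if phase not in PHASE_ORDER:
            raise ValueError(f"unknown phase {phase!r} for {incident}")
        events[incident][phase] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return dict(events)


def phase_durations(marks):
    """Return the three phase durations for one incident, or None if a marker is missing."""
    if any(p not in marks for p in PHASE_ORDER):
        return None
    return {
        "detect": marks["detect"] - marks["start"],
        "triage": marks["triage"] - marks["detect"],
        "respond": marks["respond"] - marks["triage"],
    }


def evaluate(text):
    """Score each incident: {incident: {phase: True if within budget}} or None if unscorable."""
    results = {}
    for incident, marks in parse_timeline(text).items():
        durations = phase_durations(marks)
        if durations is None:
            results[incident] = None  # incomplete record; flag for follow-up, do not score
            continue
        results[incident] = {p: durations[p] <= BENCHMARK[p] for p in BENCHMARK}
    return results


def report(text):
    """Human-readable summary of which phases missed the 5/5/5 budget."""
    lines = []
    for incident, scores in sorted(evaluate(text).items()):
        if scores is None:
            lines.append(f"{incident}: incomplete timeline")
            continue
        missed = [p for p, ok in scores.items() if not ok]
        lines.append(f"{incident}: " + ("within 5/5/5" if not missed else "missed " + ", ".join(missed)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

In the sample data, INC-1 stays inside every budget, while INC-2 takes two minutes to detect and sixteen minutes to respond, so it misses the detect and respond phases; an incident missing any of the four markers is reported as incomplete rather than silently scored, since a gap in the record is itself a process failure worth tracking.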