Executive Summary: Unit 42 Cloud Threat Report, Putting the Sec in DevOps

Unit 42 by Palo Alto Networks | Cloud Threat Report, Spring 2020 | Executive Summary 1

Over the last 18 months, we’ve witnessed a radical shift in how DevOps teams are building their cloud infrastructure. Organizations are rapidly adopting IaC as they attempt to automate more of their build processes in the cloud. When teams move to IaC, they are avoiding the manual creation and configuration of infrastructure in favor of writing code. Although IaC is not new, many organizations are adopting it for the first time, which means new risks.

Our research indicates that while infrastructure as code (IaC) offers security teams a systematic way to enforce security standards, this powerful capability remains largely unharnessed.

Summary of Key Findings

Nearly 200K insecure templates in use

Why It Matters

It only takes one misconfiguration to compromise an entire cloud environment. Just like when you forget to lock your car or leave a window open, attackers use misconfigurations to weave around defenses. Without secure IaC templates from the start, clouds are ripe for attack.

43% of cloud databases are not encrypted

Why It Matters

Unencrypted data is like having a house with glass walls. Encryption prevents attackers from seeing and reading stored information. It’s also a requirement for many compliance standards. Vistaprint and MoviePass highlight the importance of encrypting databases.

60% of cloud storage services have logging disabled

Why It Matters

When storage logging is disabled, malicious actors from CloudHopper to FancyBear could enter the storage system, and no one would ever know. Storage logging is critical when attempting to determine the scale of the damage in cloud incidents such as the US voter records leak or the National Credit Federation data leak.

93% of Pacha cryptocurrency traffic is destined for China

Why It Matters

Cyber crime groups are using the cloud for “cryptojacking”. Adversary groups likely associated with China, including Rocke, 8220 Mining Group and Pacha, are stealing cloud resources. They are mining for Monero, likely through public mining pools or their own pools.


© 2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. unit-42-cloud-threat-report-spring-2020-es-020420

In our previous report, we noted that organizations need to do a better job of centrally monitoring and enforcing cloud configurations. Outside of IaC templates, in the months since our last report, we observed that organizations have been slow to make improvements. In fact, it would appear that many are unfortunately moving in the wrong direction.

Biggest Changes Since Our Last Report

Why It Matters

Exposing SSH servers to the entire internet is a risky practice. Attackers actively target SSH services as they provide remote access to cloud environments. Security teams should focus on moving away from trust-based access models like accounts and passwords. “Never trust, always verify” embodies a Zero Trust-based approach. It’s concerning that this service’s exposure is on an upward trend.

Why It Matters

Pick your poison: RDP or SSH. When publicly exposed, either of these services allows attackers to knock on your front door when they shouldn’t even know it’s there. Researchers recommend strongly against directly exposing RDP to the public internet. Many alternatives now exist, such as Azure® Bastion, a PaaS service offered by Microsoft. The alarming upward trend is something to watch closely between reports.

Why It Matters

TLS v1.1 was abandoned in 2008 due to increased vulnerability to attacks. In addition to violating compliance requirements such as PCI DSS, organizations are putting their customers’ data at risk. Having this number on a downward trend is good news for customer security and privacy.

Cloud Security Best Practices

Get and Maintain Multi-Cloud Visibility

It is very difficult to secure what is not visible or known. Security teams must take the lead in advocating for cloud native security platforms (CNSPs), which provide visibility across public and private clouds in addition to containers, serverless, and CI/CD pipelines.

Enforce Standards

Cloud-scale security requires strict enforcement of standards across public, private, and hybrid cloud environments. If your organization does not yet have a cloud security standard, check out the benchmarks created by the Center for Internet Security (CIS).

Shift-Left

Shift-left security is about moving security to the earliest possible point in the development process. Work with DevOps teams to get your security standards embedded in IaC templates. This is a win-win for DevOps and security teams.
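As an added example (not Unit 42's or Palo Alto Networks' code), this small Python checker applies three of the summary's standards to an IaC template before it is deployed: it flags an unencrypted database, a storage bucket with access logging off, and SSH or RDP ingress open to the entire internet. The CloudFormation-style template is constructed for illustration, and the checker itself is a hypothetical shift-left gate, not a product feature.

```python
import json

# Constructed CloudFormation-style template (sample data, not from the report).
# It deliberately contains the misconfigurations the summary counts: an
# unencrypted database, a storage bucket with logging off, and SSH open to
# the whole internet. The RDP rule is limited to a private range.
TEMPLATE = json.loads("""
{"Resources": {
  "AppDb":  {"Type": "AWS::RDS::DBInstance",
             "Properties": {"Engine": "postgres", "StorageEncrypted": false}},
  "Assets": {"Type": "AWS::S3::Bucket", "Properties": {}},
  "Admin":  {"Type": "AWS::EC2::SecurityGroup",
             "Properties": {"SecurityGroupIngress": [
               {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
               {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIp": "10.0.0.0/8"}]}}
}}
""")

RISKY_PORTS = {22: "SSH", 3389: "RDP"}
ANYWHERE = {"0.0.0.0/0", "::/0"}          # "the entire internet" in CIDR form


def check_template(template):
    """Return (logical_id, finding) pairs for each resource that violates one of
    the three standards. Hypothetical checker written for this example."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        rtype, props = res.get("Type", ""), res.get("Properties", {})
        # RDS storage stays unencrypted unless StorageEncrypted is explicitly true
        if rtype == "AWS::RDS::DBInstance" and not props.get("StorageEncrypted", False):
            findings.append((name, "database storage not encrypted"))
        # A bucket with no LoggingConfiguration records no access log at all
        if rtype == "AWS::S3::Bucket" and "LoggingConfiguration" not in props:
            findings.append((name, "storage access logging disabled"))
        if rtype == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                if rule.get("IpProtocol") not in ("tcp", "-1"):
                    continue                 # UDP/ICMP rules cannot carry SSH or RDP
                cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
                lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
                for port, svc in RISKY_PORTS.items():
                    if cidr in ANYWHERE and lo <= port <= hi:
                        findings.append((name, f"{svc} (port {port}) open to the internet"))
    return findings


if __name__ == "__main__":
    for name, finding in check_template(TEMPLATE):
        print(f"{name}: {finding}")
```

Run as a pre-commit or CI step, a non-empty result blocks the template from reaching the deployment pipeline.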


Figure: biggest changes since the last report (values from the infographic)

76% of organizations expose SSH (port 22)

69% of organizations expose RDP (port 3389)

27% of organizations use outdated versions of Transport Layer Security (TLS)

Previous-report values shown alongside these in the figure: 20%, 30%, 34%