Cloud attacks start within 10 minutes of credential theft: report

Threat actors use cloud automation to reduce the time between phishing and attacking


Threat actors typically initiate attacks on cloud-based systems within 10 minutes of obtaining credentials, according to a report by security vendor Sysdig.

"Attackers in the cloud operate at different time scales than on-premises for the same reasons we do," Sysdig researchers say in the company's 2023 Global Cloud Threat Report.

"Whether targeted or opportunistic, attacks are even faster, thanks to the weaponisation of automation. Opportunistic attacks average under two minutes to find a publicly exposed credential and 21 minutes from credential discovery to attack initiation.

"Targeted cloud attacks specifically occur on average within 10 minutes of credential discovery (five minutes of which are dwell time), and it takes only hours for an attacker to find a worthy target, although this can vary greatly depending on their motives and visibility."

The report also found that 65% of cloud attacks target telecoms and financial organisations, due to their holding valuable customer data with a high resale potential.

Cyber actors make use of the complex array of cloud services to evade detection and abuse systems like virtual private clouds and AWS CloudFormation to enable privilege escalation, said Michael Clark, director of threat research at Sysdig.

"The reality is, attackers are good at exploiting the cloud. It's not just that they can script recon and autodeploy cryptominers and other malware, but they take the tools that unleash the power of the cloud for good and turn them into weapons. Abusing infrastructure-as-code to bypass protective policies is one example."

Attackers also frequently target software supply chains via open source repositories: 10% of the Docker container images analysed were found to contain malware that advanced evasion techniques kept invisible to static analysis tools and vulnerability scanners.

The report outlines several measures organisations should consider to protect against these rapid, automated attacks on cloud resources.

They include real-time monitoring for abnormal behaviour; managing keys and credentials by storing them securely and separately from repositories and other resources; and adopting a least-privilege approach, since excessive permissions are the cause of many security incidents in the cloud.

Protections should also be put in place to guard against lateral movement between systems. Organisations developing software should add static and runtime security checks to their automated builds, secure the software supply chain by validating third-party code with static and runtime analysis, and patch known vulnerabilities quickly.
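The "real-time monitoring for abnormal behaviour" recommendation, read against the report's 10-minute figure, suggests one concrete detection: an access key whose first appearance is followed within minutes by a burst of enumeration calls (the scripted recon the report describes). The following is an added example, not code from Sysdig or from the report. It reads CloudTrail-style records (only the eventTime, accessKeyId, eventName and sourceIPAddress fields), and the events, key IDs, IP addresses and the RECON_ACTIONS list are constructed for illustration and should be tuned to your own environment's baseline.

```python
"""Added example: flag access keys whose first observed use is followed by a
burst of enumeration API calls inside a short window. Not Sysdig's code; the
record shape mirrors the CloudTrail fields a detection would read, and the
sample events, key IDs and IPs below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# API calls that scripted cloud recon typically issues first.
# Assumption: this list is illustrative; tune it to your own baseline.
RECON_ACTIONS = {
    "GetCallerIdentity", "ListBuckets", "ListUsers", "ListRoles",
    "DescribeInstances", "ListSecrets", "GetAccountAuthorizationDetails",
}


def _ev(t, key, name, ip):
    """Build one constructed CloudTrail-style record."""
    return {"eventTime": t, "accessKeyId": key,
            "eventName": name, "sourceIPAddress": ip}


# Constructed sample log. Key 1 behaves like a stolen key driven by a script;
# key 2 is a CI pipeline; key 3 is a developer who ran one identity check.
SAMPLE_EVENTS = [
    _ev("2023-08-01T10:00:00Z", "AKIA-CONSTRUCTED-1", "GetCallerIdentity", "203.0.113.10"),
    _ev("2023-08-01T10:00:07Z", "AKIA-CONSTRUCTED-1", "ListBuckets", "203.0.113.10"),
    _ev("2023-08-01T10:00:15Z", "AKIA-CONSTRUCTED-1", "ListUsers", "203.0.113.10"),
    _ev("2023-08-01T10:00:40Z", "AKIA-CONSTRUCTED-1", "GetAccountAuthorizationDetails", "203.0.113.10"),
    _ev("2023-08-01T10:03:00Z", "AKIA-CONSTRUCTED-1", "DescribeInstances", "198.51.100.7"),
    _ev("2023-08-01T10:05:12Z", "AKIA-CONSTRUCTED-1", "RunInstances", "198.51.100.7"),
    _ev("2023-08-01T10:15:00Z", "AKIA-CONSTRUCTED-1", "ListSecrets", "198.51.100.7"),  # outside window
    _ev("2023-08-01T09:00:00Z", "AKIA-CONSTRUCTED-2", "PutObject", "192.0.2.5"),
    _ev("2023-08-01T09:10:00Z", "AKIA-CONSTRUCTED-2", "PutObject", "192.0.2.5"),
    _ev("2023-08-01T09:20:00Z", "AKIA-CONSTRUCTED-2", "GetObject", "192.0.2.5"),
    _ev("2023-08-01T11:00:00Z", "AKIA-CONSTRUCTED-3", "GetCallerIdentity", "192.0.2.9"),
    _ev("2023-08-01T11:00:30Z", "AKIA-CONSTRUCTED-3", "PutObject", "192.0.2.9"),
]


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_rapid_recon(events, window=timedelta(minutes=10), min_distinct_actions=4):
    """Return one alert per access key that issues >= min_distinct_actions
    distinct recon calls within `window` of its first observed event.

    Caveat: "first observed" is the earliest event in the slice of log given
    here; in production, anchor the window on the key's creation time or on
    a stored first-seen baseline so a long-lived key is not re-alerted."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["accessKeyId"]].append(e)

    alerts = []
    for key, evs in by_key.items():
        evs.sort(key=lambda e: _parse_time(e["eventTime"]))
        first_seen = _parse_time(evs[0]["eventTime"])
        in_window = [e for e in evs
                     if _parse_time(e["eventTime"]) - first_seen <= window]
        recon = [e for e in in_window if e["eventName"] in RECON_ACTIONS]
        actions = {e["eventName"] for e in recon}
        if len(actions) < min_distinct_actions:
            continue
        span = _parse_time(recon[-1]["eventTime"]) - _parse_time(recon[0]["eventTime"])
        alerts.append({
            "accessKeyId": key,
            "first_seen": evs[0]["eventTime"],
            "recon_actions": sorted(actions),
            "recon_span_seconds": int(span.total_seconds()),
            "source_ips": sorted({e["sourceIPAddress"] for e in in_window}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_rapid_recon(SAMPLE_EVENTS):
        print(alert)
```

Only the first key trips the rule: five distinct recon calls inside three minutes from two source addresses, with the later ListSecrets call correctly excluded by the window. The CI key issues no recon calls and the developer key issues one, so neither alerts; raising or lowering min_distinct_actions is the main knob between catching a slower attacker and paging on a new engineer's first afternoon.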

Cloud security will be a topic of debate at Computing's online Deskflix: Cloud Automation event in September. Register today