Unused Credentials Key Culprits in Cloud Attacks, Study Says

It’s an eye-popping statistic: Nearly 99% of identity and access management (IAM) policies are overly permissive, according to a new report of security threats to cloud infrastructure.
The report, the latest from Unit 42, the threat research arm of Palo Alto Networks, defined cloud identities as too permissive if they granted permissions that went unused in the previous 60 days.
Just as startling is a data point that the researchers left out of their latest report: Less than 10% of permissions granted by these cloud accounts are ever used, according to Jay Chen, a principal researcher of public cloud at Palo Alto Networks and co-author of the latest “Cloud Threat Report.”
Such news is alarming, because those unused permissions can unnecessarily open up more attack vectors and increase the risk of lateral movement and privilege escalation in case of a security incident.
However, Chen suggested, “This allows an organization to immediately tighten up security by removing those 90-plus percent of granted permissions, without impacting your existing cloud workload functionalities.”
Overly broad granting of permissions — most of which go unused — creates tempting targets for cloud threat actors, the malicious hackers who have cost organizations an average of $4.24 million in data breaches in 2021, according to a report released in January by IBM and the Ponemon Institute.
The increasing use of multi- and hybrid cloud architecture, with its inherent complexity, as well as the difficulties in customizing the security policies of major public cloud providers, have also contributed to vulnerabilities, the report suggested.
The report offers some remedies, and the researchers cautioned against IT teams letting fear drive their decisions. The data, however, does show that for many organizations, achieving the goal of granting least privilege to users may “not be a realistic expectation,” Chen said.
He summarized the report’s findings, suggesting that they should inspire heightened alertness but not panic: “Everything is working, although we found that there’s a huge gap. But we still need to continue to improve it. We still need to move toward this expectation of least privilege.”
Weak and Re-Used Passwords
For “Cloud Threat Report, Volume 6,” Unit 42 researchers analyzed more than 680,000 identities across 18,000 cloud accounts and more than 200 different organizations.
Since the start of the Covid-19 pandemic, the percentage of organizations that host at least half of their workloads in the cloud has jumped, from an average of 31% in 2020 to 69% in 2022, according to Prisma Cloud by Palo Alto Networks’ “2022 State of Cloud Native Security” report.
Misconfigurations — most often related to IAM policies — are responsible for 65% of known cloud security incidents, according to the Unit 42 study. Among the findings:
- Sixty-two percent of the organizations studied have cloud resources publicly exposed to the internet, which allows anyone to access them without authentication.
- Fifty-three percent of cloud accounts allow weak password usage (defined by the study as containing fewer than 14 characters).
- Forty-four percent allow password reuse.
The new report raises the use of multi- or hybrid cloud networks as one factor making systems more vulnerable, and the role that security policies managed by cloud service providers (CSPs) play in generating unnecessary and unused permissions.
Using more than one cloud host inherently introduces more complexity, the researchers noted.
Chen referred to the “credential sprawl” that can easily result. For instance, “for different applications you have one database credential, you have one virtual machine credential, you have one, like, AWS credential. And typically, when two clouds need to talk to each other, you need to create another credential in order to communicate.”
And typically, he noted, “there is no centralized identity and access management across multiple accounts, every provider, or across on-prem and cloud identities. Without that centralized credential management, that’s how the credentials become very, very distributed. And it causes a credential storage issue.”
CSP-Managed Security Policies
Public clouds are not inherently vulnerable, the researchers said, but they are designed for broad use by a variety of organizations and use cases. However, if their security policies are not tailored by the teams that use them, they can generate permissions too broadly, and open the door to hackers.
CSP-managed policies grant 2.5 times more permissions than customer-managed policies, according to the Unit 42 report.
The following table, with data taken from the report, shows the five most commonly granted permissions for Amazon Web Services (AWS) and Microsoft Azure. For AWS, “Administrator Access,” and for Azure, “Owner” access, grant full access to their attached identities — in other words, all permissions to every cloud and service.
“If you’re an administrator, you have all the keys to the kingdom, and you can do whatever you want,” noted Nathaniel Quist, a principal researcher of public cloud security at Palo Alto Networks and co-author of the Unit 42 report.
Customizing CSP-managed security policies isn’t simple for many organizations, Chen said. “To be fair, only the most advanced cloud users can create their own policies, because it’s a tedious, difficult problem.”
A specific cloud service, Chen added, “usually comes with more than 100 different permissions. And you need to pick a specific subset of them for your application. It’s very hard. Manual is very hard, but there are tools that can help you automate this process.”
These challenges, Quist added, are part of the trade-off in using public cloud. “It’s not the cloud service providers’ fault. They’re just trying to make it usable and easy to use that service.”
Best Practices for Protecting Against Attack
The Unit 42 report lists a “Cloud Threat Actor Index,” detailing the key cloud and container TTPs used by each of the top five attackers. It also includes a section on potential cloud threat actors, issuing a warning about the impact the current war between Russia and Ukraine could have on cybersecurity.
“It is important to note that Russian nation-state operators have historically used cloud infrastructure to host malicious content for their offensive operations,” the report reads.
The report listed best practices for protecting all organizations against cloud threats. Among them:
Use Cloud Native Application Protection Platforms.
A Cloud Native Application Protection Platform (CNAPP) is an integrated set of security and compliance tools, such as container scanning and cloud security posture management, that were previously segregated from each other and are designed to help secure and protect cloud native applications throughout their lifecycle.
“If you’re only using one tool, such as Cloud Workload Protection, that’s only focused on containers, you’re not going to be able to see a credential being used in the larger cloud environment,” Quist said. “Or if you only have a Cloud Security Posture Management tool, you’re not gonna be able to see what the container is doing.
“Having a CNAPP bridges the two together, so you can have visibility over more, both granular and broad cloud platforms.”
Harden Identity and Access Management Permissions.
With unused permissions so plentiful for so many organizations, serving up such juicy targets for attackers, reducing the scope of permissions is crucial, the researchers said.
The report lists eight guidelines for locking things down:
- Minimize the use of admin credentials, which are doled out too freely at most organizations.
- Minimize the usage of long-term credentials, such as user passwords, access keys, and service account keys.
- Enforce multi-factor authentication for permissions that modify business-critical resources such as database deletion.
- Configure a strong password policy. At least eight characters should be required for passwords, according to the National Institute of Standards and Technology (NIST).
- Use federated identity management to centrally manage access control.
- Follow the principle of least privilege. That means granting each identity only the necessary permissions for their jobs. Continuously audit all the identities in your cloud environments.
- Monitor IAM activities. All major CSPs have services to do this, and they can help identify abnormal activities such as brute-force attacks and logins from unrecognized devices or locations.
- Auto-remediate excessive privileges. Entitlement audits should not be done manually, as the workloads in cloud environments change rapidly and frequently.
“Manually creating these types of policies is almost impossible, you need a tool that can automate the policy creation process,” Chen said. “Typically, this type of tool will monitor in real time, what are the actions that your workload, your application actually needs?” And then, he said, the tool would create a policy specific for that application.
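The audit the report describes (a permission is "unused" if it was not exercised in the previous 60 days) and the policy-generation tool Chen outlines can be sketched in a few dozen lines. This is an added example, not code from Unit 42 or Palo Alto Networks; it assumes CloudTrail-style events whose `eventSource` and `eventName` map to an IAM action as `<service>:<eventName>` (a simplification, since real mappings are not always one-to-one), and the sample policy and events below are constructed.

```python
# Added example, not code from the Unit 42 report: flag IAM actions that were granted
# but unused in the report's 60-day window, then emit a right-sized policy. Assumption:
# CloudTrail-style events map to IAM actions as "<service>:<eventName>" (a simplification).
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

def used_actions(events, now, window_days=60):
    """Return the 'service:Action' strings observed inside the look-back window."""
    cutoff = now - timedelta(days=window_days)
    seen = set()
    for e in events:
        when = datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00"))
        if when >= cutoff:  # "s3.amazonaws.com" -> "s3"
            seen.add(f"{e['eventSource'].split('.')[0]}:{e['eventName']}")
    return seen

def granted_actions(policy):
    # Flatten every Allow statement's Action field (string or list) into one set.
    out = set()
    for st in policy["Statement"]:
        if st.get("Effect") == "Allow":
            acts = st["Action"]
            out.update([acts] if isinstance(acts, str) else acts)
    return out

def audit(policy, events, now):
    """Split grants into used/unused; a wildcard such as s3:* is used if any observed action matches."""
    used = used_actions(events, now)
    granted = granted_actions(policy)
    exercised = {g for g in granted
                 if any(fnmatch(u.lower(), g.lower()) for u in used)}  # IAM names are case-insensitive
    return {"used": exercised, "unused": granted - exercised}

def least_privilege_policy(events, now, resource="*"):
    # Allow only what the workload was actually seen doing, nothing more.
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Action": sorted(used_actions(events, now)), "Resource": resource}]}

# Constructed sample input: one role with a broad grant and three logged API calls.
NOW = datetime(2022, 4, 1, tzinfo=timezone.utc)
GRANTED = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["s3:*", "ec2:DescribeInstances", "iam:CreateUser", "rds:DeleteDBInstance"]}]}
EVENTS = [
    {"eventTime": "2022-03-20T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventTime": "2022-03-28T08:15:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventTime": "2022-01-05T09:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser"},
]

if __name__ == "__main__":
    print(audit(GRANTED, EVENTS, NOW))          # iam:CreateUser is stale; rds:DeleteDBInstance never used
    print(least_privilege_policy(EVENTS, NOW))  # s3:* shrinks to s3:GetObject
```

Note that the January `iam:CreateUser` call falls outside the 60-day window, so that grant is reported as unused even though it was exercised earlier; widening `window_days` brings it back, which is the trade-off behind the report's threshold.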
Overall, Quist advised, the takeaway is to “look at your cloud environment, your cloud applications, and then … custom create your policies.”
“If we could do that,” he added, “that will just completely shrink so much of the threat landscape that an attacker would have to use.”