AdaptTactics' Advisory: The Art of Cloud Sneakery
The document titled “cyber actors adapt tactics for initial cloud access”, released by the National Security Agency (NSA), warns that cyber actors have adapted their tactics to gain initial access to cloud services rather than exploiting on-premises network vulnerabilities.
This shift is a response to organizations modernizing their systems and moving to cloud-based infrastructure. The actors behind high-profile cyber campaigns like the SolarWinds supply chain compromise are now expanding their targeting to sectors such as aviation, education, law enforcement, local and state councils, government financial departments, and military organizations.
The stark reality is that to breach cloud-hosted networks, these actors need only authenticate with the cloud provider; once they succeed, they are inside. The document highlights a particularly disconcerting aspect of cloud environments: the reduced network exposure compared with on-premises systems paradoxically makes initial access a more significant linchpin.
Over the past year, the TTPs observed have been alarmingly simple yet effective, with the cyber actors exploiting service and dormant accounts through brute-force attacks. The document offers only cold comfort: it implies a race against time for organizations to fortify their defenses against these TTPs before initial access is obtained.
Key points
📌Adaptation to Cloud Services: Cyber actors have shifted their focus from exploiting on-premises network vulnerabilities to directly targeting cloud services. This change is a response to the modernization of systems and the migration of organizational infrastructure to the cloud.
📌Authentication as a Key Step: To compromise cloud-hosted networks, cyber actors must first successfully authenticate with the cloud provider. Preventing this initial access is crucial to stopping them from compromising the target.
📌Expansion of Targeting: Cyber actors have broadened their targeting to include sectors such as aviation, education, law enforcement, local and state councils, government financial departments, and military organizations. This expansion indicates a strategic diversification of targets for intelligence gathering.
📌Use of Service and Dormant Accounts: The advisory highlights that cyber actors have been observed using brute-force attacks to access service and dormant accounts over the last 12 months. This tactic allows them to gain initial access to cloud environments.
📌Sophistication of cyber actors: The cyber actors can execute global supply chain compromises, such as the 2020 SolarWinds incident.
📌Defense through Cybersecurity Fundamentals: The advisory emphasizes that a strong baseline of cybersecurity fundamentals can defend against cyber actors. For organizations that have transitioned to cloud infrastructure, protecting against TTPs for initial access is presented as a first line of defense.
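Detection logic for the brute-force-against-service-and-dormant-accounts pattern described under "Use of Service and Dormant Accounts", as an added example that is not from the advisory: it scans sign-in events for a burst of failed authentications followed by a success and marks the account as dormant when a last-seen inventory shows no use for 90 days. The event tuple format, the thresholds and the LAST_SEEN inventory are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (timestamp, account, result); not from the advisory.
SAMPLE_EVENTS = [
    ("2024-03-01T02:00:00", "svc-backup", "failure"),
    ("2024-03-01T02:00:10", "svc-backup", "failure"),
    ("2024-03-01T02:00:20", "svc-backup", "failure"),
    ("2024-03-01T02:00:30", "svc-backup", "failure"),
    ("2024-03-01T02:00:40", "svc-backup", "failure"),
    ("2024-03-01T02:00:50", "svc-backup", "failure"),
    ("2024-03-01T02:01:00", "svc-backup", "success"),
    ("2024-03-01T09:00:00", "alice", "failure"),
    ("2024-03-01T09:00:30", "alice", "success"),
]
# Hypothetical inventory of each account's last successful sign-in before this log.
LAST_SEEN = {"svc-backup": "2023-10-01T00:00:00", "alice": "2024-02-28T12:00:00"}


def find_suspicious_logins(events, last_seen, failure_threshold=5,
                           window=timedelta(minutes=10), dormant_days=90):
    """Flag accounts where a success follows >= failure_threshold failures
    inside `window` (a brute-force pattern), and record whether the account was
    dormant (no sign-in for dormant_days) or entirely absent from the inventory."""
    by_account = defaultdict(list)
    for ts, account, result in events:
        by_account[account].append((datetime.fromisoformat(ts), result))
    alerts = []
    for account, evs in by_account.items():
        evs.sort()
        failures = []  # timestamps of recent failures, pruned to the window
        for t, result in evs:
            if result == "failure":
                failures.append(t)
                failures = [f for f in failures if t - f <= window]
                continue
            if result == "success" and len(failures) >= failure_threshold:
                seen = last_seen.get(account)
                idle = t - datetime.fromisoformat(seen) if seen else None
                alerts.append({
                    "account": account,
                    "failures_before_success": len(failures),
                    "success_at": t.isoformat(),
                    # Accounts with no recorded use are treated as dormant.
                    "dormant": idle is None or idle >= timedelta(days=dormant_days),
                })
            failures = []  # any non-failure outcome ends the burst
    return alerts
```

In practice the same logic runs over the cloud provider's sign-in logs, and an alert on a dormant or service account is a strong candidate for immediate credential reset and review.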