Four steps are all it takes for threat actors to penetrate and compromise 94% of organizations’ critical cloud assets after an initial breach. XM Cyber’s first Attack Path Management Impact Report leverages data collated throughout 2021 to shed light on how vulnerable organizations become once attackers get past network defenses.
The cloud security company discovered that poor cybersecurity practices are prevalent in on-premise and multi-cloud implementations, especially in hybrid cloud environments. So much so that 75% of organizations’ critical assets could have been compromised in their then-current security state.
Poor hybrid cloud practices possibly stem from the lack of a clearly defined strategy for migrating to a hybrid cloud environment. Hybrid clouds are complex enough on their own; add disjointed business units each pursuing their own strategy, and it becomes a recipe for disaster.
“Organizations have a disconnect between the cloud and on-prem networks – in many cases you have devops teams that manage X, while the enterprise team manages Y, but no context to connect between them – these attacks reveal the hidden connections between them as they are sight unseen,” XM Cyber stated.
“Only by seeing the attack path across hybrid networks can teams collaborate and understand how to close gaps efficiently.” An attack path involves multiple attack vectors (vulnerabilities, misconfigurations, user privileges, human errors, etc.) that, in turn, are made up of several attack techniques that a hacker can use to move laterally through the network.
The most threatening attack technique facing critical assets in on-premise, multi-cloud or hybrid cloud environments is the use of stolen credentials. The Israeli company calls credentials “the Achilles heel of cloud,” given that mismanagement of credentials enables 73% of the top attack techniques used by hackers.
Additionally, 30% of an attacker’s techniques abuse misconfigurations and credentials to compromise and breach the organization.
This shows how even a fully patched system, which limits the possibility of known vulnerability exploitation, can still be compromised. “Not only should we focus on vulnerabilities, it is a misconception that patching CVEs will fix everything and stop lateral movement.”
XM Cyber broke down attack techniques by vendors and discovered that 64% of top attack techniques against AWS involve mismanaged or stolen credentials. This number is 100% in Azure.
As the initial entry point, credentials offer a way into a network. Attackers further need to leverage a combination of attack techniques to form an attack vector. The use of multiple attack vectors defines the hacker’s attack path.
Attack complexity encompasses certain prerequisites: the access needed, the time required, and the number of steps necessary to reach an organization’s critical assets. XM Cyber discovered that to get to 94% of organizations’ critical assets from the breach point, a hacker needs to make four hops, each passing through a choke point that requires a different attack technique to bypass.
Source: XM Cyber
The attack path thus depends on several attack techniques and the use of advanced persistent threats (APTs). XM Cyber categorized all attack techniques into three groups: cloud techniques, remote code execution (RCE), and a combination of the two.
Cloud Attack Techniques | Source: XM Cyber
Basically, the focus needs to be on understanding attack paths and vectors. XM Cyber demonstrated how Active Directory could be compromised using just four hops as part of the attack path:
Attack Path for Active Directory Compromise | Source: XM Cyber
After compromising a Windows machine, the initial breach point (1), the attacker steals domain credentials from it (2). Access tokens from the compromised endpoint are then used to authenticate to the Azure tenant (3), from where the attacker gains the ability to execute commands on the on-premise system.
Highlighting how vulnerable organizations can quickly become, XM Cyber noted the following:
- 75% of organizations have an external facing EC2 machine posing a risk to critical assets
- 37% of organizations contain Users or Roles with cross-account permissions between accounts
- 69% of organizations have AWS Users or Roles which can perform IAM privilege escalations
- 23% of organizations have an external facing Azure VM that poses a risk to critical assets
- 38% of organizations had critical assets impacted by third-party applications
- 54% of organizations have users that can escalate privileges
As such, a hacker may not need to do much to exploit excessive access permissions or privileges to compromise critical assets.
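Two of the findings above, cross-account permissions and IAM principals able to escalate their own privileges, are the kind of condition a defender can audit directly from IAM policy documents. The following is an added example, not code from XM Cyber or its report: it flags trust-policy principals from accounts other than one's own and lists the self-escalation-capable IAM actions an identity policy grants. The action list is a small illustrative subset rather than an exhaustive catalogue, the account IDs and policies are constructed, and Deny statements are not evaluated.

```python
import json

OWN_ACCOUNT = "111111111111"  # placeholder account id (constructed)

# Illustrative subset of IAM actions that let a principal raise its own privileges,
# directly or via iam:PassRole; real audits use a fuller, maintained list.
PRIV_ESC_ACTIONS = {
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy",
    "iam:PassRole",
}

def _as_list(v):
    # IAM allows a single string or a list in Statement, Action and Principal fields
    return v if isinstance(v, list) else [v]

def _matches(pattern, action):
    # IAM action patterns are case-insensitive and may end in a wildcard ("iam:*", "*")
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return pattern.lower() == action.lower()

def find_priv_esc(policy_doc):
    """Return the sorted privilege-escalation-capable actions an identity policy allows."""
    found = set()
    for st in _as_list(policy_doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for pat in _as_list(st.get("Action", [])):
            found |= {a for a in PRIV_ESC_ACTIONS if _matches(pat, a)}
    return sorted(found)

def find_cross_account_principals(trust_doc, own_account=OWN_ACCOUNT):
    """Return AWS principals in a role trust policy that are '*' or from another account."""
    foreign = []
    for st in _as_list(trust_doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        foreign += [p for p in aws if p == "*" or own_account not in p]
    return foreign

# Constructed sample policies: one identity policy and one role trust policy.
IDENTITY_POLICY = json.loads('{"Version": "2012-10-17", "Statement": ['
    '{"Effect": "Allow", "Action": ["s3:GetObject", "iam:CreatePolicyVersion"], "Resource": "*"},'
    '{"Effect": "Allow", "Action": "iam:Pass*", "Resource": "*"}]}')
TRUST_POLICY = json.loads('{"Version": "2012-10-17", "Statement": ['
    '{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Action": "sts:AssumeRole"},'
    '{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/Deploy"}, "Action": "sts:AssumeRole"}]}')
```

Run against real policies, a hit from either function marks a principal that belongs on an attack-path review rather than an automatic finding, since the wider context (Deny statements, permission boundaries, SCPs) is not evaluated here.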
Note: XM Cyber’s Attack Path Management Impact Report: 2021 Year in Review is based on an analysis of 2 million entities (endpoints, cloud resources, files, folders) under Attack Path Management between January 1, 2021, and December 31, 2021.