The pandemic pushed companies to accelerate their adoption of cloud services, infrastructure, and workloads to support a growing remote workforce, but the shift has redefined who represents an insider threat — nearly anyone, and any workload, with a set of credentials.
No wonder, then, that attackers are increasingly taking aim at cloud services and infrastructure using credential stuffing, phishing, and other identity attacks. An estimated 85% of Web application attacks used stolen credentials in 2021, according to Verizon's annual "Data Breach Investigations Report," while Microsoft estimates that 70% of attacks start with phishing, another identity-focused attack.
These are not new tactics on the part of adversaries, but they show that they are making use of the growing attack surface area, says Carolyn Crandall, chief security advocate at Attivo Networks, an identity detection and response firm.
"With the move to a hybrid workforce and the migration to AWS and Azure environments, this has been very difficult for security teams to manage," she says. "It is not necessarily that the attacks are changing to take greater advantage of identities as much as it is that this is a new attack surface that is very large that has made the risks exponentially higher."
As companies' internal infrastructure quickly transitioned during the pandemic to externally accessible cloud services and infrastructure, the risk of credential-based attacks has increased. Cloud and remote-access accounts protected by a simple username and password became the focus of most attackers. Microsoft claims to have blocked almost 26 billion identity attacks attempts in 2021, while Akamai blocked 193 billion credential attacks in 2020, an increase of 310% from 2019.
Yet identity attacks go beyond credential stuffing and phishing. As companies move to adopt multiple cloud platforms for redundancy and resilience, attackers are "exploiting the seams between clouds" and looking for weaknesses presented by the massive surge in workload identities, says Alex Simons, corporate vice president, program management, for Microsoft's Identity division.
"The latest set of attacks that we are seeing is where the attackers are going after the identities that software uses to talk to other software," he says. "Companies don't realize that you have to manage a workload identity [as these are called] just as carefully as you manage and protect a human identity. Most of our customers have more workload identities than human identities and the workload identities are growing much faster."
Cloud as an Attack Surface
The concerns come as business are shifting much of the operations to the cloud, rely on remote management of cloud infrastructure and services, and continue to use more virtual machines and containers — that is, cloud "workloads" — to run their operations. More than nine in 10 businesses have committed to a multicloud strategy, according to "2021 State of the Cloud Report," released by cloud management firm Flexera last year.
The added complexity can lead to greater insecurity, if not handled correctly, says Microsoft's Simons.
"A lot of our customers have these very challenging configuration problems, where they had to Frankenstein together a solution to monitor what is going on in Azure, what is going on in AWS, what is going on with VMware on-premises, and what is going on with GCP," he says. "Trying to monitor that gigantic surface area is really challenging."
To make cloud environments even more complex, the identities and permissions of every virtual machine, container, and other cloud workload also has to be managed. Most companies have more machine identities than employees, yet they don't have good visibility into what those workloads are doing. Microsoft currently sees its customers' workload identities growing at twice the pace of humans.
Over-permissioned and Under-secured
The capabilities of those workloads are also not well managed. The vast majority of Amazon workloads — 90% — are using less than 2% of their granted privileges, which means that companies have to pay the machines at least equal attention as the humans, says Attivo Networks' Crandall.
"It is not about what is human anymore, but about identities, because you need to factor in human and non-human identities," she says. "We have to get people to not consider just authorization and authentication, or 'I have MFA, so I'm fine' — they have to go so much further than that."
The worries are not new. A 2009 study found that eliminating administrator rights reduced the severity of 92% of the critical Microsoft vulnerabilities from the previous year. A 2020 follow-up report suggested that the problem had waned, but certainly not disappeared, with 56% of critical vulnerabilities mitigated by removing administrator privileges.
In many cases, identity attacks start with phishing. In fact, in nearly 70% of attacks started with a phishing attack to gather credentials, which may be sold to access brokers, according to Microsoft's "2021 Digital Defense Report." Eventually, the credential are used to access corporate resources — which, if they belong to an overprivileged user, can be exploited to move laterally through a company's network.
Those represent two of the major issues today, overreliance on passwords and the overpermissioning of users, especially administrators, says Andras Cser, vice president and principal analyst for security and risk management at Forrester Research. "The password is useless, 100% useless — in fact, it's worse than useless because it presents a false sense of security," he says.
The first line of defense is focusing on doing the basics. Companies that are committed to basic security hygiene eliminate exposure to 98% of attacks, according to Microsoft's "2021 Digital Defense Report." Multifactor authentication should be rolled out everywhere within a company to protect users who reuse passwords or who have had their credentials stolen or phished.
The workload identity problem can be addressed along with human identities by continuously monitoring who, or what, is accessing company resources. "Companies need to assess access rights, and review of those rights," says Forrester's Cser. "You have to ruthlessly review everyone's access rights, and if someone does not need access to a resource, take it away and document that."
Finally, enterprises should remove backward compatibility with legacy authentication protocols because attackers will often attempt to downgrade to an older protocol, allowing them to exploit older vulnerabilities.
"The problem is that there is a lot of old infrastructure," Cser says, "and getting rid of it takes time, but companies are connecting it to the cloud even before its secure."