Now, all hope is not lost. It\u2019s not as if we just let Thanos live in the Garden peacefully (in other words, walking away without consequences). While we can\u2019t rewind time by taking the infinity stones for ourselves, we can change our approach to cloud security with a prevention-first security strategy.<\/p>\n
<\/p>\n
<\/h2>\nFirst Things First: Learn Who Targets Cloud Native Infrastructure<\/h2>\n
Malicious actors who threaten your organization\u2019s cybersecurity have historically done so by compromising systems and devices within an organization\u2019s physical location. With the rise of hosting infrastructure within cloud service platforms (CSPs) and cloud native container platforms, attackers are modifying their tactics, techniques and procedures (TTPs) in order to compromise cloud infrastructure.<\/p>\n
As a result, a new classification of threat actors has emerged, labeled by Unit 42 as \u201ccloud threat actors.\u201d Unit 42 defines a cloud threat actor as an individual or group posing a threat to organizations through directed and sustained access to their cloud platform resources, services or embedded metadata<\/em>.<\/p>\n While cloud threat actors follow the same overall operational workflow as traditional threat actors, cloud threat actors have evolved their TTPs to a level of sophistication that enables them to potentially modify, create or delete cloud environment resources. Let\u2019s dive into some of the details of who these cloud threat actors are and what they have in common with each other.<\/p>\n <\/p>\n To assist in defending against the growing threat of cloud threat actors, Unit 42 researchers created an industry-first Cloud Threat Actor Index, which charts the specific operations performed by threat groups who target cloud infrastructure.<\/p>\n The data found in the Cloud Threat Actor Index follows the MITRE ATT&CK\u00ae cloud<\/a> and container<\/a> matrices, giving security professionals a common framework around which to communicate and discuss the TTPs employed by these threat actors. The Cloud Threat Actor Index also employs the Unit 42 ATOM<\/a> service to provide security professionals with all of the known indicators of compromise (IoCs) used by the cloud threat actors packaged within the industry standard STIX\/TAXII format. This format allows for easy integration with cloud security tools and platforms.<\/p>\n The groups highlighted in the Cloud Threat Actor Index all directly target cloud service platforms. Going a step further, once they bypass traditional security defenses, they are able to gain an initial foothold within the compromised organization\u2019s cloud infrastructure.<\/p>\n In the following section, we will explore one of the top five cloud threat actors targeting the cloud (this cloud threat actor can also be found in the index). We will then follow that example by explaining how these groups could be prevented from being able to execute at least two of their TTPs.<\/p>\n <\/p>\n A description of WatchDog<\/a> and their TTPs from the Cloud Threat Actor Index can be found below:<\/p>\n \u201cWatchDog is a cloud-focused threat group that has a history of cryptojacking<\/a> operations as well as cloud service platform credential scraping. They were first known to operate on Jan. 27, 2019. They use a variety of custom-built Go Scripts as well as repurposed cryptojacking scripts from other groups, including TeamTNT. They are currently considered to be an opportunistic threat group that targets exposed cloud instances and applications.\u201d<\/p>\n In the chart above, the red background denotes TTPs specific to cloud platforms, whereas the green background denotes TTPs that are container-platform specific. TTPs in red font denote operations that can lead to the wider compromise of cloud infrastructure.<\/p>\n As shown in the chart, there are several TTPs WatchDog employs that are container-specific and even allow for the possibility of container escape<\/a>. Interestingly, these techniques can occur across any stage of the operational workflow \u2013 from execution all the way through to discovery.<\/p>\n <\/p>\n Dr. Strange only saw one possible outcome to defeating Thanos once and for all, which involved Iron Man sacrificing his own life; similarly we see one way (and only one) to ensure that cloud threat actors are unable to perform container-specific and container escape\/resource-specific TTPs. And that one way would be through container security. Luckily, proper container security can be achieved through best practices \u2013 no heroes need sacrifice their lives.<\/p>\n By ensuring that your organization has purpose-built security that addresses vulnerability management, compliance, runtime protection and network security requirements for containerized applications, you are putting into place a prevention strategy that keeps you protected all the way from build to runtime and everything in between.<\/p>\n If you\u2019re curious what to look for, this informational article provides insight into what a full lifecycle container security solution<\/a> should have.<\/p>\n <\/p>\n So Dr. Strange and Iron Man have helped make sure your containers can\u2019t be targeted by Thanos, but what about all those other TTPs just waiting to be put to malicious use to infiltrate your cloud infrastructure some other way? That\u2019s where the rest of the Avengers come in, and we all know that the team together is more powerful than any hero working alone.<\/p>\n When all the Marvel heroes work together: from Dr. Strange and Iron Man, to Captain America and Spider Man, to Black Widow and Hawkeye and the rest of the Avengers, Thanos doesn\u2019t stand a chance. In the same way, when your organization deploys full lifecycle cloud security, neither does WatchDog or any other cloud threat actor<\/a>.<\/p>\n For that reason, it is essential to assemble your own arsenal of defenses against these cloud threat actor groups, who are looking for any way to infiltrate your organization and take control of it. The best way to do that would be to employ a cloud native application protection platform (CNAPP)<\/a>.<\/p>\n With a CNAPP, you have the equivalent of every infinity stone and Avenger on your side: cloud code security, cloud security posture management (CSPM), cloud workload protection (CWPP), cloud network security (CNS) and cloud identity security. Sure, all of these capabilities are powerful on their own, but when your organization brings them together, cloud threat actors will be rendered powerless.<\/p>\n <\/p>\n In Unit 42\u2019s latest Cloud Threat Report, \u201cIAM The First Line of Defense<\/a>,\u201d cloud threat researchers provide five cloud threat actor TTPs charts. They also dive into how proper identity and access management can be your first line of defense in protecting against being targeted by cloud threat actors. Finally, Unit 42 researchers provide in-depth recommendations for getting started on protecting your organization today, including how to deploy CNAPP suite integration, how to harden IAM permissions and how to increase security automation.<\/p>\n<\/h2>\n
Unit 42\u2019s Industry-First Cloud Threat Actor Index<\/h2>\n
<\/h2>\n
<\/a>WatchDog: The Stealer<\/h2>\n
![\"WatchDog](\"https:\/\/www.paloaltonetworks.com\/blog\/wp-content\/uploads\/2022\/06\/word-image-12.png\")
<\/span><\/div><\/h2>\n
Container Security: The Iron Man to a Modern Thanos<\/h2>\n
<\/h2>\n
Why You Need a Cloud Native Application Protection Platform (Cue the Avengers Theme Song)<\/h2>\n
<\/h2>\n
Get Your Copy of Unit 42\u2019s Cloud Threat Actor Index<\/h2>\n