Attackers Use Automation to Speed from Exploit to Compromise According to Lacework Labs Cloud Threat Report
New open source Cloud Hunter tool, developed through Lacework Labs research, helps customers get better visibility to reduce response times for incident investigations
October 13, 2022
San Jose, Calif., October 13, 2022 – Lacework®, the data-driven cloud security company, today released the fourth Lacework Labs Cloud Threat Report and subsequently launched a new, open source tool for cloud hunting and security efficacy testing. The new tool, known as Cloud Hunter, will help customers keep pace with ever-improving adversarial tradecraft through advanced environmental analysis and improved incident response time.
Developed in response to new types of sophisticated threat models uncovered through Lacework Labs’ research, Cloud Hunter utilizes the Lacework Query Language (LQL) to permit hunting across data within the Lacework platform by way of dynamically-created LQL queries. Customers can quickly and easily find data and develop queries for ongoing monitoring as they scale detections along with their organization’s cloud security program. Data is automatically analyzed while Cloud Hunter extracts information, further streamlining the capabilities and response times for incident investigations.
The Lacework Labs Cloud Threat Report examines the cloud security threat landscape over the past three months and unveils the new techniques and avenues cybercriminals are exploiting for profit at the expense of businesses. In this latest edition, the Lacework Labs team found a significantly more sophisticated attacker landscape, with an increase in attacks against core networking and virtualization software, and an unprecedented increase in the speed of attacks following a compromise. Key trends and threats identified include:
- Increased speed from exposure to compromise: Attackers are advancing to keep pace with cloud adoption and response time. Many classes of attacks are now fully automated to capitalize on timing. Additionally, one of the most common targets is credential leakage. In a specific example from the report, a leaked AWS access key was caught and flagged by AWS in record time. Despite the limited exposure, an unknown adversary was able to login and launch tens of GPU EC2 instances, underscoring just how quickly attackers can take advantage of a single simple mistake.
- Increased focus on infrastructure, specifically attacks against core networking and virtualization software: Commonly deployed core networking and related infrastructure consistently remains a key target for adversaries. Core flaws in infrastructure often appear suddenly and are shared openly online, creating opportunities for attackers of all kinds to exploit these potential targets.
- Continued Log4j reconnaissance and exploitation: Nearly a year after the initial exploit, the Lacework Labs team is still commonly observing vulnerable software targeted via OAST requests. Analysis of Project Discovery (interact.sh) activity revealed Cloudflare and DigitalOcean as the top originators.
“Creating an open source tool not only extends our capabilities as a research team and company, but also gives us a way to fully give back to and empower the developer community based on what we’re seeing from our threat research,” said James Condon, Director of Threat Research at Lacework. “As our research shows an increasingly more sophisticated attack landscape, this tool provides a more detailed analysis of an organization’s unique environment based on the new techniques being leveraged by attackers. Cloud Hunter is the first tool from Lacework to generate queries that can be directly converted into custom policies within a customer’s environment.”
The Lacework Labs team also examined issues around how “rogue accounts” are utilized by attackers for the reconnaissance and probing of S3 buckets as well as the growing popularity of cryptojacking and steganography. A full copy of the report and the executive summary can be found here.
Lacework is the data-driven security platform for the cloud. The Lacework Cloud Security Platform, powered by Polygraph, automates cloud security at scale so our customers can innovate with speed and safety. Only Lacework can collect, analyze, and accurately correlate data across an organization’s AWS, Azure, GCP, and Kubernetes environments, and narrow it down to the handful of security events that matter. Customers all over the globe depend on Lacework to drive revenue, bring products to market faster and safer and consolidate point security solutions into a single platform. Founded in 2015 and headquartered in San Jose, Calif., Lacework is backed by leading investors like Sutter Hill Ventures, Altimeter Capital, D1 Capital Partners, Tiger Global Management, Counterpoint Global (Morgan Stanley), Franklin Templeton, Durable Capital, General Catalyst, XN, Coatue, Dragoneer, Liberty Global Ventures, and Snowflake Ventures, among others. Get started at www.lacework.com.