Top 6 Cloud Security Threats in 2023

Jeff Hershberger
Jan 10, 2023

Even though cloud computing as we know it has been around for nearly two decades, cloud adoption continues to grow. Respondents in Flexera’s 2022 State of the Cloud Report indicated that while 50% of their workloads and 48% of their data were already in public clouds, they still planned to increase those shares by 6% and 7% respectively over the next year. Those are just their short-term goals.

As organizations migrate more valuable assets to the cloud, cloud environments increasingly become a viable target for cyber attacks. You’ll be better equipped to counter these adversaries if you know what they are. In this post, we’d like to share with you what we believe are the top 6 cloud security threats you need to look out for in the next 12 months and perhaps beyond.

1. Cloud Service Provider (CSP) compromise

As we’ve learned from the SolarWinds supply chain attack, threat actors can also reach you through your suppliers and other business partners. In the 2022 Data Breach Investigations Report, 39% of breaches were attributed to business partners. For cloud environments, the CSP plays the role of a business partner. Consequently, if your cloud provider’s systems are compromised, your cloud resources on that provider’s platform can also be at risk.

Once a threat actor has established a beachhead on a CSP’s platform, it can move laterally and attack cloud customers’ resources. With the SolarWinds attack having already shown cybercriminals the multiplier effect of a supply chain attack, it wouldn’t be surprising if a CSP attack designed to reach cloud customers is already in the works.

2. Ransomware

Ransomware attacks are notorious for bringing business operations to a standstill and causing financial and data loss. In the 2022 Cost of a Data Breach Report, ransomware-related data breaches grew 41% from the previous year. We believe ransomware incidents will continue to grow and remain a serious threat to businesses. Although ransomware attacks on cloud environments are still relatively rare, the threat does exist: AWS, the leading public cloud provider, has published multiple pieces of guidance on ransomware risk mitigation for cloud resources.

Cloud-native systems might be immune to ransomware designed for on-premises systems, although an attacker holding stolen cloud credentials can still encrypt or delete data through the cloud APIs themselves. More to the point, not all systems are built natively in the cloud. Some are the same virtual servers that ran on premises, migrated to the cloud as is using “lift-and-shift” methods. These systems can still be infected by traditional malware, for example if you inadvertently upload or transfer infected files to them. Many organizations adopt a hybrid cloud strategy in which cloud-based systems are integrated with on-premises systems, so that scenario isn’t far fetched.

3. Insider threats

According to the 2022 Data Breach Investigations Report (DBIR), breaches involving malicious insiders aren’t as prevalent as those involving external threat actors. However, the same report also shows that when such breaches do occur, they usually affect far more records. Specifically, the median number of compromised records in breaches involving insiders was more than ten times that of breaches involving external threat actors.

Indeed, while external threat actors usually still have to carry out (often multiple) privilege escalation steps to acquire the right access credentials, many insiders already have privileged access from the start. Insider threats can cause even greater damage in cloud environments because of the centralized nature of the cloud’s administrative interface. An attacker who takes over a single privileged account can have instant access to multiple virtual servers, storage accounts, and other cloud resources. That is why least-privilege roles and MFA-protected, short-lived administrative sessions matter even more in the cloud than on premises.

4. Use of stolen credentials

In the previous section, we implied that breaches involving external threat actors were more prevalent than those involving insiders. To be more specific, the 2022 DBIR found that almost 3 out of 4 breaches were externally initiated. One of the methods external threat actors use to reach their targets is stolen credentials, which can be acquired through tactics like phishing and credential stuffing.

You’re probably familiar with the former. Credential stuffing is an attack that capitalizes on the common practice of reusing the same login credentials across multiple sites. When those credentials are exposed in a data breach, they typically end up in hacking forums, where they’re purchased by other cybercriminals who replay them against other sites and cloud services in what are known as credential stuffing attacks. There have been numerous breaches in the past couple of years, so if you’re using the same passwords across multiple cloud applications, those stolen passwords can come back to haunt you. Unique passwords per service and multi-factor authentication blunt the attack: a password that is only valid in one place, and not sufficient on its own, is worth little on a forum.
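Because a credential stuffing run replays one password per account across many accounts, it leaves a different footprint in your sign-in logs than a brute-force attack on a single account. The following detector, added here as an example and not code from the original post or from Intrusion, separates the two patterns over a handful of constructed log lines; the log format, the RFC 5737 documentation IP addresses, the user names and the thresholds are all assumptions to adapt to your own identity provider’s sign-in log.

```python
"""Flag credential-stuffing activity in authentication logs.

Added example (not from the original post). The log format, source IPs,
user names and thresholds are constructed for illustration.

Credential stuffing: ONE source tries MANY distinct accounts, usually once
each, with a low success rate. Brute force: ONE source hammers ONE account
with many passwords. The detector tells the two apart per source IP.
"""
import re
from collections import defaultdict

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2023-01-10T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2023-01-10T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2023-01-10T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2023-01-10T10:00:03Z src=203.0.113.5 user=dave result=SUCCESS
2023-01-10T10:00:03Z src=203.0.113.5 user=erin result=FAIL
2023-01-10T10:00:04Z src=203.0.113.5 user=frank result=FAIL
2023-01-10T10:00:05Z src=198.51.100.7 user=alice result=FAIL
2023-01-10T10:00:06Z src=198.51.100.7 user=alice result=FAIL
2023-01-10T10:00:07Z src=198.51.100.7 user=alice result=FAIL
2023-01-10T10:00:08Z src=198.51.100.7 user=alice result=FAIL
2023-01-10T10:00:09Z src=198.51.100.7 user=alice result=FAIL
2023-01-10T10:00:10Z src=192.0.2.9 user=grace result=SUCCESS
2023-01-10T10:00:11Z src=192.0.2.9 user=grace result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Yield (src, user, success) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["user"], m["result"] == "SUCCESS"


def classify_sources(text, min_attempts=5, stuffing_min_users=4, max_success_rate=0.5):
    """Return {src: "credential_stuffing" | "brute_force" | "benign"}.

    credential_stuffing: many distinct users from one source, low success rate.
    brute_force: the attempts are concentrated on one or two accounts.
    benign: below the attempt threshold (thresholds are illustrative).
    """
    attempts = defaultdict(int)
    successes = defaultdict(int)
    users = defaultdict(set)
    for src, user, ok in parse_log(text):
        attempts[src] += 1
        successes[src] += ok
        users[src].add(user)

    verdicts = {}
    for src, n in attempts.items():
        if n < min_attempts:
            verdicts[src] = "benign"
            continue
        distinct = len(users[src])
        rate = successes[src] / n
        if distinct >= stuffing_min_users and rate <= max_success_rate:
            verdicts[src] = "credential_stuffing"
        elif distinct <= 2:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "benign"
    return verdicts


def compromised_accounts(text):
    """Accounts that logged in SUCCESSFULLY from a source flagged as stuffing:
    these are the reused-password victims that need a forced reset."""
    flagged = {s for s, v in classify_sources(text).items() if v == "credential_stuffing"}
    return sorted({u for s, u, ok in parse_log(text) if ok and s in flagged})


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
    print("force password reset for:", compromised_accounts(SAMPLE_LOG))
```

On the sample, 203.0.113.5 (six accounts, one hit) is classified as credential stuffing, 198.51.100.7 (one account, five misses) as brute force, and the two attempts from 192.0.2.9 as benign. The one account that the stuffing source logged into successfully, dave, is the password-reuse victim to reset first. In a real deployment the window, thresholds and the "many accounts, few attempts each" signal should be tuned against your own baseline, and the source key may need to be an ASN or device fingerprint rather than an IP, since stuffing tools rotate proxies.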

5. Cloud misconfiguration exploitation

Exploitation of cloud misconfigurations was the third most common initial attack vector in 2022, accounting for 15% of breaches, according to the 2022 Cost of a Data Breach Report. The report added that breaches starting from this vector cost an average of USD 4.14 million. Cloud misconfigurations range from poorly restricted access to cloud storage services, missing encryption, and inadequate access controls, to open ports and unpatched software.

These misconfigurations are mostly due to human lapses and can be reduced through constant user education and reminders, backed by automated checks that catch a bad setting before it reaches production. That said, we expect cloud misconfiguration issues to worsen as organizations shift to more complex cloud architectures like multi-cloud and hybrid cloud. According to Flexera’s 2022 State of the Cloud Report, 89% of respondents already employed a multi-cloud strategy (multiple public clouds, multiple private clouds, or a combination of public and private clouds, a.k.a. hybrid cloud), with 80% of them using hybrid clouds.
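The first misconfiguration in the list above, poorly restricted access to cloud storage, is usually a bucket policy that grants access to a wildcard principal. The check below is an added example, not code from the original post or from Intrusion: it shows a constructed public-read S3 bucket policy beside a corrected one and a small pre-deployment test that flags the weak version. The bucket name, account ID, role ARN and organization ID are placeholders, and the "is this public?" rule is a deliberately simplified form of the one AWS applies when it labels a bucket policy public (an Allow statement with a wildcard principal and no condition narrowing the caller); it is a sanity check, not a replacement for IAM Access Analyzer or S3 Block Public Access.

```python
"""Catch a publicly readable bucket policy before it reaches production.

Added example, not code from the original post. Bucket name, account ID,
role ARN, organization ID and all three policies are constructed. The
public test is a simplified approximation of AWS's own rule and is meant
as a pre-commit sanity check only.
"""
import json

# Misconfiguration (constructed): the whole internet can read every object.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-data-bucket/*",
    }],
})

# Corrected policy (constructed): one named role may read, and any request
# not sent over TLS is denied outright.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-data-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-data-bucket",
                         "arn:aws:s3:::example-data-bucket/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Wildcard principal, but pinned to one organization (constructed): not public.
ORG_SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OrgRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-data-bucket/*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}},
    }],
})

# Condition keys that pin a wildcard principal to a specific caller or network.
SCOPING_KEYS = {
    "aws:principalaccount", "aws:principalorgid", "aws:principalarn",
    "aws:sourceaccount", "aws:sourcearn", "aws:sourcevpc", "aws:sourcevpce",
    "aws:sourceip",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_wildcard(principal):
    """True for "*" or {"AWS": "*"} (or any principal value list holding "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _condition_scopes_caller(condition):
    """True if any condition key narrows who the caller can be."""
    if not condition:
        return False
    keys = {k.lower() for block in condition.values() for k in block}
    return bool(keys & SCOPING_KEYS)


def public_statements(policy_json):
    """Return the Sids of Allow statements that grant access to everyone."""
    policy = json.loads(policy_json)
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if _condition_scopes_caller(stmt.get("Condition")):
            continue
        flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    for name, policy in [("weak", WEAK_POLICY), ("fixed", FIXED_POLICY),
                         ("org-scoped", ORG_SCOPED_POLICY)]:
        print(f"{name:11} public statements: {public_statements(policy) or 'none'}")
```

The weak policy is flagged on its `PublicRead` statement, while the fixed policy and the organization-scoped one pass: the Deny statement in the fixed policy also names `Principal: "*"`, but a Deny can never make a bucket public, and `aws:PrincipalOrgID` restricts who the wildcard can be. Running a check like this in CI against Terraform or CloudFormation output catches the human lapse the paragraph describes before a reminder email would.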

6. Distributed Denial of Service (DDoS) attacks

DDoS attacks haven’t only gotten bigger, they’ve also gotten much longer. While 2022 was relatively tamer than 2021 from a throughput and packet-rate standpoint (as far as we know, the DDoS attack on an Azure customer that reached a maximum throughput of 3.45 Tbps and a packet rate of 430 million PPS still holds the record), many DDoS attacks last year lasted far longer.

Last year, the average duration of a DDoS attack was a staggering 50 hours; the previous year, the average was only 30 minutes. What’s worrying is that this means the operators behind these attacks now command much larger resources: sustaining a DDoS attack is expensive, let alone one that runs for more than two days. DDoS attacks have gotten worse practically every year, so we don’t expect 2023 to be any different.

Final words

There are certainly many other threats to cloud environments, but we believe these are the top 6 to look out for this year. Rest assured we’ll cover other serious threats as the year progresses.

Many threats to cloud environments involve inbound or outbound connections from or to malicious hosts. One way to counter these threats is to employ Intrusion’s cloud network security solution, Shield Cloud, which uses reputation- and behavior-based techniques to identify and automatically block malicious connections.

Shield Cloud supports multi-cloud and hybrid cloud environments (the latter in conjunction with our on-premises network protection solution, Shield On-Premise). It integrates with other existing cybersecurity solutions to help you implement a multi-layered Zero-Trust strategy. We also offer threat hunting and consulting services to help you proactively find vulnerabilities in your cloud environment.

Not sure if Shield is right for your cloud environment? Let’s talk. Our security experts will be happy to help you determine that.
