Introduction: Orca Security, a leading cybersecurity company, has recently published its 2023 Honeypotting in the Cloud Report. The report sheds light on the tactics and techniques attackers use in cloud environments. By deploying honeypots across various cloud resources, Orca Security shows which vulnerabilities attract potential attackers and offers recommendations for improving cloud security. Let's look at the key findings.
Unveiling Key Findings:
- Rapid Discovery of Vulnerable Assets: Misconfigured and vulnerable assets were discovered within minutes, highlighting the urgency of implementing robust security measures. Notably, GitHub and HTTP honeypots were accessed within minutes, while S3 Buckets were targeted within an hour, and Elastic Container Registry experienced attacks over a span of four months.
- Variation in Time to Key Usage: Attackers exhibited different timelines in exploiting exposed keys. For instance, key usage on GitHub occurred within a mere two minutes, emphasizing the immediate compromise of exposed keys. On the other hand, it took eight hours for attackers to exploit S3 Buckets, while Elastic Container Registry witnessed key usage over a four-month period.
- Diverse Targeting of Cloud Assets: Attackers prioritize popular resources with easier accessibility, especially if they contain sensitive information. Assets like SSH are highly targeted for malware and cryptomining activities, highlighting the need for heightened defenses in these areas.
- Limitations of Automated Key Protection: The report found automated key protection only on GitHub, where the permissions of the exposed AWS key were locked down immediately. No similar automated protection was observed on the other resources tested.
- Global Impact: The research findings indicate that no region is immune to cloud security risks. While 50% of exposed AWS key usage occurred in the US region, incidents were reported in various other regions, including Canada, APAC, Europe, and South America.
Insight into the Research Methodology: Orca Security conducted this research between January and May 2023. To create the honeypots and simulate misconfigured resources, the team intentionally broke established security best practices. They established repositories in different environments with public or easy access and placed secret AWS keys within the honeypots. The researchers then monitored and recorded attacker behavior once the honeypots were exposed.
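The measurement described above (time from exposure to first key use, and where the calls landed) can be reproduced from CloudTrail logs for a decoy key. This is an added example, not code from Orca Security's report; the key IDs, exposure time and log records are constructed, and the field names are standard CloudTrail record fields.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Assumed, not from the report: decoy key ID (AWS docs example) and exposure time.
DECOY_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
EXPOSED_AT = datetime(2023, 1, 10, 12, 0, 0, tzinfo=timezone.utc)

# Constructed CloudTrail records: real field names, made-up values.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2023-01-10T12:02:07Z", "eventName": "GetCallerIdentity",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2023-01-10T12:05:41Z", "eventName": "ListBuckets",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2023-01-10T20:15:00Z", "eventName": "DescribeInstances",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.44",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2023-01-10T12:01:00Z", "eventName": "PutObject",
     "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},  # unrelated key
    {"eventTime": "2023-01-09T08:00:00Z", "eventName": "GetCallerIdentity",
     "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.10",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},  # our own pre-exposure test
]})

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def summarize_decoy_usage(raw_log, key_id=DECOY_KEY_ID, exposed_at=EXPOSED_AT):
    hits = []
    for rec in json.loads(raw_log).get("Records", []):
        if (rec.get("userIdentity") or {}).get("accessKeyId") != key_id:
            continue  # other keys, or events with no access key at all
        when = parse_time(rec["eventTime"])
        if when >= exposed_at:  # calls before exposure are the operator's own
            hits.append((when, rec))
    if not hits:
        return None  # key has not been used since exposure
    hits.sort(key=lambda h: h[0])
    first_when, first = hits[0]
    return {
        "seconds_to_first_use": int((first_when - exposed_at).total_seconds()),
        "first_event": first["eventName"],
        "calls_by_region": dict(Counter(r["awsRegion"] for _, r in hits)),
    }

if __name__ == "__main__":
    print(json.dumps(summarize_decoy_usage(SAMPLE_LOG), indent=2))
```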
Leveraging the Research Results: The study reaffirms that attackers constantly scan the internet for lucrative opportunities. The speed with which attackers discovered and used exposed keys in some cases was particularly surprising. The study emphasizes the importance of minimizing breadcrumbs for S3 Buckets to avoid accelerated access and key usage. By applying these research insights, organizations can strengthen their defenses and proactively protect their cloud assets.
Conclusion: The 2023 Honeypotting in the Cloud Report by Orca Security serves as a vital resource for understanding the evolving cloud security landscape. The findings highlight the need for organizations to implement robust security measures and best practices to safeguard their cloud environments effectively. With the invaluable insights provided in this report, businesses can bolster their defenses and stay one step ahead of potential attackers in the ever-changing realm of cloud security.