In the year 2023, the landscape of cloud security began to shift as both attackers and defenders adapted to new strategies. Gone were the days of simple attacks targeting single services and stealing data from S3 buckets. Instead, advanced threat actor groups, such as LUCR-3 (Scattered Spider), showcased their ability to breach the environments of major companies like MGM, Caesars, and Clorox through masterful reconnaissance in SaaS environments.
As 2024 approaches, experts are predicting that advanced threat actors will continue to evolve their tactics and target new vulnerabilities in cloud security. In particular, there are several key trends that security professionals should be prepared for in the coming year.
One of the primary areas of concern is the continued targeting of identity providers in cloud environments. Okta, Microsoft Entra ID (formerly Azure AD), and JumpCloud all experienced breaches in 2023, highlighting the significant risk posed by compromised identity providers. Because authentication is centralized, a threat actor who gains access to a victim's IdP instance can potentially access every application that relies on that IdP, multiplying the impact of the breach.
In addition to targeting identity providers, threat actors are expected to focus on compromising SaaS providers that have delegated access into customer environments. By breaching these vendors, threat actors can gain access to all of the customer tenants they manage, potentially exposing sensitive data and compromising code signing certificates.
Furthermore, the risk associated with cloud supply chain attacks is expected to increase as threat actors target the downstream customers of these vulnerable vendors. Many SaaS infrastructure tools rely on access delegation into customer tenants, and threat actors have found opportunities to exploit that delegated access, particularly because these vendors have historically been granted far more privilege than they need.
Even major cloud service providers like AWS, Azure, and GCP are not immune to the risk associated with support entities and third-party contractors. While these providers invest heavily in securing their platforms, they remain vulnerable to supply chain attacks, making the potential downstream impact catastrophic.
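The overprivileged delegated access described above is something a defender can inventory rather than just worry about. The following is an added example, not code from the article or from Permiso Security: it audits a small constructed set of AWS IAM role definitions (account ids, role names and policies are all placeholders) and flags roles that can be assumed by an external account without an `sts:ExternalId` condition, and roles that combine such external trust with a wildcard `*` permission grant. The same check can be pointed at a real export of trust and permission policies.

```python
import json

# Constructed sample inventory. Account ids and role names are placeholders,
# not real identifiers; the shape mirrors IAM trust and permission policies.
OWN_ACCOUNT = "111111111111"

ROLES = {
    # Vendor role done properly: scoped read permissions, ExternalId required.
    "VendorMonitoringRole": {
        "trust": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "vendor-abc-unique"}},
        }]},
        "permissions": [{"Effect": "Allow",
                         "Action": ["cloudwatch:Get*", "cloudwatch:List*"],
                         "Resource": "*"}],
    },
    # Vendor role that is both externally assumable with no ExternalId and admin.
    "VendorBackupRole": {
        "trust": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
            "Action": "sts:AssumeRole",
        }]},
        "permissions": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    # Internal role: trusted only by our own account, so no delegation finding.
    "InternalDeployRole": {
        "trust": {"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:role/ci-runner"},
            "Action": "sts:AssumeRole",
        }]},
        "permissions": [{"Effect": "Allow", "Action": "s3:PutObject",
                         "Resource": "arn:aws:s3:::deploy-artifacts/*"}],
    },
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Extract the account id from an IAM principal ARN; '*' means anyone."""
    if principal == "*":
        return "*"
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 else principal


def _requires_external_id(statement):
    for operator_values in statement.get("Condition", {}).values():
        if isinstance(operator_values, dict) and "sts:ExternalId" in operator_values:
            return True
    return False


def audit_role(name, role, own_account):
    """Return a list of finding strings for one role (empty when clean)."""
    findings = []
    externally_assumable = False
    for stmt in role["trust"]["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            account = _account_of(principal)
            if account == own_account:
                continue
            externally_assumable = True
            if not _requires_external_id(stmt):
                findings.append(
                    f"{name}: assumable by external account {account} "
                    "without an sts:ExternalId condition")
    if externally_assumable:
        for stmt in role["permissions"]:
            actions = _as_list(stmt.get("Action", []))
            if stmt.get("Effect") == "Allow" and "*" in actions \
                    and stmt.get("Resource") == "*":
                findings.append(
                    f"{name}: externally assumable role holds full '*' permissions")
    return findings


def audit_all(roles, own_account):
    """Map role name -> findings, keeping only roles that have at least one."""
    result = {}
    for name, role in roles.items():
        findings = audit_role(name, role, own_account)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    print(json.dumps(audit_all(ROLES, OWN_ACCOUNT), indent=2))
```

Run as-is it reports only `VendorBackupRole`, with two findings; the properly scoped vendor role and the internal role are silent. Feeding it the output of `aws iam get-role` and `get-role-policy` for every role in an account gives a quick picture of which third parties can reach in, and how much they could do once inside.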
Another area of concern is the reliance on multi-factor authentication (MFA) as a security measure. Advanced threat actor groups have found ways to bypass MFA, particularly where SMS is used as the second factor. As a result, more companies are expected to move away from SMS-based authentication toward biometric or hardware-based MFA solutions.
However, threat actors are likely to adapt to these changes and continue to leverage AI for malicious purposes, including the creation of deepfakes for social engineering attacks. Deepfake assets will enable threat actors to orchestrate sophisticated impersonation, making it more difficult for organizations to detect and prevent social engineering attacks.
As a response to these evolving threats, it is essential for security teams to remain vigilant and adapt their policies and plans to address the changing tactics, techniques, and procedures (TTPs) of advanced threat actor groups. It is critical for organizations to prioritize risk management and implement robust security measures to mitigate the impact of potential breaches.
In conclusion, the year 2024 is likely to see a continuation of the sophisticated attack patterns observed in 2023, with modern cloud threat actors gravitating towards more lucrative endeavors such as ransomware and extortion. Security teams must prepare for the evolving tactics of threat actors and take proactive measures to safeguard their cloud environments.
This news article was written by Jason Martin, Co-founder and Co-CEO at Permiso Security, who possesses over 25 years of experience in cybersecurity and is actively involved in conference organizing, investing, and industry leadership. For more information, you can reach Jason Martin on LinkedIn or visit the Permiso Security website at permiso.io.