
Google Cybersecurity Action Team Threat Horizons Report #3 Is Out!

This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our third Threat Horizons Report (full version) that we just released (the official blog for #1 report, my unofficial blog for #2).

My favorite quotes from the report follow below:

  • “Another common tactic that continues to be observed is when bad actors actively impersonate legitimate sounding organizations (especially in journalism or education) with the objective of interacting with the target in a trusted manner before launching an attack.” [A.C. — to me, this is interesting as this pushes us further into “unbeatable” phishing territory where humans basically engage other humans and convince them to act in the way they want]
  • “We are following up with an assessment of how attackers are getting in to install cryptominers, and our recommendations for mitigation. […] one of the most common attack vectors used across cloud providers was brute force of cloud services that are exposed to the internet and have a weak or default password.” [A.C. — this is really sad for me since it reminds us that in many cases “cloud threats” are your 1980s threats aimed at cloud assets, not anything unique, magical and truly cloud native]
(source: Google Threat Horizons Report #3)
  • “The most common technique [A.C. — for “ransomware” in the cloud] observed was where attackers were seen brute forcing SQL databases, cloning a database table into a new table, encrypting the data, and proceeding to drop the original table.” [A.C. — cloud ransomware isn’t really ‘a ware’, but a RansomOp where humans — not malware — do bad stuff to your systems in order to profit from it]
  • “These attacks were most commonly observed in developer and proof of concept (POC) instances. In many instances, these were targeted due to fewer security controls being placed in non-production environments due to their perceived lower risk.” [A.C. — this is another gem for me as your security posture may still be solely focused on “critical” assets and data loss, and hence miss the theft of cloud services that you pay for]
  • “In 2022, actors have attempted to commit cloud network resources to mine cryptocurrencies that require network bandwidth.” [A.C. — this is really cool and new, as cryptocurrency ‘entrepreneurs’ innovate, the criminals innovate to rob them … thus defenders need to innovate to detect and stop them]
  • Deeper mitigation section: “One of the most common questions Cloud customers ask us is ‘What should I be doing operationally, day to day, to address security risk?’” [A.C. — the report now has a much deeper ‘threat-informed’ mitigations section, take a look]
  • Here is one fun recommendation focused on logging, for example: “Having security champions embedded in your SWE teams can help reinforce consistent practices in both logging critical security events, and assuring that privacy of your data is protected by not over-logging sensitive fields (consider a DLP product to detect any sensitive data leaking into logs).”

Now, go and read the report!

Google Cybersecurity Action Team Threat Horizons Report #3 Is Out! was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from Stories by Anton Chuvakin on Medium authored by Anton Chuvakin. Read the original post at: https://medium.com/anton-on-security/google-cybersecurity-action-team-threat-horizons-report-3-is-out-5661f250bc2c?source=rss-11065c9e943e------2