Elastic Global Threat Report Reveals Nearly 33% of Cyberattacks in the Cloud Leverage Credential Access
Elastic (NYSE: ESTC) released the 2022 Global Threat Report, highlighting the evolving challenges in cybersecurity and identifying key risks associated with cloud security, particularly human error and credential access. The report shows that 33% of cloud attacks exploit credential access, with AWS providing the majority of telemetry data. Notably, CobaltStrike was responsible for 35% of Windows detections, underscoring the use of defensive tools by malicious actors. The findings stress the need for improved security strategies to combat increasingly sophisticated attacks.
- Elastic's report provides crucial insights into cybersecurity threats, helping organizations enhance their security measures.
- The findings point to significant cloud security risks, such as user overconfidence and credential theft.
- 33% of attacks in cloud environments leverage credential access, indicating a vulnerability in user practices.
- CobaltStrike's widespread use as a malicious tool suggests a gap in existing security measures, directly impacting organizational safety.
Adversary success in identity theft indicates default cloud security controls are ineffective at preventing attacks
- Human error poses the greatest risk to cloud security as users overestimate the security of their cloud deployments
- Of the 33% of attacks in the cloud leveraging credential access, nearly 41% of alerts represented attempts to steal application access tokens versus other credentialed materials.
- Commercial software designed to help security teams is being used by threat actors to evade those same teams
- CobaltStrike was the most widespread malicious binary or payload for Windows endpoints, accounting for nearly 35% of all detections.
- Endpoint attacks are becoming more diverse in efforts to bypass defenses
- A combined 74% of all defense evasion techniques consisted of masquerading (44%) and system binary proxy execution (30%)—methods that adversaries use to make artifacts appear legitimate or trusted—indicating that in addition to bypassing security instrumentation, defense evasion techniques also bypass visibility, resulting in longer dwell times for threats.
Elastic (NYSE: ESTC), the company behind
The identified trends provide organizations with the operational intelligence needed to fortify their security technology and the strategies required to observe and protect mission-critical business systems against cyber threats. This report is produced by
Key trends covered in the report include:
Human error poses the greatest risk to cloud security as users overestimate the security of their cloud deployments
Nearly 1 in 3 (
Additional key cloud security findings:
- Nearly 57% of cloud security telemetry came from AWS, followed by 22% for Google Cloud and 21% for Azure.
- AWS: More than 74% of alerts related to credential access, initial access, and persistence tactics, with nearly 57% of techniques related to attempted application access token theft—one of the most common forms of credential theft in the cloud.
- Google Cloud: Nearly 54% of alerts related to service account abuses, with 52% of techniques leveraging account manipulation and indicating that service account compromise remains rampant when default account credentials aren’t changed.
- Microsoft Azure: More than 96% of alerts related to authentication events, with 57% of authentication events attempting to retrieve OAUTH2 tokens.
- 58% of initial access attempts used a combination of traditional brute-force attempts and previously-compromised password spraying.
Commercial software designed to help security teams is being used by threat actors to evade those same teams
While commercial adversary simulation software such as CobaltStrike is helpful to many teams’ defense of their environments, it is also being used as a malicious tool for mass-malware implants.
Additional key malware findings:
- More than 54% of all global malware infections were detected on Windows endpoints, while more than 39% were on Linux endpoints.
- Nearly 81% of malware observed globally are trojan-based, followed by cryptominers at 11%.
- MacKeeper ranked as the highest threat for macOS at nearly 48% of all detections, with XCSSet in the second-place position at nearly 17%.
Endpoint attacks are becoming more diverse in efforts to bypass defenses
More than 50 endpoint infiltration techniques are being utilized by threat actors, suggesting that endpoint security is working well, as its sophistication requires threat actors to continually find new or novel methods of attack to be successful.
Three MITRE ATT&CK® tactics represented
- A combined 74% of all defense evasion techniques consisted of masquerading (44%) and system binary proxy execution (30%). This indicates that in addition to bypassing security instrumentation, defense evasion techniques also bypass visibility, resulting in longer dwell times for threats.
- 59% of execution techniques related to command and native scripting interpreters, followed by 40% attributed to Windows Management Instrumentation abuses, indicating that adversaries abuse PowerShell, Windows Script Host, and Windows shortcut files to execute commands, scripts, or binaries.
- Nearly 77% of all credential access techniques are attributed to OS credential dumping with commonly known utilities. This follows the trend of adversaries relying on valid accounts to draw less suspicion from administrators in hybrid deployment environments spanning on-premise hosting and Cloud Service Providers.
While credential access techniques have long been a priority for attackers, adversary investment in defense evasion techniques indicates a reaction to improvements in security technologies that have been impacting their success. When combined with execution techniques, attackers are able to bypass advanced endpoint controls while remaining undetected within organizations’ environments.
Supporting Quotes:
“To effectively prevent cybersecurity threats, organizations need more than just great security software—they need a program that extends to shared insights and best practices and a community focused on security data intelligence to extend the value of that product for customers,” said Ken Exner, Chief Product Officer, Elastic. “The 2022 Elastic Global Threat Report is an important part of our holistic security program offering, and we are excited to share our visibility, capability, and expertise with the broader community.”
View the full findings of the 2022 Elastic Global Threat Report and read the blog.
About Elastic:
Elastic (NYSE: ESTC) is a leading platform for search-powered solutions. We help organizations, their employees, and their customers accelerate the results that matter. With solutions in Enterprise Search, Observability, and Security, we enhance customer and employee search experiences, keep mission-critical applications running smoothly, and protect against cyber threats. Delivered wherever data lives, in one cloud, across multiple clouds, or on-premise, Elastic enables 19,000+ customers and more than half of the Fortune 500, to achieve new levels of success at scale and on a single platform. Learn more at elastic.co.
Elastic and associated marks are trademarks or registered trademarks of
View source version on businesswire.com: https://www.businesswire.com/news/home/20221114006144/en/
Elastic Public Relations
PR-Team@elastic.co