Cloud vs. on-premises: Unraveling the mystery of the dwell time disparity
In the ever-evolving realm of the cloud, dwell times are now measured in moments, not days. Whereas Mandiant’s 2023 M-Trends report highlighted a global median dwell time of 16 days for on-premises environments, the Sysdig Threat Research Team (TRT) recently reported in their 2023 Global Cloud Threat Report that cloud dwell time is five minutes.
To better understand the stark difference between defenders' ability to find attackers in the cloud and on-premises, I sat down with the Sysdig TRT to discuss their findings. Their explanation centered on four distinct but closely related reasons.
Dwell Time Defined
In cybersecurity, dwell time is the amount of time an attacker has access to a victim's environment, from initial access until the compromise is identified. The longer the dwell time, the greater the risk of damage due to the attacker's unabated access to the network. In the best case, an organization identifies a potential attack immediately upon initial access to its environment and eradicates the attacker before malware is uploaded or data is stolen. However, that doesn't always happen -- perhaps the intrusion wasn't identified by the tools in place, the alert was ignored, and so on. Whatever the case, having a continuous and proactive threat detection program improves an organization's chances of catching the intrusion.
During the Sysdig TRT’s recent cloud attack research, they witnessed attacks on S3 buckets being launched only 10 minutes after the attackers found a publicly exposed credential. The team began receiving detection analytic alerts for attacker actions at a median time of five minutes following credential access. Sixteen days seems like a lot compared to the five minutes of dwell time in the cloud.
Sysdig Staff Threat Research Engineer Daniele Linguaglossa believes attackers are well aware that an operation in an on-premises environment will be time-consuming: "Covering tracks during data exfiltration becomes a crucial step to evade detection while they work through their steps. Furthermore, if the payloads are not carefully crafted, EDRs could hinder their progress."
He went on to describe a different set of challenges for cloud attackers: "Cloud vulnerabilities, in combination with the presence of centralized APIs handling various managed services, make it easier for attackers to either exploit a single misconfiguration or chain multiple low-level privileges together to escalate their access and gain control over sensitive information."
To that end, let’s dig into the four reasons for the dwell time discrepancy between on-premises and cloud.
Reason 1: Centralization
The team unanimously agrees that the interconnectivity of the cloud and cloud accounts makes it faster and easier for attackers to move laterally through a cloud environment. Alessandro Brucato, Senior Threat Research Engineer at Sysdig, describes on-premises environments as heterogeneous and agrees that on-premises attacks take longer to execute because they usually require more information gathering before an attack.
According to the Director of Threat Research, Mike Clark, "On-premises environments lack a lot of the centralization and automation that Cloud Service Providers (CSPs) offer, so they require a lot more work on the attacker’s part to get from where they start to where they need to go to accomplish their goal."
Likewise, the nearly complete visibility and built-in detections provided by CSPs help users detect cloud attacks faster.
Reason 2: APIs
APIs are what make the cloud wonderfully fast to use and easy to integrate with a variety of tools and services. Unfortunately, attackers see the benefit too.
According to Sysdig TRT Technical Lead Manager Stefano Chierici, "Everything in the cloud is fast because the cloud has well-known, well-documented public API calls. An attacker only needs a credential or token to be able to call those APIs whereas an on-premises environment is segmented with different technologies."
Chierici explained that companies run different firewall products, and the API for a Fortinet firewall is very different from, say, SonicWall's in an on-premises environment. Similarly, virtualization software may not have an API at all, and these products vary greatly across vendors. All of this segmentation and product variety makes it more complicated for attackers to proceed through the cyber kill chain on-premises.
Cloud APIs can be tested offline and tools can be developed for those APIs, simplifying and supercharging an attacker’s efforts. Chierici added, "Cloud attackers taking advantage of the same API calls, applications, and services used by defenders adds elements of both simplicity and complexity to threat detection. On one hand, you know what APIs threat actors are going to use -- on the other hand, your organization needs to differentiate their actions from normal network activity."
Reason 3: Public Exposure
The cloud is meant to be fast and easy for organizations to implement and for end users to navigate. Cloud services are reachable by anyone, anywhere. Considering how widespread cloud services have become in recent years, and the tooling available today, it is becoming easier and faster for attackers to search for poorly configured cloud services, such as widely accessible buckets or exposed endpoints.
Threat Research Engineer Alberto Pellitteri said, "Attackers are devoting more effort to targeting the misuse of cloud services rather than meticulously searching and probing on-premises infrastructures, especially when they are not intending to target specific victims. Scouring cloud platforms for vulnerable targets has become significantly simpler and quicker, resulting in concrete gains within a short term."
Threat Detection Engineer Biagio Dipalma also noted the ease of access to the cloud with services being exposed to the internet: "It’s easier for attackers to find potential targets with automated scanning of CSPs’ public IPs than scanning a public IP owned by a company." The similarities and lack of secrecy across cloud environments should encourage organizations to share their security findings and detection analytics with one another.
Reason 4: User and Resource Management
CSPs take responsibility for ensuring well-known vulnerabilities are patched, but an organization's security program of course cannot rely solely on that. Too many organizations mistakenly entrust their cloud security entirely to their CSP; though it is a good start, much more effort is needed beyond the security the provider supplies.
The approach to user management is completely different between on-premises and cloud environments. Dipalma explained, "In an on-premises environment, there is a clear distinction between service accounts and regular users. Companies in these environments need to deal with dormant accounts that are still active and clean up unused accounts to avoid unauthorized access."
In a cloud environment such as AWS, users and roles are attached to various entities (e.g., lambdas, EC2, DBs) which can be easily retrieved with an API call. Dipalma believes that this level of granularity can lead to undesired privilege escalations.
In short, CSPs define how users are managed, while on-premises environments offer various solutions, including custom ones, which makes enumeration and escalation more challenging there. Since user management and related capabilities for the cloud are public knowledge, it becomes easier for attackers to automate discovery and exploit misconfigurations.
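Because role attachments and policies in a cloud account are retrievable through the same public APIs Dipalma describes, defenders can review them as easily as attackers can enumerate them. The following is an added example, not code from the article or from Sysdig: a small policy-document audit that flags the patterns a reviewer would want to see first, such as wildcard grants and privilege-management actions allowed on any resource. The role inventory and policy documents are constructed for the example; the set of "risky" actions is this example's own selection.

```python
"""Audit IAM-style policy documents attached to cloud roles (added example).

The input mirrors the shape of an AWS IAM policy document (Version / Statement /
Effect / Action / Resource) but every role and policy here is constructed.
"""

# Actions that grant or transfer privileges; which ones matter is an assumption
# of this example, not a list taken from the article.
RISKY_ACTIONS = {"iam:PassRole", "iam:CreateAccessKey",
                 "iam:AttachRolePolicy", "sts:AssumeRole"}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return a list of findings (strings) for one policy document; empty means clean."""
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        if "*" in actions:
            findings.append("wildcard action")
        elif any(a.endswith(":*") for a in actions):
            findings.append("service-wide wildcard action")
        if "*" in resources:
            findings.append("wildcard resource")
        risky = sorted(set(actions) & RISKY_ACTIONS)
        if risky and "*" in resources:
            findings.append("privilege-management action on any resource: " + ", ".join(risky))
    return findings


def audit_roles(roles):
    """Map each role name to the combined findings of all its attached policies."""
    return {name: [f for doc in role["policies"] for f in audit_policy(doc)]
            for name, role in roles.items()}


# Constructed inventory: what an API listing of roles, their attachments and
# inline policies might look like after retrieval.
ROLES = {
    "lambda-image-resize": {
        "attached_to": ["lambda:image-resize"],
        "policies": [{"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::example-images/*"}]}],
    },
    "ec2-admin-legacy": {
        "attached_to": ["ec2:i-0example"],
        "policies": [{"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
    },
    "ci-runner": {
        "attached_to": ["ec2:i-0ciexample"],
        "policies": [{"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow",
             "Action": ["iam:PassRole", "lambda:CreateFunction"],
             "Resource": "*"}]}],
    },
}

if __name__ == "__main__":
    for name, findings in audit_roles(ROLES).items():
        print(f"{name}: {findings or 'no findings'}")
```

Roles with no findings are the least-privilege shape the passage is arguing for; the two flagged roles are the kind of attachment that a single leaked credential turns into account-wide access.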
With regards to resource management, Dipalma said, "if a cryptominer targets a cloud environment and scales up a machine or creates a new one, it can be easily detected using monitoring solutions. Even if the miner uses an existing instance without creating new ones, the increased resource usage is reflected in the bills. Monitoring solutions are more oriented towards performance analysis in cloud environments than on-premises environments, so an alert is prompted regarding resource usage."
Conversely, in on-premises environments, the performance of instances is monitored primarily to ensure applications run as expected, without issues. If an attacker compromises a server in a data center and uses the right amount of memory and CPU for their miner, they can fly under these radars and go undetected for months.
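The two monitoring styles described in the last two paragraphs can be compared directly. The following is an added example, not code from the article or from Sysdig: a fixed performance threshold of the kind on-premises availability monitoring uses, next to a per-host statistical baseline and a fleet-size check of the kind cloud monitoring makes easy. The CPU samples and instance counts are constructed; the threshold, the 3-sigma bound and the streak length are this example's own choices.

```python
"""Resource-usage checks: fixed threshold vs. per-host baseline (added example)."""
from statistics import mean, median, pstdev


def threshold_alert(samples, limit=90.0):
    """Availability-style check: alert only if any sample exceeds an absolute limit."""
    return any(s > limit for s in samples)


def baseline_alert(history, recent, k=3.0, min_consecutive=3):
    """Alert when at least `min_consecutive` recent samples in a row sit more than
    k standard deviations above the host's own historical mean.  Sustained,
    moderate usage that never crosses an absolute limit still trips this."""
    mu = mean(history)
    sigma = max(pstdev(history), 1.0)  # floor so a flat history is not hypersensitive
    bound = mu + k * sigma
    streak = 0
    for s in recent:
        streak = streak + 1 if s > bound else 0
        if streak >= min_consecutive:
            return True
    return False


def instance_count_alert(counts, max_growth=1.5):
    """Alert when the latest fleet size exceeds the median of earlier readings
    by more than `max_growth`; new machines are visible in the cloud inventory."""
    baseline = median(counts[:-1])
    return counts[-1] > max_growth * baseline


# Constructed data: thirty hourly CPU-percent samples of routine load on one host,
# then four recent samples for two scenarios.
HISTORY = [18, 20, 22] * 10                 # mean 20, roughly +/-1.6
QUIET_MINER = [55, 58, 57, 56]              # tuned to stay well under a 90% limit
BATCH_JOB_SPIKE = [40, 15, 20, 19]          # one short burst, then back to normal

# Constructed hourly instance counts for a small fleet.
STEADY_FLEET = [4, 4, 5, 4, 4]
SCALED_UP_FLEET = [4, 4, 4, 4, 9]


def summarize():
    """Return the verdict of each check for each scenario."""
    return {
        "quiet_miner": {
            "threshold": threshold_alert(QUIET_MINER),
            "baseline": baseline_alert(HISTORY, QUIET_MINER),
        },
        "batch_job_spike": {
            "threshold": threshold_alert(BATCH_JOB_SPIKE),
            "baseline": baseline_alert(HISTORY, BATCH_JOB_SPIKE),
        },
        "steady_fleet": instance_count_alert(STEADY_FLEET),
        "scaled_up_fleet": instance_count_alert(SCALED_UP_FLEET),
    }


if __name__ == "__main__":
    for scenario, verdict in summarize().items():
        print(f"{scenario}: {verdict}")
```

The quiet miner never reaches the absolute limit and passes the threshold check, which is the "fly under the radar" case in the text, but it sits far above the host's own baseline for consecutive samples and is caught; the short batch-job burst crosses the bound only once and is left alone.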
Conclusion
Cloud detection capabilities are getting really good, but attackers are getting better too. There are several awe-inspiring takes on cloud attacker capabilities in the Sysdig TRT’s threat report this year, but much of the response has been in reaction to their speed.
To defend against attackers taking advantage of a cloud environment’s wonderful capabilities, you need to know your environment’s baseline activity and respond quickly to abnormalities. Cloud providers offer a comprehensive, detailed, and granular logging experience where every action, change, deletion, or creation performed by any type of user is logged. Thanks to this, you can establish a baseline of typical behaviors for your organization and trigger detections on outliers. These log records can be enriched with other data in SIEM solutions to provide high-confidence alerting, allowing you to find the attackers trying to blend in with the employees much faster.
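The baseline-and-outlier approach in the conclusion can be shown in a few dozen lines. The following is an added example, not code from the article or from Sysdig: it summarizes historical audit-log events into a per-principal profile of actions and source addresses, then scores new events against that profile. The event fields follow CloudTrail's naming (eventName, sourceIPAddress, userIdentity.arn), but every record is constructed, and the list of high-impact actions is this example's own choice.

```python
"""Per-principal baseline and outlier scoring over audit-log events (added example)."""
from collections import defaultdict

# First use of one of these by a principal is worth an immediate alert; the
# selection is an assumption of this example.
HIGH_IMPACT_ACTIONS = {"RunInstances", "CreateUser", "CreateAccessKey",
                       "PutBucketPolicy", "AttachUserPolicy"}


def _ev(time, arn, action, ip):
    """Build one CloudTrail-shaped record (constructed data helper)."""
    return {"eventTime": time, "eventName": action,
            "sourceIPAddress": ip, "userIdentity": {"arn": arn}}


CI = "arn:aws:iam::111122223333:user/ci-deploy"
ALICE = "arn:aws:iam::111122223333:user/alice"

# Constructed history: routine activity from known addresses.
BASELINE_EVENTS = [
    _ev("2023-09-01T09:00:00Z", CI, "GetObject", "203.0.113.10"),
    _ev("2023-09-01T09:00:05Z", CI, "PutObject", "203.0.113.10"),
    _ev("2023-09-02T09:00:00Z", CI, "PutObject", "203.0.113.10"),
    _ev("2023-09-01T10:15:00Z", ALICE, "DescribeInstances", "198.51.100.7"),
    _ev("2023-09-03T11:20:00Z", ALICE, "ListBuckets", "198.51.100.7"),
]

# Constructed new events: one routine, then the CI credential used from a new
# address for actions it has never performed.
NEW_EVENTS = [
    _ev("2023-09-08T10:00:00Z", ALICE, "DescribeInstances", "198.51.100.7"),
    _ev("2023-09-08T10:03:00Z", CI, "ListBuckets", "192.0.2.44"),
    _ev("2023-09-08T10:05:00Z", CI, "RunInstances", "192.0.2.44"),
]


def build_baseline(events):
    """Summarize history into {arn: {actions, ips, count}}."""
    baseline = defaultdict(lambda: {"actions": set(), "ips": set(), "count": 0})
    for ev in events:
        profile = baseline[ev["userIdentity"]["arn"]]
        profile["actions"].add(ev["eventName"])
        profile["ips"].add(ev["sourceIPAddress"])
        profile["count"] += 1
    return dict(baseline)


def score_event(baseline, ev):
    """Return the reasons an event deviates from the baseline; empty list means normal."""
    profile = baseline.get(ev["userIdentity"]["arn"])
    action = ev["eventName"]
    reasons = []
    if profile is None:
        reasons.append("unknown principal")
    else:
        if ev["sourceIPAddress"] not in profile["ips"]:
            reasons.append("new source IP")
        if action not in profile["actions"]:
            reasons.append("new action for principal")
    if action in HIGH_IMPACT_ACTIONS and (profile is None or action not in profile["actions"]):
        reasons.append("high-impact action")
    return reasons


def detect_outliers(baseline, events):
    """Keep only events with at least one reason, with the fields an analyst needs."""
    findings = []
    for ev in events:
        reasons = score_event(baseline, ev)
        if reasons:
            findings.append({"eventTime": ev["eventTime"],
                             "arn": ev["userIdentity"]["arn"],
                             "eventName": ev["eventName"],
                             "sourceIPAddress": ev["sourceIPAddress"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_outliers(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(finding)
```

In practice the baseline would be built from weeks of exported logs and the scoring run continuously in a SIEM, but the shape is the same: the first call from an unfamiliar address is already enough to raise a ticket, minutes rather than days after the credential starts being used.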
Crystal Morin is a cybersecurity strategist at Sysdig tasked with bridging the gap between business and security through cloud and container-focused webinars and papers for everyone from executives to technical practitioners. She was originally a threat research engineer on the Sysdig Threat Research Team, where Crystal spent her time discovering and analyzing cyber threat actors who took advantage of the cloud. Crystal started her career as a linguist and intelligence analyst in the United States Air Force. Prior to joining Sysdig, she spent four years as a contractor for Booz Allen Hamilton, researching and reporting on terrorism and cyber threats.