I remember where I was sitting when I read Mandiant’s first M-Trends report on the advanced persistent threat in 2010. I was a technical director at the National Security Agency in the office of Tailored Access Operations (TAO). At that time, my job was to build computer network exploitation (CNE) tools to collect foreign intelligence.
So a public threat report shining a light on advanced and persistent threats like this was a big deal. It was the first of its kind. And everything after the report changed. The cybersecurity industry was growing in its sophistication in counter-intelligence operations to identify and stop attacks. It was an important and symbolic moment. And it meant it would only get harder to conduct cyber operations under an increasingly focused microscope.
Fast forward 12 years, and I’m beyond excited for our first Global Threat Report from our Elastic Security Labs team and the active role we are taking to mitigate threats as we discover them. Some of our authors contributed to reports like the one I read in 2010. What a humbling experience it’s been to be a part of this team and their efforts! While our report continues the tradition started over a decade ago, we’re also trying something new by sharing more of our detections publicly with the community. We believe this open approach is critical to stopping attacks.
As our report notes, our team of incident responders, malware and intelligence analysts, security engineers, researchers, data scientists, and other experts has decades of collective experience in security. I’m proud of the team and our report. I can’t wait to get feedback on it from everyone in our community.
As I reflect upon the past 12 years, there are three observations in our report that stand out to me.
First, it’s remarkable to see just how consistently important credential access is to attackers then and now. This hasn’t changed. It remains a key part of an adversary’s playbook. But when it comes to an organization’s cloud workloads, credential theft is the main course. And attackers are feasting.
While it’s still possible an adversary will find and exploit a remote code execution vulnerability in an organization’s cloud service, it’s more likely an adversary will instead gain access to EC2 instance metadata to steal and reuse access tokens. It only takes one server-side request forgery (SSRF) vulnerability in your web application. And vulnerabilities like this are lower-hanging fruit than remote code execution bugs. Understanding your cloud security posture and ensuring you’re following best practices, like least privilege, is key to minimizing risks.
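As an added illustration of the SSRF-to-metadata path described above (example code written for this post, not one of the Elastic Security Labs detections), the following detector scans web access logs for requests whose URL-valued parameters point at the EC2 instance metadata endpoint, escalating severity when the instance-role credential path is requested. The log lines are constructed samples, and the log format and the `/fetch` and `/preview` endpoints are assumptions.

```python
"""Flag web requests whose parameters point at the EC2 instance metadata service (IMDS)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

IMDS_HOST = "169.254.169.254"
# IMDS path that returns the instance role's temporary credentials
CRED_PATH = "/latest/meta-data/iam/security-credentials"

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2022:12:00:01 +0000] "GET /fetch?url=https%3A%2F%2Fexample.com%2Fimage.png HTTP/1.1" 200 512
10.0.0.9 - - [01/Oct/2022:12:00:02 +0000] "GET /fetch?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2Fiam%2Fsecurity-credentials%2F HTTP/1.1" 200 1433
10.0.0.9 - - [01/Oct/2022:12:00:03 +0000] "GET /preview?target=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 880
10.0.0.7 - - [01/Oct/2022:12:00:04 +0000] "POST /api/items HTTP/1.1" 201 64
"""

REQ_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def imds_targets(request_target: str) -> list[str]:
    """Return every query-parameter value in the request that is a URL aimed at IMDS."""
    hits = []
    query = urlsplit(request_target).query
    for _, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl decodes once; decode again so a double-encoded value is still inspected
        candidate = unquote(value)
        if urlsplit(candidate).hostname == IMDS_HOST:
            hits.append(candidate)
    return hits


def scan_log(text: str) -> list[dict]:
    """Parse each access-log line and report requests that reach for instance metadata."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue  # unparsable line; skip rather than guess
        targets = imds_targets(m["target"])
        if not targets:
            continue
        # A request for the role credential path is the token-theft case; anything else
        # touching IMDS is still worth a look (reconnaissance of the metadata tree).
        severity = "high" if any(CRED_PATH in t for t in targets) else "medium"
        findings.append({"src": m["src"], "status": int(m["status"]),
                         "severity": severity, "targets": targets})
    return findings
```

A 200 response on a high-severity hit means the application fetched and likely returned the role credentials, so treat those keys as compromised and rotate them. Enforcing IMDSv2, which requires a PUT to obtain a session token before any metadata read, blocks this GET-only SSRF variant at the source.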
Second, creating and improving partnerships between defenders and the developers and site reliability engineers building and monitoring cloud infrastructure and workloads will be increasingly important in protecting cloud workloads from attack. This wasn’t obvious or needed 12 years ago. But today, the overlap between Observability and Security should motivate our people, products, and processes to work better and more effectively together across these two colliding use cases.
And finally, this report marks yet another step in our journey in open security. All of our detections, including those highlighted in this report, are open to you today. If we as security professionals can embrace and harness our untapped strength by working together as an open, transparent, and collaborative security community, then we increase our odds against even the most persistent and sophisticated attackers.
While a lot has changed in the past 12 years, it’s remarkable to see how some things never change — Rundll32.exe definitely deserves some kind of award for all of its cameo appearances in attacks since Windows 95. I’m eager to share this report with the community and welcome you to join us at Elastic Security Labs on our journey to protect the world’s data from attack.
Read the full 2022 Elastic Global Threat Report.