
How Financial Institutions Can Future-Proof Their Security Against a New Breed of Cyber Attackers

2 December 2025 at 12:34

As we look at the remainder of 2025 and beyond, the pace and sophistication of cyber attacks targeting the financial sector show no signs of slowing. In fact, based on research from Check Point’s Q2 Ransomware Report, the financial cybersecurity threat landscape is only intensifying. Gone are the days when the average hacker was a..

The post How Financial Institutions Can Future-Proof Their Security Against a New Breed of Cyber Attackers appeared first on Security Boulevard.

“Telecom security reboot”: why carriers must abandon the old perimeter and redesign around zero trust

25 November 2025 at 21:56

Telecom networks are now everywhere. From managing data to running businesses to connecting people across continents, they have become the foundation that keeps the world moving. For a long time, security in this sector was comparatively simple: build a wall, keep the threats outside, and trust everything inside. When networks were closed and locked down, that was good enough.

But that era is over. Workloads are now spread across hybrid clouds, edge devices are multiplying, and countless third-party vendors connect into carrier networks. The old notion of a perimeter has effectively disappeared.

That is why zero trust has become necessary: not a passing buzzword but an essential tool for survival. The problem is that many companies misunderstand zero trust as a product they can simply buy and deploy. Zero trust does not work that way.

The misconceptions holding telecom back

Across the telecom industry, the phrase zero trust shows up everywhere: in boardrooms, strategy documents and vendor presentations. Along the way its original meaning has been heavily diluted. Many executives treat zero trust as one line on a compliance checklist, or as just another software rollout project.

The reality is far harsher. Zero trust is a mindset: a shift from making assumptions to verifying continuously. Only when that mindset permeates the organization's culture does security move beyond something the business "has to do" and become the way it actually operates. Most carriers have not reached that shift yet. They rely on a surface-level sense of safety, and attackers exploit exactly those gaps with precision.

IT and OT: where the damage connects

Today, most attacks on OT (operational technology) environments start in the IT environment. Once an attacker steals an administrator account or finds a poorly protected interface, they can move directly toward core facilities such as network equipment or base station controllers.

Closing the gap between IT and OT is not a matter of redrawing the org chart. It means seeing everything in one view and governing it with a single set of rules: shared access policies, clear patch priorities and unified threat detection. Only when these elements mesh together does zero trust become a workable security model.

The real adversary: persistence and patience

Carriers no longer face only lone hackers or ransomware gangs. The biggest threat today is well-funded, well-staffed persistent attack groups: state-backed operations that lurk unseen. Cases such as Salt Typhoon showed that these groups can stay inside carrier networks for months, exfiltrating sensitive data, with consequences that can turn into real geopolitical risk.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has formally warned of the danger posed by China-linked groups, including Volt Typhoon, in connection with intrusions into telecom operators around the world since 2021.

How to build trust where none exists

Zero trust is not a simple technology upgrade; it is a matter of habits. Three habits are central: always verify, grant only the access that is needed, and stop problems from spreading.

  • Always verify. Login is not the end of verification. For every person, device and system, keep checking where the connection comes from, what it is doing, and whether anything differs from its usual behaviour.
  • Least privilege. The less access a person or system holds, the smaller the blast radius when something goes wrong. Tightening permissions alone can cut risk substantially, without any flashy new tools.
  • Network segmentation. This is about stopping spread. Divide the network into small, isolated zones with a microsegmentation structure. In a network segmented this way, the damage from a breach can be kept to a minimum.

Legacy technology, hard to ignore

Frankly, legacy infrastructure is not going away. Network hardware built decades ago still carries carrier networks today. That equipment was designed for round-the-clock operation and implicit trust of anything internal. Replacing it all with new equipment carries high risk and enormous cost. Leaving it as it is is simply the slightly more dangerous option.

The practical solution is to wrap existing systems in a modern "security shell": layering on security gateways, centralized authentication and session monitoring. Adding these layers raises the security level right now, without the service-outage risk of a large-scale replacement.
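As an added example (not the article's own code), here is how the three habits above and the "security shell" around a legacy device can meet in one enforcement point: a Python gateway that re-checks every request against role, device posture, authentication freshness, source segment and the user's usual behaviour, logs the session, and only then forwards the action to a legacy management interface that by assumption trusts whatever reaches it. The role names, actions, segment names and the legacy device are assumptions for illustration.

```python
"""Zero trust enforcement in front of a legacy management interface.

Added example; roles, actions, segment names and the legacy device are
assumptions. Every request is re-verified (not just the login), each role
is limited to the actions it needs, each action is limited to the network
segments it may come from, and every decision is logged as a session record.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Least privilege: each role lists the only actions it may invoke (assumed names).
ROLES = {
    "noc-readonly": {"show-config", "show-status"},
    "field-engineer": {"show-config", "show-status", "restart-cell"},
    "ran-admin": {"show-config", "show-status", "restart-cell", "write-config"},
}

# Segmentation at the gateway: the segments an action may be invoked from.
ACTION_SEGMENTS = {
    "show-config": {"ops-jumphost", "noc-lan"},
    "show-status": {"ops-jumphost", "noc-lan"},
    "restart-cell": {"ops-jumphost"},
    "write-config": {"ops-jumphost"},
}

@dataclass
class Request:
    user: str
    role: str
    device_compliant: bool          # posture as attested by the endpoint agent
    source_segment: str
    action: str
    mfa_age: timedelta              # time since the last strong authentication
    usual_segments: set = field(default_factory=set)  # baseline for this user

@dataclass
class Decision:
    allowed: bool
    reason: str

def evaluate(req, max_mfa_age=timedelta(minutes=30)):
    """Continuous verification: every request is checked, not only the login."""
    if req.role not in ROLES:
        return Decision(False, "unknown role")
    if not req.device_compliant:
        return Decision(False, "device posture not compliant")
    if req.mfa_age > max_mfa_age:
        return Decision(False, "step-up authentication required")
    if req.action not in ROLES[req.role]:
        return Decision(False, f"role {req.role} may not {req.action}")
    if req.source_segment not in ACTION_SEGMENTS.get(req.action, set()):
        return Decision(False, f"{req.action} not permitted from {req.source_segment}")
    if req.usual_segments and req.source_segment not in req.usual_segments:
        # Context differs from the user's baseline: read-only actions pass but
        # are flagged; change actions are refused until a human reviews them.
        if req.action.startswith("show-"):
            return Decision(True, "allowed, unusual source flagged for review")
        return Decision(False, "unusual source segment for a change action")
    return Decision(True, "allowed")

class LegacyGateway:
    """The security shell: authenticate, authorize and log, then forward to a
    legacy device that (by assumption) performs no authorization of its own."""
    def __init__(self):
        self.session_log = []

    def handle(self, req, now=None):
        now = now or datetime.now()
        decision = evaluate(req)
        self.session_log.append({"ts": now.isoformat(), "user": req.user,
                                 "segment": req.source_segment, "action": req.action,
                                 "allowed": decision.allowed, "reason": decision.reason})
        if decision.allowed:
            self._forward_to_legacy(req.action)
        return decision

    def _forward_to_legacy(self, action):
        pass  # stand-in for the real call to the legacy management interface

def check(user, role, device_compliant, source_segment, action, mfa_minutes,
          usual_segments=(), gateway=None):
    """Build a Request from plain values; evaluate directly or via a gateway."""
    req = Request(user, role, device_compliant, source_segment, action,
                  timedelta(minutes=mfa_minutes), set(usual_segments))
    return gateway.handle(req) if gateway else evaluate(req)

if __name__ == "__main__":
    gw = LegacyGateway()
    print(check("alice", "field-engineer", True, "ops-jumphost", "restart-cell", 5, gateway=gw))
    print(check("bob", "noc-readonly", True, "noc-lan", "restart-cell", 5, gateway=gw))
    print(check("carol", "ran-admin", True, "noc-lan", "write-config", 5, gateway=gw))
    print(len(gw.session_log), "session records")
```

The order of checks matters: identity and posture are evaluated before the role, so a compromised but correctly-roled account on a non-compliant device is refused before its permissions are even consulted, and the denial is still logged as a session record for the monitoring team.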

The goal of zero trust is not to chase a perfect ideal. It is a process of raising the overall security level one step at a time. Every connection verified and every workload isolated makes the network a little more robust.

Practical compliance across borders

Zero trust does not ignore existing compliance rules; it is a strategy built on top of them. Whether the applicable regime is ISO 27001, the NIST Cybersecurity Framework, the EU NIS2 Directive or national telecom regulations, the core is the same: keep assessing risk, control who gets in, and prove that the controls are in place.

When a zero trust perspective is folded into these frameworks, compliance stops being a burden. It becomes part of day-to-day security work rather than a box-ticking exercise. As the threat picture changes, the protections change with it, and the network stays audit-ready wherever it is located.

A transition with visible results: six KPIs to check in the first 180 days

Executives want evidence, not vague promises. These are the indicators to actually watch in the first six months after adopting zero trust:

  • The number of privileged accounts left with more access than they need goes down.
  • Anomalies are detected faster.
  • Access approvals are not delayed; governance moves at the speed of the business.
  • More endpoints and workloads come under monitoring.
  • Lateral movement inside the network decreases.
  • IT and OT teams actually run joint response exercises.

These are not vanity metrics. They demonstrate that zero trust is delivering real results beyond the buzzword, and they form the basis for continually refining the strategy.

From buzzword to basic principle

Zero trust is no longer just talk. It has become the yardstick for judging the security level of a network. In the telecom industry, adopting zero trust is not image management but a survival strategy.

Gartner forecasts that by 2027, 70% of enterprises will begin their security strategy planning from a zero trust perspective. Today the figure is below 20%.

Clinging to old perimeter defences means fighting the last war. Leading carriers are treating zero trust as a journey. They are the companies steadily building the telecom networks everyone will come to depend on.

Why trust is the new currency in the agentic era — and what it’s worth

25 November 2025 at 11:22

The World Economic Forum calls trust “the new currency” in the agentic AI era and that’s not just a metaphor: An increase of 10 percentage points in trust directly translates to 0.5% GDP growth. But here’s what makes trust as a currency fundamentally different from any that’s come before: you can’t borrow it, you can’t buy it and you can’t simply mint more.

When it comes to AI, trust used to mean one thing — accuracy. Does the model predict correctly? Then we started asking harder questions about bias, transparency and whether we could explain the AI’s reasoning. Agentic AI changes the equation entirely. When a system doesn’t just analyze or recommend, but actually takes action, trust shifts from “Do I believe this answer?” to “Am I still in full control of what this system does?”

In the agentic era, trust must evolve from ensuring accurate results to building systems that ensure continuous control and reliability of AI agents. As a result, trust is now the foundational architecture that separates organizations capable of deploying autonomous agents from those perpetually managing the consequences of systems they cannot safely control. My question for enterprise leaders is: Are you building that infrastructure now, or will you spend the next several years explaining why you didn't?

The growing trust deficit

The numbers tell a story of eroding confidence at precisely the moment when trust matters most. According to Stanford University’s Institute for Human-Centered Artificial Intelligence, globally, as AI-related incidents surged 56.4%, confidence that AI companies protect personal data fell from 50% in 2023 to 47% in 2024.

This isn’t just a perception problem. One out of six enterprise security breaches now involves AI, yet 97% of affected companies lacked proper access controls. By 2028, Gartner estimates a quarter of enterprise breaches will trace to AI agent abuse.

Here’s the paradox: while 79% of companies have already adopted AI agents and another 15% are exploring possibilities, according to PwC, most companies have no AI-specific controls in place. In short, as companies rush to adopt agentic AI, we’re witnessing a fundamental readiness gap between vulnerabilities and defenses. Trust is eroding faster than companies can catch up.

The economics of trust infrastructure

Ironically, AI will also be your best defense, whether it’s against AI-amplified attacks by external parties or against AI agents behaving maliciously. An IBM report found that “organizations using AI and automation extensively throughout their security operations saved an average $1.9 million in breach costs and reduced the breach lifecycle by an average of 80 days.” Leveraging AI to enhance security delivers both monetary and efficiency ROI, with breaches solved an average of 80 days faster than non-automated operations. That’s not hypothetical risk management but measurable competitive advantage, especially because it enables use cases that competitors can’t risk deploying.

Traditional security was built on static trust: verify identity at the gate, then assume good behavior inside the walls. Agentic AI demands we go further. Unlike traditional applications, AI agents adapt autonomously, modify their own behavior and operate at machine speed across enterprise systems; this means yesterday’s trusted agent could potentially be today’s compromised threat that immediately reverts to normal behavior to evade detection.

Trust cannot be established and maintained just at the perimeter; our focus must shift to inside the walls as well. Securing these dynamic actors requires treating them less like software and more like a workforce, with continuous identity verification, behavioral monitoring and adaptive governance frameworks.

Successful trust architecture rests on three foundational pillars, each addressing distinct operational requirements while integrating into a cohesive security posture.

Pillar 1: Verifiable identity

Every AI agent requires cryptographic identity verification comparable to employee credentials. Industry leaders recognize this imperative: Microsoft developed Entra Agent ID for agent authentication, while Okta’s acquisition of Axiom and Palo Alto Networks’ $25 billion CyberArk purchase signal market recognition that agent identity management is critical.

Organizations must register agents in configuration management databases with the same rigor applied to employee vetting and physical infrastructure, establishing clear accountability for every autonomous actor operating within enterprise boundaries.

Pillar 2: Comprehensive visibility and continuous monitoring

Traditional security tools monitor network perimeters and user behavior but lack mechanisms to detect anomalous agent activity. Effective trust infrastructure requires purpose-built observability platforms capable of tracking API call patterns, execution frequencies and behavioral deviations in real time.

Gartner predicts guardian agents, which are AI systems specifically designed to monitor other AI systems, will capture 10% to 15% of the agentic AI market by 2030, underscoring the necessity of layered oversight mechanisms.

Pillar 3: Governance as executable architecture

Effective governance transforms policies from static documents into executable specifications that define autonomy boundaries, such as which actions agents can execute independently, which operations require human approval and which capabilities remain permanently restricted. Organizations with mature responsible AI frameworks achieve 42% efficiency gains, according to McKinsey, demonstrating that governance enables innovation rather than constraining it — provided the governance operates as an architectural principle rather than a compliance afterthought.

Research from ServiceNow and Oxford Economics’ AI Maturity Index reveals that pacesetter organizations that are achieving measurable AI benefits have established cross-functional governance councils with genuine executive authority, not technical committees relegated to advisory roles.
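The three pillars can be made concrete in code. The following is an added example, not part of the original article and not any vendor's product: a Python enforcement point that gives each agent a verifiable identity (an HMAC-signed credential bound to an entry in an agent registry), watches its call rate for deviation, and executes governance as data, deciding per action whether the agent may proceed on its own, must wait for a human, or is refused outright. The registry, the credential format, the action names and the thresholds are all assumptions.

```python
"""Trust infrastructure for AI agents as executable policy (added example).

Pillar 1: verifiable identity  - HMAC-signed credential bound to a registered agent.
Pillar 2: continuous monitoring - sliding-window call rate per agent.
Pillar 3: executable governance - per-action tier: auto / approve / deny.
The registry key, agent ids, action names and thresholds are constructed.
"""
import hashlib
import hmac
import json
from collections import defaultdict, deque

# Pillar 1. The key stands in for one held by the agent registry (an HSM/KMS in practice).
REGISTRY_KEY = b"constructed-registry-signing-key"
AGENT_REGISTRY = {
    "agent-invoice-bot": {"owner": "finance", "roles": {"ledger.read", "payment.create"}},
    "agent-helpdesk":    {"owner": "it",      "roles": {"ticket.read", "ticket.update"}},
}

def issue_credential(agent_id, key=REGISTRY_KEY):
    body = json.dumps({"sub": agent_id}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag

def verify_credential(cred, key=REGISTRY_KEY):
    """Return the agent id if the credential is authentic and registered, else None."""
    try:
        body_hex, tag = cred.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    agent_id = json.loads(body).get("sub")
    return agent_id if agent_id in AGENT_REGISTRY else None

# Pillar 3. Governance as data the enforcement point executes, not a document.
POLICY = {
    "ledger.read":    {"tier": "auto",    "role": "ledger.read"},
    "ticket.read":    {"tier": "auto",    "role": "ticket.read"},
    "ticket.update":  {"tier": "auto",    "role": "ticket.update"},
    "payment.create": {"tier": "approve", "role": "payment.create", "auto_below": 1000},
    "user.delete":    {"tier": "deny"},   # permanently restricted for every agent
}

def govern(agent_id, action, params):
    rule = POLICY.get(action)
    if rule is None or rule["tier"] == "deny":
        return "deny"
    if rule["role"] not in AGENT_REGISTRY[agent_id]["roles"]:
        return "deny"
    if rule["tier"] == "auto":
        return "allow"
    amount = params.get("amount")
    if amount is not None and amount < rule["auto_below"]:
        return "allow"          # small payments run autonomously
    return "require_approval"   # larger or unpriced ones wait for a human

# Pillar 2. Behavioural monitoring: calls per agent in a sliding window.
class RateMonitor:
    def __init__(self, window_s=60, max_calls=5):
        self.window_s, self.max_calls = window_s, max_calls
        self.calls = defaultdict(deque)

    def record(self, agent_id, now):
        """Record a call at time `now` (seconds); True if the agent exceeds its rate."""
        q = self.calls[agent_id]
        q.append(now)
        while q and now - q[0] > self.window_s:
            q.popleft()
        return len(q) > self.max_calls

class AgentGateway:
    def __init__(self, monitor=None):
        self.monitor = monitor or RateMonitor()
        self.audit = []

    def handle(self, cred, action, params, now):
        agent_id = verify_credential(cred)
        if agent_id is None:
            outcome = "deny"                 # no verifiable identity, no action
        elif self.monitor.record(agent_id, now):
            outcome = "quarantine"           # behaviour deviates: hold for review
        else:
            outcome = govern(agent_id, action, params)
        self.audit.append((now, agent_id, action, outcome))
        return outcome

if __name__ == "__main__":
    gw = AgentGateway()
    bot = issue_credential("agent-invoice-bot")
    print(gw.handle(bot, "payment.create", {"amount": 250}, 0))    # allow
    print(gw.handle(bot, "payment.create", {"amount": 25000}, 1))  # require_approval
    print(gw.handle(bot, "user.delete", {}, 2))                    # deny
    print(gw.handle("forged.credential", "ledger.read", {}, 3))    # deny
```

Note the evaluation order: identity first, then behaviour, then policy. A correctly credentialled agent that suddenly bursts past its normal call rate is quarantined before the policy even looks at what it asked for, which is the "yesterday's trusted agent is today's compromised threat" case from the text.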

In sum, trust infrastructure isn’t defensive. It’s the prerequisite for deploying AI agents in high-value workflows where competitive advantage actually resides, separating organizations capable of strategic deployment from those perpetually constrained by risks they cannot adequately manage.

The 2027 divide

Gartner predicts 40% of agentic AI projects will be canceled by 2027, citing inadequate risk controls as a main factor. By then, there will be a clear divide between organizations that can safely deploy ambitious agentic use cases and those that cannot afford to. The former will have built trust as infrastructure; the latter will be retrofitting security onto systems already deployed and discovering problems through costly incidents.

Trust can’t be borrowed from consultants or bought from vendors. Unlike traditional currencies that flow freely, trust in the age of agentic AI must be earned through verifiable governance, transparent operations and systems designed with security as a core principle, not an afterthought. As the gap between those who have it and those who don’t widens, the architectural decisions you make today will determine which side of the divide you’re on.

This article is published as part of the Foundry Expert Contributor Network.

Merging zero trust with digital twins: The next frontier in government cyber resilience

12 November 2025 at 16:22

Cyber adversaries aren't standing still, and our defenses can't either. In an environment where government networks face relentless, increasingly sophisticated attacks, it's evident that perimeter-based security models belong in the past. A zero trust framework redefines the approach: every user, device and connection is treated as unverified until proven otherwise, on the principle of "never trust, always verify." By assuming breach, zero trust delivers what today's government missions demand: speed, resilience and the ability to contain damage before it spreads.

To truly operationalize zero trust, agencies must look beyond theory and embrace emerging technologies. Many federal organizations are already turning to artificial intelligence and digital twins to get there. A digital twin — a software-based replica of a real-world network — creates an invaluable proving ground. Rather than waiting for an adversary to strike live systems, agencies can safely simulate cyberattacks, test and refine policies, and validate updates before deployment. In my view, this marks a fundamental shift: Digital twins aren’t just a tool, they represent the future of proactive cyber defense, where learning, adaptation and resilience happen before a crisis, not after.

This approach doesn’t just strengthen agency defenses; it also streamlines operations. Instead of maintaining expensive, outdated physical labs, agencies can rely on digital twins to keep pace with evolving cyber threats. Most recently, a large government agency demonstrated the power of this approach by overcoming years of technical debt, rapidly reconfiguring critical systems, and building a testing environment that delivered greater speed, precision and efficiency that advanced their mission and operational goals.

Strategies for anticipating compromise while ensuring operational resilience

Digital twins offer significant potential for enhancing cybersecurity, yet their widespread adoption remains nascent due to several challenges, including budget constraints and agency inertia. Agencies can reference established frameworks such as the National Institute of Standards and Technology's SP 800-207 and the Cybersecurity and Infrastructure Security Agency's Zero Trust Maturity Model to guide their zero trust journeys. However, with their particular mix of legacy systems, cloud services and devices, agencies require zero trust capabilities tailored to their specific needs. The core challenge for government then becomes how to proactively implement effective zero trust strategies that anticipate compromise while ensuring continued operations.

To address these challenges and effectively implement zero trust, here are key actions for agency leaders to consider that include people, process and tools:

  • People

Embrace change management

Zero trust implementation is as much about people and process as it is about technology. To foster cross-team buy-in, agencies must clearly articulate the “why” behind zero trust. Instead of just a technical mandate, zero trust should be framed as a strategy to improve security and efficiency. This involves creating a shared understanding of the framework’s benefits and how it impacts each team member.

Quantify and communicate value

Measuring the ROI of zero trust is complex, as preventing incidents yields invisible benefits. How will you define success: reduced risk, faster compliance, operational consistency? Agencies should set milestones for measuring security posture improvements and regulatory progress while recognizing the limitations of conventional ROI calculations.

  • Process

Adopt zero trust as a damage-limitation strategy

Rather than asking, “How do we stop every breach?” agencies should take steps to shift from prevention-only thinking to dynamic containment and defense, such as:

  • Developing an incident response plan that outlines roles, responsibilities and communication protocols for cyberattack stages.
  • Conducting regular tabletop exercises and simulations to test the plan’s effectiveness and find improvement areas.
  • Automating security workflows to accelerate response times and reduce human error.

Be thorough with zero trust planning

According to public sector best practices, projects with 90% planning and 10% execution are far more likely to succeed. Agency technology and information leaders should take an active role in driving zero trust transformation, ensuring comprehensive planning, stakeholder engagement, and organizational buy-in are prioritized from the outset.

  • Tools

Leverage digital twins

Agencies are turning to emerging technology, including AI and digital twins, to keep pace with threat actors. Government IT and SecOps teams can deploy digital twins to simulate attacks, validate controls and reduce costly physical testing environments. Digital twins should also be considered a safe space for agencies to experiment, identify vulnerabilities, and optimize policies before deployment — an invaluable asset for agencies navigating mixed legacy and cloud ecosystems. Moreover, model-based systems engineering and agile approaches, paired with digital twins, can empower agencies to “rehearse” security incidents and fine-tune architectures.

Tackle tool sprawl using informed consolidation

The sheer volume of disparate vendors and tools can undermine even the best zero trust architecture. Utilizing digital twins to map and simulate your IT environment allows for thoughtful consolidation without sacrificing security or compliance. Lastly, agencies should identify where they are duplicating capabilities and envision a streamlined, mission-focused toolset.

Accelerating zero trust at scale

To address the pace and complexity of future threats, government agencies must act boldly by embracing zero trust not only as a framework but also as a fundamental mindset for continual adaptation and resilience.

By harnessing the power of technologies like AI and digital twins, modernizing planning and response strategies, and committing to cross-team collaboration, agencies can outmaneuver adversaries and protect their most critical missions.

The path forward is clear: Operational resilience is achieved by investing today in future-ready strategies that anticipate compromise, ensure continuity and empower every stakeholder to play a proactive role in defense.

John Fair is vice president of Air Force sales and account management at Akima.

The post Merging zero trust with digital twins: The next frontier in government cyber resilience first appeared on Federal News Network.


Innovator Spotlight: Seraphic

By: Gary
8 September 2025 at 17:26

Reinventing Browser Security for the Enterprise The Browser: Enterprise’s Biggest Blind Spot On any given day, the humble web browser is where business happens – email, SaaS apps, file sharing,...

The post Innovator Spotlight: Seraphic appeared first on Cyber Defense Magazine.

Innovator Spotlight: OPSWAT

By: Gary
3 September 2025 at 16:56

Zero Trust: The Unsung Hero of Cybersecurity Cybersecurity professionals are drowning in complexity. Acronyms fly like digital confetti, vendors promise silver bullets, and CISOs find themselves perpetually playing catch-up with...

The post Innovator Spotlight: OPSWAT appeared first on Cyber Defense Magazine.

Innovator Spotlight: DataKrypto

By: Gary
3 September 2025 at 10:13

The Silent Threat: Why Your AI Could Be Your Biggest Security Vulnerability Imagine a digital Trojan horse sitting right in the heart of your organization’s most valuable asset – your...

The post Innovator Spotlight: DataKrypto appeared first on Cyber Defense Magazine.

Contain Breaches and Gain Visibility With Microsegmentation

1 February 2023 at 09:00

Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces.

Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications and policy creation to define what communications are permitted. In effect, microsegmentation restricts lateral movement, isolates breaches and thwarts attacks.

Given the spotlight on breaches and their impact across industries and geographies, how can segmentation address the changing security landscape and client challenges? IBM and its partners can help in this space.

Breach Landscape and Impact of Ransomware

Historically, security solutions have focused on the data center, but new attack targets have emerged as enterprises move to the cloud and adopt technologies such as containerization and serverless computing. Breaches are not only occurring across an expanding attack surface; they have also become easier to spread. Traditional prevention and detection tools provided surface-level visibility into the traffic flows connecting applications, systems and devices across the network, but they were never designed to contain a breach and stop its spread.

Ransomware is particularly challenging, as it presents a significant threat to cyber resilience and financial stability. A successful attack can take a company’s network down for days or longer and lead to the loss of valuable data to nefarious actors. The Cost of a Data Breach 2022 report, conducted by the Ponemon Institute and sponsored by IBM Security, cites $4.54 million as the average ransomware attack cost, not including the ransom itself.

In addition, a recent IDC study highlights that ransomware attacks are evolving in sophistication and value. Sensitive data is being exfiltrated at a higher rate as attackers go after the most valuable targets for their time and money. Ultimately, the cost of a ransomware attack can be significant, leading to reputational damage, loss of productivity and regulatory compliance implications.

Organizations Want Visibility, Control and Consistency

With a focus on breach containment and prevention, hybrid cloud infrastructure and application security, security teams are expressing their concerns. Three objectives have emerged as vital for them.

First, organizations want visibility. Gaining visibility empowers teams to understand their applications and data flows regardless of the underlying network and compute architecture.

Second, organizations want consistency. Fragmented and inconsistent segmentation approaches create complexity, risk and cost. Consistent policy creation and strategy help align teams across heterogeneous environments and facilitate the move to the cloud with minimal re-writing of security policy.

Finally, organizations want control. Solutions that help teams target and protect their most critical assets deliver the greatest return. Organizations want to control communications through selectively enforced policies that can expand and improve as their security posture matures towards zero trust security.

Microsegmentation Restricts Lateral Movement to Mitigate Threats

Microsegmentation (or simply segmentation) combines practices, enforced policies and software that provide user access where required and deny access everywhere else. Segmentation contains the spread of breaches across the hybrid attack surface by continually visualizing how workloads and devices communicate. In this way, it creates granular policies that only allow necessary communication and isolate breaches by proactively restricting lateral movement during an attack.

The National Institute of Standards and Technology (NIST), in SP 800-207, describes microsegmentation as one of three approaches to building a zero trust architecture (alongside enhanced identity governance and software-defined perimeters), a framework for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to users, assets and resources.

Suppose existing detection solutions fail and security teams lack granular segmentation. In that case, malicious software can enter their environment, move laterally, reach high-value applications and exfiltrate critical data, leading to catastrophic outcomes.

Ultimately, segmentation helps clients respond by applying zero trust principles like ‘assume a breach,’ helping them prepare in the wake of the inevitable.
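What "visualize the flows, then allow only what is necessary" looks like in practice, as an added example that is not IBM's or Illumio's code: a label-based allowlist in Python. Workloads carry labels (application, role, environment) rather than being addressed by IP, rules select on those labels, anything unmatched is denied, and a set of observed flows is first summarised into a dependency map and then judged against the policy. The inventory, rules and flow records are constructed for illustration.

```python
"""Label-based microsegmentation policy evaluated against observed flows.

Added example, not from the article or any vendor. Workload labels, the
rules and the flow records are constructed. Default deny: a flow is allowed
only if some rule's source selector, destination selector and port match.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Workload:
    name: str
    app: str
    role: str
    env: str

# Inventory (constructed). Labels, not addresses, drive the policy.
WORKLOADS = {
    "10.0.1.10": Workload("web-1",   "shop", "web",  "prod"),
    "10.0.2.10": Workload("api-1",   "shop", "api",  "prod"),
    "10.0.3.10": Workload("db-1",    "shop", "db",   "prod"),
    "10.0.9.10": Workload("jump-1",  "ops",  "jump", "prod"),
    "10.0.5.10": Workload("web-dev", "shop", "web",  "dev"),
}

# Allowlist: (source selector, destination selector, destination port).
# A selector is a dict of label constraints; a missing key matches anything.
RULES = [
    ({"app": "shop", "role": "web", "env": "prod"}, {"app": "shop", "role": "api", "env": "prod"}, 8443),
    ({"app": "shop", "role": "api", "env": "prod"}, {"app": "shop", "role": "db",  "env": "prod"}, 5432),
    ({"role": "jump"},                              {"app": "shop"},                               22),
]

def matches(selector, wl):
    return all(getattr(wl, key) == value for key, value in selector.items())

def decide(src_ip, dst_ip, dport):
    """Policy decision for one flow. Unknown workloads have no labels and so no trust."""
    src, dst = WORKLOADS.get(src_ip), WORKLOADS.get(dst_ip)
    if src is None or dst is None:
        return "deny"
    for src_sel, dst_sel, port in RULES:
        if port == dport and matches(src_sel, src) and matches(dst_sel, dst):
            return "allow"
    return "deny"

def evaluate_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dport). Returns [(flow, verdict), ...]."""
    return [(flow, decide(*flow)) for flow in flows]

def dependency_map(flows):
    """Visualisation step: which labelled groups talk to which, and on what port."""
    edges = set()
    for src_ip, dst_ip, dport in flows:
        src, dst = WORKLOADS.get(src_ip), WORKLOADS.get(dst_ip)
        if src and dst:
            edges.add((f"{src.app}/{src.role}/{src.env}", f"{dst.app}/{dst.role}/{dst.env}", dport))
    return sorted(edges)

# Constructed flow log: the expected web -> api -> db path, an SSH session from
# the jump host, and two flows that a flat network would have let through.
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.2.10", 8443),
    ("10.0.2.10", "10.0.3.10", 5432),
    ("10.0.9.10", "10.0.3.10", 22),
    ("10.0.1.10", "10.0.3.10", 5432),   # web talking straight to the database: lateral movement
    ("10.0.5.10", "10.0.2.10", 8443),   # dev web server reaching the prod API: cross-environment
]

if __name__ == "__main__":
    for edge in dependency_map(SAMPLE_FLOWS):
        print("observed:", *edge)
    for flow, verdict in evaluate_flows(SAMPLE_FLOWS):
        print(verdict.upper(), flow)
```

Running the dependency map first against a few days of real flow data is the visibility step the article describes; the allowlist is then written from the edges you actually need, so the two lateral flows in the sample (web to database, dev to prod) are what the policy denies once enforcement is switched on.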

IBM Launches Segmentation Security Services

In response to growing interest in segmentation solutions, IBM has expanded its security services portfolio with IBM Security Application Visibility and Segmentation Services (AVS). AVS is an end-to-end solution combining software with IBM consulting and managed services to meet organizations’ segmentation needs. Regardless of where applications, data and users reside across the enterprise, AVS is designed to give clients visibility into their application network and the ability to contain ransomware and protect their high-value assets.

AVS will walk you through a guided experience to align your stakeholders on strategy and objectives, define the schema to visualize desired workloads and devices and build the segmentation policies to govern network communications and ring-fence critical applications from unauthorized access. Once the segmentation policies are defined and solutions deployed, clients can consume steady-state services for ongoing management of their environment’s workloads and applications. This includes health and maintenance, policy and configuration management, service governance and vendor management.

IBM has partnered with Illumio, an industry leader in zero trust segmentation, to deliver this solution.  Illumio’s software platform provides attack surface visibility, enabling you to see all communication and traffic between workloads and devices across the entire hybrid attack surface. In addition, it allows security teams to set automated, granular and flexible segmentation policies that control communications between workloads and devices, only allowing what is necessary to traverse the network. Ultimately, this helps organizations to quickly isolate compromised systems and high-value assets, stopping the spread of an active attack.

With AVS, clients can harden compute nodes across their data center, cloud and edge environments and protect their critical enterprise assets.

Start Your Segmentation Journey

IBM Security Services can help you plan and execute a segmentation strategy to meet your objectives. To learn more, register for the on-demand webinar now.

The post Contain Breaches and Gain Visibility With Microsegmentation appeared first on Security Intelligence.

Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments

14 September 2022 at 06:00

While cloud computing in its many forms (private, public, hybrid cloud or multi-cloud environments) has become synonymous with innovation and growth over the past decade, cybercriminals have closely watched the migration and introduced innovations of their own to exploit the platforms. Most of these exploits rely on poor configurations and human error. New IBM Security X-Force data reveals that many cloud-adopting businesses are falling behind on basic security best practices, introducing more risk to their organizations.

Shedding light on the “cracked doors” that cybercriminals are using to compromise cloud environments, the 2022 X-Force Cloud Threat Landscape Report uncovers that vulnerability exploitation, a tried-and-true infection method, remains the most common way to achieve cloud compromise. Gathering insights from X-Force Threat Intelligence data, hundreds of X-Force Red penetration tests, X-Force Incident Response (IR) engagements and data provided by report contributor Intezer, between July 2021 and June 2022, some of the key highlights stemming from the report include:

  • Cloud Vulnerabilities are on the Rise — Amid a sixfold increase in new cloud vulnerabilities over the past six years, 26% of cloud compromises that X-Force responded to were caused by attackers exploiting unpatched vulnerabilities, becoming the most common entry point observed. 
  • More Access, More Problems — In 99% of pentesting engagements, X-Force Red was able to compromise client cloud environments through users’ excess privileges and permissions. This type of access could allow attackers to pivot and move laterally across a victim environment, increasing the level of impact in the event of an attack.
  • Cloud Account Sales Gain Ground in Dark Web Marketplaces — X-Force observed a 200% increase in cloud accounts being advertised on the dark web, with remote desktop protocol access and compromised credentials the most popular types of cloud account offered on illicit marketplaces.

Unpatched Software: #1 Cause of Cloud Compromise

As the rise of IoT devices drives more and more connections to cloud environments, the potential attack surface grows, and with it critical challenges that many businesses are already experiencing, above all proper vulnerability management. Case in point: the report found that more than a quarter of the cloud incidents studied were caused by the exploitation of known, unpatched vulnerabilities. The Log4j vulnerability and a vulnerability in VMware Cloud Director were two of the more commonly leveraged vulnerabilities observed in X-Force engagements, but most of the exploited vulnerabilities primarily affected the on-premises versions of applications, sparing the cloud instances.

As suspected, cloud-related vulnerabilities are increasing at a steady rate, with X-Force observing a 28% rise in new cloud vulnerabilities over the last year alone. With over 3,200 cloud-related vulnerabilities disclosed in total to date, businesses face an uphill battle when it comes to keeping up with the need to update and patch an increasing volume of vulnerable software. In addition to the growing number of cloud-related vulnerabilities, their severity is also rising, made apparent by the uptick in vulnerabilities capable of providing attackers with access to more sensitive and critical data as well as opportunities to carry out more damaging attacks.

These ongoing challenges point to the need for businesses to pressure test their environments and not only identify weaknesses in their environment, like unpatched, exploitable vulnerabilities, but prioritize them based on their severity, to ensure the most efficient risk mitigation.

Excessive Cloud Privileges Aid in Bad Actors’ Lateral Movement

The report also shines a light on another worrisome trend across cloud environments — poor access controls, with 99% of pentesting engagements that X-Force Red conducted succeeding due to users’ excess privileges and permissions. Businesses are allowing users unnecessary levels of access to various applications across their networks, inadvertently creating a stepping stone for attackers to gain a deeper foothold into the victim’s cloud environment.

The trend underlines the need for businesses to shift to zero trust strategies, further mitigating the risk that overly trusting user behaviors introduce. Zero trust strategies enable businesses to put in place appropriate policies and controls to scrutinize connections to the network, whether an application or a user, and iteratively verify their legitimacy. In addition, as organizations evolve their business models to innovate at speed and adapt with ease, it’s essential that they’re properly securing their hybrid, multi-cloud environments. Central to this is modernizing their architectures: not all data requires the same level of control and oversight, so determining the right workloads, to put in the right place for the right reason is important. Not only can this help businesses effectively manage their data, but it enables them to place efficient security controls around it, supported by proper security technologies and resources.
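The excess-privilege finding is one a team can check for itself before a pentester does. The following is an added example, not part of the X-Force report: a small Python audit that reads policies written in the AWS IAM JSON style and flags the patterns that hand an attacker the stepping stone described above, namely wildcard actions or resources and permissions that enable privilege escalation. The sample policies are constructed, and the list of "sensitive" actions is a reviewer's assumption, not a vendor's catalogue.

```python
"""Flag excess privileges in cloud IAM policy documents (added example).

Reads AWS IAM-style policy JSON (constructed samples below) and reports
statements that grant more than a least-privilege policy would: wildcard
actions, wildcard resources, and action patterns that silently include
privilege-escalation-capable permissions. SENSITIVE_ACTIONS is an assumption.
"""
import fnmatch
import json

SENSITIVE_ACTIONS = {
    "iam:passrole", "iam:createaccesskey", "iam:attachuserpolicy",
    "iam:putuserpolicy", "sts:assumerole", "lambda:updatefunctioncode",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return findings as (severity, statement_index, message) tuples."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(("critical", i, "Allow */* grants full account access"))
            continue
        for pattern in actions:
            if pattern == "*" or pattern.endswith(":*"):
                findings.append(("high", i, f"wildcard action {pattern}"))
            # IAM action names are case-insensitive globs; expand each pattern
            # against the escalation-capable actions to see what it includes.
            for sensitive in SENSITIVE_ACTIONS:
                if fnmatch.fnmatchcase(sensitive, pattern):
                    findings.append(("high", i, f"{pattern} covers {sensitive}"))
        if "*" in resources:
            findings.append(("medium", i, "Resource * on otherwise scoped actions"))
    return findings

def worst_severity(findings):
    order = {"critical": 3, "high": 2, "medium": 1}
    return max((f[0] for f in findings), key=order.get, default="none")

# Constructed sample policies.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PASSROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:CreateFunction", "iam:PassRole"], "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::reports/*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in [("admin", ADMIN_POLICY), ("passrole", PASSROLE_POLICY), ("scoped", SCOPED_POLICY)]:
        findings = audit_policy(policy)
        print(f"{name}: worst={worst_severity(findings)}")
        for severity, idx, message in findings:
            print(f"  [{severity}] statement {idx}: {message}")
```

The PASSROLE_POLICY case is the one to notice: nothing in it looks like "admin", but lambda:CreateFunction plus iam:PassRole on every resource lets the holder run code under any role the account has, which is exactly the kind of quiet over-provisioning the 99% figure above describes.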

Dark Web Marketplaces Lean Heavier into Cloud Account Sales

With the rise of the cloud comes the rise of cloud accounts being sold on the Dark Web, verified by X-Force observing a 200% rise in the last year alone. Specifically, X-Force identified over 100,000 cloud account ads across Dark Web marketplaces, with some account types being more popular than others. Seventy-six percent of cloud account sales identified were Remote Desktop Protocol (RDP) access accounts, a slight uptick from the year prior. Compromised cloud credentials were also up for sale, accounting for 19% of cloud accounts advertised in the marketplaces X-Force analyzed.

The going price for this type of access is significantly low making these accounts easily attainable to the average bidder. The price for RDP access and compromised credentials average $7.98 and $11.74 respectively. Compromised credentials’ 47% higher selling price is likely due to their ease of use, as well as the fact that postings advertising credentials often include multiple sets of login data, potentially from other services that were stolen along with the cloud credentials, yielding a higher ROI for cybercriminals.

As more compromised cloud accounts pop up across these illicit marketplaces for malicious actors to exploit, it’s important that organizations work toward enforcing more stringent password policies by urging users to regularly update their passwords, as well as implement multifactor authentication (MFA). Businesses should also be leveraging Identity and Access Management tools to reduce reliance on username and password combinations and combat threat actor credential theft.

To read our comprehensive findings and learn about detailed actions organizations can take to protect their cloud environments, review our 2022 X-Force Cloud Security Threat Landscape here.

If you’re interested in signing up for the “Step Inside a Cloud Breach: Threat Intelligence and Best Practices” webinar on Wednesday, September 21, 2022, at 11:00 a.m. ET you can register here.

If you’d like to schedule a consult with IBM Security X-Force visit: www.ibm.com/security/xforce?schedulerform

The post Old Habits Die Hard: New Report Finds Businesses Still Introducing Security Risk into Cloud Environments appeared first on Security Intelligence.

X-Force Report: No Shortage of Resources Aimed at Hacking Cloud Environments

15 September 2021 at 06:05

As cybercriminals remain steadfast in their pursuit of unsuspected ways to infiltrate today's businesses, a new report by IBM Security X-Force highlights the top tactics of cybercriminals, the open doors users are leaving for them and the burgeoning marketplace for stolen cloud resources on the dark web. The big takeaway from the data is that businesses still control their own destiny when it comes to cloud security: correcting misconfigurations across applications, databases and policies could have prevented two-thirds of the breached cloud environments observed by IBM in this year's report.

IBM’s 2021 X-Force Cloud Security Threat Landscape Report has expanded from the 2020 report with new and more robust data, spanning Q2 2020 through Q2 2021. Data sets we used include dark web analysis, IBM Security X-Force Red penetration testing data, IBM Security Services metrics, X-Force Incident Response analysis and X-Force Threat Intelligence research. This expanded dataset gave us an unprecedented view across the whole technology estate to make connections for improving security. Here are some quick highlights:

  • Configure it Out — Two out of three breached cloud environments studied were caused by improperly configured Application Programming Interfaces (APIs). X-Force incident responders also observed virtual machines with default security settings that were erroneously exposed to the Internet, including misconfigured platforms and insufficiently enforced network controls.
  • Rulebreakers Lead to Compromise — X-Force Red found password and policy violations in the vast majority of cloud penetration tests conducted over the past year. The team also observed a significant growth in the severity of vulnerabilities in cloud-deployed applications, while the number of disclosed vulnerabilities in cloud-deployed applications rocketed 150% over the last five years.
  • Automatic for the Cybercriminals — With nearly 30,000 compromised cloud accounts for sale at bargain prices on dark web marketplaces and Remote Desktop Protocol accounting for 70% of cloud resources for sale, cybercriminals have turnkey options to further automate their access to cloud environments.
  • All Eyes on Ransomware & Cryptomining — Cryptominers and ransomware remain the top dropped malware into cloud environments, accounting for over 50% of detected system compromises, based on the data analyzed.

Modernization Is the New Firewall

More and more businesses are recognizing the business value of hybrid cloud and distributing their data across a diverse infrastructure. In fact, the 2021 Cost of a Data Breach Report revealed that breached organizations implementing a primarily public or private cloud approach suffered approximately $1 million more in breach costs than organizations with a hybrid cloud approach.

With businesses seeking heterogeneous environments to distribute their workloads and better control where their most critical data is stored, modernization of those applications is becoming a point of control for security. The report is putting a spotlight on security policies that don’t encompass the cloud, increasing the security risks businesses are facing in disconnected environments. Here are a few examples:

  • The Perfect Pivot — As enterprises struggle to monitor and detect threats in today's cloud environments, threat actors have pivoted from on-premise into cloud environments, making this one of the most frequently observed infection vectors targeting cloud environments: it accounted for 23% of incidents IBM responded to in 2020.
  • API Exposure — Another top infection vector we identified was improperly configured assets. Two-thirds of studied incidents involved improperly configured APIs. APIs lacking authentication controls can allow anyone, including threat actors, access to potentially sensitive information. On the other side, APIs being granted access to too much data can also result in inadvertent disclosures.
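An added example, not code from the report, illustrating both API failure modes above in Python: a handler with no authentication that returns the whole record, beside a hardened handler that checks a bearer token in constant time and returns only the fields the caller needs. The handlers are framework-agnostic (a request is a plain dict with headers and path parameters), and the customer record, field list and token are constructed.

```python
"""Unauthenticated, over-sharing API handler beside a hardened version.

Added example, not from the X-Force report. Framework-agnostic: each handler
takes a request dict ({"headers": ..., "path_params": ...}) and returns
(status, body). The customer record and the token are constructed.
"""
import hashlib
import hmac
import json

# Constructed backing store; a real service would query a database.
CUSTOMERS = {
    "c-1001": {"id": "c-1001", "name": "Ada Example", "email": "ada@example.com",
               "ssn": "123-45-6789", "card_number": "4111111111111111",
               "password_hash": "$2b$12$constructed", "tier": "gold"},
}

# Only a hash of the expected token is kept server-side (constructed value).
_EXPECTED_TOKEN_SHA256 = hashlib.sha256(b"example-api-token-do-not-use").hexdigest()

# The fields a caller of GET /customers/{id} legitimately needs.
PUBLIC_FIELDS = ("id", "name", "email", "tier")


def get_customer_vulnerable(request):
    """Misconfigured: no authentication, and the whole record is returned."""
    record = CUSTOMERS.get(request["path_params"]["id"])
    if record is None:
        return 404, {"error": "not found"}
    return 200, record  # leaks ssn, card number and password hash to anyone


def _authenticated(headers):
    """Bearer-token check: hash the presented token, compare in constant time."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    presented = hashlib.sha256(auth[len("Bearer "):].encode()).hexdigest()
    return hmac.compare_digest(presented, _EXPECTED_TOKEN_SHA256)


def get_customer_hardened(request):
    """Authenticates every call and returns only the fields the caller needs."""
    if not _authenticated(request.get("headers", {})):
        return 401, {"error": "authentication required"}
    record = CUSTOMERS.get(request["path_params"]["id"])
    if record is None:
        return 404, {"error": "not found"}
    # Explicit allow-list projection: new sensitive columns added to the
    # record later are not exposed by accident.
    return 200, {k: record[k] for k in PUBLIC_FIELDS}


if __name__ == "__main__":
    anonymous = {"headers": {}, "path_params": {"id": "c-1001"}}
    authed = {"headers": {"Authorization": "Bearer example-api-token-do-not-use"},
              "path_params": {"id": "c-1001"}}
    print("vulnerable, anonymous:", json.dumps(get_customer_vulnerable(anonymous)))
    print("hardened, anonymous:  ", json.dumps(get_customer_hardened(anonymous)))
    print("hardened, authed:     ", json.dumps(get_customer_hardened(authed)))
```

The projection through PUBLIC_FIELDS is the fix for the second failure mode (an API granted access to more data than it should return); the bearer check is the fix for the first. Wire the hardened handler to whatever framework the service uses and keep the vulnerable one only as a regression test.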

Many businesses don’t have the same level of confidence and expertise when configuring security controls in cloud computing environments compared to on-premise, which leads to a fragmented and more complex security environment that is tough to manage. Organizations need to manage their distributed infrastructure as one single environment to eliminate complexity and achieve better network visibility from cloud to edge and back. By modernizing their mission critical workloads, not only will security teams achieve speedier data recovery, but they will also gain a vastly more holistic pool of insights around threats to their organization that can inform and accelerate their response.

Trust That Attackers Will Succeed & Hold the Line

Evidence is mounting every day that the perimeter has been obliterated, and the findings in the report add to that body of data. That is why a zero trust approach is growing in both popularity and urgency: by assuming compromise, it removes the element of surprise and lets security teams prepare their response before an incident rather than after it. Applying this framework, organizations can better protect their hybrid cloud infrastructure by controlling all access to their environments and monitoring cloud activity and configuration. In this way organizations can go on offense with their defense, uncovering risky behaviors and enforcing privacy regulation controls and least privilege access. Here is some of the evidence from the report:

  • Powerless Policy — Our research suggests that two-thirds of studied breaches into cloud environments would have likely been prevented by more robust hardening of systems, such as properly implementing security policies and patching.
  • Lurking in the Shadows — “Shadow IT”, cloud instances or resources that have not gone through an organization’s official channels, indicate that many organizations aren’t meeting today’s baseline security standards. In fact, X-Force estimates the use of shadow IT contributed to over 50% of studied data exposures.
  • Password is “admin 1” — The report illustrates X-Force Red data accumulated over the last year, revealing that the vast majority of the team’s penetration tests into various cloud environments found issues with either passwords or policy adherence.

The reuse of these attack vectors emphasizes that threat actors rely repeatedly on human error for a way into the organization. It is imperative that businesses and security teams operate with the assumption of compromise in order to hold the line.

Dark Web Flea Markets Selling Cloud Access

Cloud resources are providing an excess of corporate footholds to cyber actors, drawing attention to the tens of thousands of cloud accounts available for sale on illicit marketplaces at a bargain. The report reveals that nearly 30,000 compromised cloud accounts are on display on the dark web, with sales offers that range from a few dollars to over $15,000 (depending on geography, amount of credit on the account and level of account access) and enticing refund policies to sway buyers’ purchasing power.

But that’s not the only cloud “tool” for sale on dark web markets: our analysis highlights that Remote Desktop Protocol (RDP) accounts for more than 70% of cloud resources for sale, a remote access method that greatly exceeds any other vector being marketed. While illicit marketplaces are the optimal shopping grounds for threat actors in need of cloud access, what concerns us most is a persistent pattern in which weak security controls and protocols, preventable forms of vulnerability, are repeatedly exploited for illicit access.

To read our comprehensive findings and learn about detailed actions organizations can take to protect their cloud environments, review our 2021 X-Force Cloud Security Threat Landscape here.

Want to hear from an expert? Schedule a consultation with an X-Force team member and register for our cloud security webinar to learn more.

The post X-Force Report: No Shortage of Resources Aimed at Hacking Cloud Environments appeared first on Security Intelligence.
