
Evolving Cloud Threats

David Tessier

Prioritizing Data Exfiltration and Identity Protection in 2025





The digital landscape is constantly shifting, and with it, the tactics of cyber threat actors. As we navigate the complexities of 2025, it's more important than ever for security professionals to stay ahead of the curve and prioritize the most significant risks to their cloud environments. The Google Cloud Threat Horizons Report is a key resource for understanding these threats, offering strategic intelligence and actionable mitigations for cloud security leaders and practitioners. 


This report is informed by insights from Google Threat Intelligence Group (GTIG), Mandiant, Google Cloud’s Office of the CISO, Product Security Engineering, and various Google Cloud intelligence, security, and product teams. The goal of this report is to provide decision-makers with strategic intelligence on threats to not just Google Cloud, but all providers. By focusing on these recommendations, organizations can improve their overall cloud security posture.


This latest report provides crucial insights into the evolving threats and offers actionable strategies to enhance cloud data security. Let's dive deeper into the key findings and their implications.


Key Findings from the Report:


  • Overprivileged Service Accounts: A Critical Vulnerability: Threat actors are shifting their focus from user credentials and misconfigurations toward overprivileged service accounts, that is, workload identities holding more permissions than their job requires. Once one is compromised, those excess permissions let an attacker move laterally through an organization's systems with relative ease. In the second half of 2024, nearly half (46.4%) of observed security alerts related to overprivileged service accounts, a sign that attackers are investing in what they can do after initial entry rather than only in the entry point itself. A further 10.3% of alerts came from service account keys being used from unexpected locations, which points to a possibly leaked key and warrants investigation. Organizations need to manage and monitor both service account permissions and service account keys more diligently to prevent exploitation.

  • Identity as the New Perimeter: As cloud adoption expands, the traditional network perimeter is giving way to identity as the security boundary. Compromised identities, both human and workload, have become a major attack vector. Threat actors bypass traditional authentication by intercepting or stealing post-authentication tokens and session cookies, by SIM swapping, by MFA fatigue (push bombing), and by targeted social engineering of users and help desks. A single stolen credential can trigger a chain reaction, granting access to both on-premises and cloud applications and data. That access is then used to compromise infrastructure through remote access services, manipulate MFA settings, establish persistence, and steal data, ultimately leading to extortion and other destructive activity.

  • Cloud Databases Under Relentless Attack: Databases, particularly those holding critical business data and Personally Identifiable Information (PII), are prime targets. Attackers actively exploit vulnerabilities and weak credentials to reach this data, automating the scanning of exposed instances for open ports, weak passwords, and misconfigurations. Once inside, they reuse the credentials they find to move laterally toward even more valuable data. In one notable incident, a group used Kinsing malware against publicly exposed PostgreSQL databases, gaining initial access through weak credentials. This is a common pattern: threat actors look for the easiest path to high-value information.

  • The Evolution of Ransomware Tactics: Ransomware remains a significant threat, and the tactics behind it keep evolving. Ransomware-as-a-Service (RaaS) offerings let less sophisticated actors run extortion operations, and established groups are adopting them too: UNC2165 has moved to the well-known RANSOMHUB RaaS, which hinders attribution and increases the likelihood of payment. Data exfiltration is often prioritized over encryption, so an organization that restores its encrypted data still faces the risk of its stolen data being published. RaaS also makes actors more agile: UNC2165 shifted from HADES to LOCKBIT, briefly used CONTI, and finally settled on RANSOMHUB, a progression most likely driven by the law-enforcement disruption of LOCKBIT and by the cost-effectiveness of renting a mature RaaS platform.

  • Data Leak Sites (DLS) Fuel Extortion: Threat actors increasingly extort victims through data leak sites. Publishing stolen data, or the threat of it, amplifies pressure on victim organizations regardless of whether they run primarily on-premises or in the cloud, and the number of victims posted on DLS continues to grow. Actors are also becoming more aggressive, contacting employees and even their families to increase pressure. Groups such as Storm-0501 have used DLS to publicize their intrusions after deploying ransomware and exfiltrating data. DLS posting counts give a real-world indicator of which operations were most active in a given time frame.
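The finding that 10.3% of alerts came from service account keys used from unexpected locations is a detection you can run yourself over Cloud Audit Logs. The example below is added here and is not code from the report, from Google, or from the original post. The log records are constructed; the field names (`protoPayload.authenticationInfo.principalEmail`, `protoPayload.authenticationInfo.serviceAccountKeyName`, `protoPayload.requestMetadata.callerIp`, `protoPayload.methodName`) are the real Cloud Audit Log fields, while the project, account names, key IDs, IP ranges and the "expected source" and "attached-only" allowlists are assumptions made for the example.

```python
"""Flag user-managed service-account key authentications from unexpected locations.

Added example, not from the Threat Horizons report or the original post.
SAMPLE_LOGS is constructed; the protoPayload field names follow Cloud Audit Logs.
The allowlists below are assumptions for the example.
"""
import ipaddress
import json

# Constructed Cloud Audit Log records, one JSON object per line as exported
# from Cloud Logging. A record with no serviceAccountKeyName was authenticated
# with an attached identity (metadata-server token), not a long-lived key.
SAMPLE_LOGS = r"""
{"protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "ci-builder@example-proj.iam.gserviceaccount.com"}, "requestMetadata": {"callerIp": "10.128.0.7"}}, "timestamp": "2024-11-03T10:00:01Z"}
{"protoPayload": {"methodName": "storage.objects.list", "authenticationInfo": {"principalEmail": "backup-sa@example-proj.iam.gserviceaccount.com", "serviceAccountKeyName": "//iam.googleapis.com/projects/example-proj/serviceAccounts/backup-sa@example-proj.iam.gserviceaccount.com/keys/0a1b2c3d"}, "requestMetadata": {"callerIp": "203.0.113.44"}}, "timestamp": "2024-11-03T10:00:09Z"}
{"protoPayload": {"methodName": "storage.objects.get", "authenticationInfo": {"principalEmail": "backup-sa@example-proj.iam.gserviceaccount.com", "serviceAccountKeyName": "//iam.googleapis.com/projects/example-proj/serviceAccounts/backup-sa@example-proj.iam.gserviceaccount.com/keys/0a1b2c3d"}, "requestMetadata": {"callerIp": "198.51.100.20"}}, "timestamp": "2024-11-03T10:00:15Z"}
{"protoPayload": {"methodName": "SetIamPolicy", "authenticationInfo": {"principalEmail": "ci-builder@example-proj.iam.gserviceaccount.com", "serviceAccountKeyName": "//iam.googleapis.com/projects/example-proj/serviceAccounts/ci-builder@example-proj.iam.gserviceaccount.com/keys/ffee9988"}, "requestMetadata": {"callerIp": "192.0.2.77"}}, "timestamp": "2024-11-03T10:01:00Z"}
"""

# Assumption: CIDRs from which key-based auth is expected for a given SA
# (for example an on-prem backup appliance's egress range).
EXPECTED_KEY_SOURCES = {
    "backup-sa@example-proj.iam.gserviceaccount.com": ["198.51.100.0/24"],
}
# Assumption: SAs that should only run as attached identities; any use of a
# user-managed key for them means a key was created and is in someone's hands.
ATTACHED_ONLY = {"ci-builder@example-proj.iam.gserviceaccount.com"}
# Methods that deserve a higher severity when performed with a long-lived key.
SENSITIVE_METHODS = {"SetIamPolicy", "google.iam.admin.v1.CreateServiceAccountKey"}


def parse_logs(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def key_id(entry):
    """Return the key ID suffix of serviceAccountKeyName, or None for non-key auth."""
    name = entry["protoPayload"].get("authenticationInfo", {}).get("serviceAccountKeyName")
    return name.rsplit("/", 1)[-1] if name else None


def ip_in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def evaluate(entry):
    """Return a finding dict for one record, or None when the key use looks expected."""
    payload = entry["protoPayload"]
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    kid = key_id(entry)
    if kid is None:
        return None  # attached identity or short-lived token: not in scope here
    ip = payload.get("requestMetadata", {}).get("callerIp", "")
    method = payload.get("methodName", "")
    reasons = []
    if principal in ATTACHED_ONLY:
        reasons.append("user-managed key used by an attached-only service account")
    allowed = EXPECTED_KEY_SOURCES.get(principal)
    if allowed is None and principal not in ATTACHED_ONLY:
        reasons.append("no expected key source registered for this service account")
    elif allowed is not None and not ip_in_any(ip, allowed):
        reasons.append(f"key used from unexpected IP {ip}")
    if not reasons:
        return None
    severity = "HIGH" if method in SENSITIVE_METHODS else "MEDIUM"
    return {"time": entry["timestamp"], "principal": principal, "key_id": kid,
            "ip": ip, "method": method, "severity": severity, "reasons": reasons}


def detect(text):
    """Run evaluate() over a JSON-lines export and return the list of findings."""
    return [f for f in (evaluate(e) for e in parse_logs(text)) if f]


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f["severity"], f["time"], f["principal"], f["key_id"], f["ip"],
              f["method"], "|", "; ".join(f["reasons"]))
```

On the constructed input this yields two findings: a MEDIUM for the backup key used from 203.0.113.44 instead of its registered range, and a HIGH for a key-authenticated `SetIamPolicy` by a service account that should never have a user-managed key at all. The key ID in the finding is what you would feed straight into a disable-and-rotate playbook.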


Actionable Mitigations: A Layered Approach to Security


To effectively address these evolving threats, organizations must take a layered, proactive approach to security. Here are some key recommendations:


  • Strengthen Service Account Security: Reduce the risk that user-managed service account keys represent. Wherever possible, avoid keys altogether by running workloads under attached service accounts or Workload Identity Federation. Where keys cannot be removed, review key-management practices: restrict key creation with the organization policy constraint constraints/iam.disableServiceAccountKeyCreation (granting exceptions per project), rotate remaining keys, and limit the roles granted to each account. Use IAM Recommender to right-size roles based on the permissions an account has actually used.

  • Enhance Authentication Processes: Organizations should move towards a "positive identity transaction," which goes beyond relying on a single identity attribute like a password. This requires combining strong authentication, such as phishing-resistant MFA and passwordless options, with attribute-based validation. This can include geo-verification, identity risk reviews, time-based access enforcement, and device state review.

  • Modernize Identity Incident Response: In addition to strengthening authentication processes, organizations must modernize playbooks and processes for incident response. This includes enforcing MFA for all accounts, disabling and rotating credentials, revoking access tokens and cookies, and reviewing registered devices and applications. All of these steps should be clearly outlined in incident response playbooks to ensure swift action when a breach is detected.

  • Secure Cloud Databases: The security and integrity of managed databases is critical. Prefer private IP connectivity and, where a public IP is unavoidable, restrict which source ranges may connect by configuring authorized networks on the Cloud SQL instance and requiring TLS. Logging and monitoring matter too: use Cloud Monitoring to alert on failed login attempts, and enable database audit logging in Cloud SQL (the MySQL audit plugin or pgAudit for PostgreSQL) to record administrative access and system changes. Use strong, IAM-backed authentication through the Cloud SQL Auth Proxy rather than long-lived database passwords, and work through the Cloud SQL security recommendations surfaced by Security Command Center to manage vulnerabilities and misconfigurations proactively.

  • Prioritize Data Exfiltration Protection: Use Security Command Center (SCC) to detect data exfiltration events and Security Health Analytics to find the misconfigurations that enable them. Use Sensitive Data Protection (SDP) to discover and classify sensitive data so that monitoring can focus on the stores that matter. Automation for credential hygiene and security awareness programs both help prevent the credential compromise that usually precedes exfiltration.

  • Implement a Cloud-Specific Backup Strategy: Disaster recovery testing should cover configurations, templates, and full infrastructure redeployment, not just data restores. Backups should be immutable so that a threat actor holding compromised credentials cannot delete, modify, or encrypt them.

  • Monitor for Unusual Spending Patterns: A sudden spike in compute spend is often the first visible sign of a compromised identity being used for cryptomining. With Google Cloud you can identify and manage unusual spending across all projects linked to a billing account, and Cloud Billing budgets with alert thresholds turn that into a notification rather than an end-of-month surprise.
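The service account and database recommendations above can be turned into a posture check that runs against exported configuration. The script below is an added example, not code from the post, from Google, or from the report. Its two inputs are constructed JSON: a project IAM policy in the shape `gcloud projects get-iam-policy --format=json` returns, and Cloud SQL instance settings following the Cloud SQL Admin API `settings.ipConfiguration` object (`ipv4Enabled`, `requireSsl`, `authorizedNetworks`). The field names are real; the project, instance and account names and the list of roles treated as "credential-minting" are assumptions made for the example.

```python
"""Posture checks for service-account privilege and Cloud SQL exposure.

Added example, not code from the post, Google, or the Threat Horizons report.
IAM_POLICY and SQL_INSTANCES are constructed; field names follow the IAM policy
format and the Cloud SQL Admin API, the values are invented for the example.
"""
import json

IAM_POLICY = json.loads(r"""
{"bindings": [
  {"role": "roles/editor",
   "members": ["serviceAccount:legacy-app@example-proj.iam.gserviceaccount.com", "group:devs@example.com"]},
  {"role": "roles/storage.objectViewer",
   "members": ["serviceAccount:backup-sa@example-proj.iam.gserviceaccount.com"]},
  {"role": "roles/iam.serviceAccountKeyAdmin",
   "members": ["serviceAccount:ci-builder@example-proj.iam.gserviceaccount.com"]},
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["serviceAccount:ci-builder@example-proj.iam.gserviceaccount.com"],
   "condition": {"title": "business-hours", "expression": "request.time.getHours('Europe/Paris') >= 8"}}
]}
""")

SQL_INSTANCES = json.loads(r"""
[
 {"name": "orders-prod", "settings": {"ipConfiguration": {"ipv4Enabled": true, "requireSsl": false,
   "authorizedNetworks": [{"value": "0.0.0.0/0", "name": "temp-debug"}]}}},
 {"name": "orders-analytics", "settings": {"ipConfiguration": {"ipv4Enabled": false,
   "privateNetwork": "projects/example-proj/global/networks/prod-vpc", "requireSsl": true, "authorizedNetworks": []}}}
]
""")

# Basic (primitive) roles grant thousands of permissions: the definition of overprivileged.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Assumption for the example: roles that let the holder mint credentials for other
# identities, a lateral-movement pivot when a service account holds them unconditionally.
CREDENTIAL_ROLES = {"roles/iam.serviceAccountKeyAdmin", "roles/iam.serviceAccountTokenCreator",
                    "roles/iam.serviceAccountAdmin"}


def check_iam_policy(policy):
    """Return (service_account, role, message) tuples for risky SA bindings."""
    findings = []
    for binding in policy.get("bindings", []):
        role, condition = binding["role"], binding.get("condition")
        for member in binding.get("members", []):
            if not member.startswith("serviceAccount:"):
                continue  # human principals are out of scope for this check
            sa = member.split(":", 1)[1]
            if role in BASIC_ROLES:
                findings.append((sa, role, "basic role on a service account; replace with predefined or custom roles"))
            elif role in CREDENTIAL_ROLES and condition is None:
                findings.append((sa, role, "unconditional credential-minting role; grant on specific SAs or add an IAM condition"))
    return findings


def check_sql_instances(instances):
    """Return (instance, message) tuples for Internet-exposed Cloud SQL instances."""
    findings = []
    for inst in instances:
        ipc = inst["settings"].get("ipConfiguration", {})
        if not ipc.get("ipv4Enabled", False):
            continue  # private IP only: not reachable from the Internet
        for net in ipc.get("authorizedNetworks", []):
            if net["value"].endswith("/0"):
                findings.append((inst["name"], f"authorized network {net['value']} ({net.get('name', '')}) allows any source IP"))
        if not ipc.get("requireSsl", False):
            findings.append((inst["name"], "public IP with requireSsl=false; unencrypted client connections are accepted"))
        findings.append((inst["name"], "public IP enabled; prefer private IP plus the Cloud SQL Auth Proxy"))
    return findings


if __name__ == "__main__":
    for sa, role, msg in check_iam_policy(IAM_POLICY):
        print(f"IAM  {sa} {role}: {msg}")
    for name, msg in check_sql_instances(SQL_INSTANCES):
        print(f"SQL  {name}: {msg}")
```

On the constructed input the IAM check flags `legacy-app` for holding `roles/editor` and `ci-builder` for an unconditional `roles/iam.serviceAccountKeyAdmin`, while the conditioned `roles/iam.serviceAccountTokenCreator` binding passes; the database check flags only `orders-prod`, the instance with a public IP, a `0.0.0.0/0` authorized network and TLS not required. In practice you would feed it the live output of `gcloud projects get-iam-policy` and `gcloud sql instances describe` instead of the embedded samples.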


Conclusion:


The cloud threat landscape continues to evolve, requiring organizations to stay vigilant and proactive. By understanding the key trends identified in the Google Cloud Threat Horizons Report and implementing the recommended mitigations, organizations can better protect their cloud environments from these evolving threats. The key to success is moving beyond perimeter-based security strategies and focusing on identity and data protection. This is a continuous process and should be constantly reevaluated.

Contact CWX today to understand how we can help make sure your cloud environment is secure and can withstand the ever evolving threat landscape.

