Exposing the Latest Cloud Threats with Anna Belak
Anna Belak, Director of The Office of Cybersecurity Strategy at Sysdig, joins Corey on Screaming in the Cloud to discuss the findings in this year’s newly-released Sysdig Global Cloud Threat Report. Anna explains the challenges that teams face in ensuring their cloud is truly secure, including quantity of data versus quality, automation, and more. Corey and Anna also discuss how much faster attacks are able to occur, and Anna gives practical insights into what can be done to make your cloud environment more secure.
Anna has nearly ten years of experience researching and advising organizations on cloud adoption with a focus on security best practices. As a Gartner Analyst, Anna spent six years helping more than 500 enterprises with vulnerability management, security monitoring, and DevSecOps initiatives. Anna's research and talks have been used to transform organizations' IT strategies and her research agenda helped to shape markets. Anna is the Director of The Office of Cybersecurity Strategy at Sysdig, using her deep understanding of the security industry to help IT professionals succeed in their cloud-native journey.
Anna holds a PhD in Materials Engineering from the University of Michigan, where she developed computational methods to study solar cells and rechargeable batteries.
- Sysdig: https://sysdig.com/
- Sysdig Global Cloud Threat Report: https://www.sysdig.com/2023threatreport
- duckbillgroup.com: https://duckbillgroup.com
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.
Corey: Welcome to Screaming in the Cloud. I’m Corey Quinn. This promoted guest episode is brought to us by our friends over at Sysdig. And once again, I am pleased to welcome Anna Belak, whose title has changed since last we spoke to Director of the Office of Cybersecurity Strategy at Sysdig. Anna, welcome back, and congratulations on all the adjectives.
Anna: [laugh]. Thank you so much. It’s always a pleasure to hang out with you.
Corey: So, we are here today to talk about a thing that has been written. And we’re in that weird time thing where while we’re discussing it at the moment, it’s not yet public but will be when this releases. The Sysdig Global Cloud Threat Report, which I am a fan of. I like quite a bit the things it talks about and the ways it gets me thinking. There are things that I wind up agreeing with, there are things I wind up disagreeing with, and honestly, that makes it an awful lot of fun.
But let’s start with the whole, I guess, executive summary version of this. What is a Global Cloud Threat Report? Because to me, it seems like there’s an argument to be made for just putting all three of the big hyperscale clouds on it and calling it a day because they’re all threats to somebody.
Anna: To be fair, we didn’t think of the cloud providers themselves as the threats, but that’s a hot take.
Corey: Well, an even hotter one is what I’ve seen out of Azure lately with their complete lack of security issues, and the attackers somehow got a Microsoft signing key and the rest. I mean, at this point, I feel like Charlie Bell was brought in from Amazon to head cybersecurity and spent the last two years trapped in the executive washroom or something. But I can’t prove it, of course. No, you target the idea of threats in a different direction, towards what people more commonly think of as threats.
Anna: Yeah, the bad guys [laugh]. I mean, I would say that this is the reason you need a third-party security solution, buy my thing, blah, blah, blah, but [laugh], you know? Yeah, so we are—we have a threat research team like I think most self-respecting security vendors these days do. Ours, of course, is the best of them all, and they do all kinds of proactive and reactive research of what the bad guys are up to so that we can help our customers detect the bad guys, should they become their victims.
Corey: So, there was a previous version of this report, and then you’ve, in long-standing tradition, decided to go ahead and update it. Unlike many of the terrible professors I’ve had in years past, it’s not just slap a new version number, change the answers to some things, and force all the students to buy a new copy of the book every year because that’s your retirement plan, you actually have updated data. What are the big changes you’ve seen since the previous incarnation of this?
Anna: That is true. In fact, we start from scratch, more or less, every year, so all the data in this report is brand new. Obviously, it builds on our prior research. I’ll say one clearly connected piece of data is, last year, we did a supply chain story that talked about the bad stuff you can find in Docker Hub. This time we upleveled that and we actually looked deeper into the nature of said bad stuff and how one might identify that an image is bad.
And we found that 10% of the malware scary things inside images actually can’t be detected by most of your static tools. So, if you’re thinking, like, static analysis of any kind, SCA, vulnerability scanning, just, like, looking at the artifact itself before it’s deployed, you actually wouldn’t know it was bad. So, that’s a pretty cool change, I would say [laugh].
Corey: It is. And I’ll also say what’s going to probably sound like a throwaway joke, but I assure you it’s not, where you’re right, there is a lot of bad stuff on Docker Hub and part of the challenge is disambiguating malicious-bad and shitty-bad. But there are serious security concerns to code that is not intended to be awful, but it is anyway, and as a result, it leads to something that this report gets into a fair bit, which is the ideas of, effectively, lateralling from one vulnerability to another vulnerability to another vulnerability to the actual story. I mean, Capital One was a great example of this. They didn’t do anything that was outright negligent like leaving an S3 bucket open; it was a determined sophisticated attacker who went from one mistake to one mistake to one mistake to, boom, keys to the kingdom. And that at least is a little bit more understandable even if it’s not great when it’s your bank.
Anna: Yeah. I will point out that in the 10% that these things are really bad department, it was 10% of all things that were actually really bad. So, there were many things that were just shitty, but we had pared it down to the things that were definitely malicious, and then 10% of those things you could only identify if you had some sort of runtime analysis. Now, runtime analysis can be a lot of different things. It’s just that if you’re relying on preventive controls, you might have a bad time, like, one times out of ten, at least.
But to your point about, kind of, chaining things together, I think that’s actually the key, right? Like, that’s the most interesting moment is, like, which things can they grab onto, and then where can they pivot? Because it’s not like you barge in, open the door, like, you’ve won. Like, there’s multiple steps to this process that are sometimes actually quite nuanced. And I’ll call out that, like, one of the other findings we got this year that was pretty cool is that the time it takes to get through those steps is very short. There’s a data point from Mandiant that says that the average dwell time for an attacker is 16 days. So like, two weeks, maybe. And in our data, the average dwell time for the attacks we saw was more like ten minutes.
Corey: And that is going to be notable for folks. Like, there are times where I have—in years past; not recently, mind you—I have—oh, I’m trying to set something up, but I’m just going to open this port to the internet so I can access it from where I am right now and I’ll go back and shut it in a couple hours. There was a time that that was generally okay. These days, everything happens so rapidly. I mean, I’ve sat there with a stopwatch after intentionally committing AWS credentials to Gif-ub—yes, that’s how it’s pronounced—and 22 seconds until the first probing attempt started hitting, which was basically impressively fast. Like, the last thing in the entire sequence was, and then I got an alert from Amazon that something might have been up, at which point it is too late. But it’s a hard problem and I get it. People don’t really appreciate just how quickly some of these things can evolve.
Anna: Yeah. And I think the main reason, from at least what we see, is that the bad guys are into the cloud saying, right, like, we good guys love the automation, we love the programmability, we love the immutable infrastructure, like, all this stuff is awesome and it’s enabling us to deliver cool products faster to our customers and make more money, but the bad guys are using all the same benefits to perpetrate their evil crimes. So, they’re building automation, they’re stringing cool things together. Like, they have scripts that they run that basically just scan whatever’s out there to see what new things have shown up, and they also have scripts for reconnaissance that