Full Report
The Cloud Threat Landscape is a threat intelligence database that summarizes cloud incidents and offers insights into targeting patterns and initial access methods.
Analysis Summary
The source text describes the *creation and purpose* of the Wiz Cloud Threat Landscape database rather than a specific past security incident. This report therefore summarizes the *scope and content* of the knowledge base itself, as that is the only incident-related information available.
# Incident Report: Summary of Wiz Cloud Threat Landscape Knowledge Base
## Executive Summary
Wiz Research has launched the Cloud Threat Landscape, a publicly accessible database documenting security incidents and campaigns targeting public cloud environments from 2019 onwards. This resource aggregates data on attacker techniques, targeted technologies, threat actors, and observed impact to enhance cloud security defenses and aid community threat modeling. The intent is to provide a focused, interconnected view of cloud-specific threats largely absent in general security databases.
## Incident Details
- Discovery Date: Ongoing (the source states the database has been in development "for a while now").
- Incident Date: Coverage spans 2019 to the present day.
- Affected Organization: Not applicable (This is a threat intelligence aggregation effort).
- Sector: All sectors utilizing public cloud environments.
- Geography: Global scope covered by the aggregated data.
## Timeline of Events
Since this is a report on a knowledge base, the timeline reflects its development:
### Initial Access (Information Gathering Phase)
- Date/Time: Ongoing; research predating 2019 culminated in the public release.
- Vector: Internal threat intelligence gathering and analysis of publicly disclosed cloud incidents.
- Details: Consolidating information on initial access methods, tools, and techniques used against cloud assets.
### Lateral Movement
- Details: The database includes analyzed patterns of how attackers move laterally within compromised cloud environments.
### Data Exfiltration/Impact
- Details: Records the types of data targeted and the observed impact across various documented campaigns.
### Detection & Response (Public Release)
- Detection: The lack of holistic, public-domain data on cloud threats prompted the curated release.
- Response Actions: Making the database publicly available via `threats.wiz.io` to inform the community.
## Attack Methodology
The database documents methodologies observed across numerous incidents, categorized by:
- Initial Access: Exploiting vulnerabilities or misconfigurations in cloud-native technologies.
- Persistence: Documented persistence mechanisms observed in compromised environments.
- Privilege Escalation: Documented techniques observed in cloud attacks.
- Defense Evasion: Techniques used to bypass cloud security controls.
- Credential Access: Documented methods for stealing cloud credentials.
- Discovery: Reconnaissance techniques targeting cloud service configurations.
- Lateral Movement: Techniques observed moving between cloud resources or accounts.
- Collection: Methods for gathering sensitive data stored in the cloud.
- Exfiltration: Methods used to move data out of the cloud infrastructure.
- Impact: Summarization of outcomes from various documented compromises.
## Impact Assessment
(Impact assessment cannot be detailed as this describes the intelligence aggregator, not one specific breach.)
- Financial: N/A (Aggregated from various sources).
- Data Breach: Coverage includes incidents resulting in various types of data compromises.
- Operational: Insights provided regarding operational disruption caused by cloud-focused threat actors.
- Reputational: Indirectly addressed by sharing knowledge to mitigate future reputational damage to victims.
## Indicators of Compromise
The database tracks observed Indicators of Compromise (IOCs) related to cloud threats, including:
- Network indicators: to be referenced from the specific entries on `threats.wiz.io`.
- File indicators: Malware or tools associated with cloud exploits.
- Behavioral indicators: Observed threat actor behaviors mapped (partially) to MITRE ATT&CK and ATLAS.
## Response Actions
The knowledge base reflects documented responses from historical incidents, including (but not limited to):
- Containment measures: Strategies used to halt cloud breach progression.
- Eradication steps: Methods for removing attacker presence.
- Recovery actions: Steps taken to restore cloud services post-incident.
## Lessons Learned
- Hyper-Focus Required: General security databases often miss the nuances of cloud threats; specialized intelligence is crucial.
- Interconnectedness: Effective threat modeling requires a holistic view connecting actors, tools, techniques, and targeted technologies.
- Tool Inventory: Adversaries target known weaknesses in technologies frequently deployed in the cloud.
## Recommendations
- Continuously cross-reference internal security posture against documented cloud threat techniques.
- Prioritize remediation efforts on technologies frequently cited as initial access vectors in the threat landscape.
- Leverage structured threat intelligence (like ATT&CK/ATLAS mappings) for proactive defense construction in cloud environments.