Cybersecurity is never boring. Not just because of the criticality of what you’re protecting and the inherent urgency of your actions — but because the threats you face are constantly evolving. Threat actors are always finding new ways as digital infrastructure evolves and cybersecurity tools advance. The scary part is that some of the biggest risks (and biggest breaches in history) stem from threats at the very leading edge of that threat evolution — before everyone is familiar with a vulnerability or attack pattern and before we all have tools and best practices to defend against them.

I’ve been focused on this leading edge of threats for most of my career. It was part of what we called “Offensive Security” at Salesforce. I’m constantly talking with leading threat analysts about what they’re seeing and where they worry about emerging risk. Part of what makes Oleria so exciting to me is that the Trustfusion Platform gives us unique visibility across the enterprise IT estate — helping to uncover new risks and vulnerabilities, as well as giving us a forensic lens on how new types of attacks or threats spread across users and across systems and tools. 

So, where do I see the biggest emerging threats to enterprise cybersecurity? I’m going to share my insights on four areas of risk I’m most concerned about:

• Identity-based attacks
• API attacks
• Cloud environment risks
• Cloud container risks

Shift to cloud (and SaaS apps) elevates identity-based attacks

The shift to cloud environments has brought new risks and vulnerabilities — and that’s also changed the TTPs. In particular, with organizations using a huge number of SaaS apps, those apps have become top targets. Common exploits include cross-site scripting (XSS), cross-site request forgery (CSRF), and XML external entity (XXE) injection, which allow attackers to hijack application functionality or access sensitive data.

But more broadly, the expanding adoption of SaaS apps and other decentralized systems and tools has made identity compromise the most common manner of breaching systems and data.

Focusing on these identity-based attacks, here’s how I categorize the key TTPs:

• Account credentials: Threat actors use stolen credentials to authenticate to a system and/or user account. They obtain these stolen credentials either directly (for example, using information stealers or exploiting unmanaged edge devices) or by purchasing them.
• API keys and secrets: Threat actors use stolen API keys and secrets to access protected resources and/or steal sensitive data. Unless the API keys and secrets are changed, the adversary could maintain indefinite access.
• Session cookies and tokens: Threat actors steal session cookies and tokens to masquerade as the legitimate user and authenticate to an application.
• One-time passwords (OTPs): By stealing an OTP, the threat actor can bypass multi-factor authentication (MFA) by SIM swapping, SS7 attacks, socially engineering the victim, or via email compromise.
• Kerberos and Kerberos tickets: By stealing or forging Kerberos tickets, threat actors can gain access to encrypted credentials, which can then be cracked offline. CrowdStrike CAO recorded a 583% increase in Kerberoasting attacks in 2023. 

API attacks: the new frontier

APIs have become a focal point for attackers due to their critical role in modern applications. Recent trends highlight the growing risk:

• Significant increase in attacks: In the first month of 2024, attempts to attack Web APIs impacted 1 in every 5 organizations worldwide — every week. That’s a 20% increase compared to January 2023, highlighting the growing risk associated with API vulnerabilities.
• Industry-wide impact: Cloud-based organizational networks saw a 34% rise in attacks compared to the same period last year — overtaking on-prem organizational networks in terms of the most common type of attacks, underscoring the evolving cloud threat landscape.
• Notable vulnerabilities and incidents: We’ve also seen more and more API attacks in the headlines. The Fortinet Authentication Bypass and Ivanti’s zero-day vulnerabilities have had widespread impacts, with the latter involving unauthorized data access and the spread of crypto-miner malware, demonstrating the critical nature of securing APIs against emerging threats.

Top 10 cloud environment risks

Cloud-based SaaS apps and their APIs are increasingly popular targets. But the cloud environment itself also presents a number of risks, due to the complex configurations (and misconfigurations) and easily overlooked security practices. Here’s what I see as the top 10 cloud environment risks:

1. Hunting leaked IAM keys and gaining persistence with federation tokens: Attackers frequently search public repositories, forums, and code-sharing platforms for exposed AWS IAM keys. Once found, these keys can grant unauthorized access to cloud environments. This is increasingly common due to developers accidentally exposing keys while coding, debugging, or during CI/CD processes.
2. Hunting for public S3 buckets: Publicly accessible S3 buckets are easily discoverable and often contain sensitive data like customer records or internal documents. Misconfigurations and lax access controls make these buckets prime targets, as organizations often default to permissive settings that favor usability over security.
3. Privilege escalation through IAM permissions: Since we know 90% of cloud permissions are unused, attackers exploit overly broad IAM roles and permissions to escalate their access within cloud environments. This risk is prevalent because organizations often assign more permissions than necessary, violating the principle of least privilege and leaving unused permissions vulnerable.
4. Stealing EC2 metadata via SSRF (Server-Side Request Forgery): SSRF vulnerabilities allow attackers to access EC2 metadata services, extracting sensitive information like credentials. This threat is common due to the widespread presence of SSRF vulnerabilities in poorly secured web applications, coupled with unprotected EC2 metadata services.
5. Hijacking public EBS snapshots: Public EBS snapshots can be hijacked by attackers who clone the data for unauthorized access. These snapshots often contain critical information, and exposure typically results from careless settings during data sharing or backup processes.
6. Compromising EC2 via instance user data: EC2 instances use user data scripts for initialization, and attackers can manipulate these scripts to execute malicious code. This occurs due to insufficient validation of user inputs or weak security controls during the setup process.
7. Privilege escalation via IAM ,misconfiguration: The IAM:PassRole permission, when misconfigured, allows attackers to assume roles with elevated privileges. This risk is common as organizations frequently misconfigure role-passing policies, granting excessive access that attackers can exploit.
8. Discovering and stealing data from public SNS and SQS queues: Misconfigured SNS and SQS queues can expose sensitive message data, allowing attackers to intercept communications. This issue arises from inadequate access controls and poor visibility into the configuration of these services.
9. Exploiting Lambda execution roles: Lambda functions often run with overly permissive execution roles, which attackers can leverage to access unauthorized AWS resources. This is a frequent issue because developers commonly grant broad permissions to avoid operational errors, inadvertently creating security vulnerabilities.
10.  Subdomain takeover in S3: Subdomain takeover occurs when attackers claim unclaimed or expired DNS records pointing to S3 buckets, allowing them to host malicious content. This risk often results from poor DNS record management and insufficient oversight of S3 bucket permissions, making it a recurring problem in larger cloud deployments.

Growing cloud container risks

Cloud containers are one specific area of cloud risk worth diving into further. Containers are appealing because of their inherent efficiency and scalability benefits, but those same strengths can also be exploited as weaknesses.

Here are what I see as the biggest container risks in cloud environments like Amazon EKS (Elastic Kubernetes Service) and the like:

• Container escape: Attackers exploit vulnerabilities within the container to break out and gain access to the host system. Once they escape, they can interact with the broader infrastructure, potentially compromising the entire environment. This risk is amplified by insecure or outdated container images and poorly managed security policies.
• Container misconfiguration: Poorly configured containers can lead to unauthorized access, resource hijacking, or exposure of sensitive data. For example, containers that run with excessive privileges or open ports can become entry points for attackers. Misconfigurations often allow resource hijacking, such as cryptomining, where attackers use computing power for their gain.
• Resource hijacking (cryptomining): Attackers exploit container environments, particularly those with poor resource controls, to perform cryptomining operations. This unauthorized use of resources can degrade performance, increase costs, and expose other security vulnerabilities in the environment.
• EKS-specific risks: Kubernetes-based environments like Amazon EKS are prone to several specific risks, including internal API server misconfiguration, improper IAM role configurations, unsecured load balancers, poor secrets management (i.e., API keys, passwords and certificates), and lack of network segregation.
• Default settings and privilege misuse: Many containers are deployed with default settings that include running as root or with high privileges, which significantly increases the risk of unauthorized access or exploitation. These default privileges can lead to severe security incidents if not properly managed.

So, what now? Focus on the fundamentals

The irony of the rapidly evolving threat landscape is that while the risks and TTPs change constantly, the answer to, “So, what now?” largely remains the same: Focus on the fundamentals.

• Zero Trust architecture: Zero Trust is a decades-old concept at this point, yet many organizations still struggle to fully implement it. Zero Trust is only becoming more essential as traditional network perimeters dissolve. Continuous validation of users, devices, and traffic is a fundamental security measure that helps prevent unauthorized access and reduces the attack surface.
• Least privilege access: Another of the most fundamental security controls — “Don’t hand out keys to people that don’t need them.” — least privilege access is commonly overshadowed by the push to onboard new users and deploy new tools as quickly as possible. Granting only the necessary permissions to each role or service dramatically reduces the risk of misuse and exploitation. Organizations need to refocus on tightening permissions, as overly broad access is a frequent point of failure that attackers readily exploit.
• Microsegmentation: A similarly classic concept — organizations need to microsegment or isolate assets and workloads to limit lateral movement. Attackers continue to exploit unsegmented networks to escalate their access. Recommitting to microsegmentation ensures that even if an attacker gains a foothold, their ability to move within the environment is severely restricted, protecting critical assets.
• Enforce mTLS (Mutual TLS): Mutual TLS is a proven defense mechanism — particularly against man-in-the-middle attacks — that requires both parties to authenticate each other. But, in my experience, it’s widely underutilized. Organizations must prioritize mTLS to secure communication within their cloud environments, ensuring that services are protected against unauthorized access.
• Advanced threat detection and continuous scanning: Regular scanning and advanced threat detection are critical in keeping up with the rapid pace of change in cloud environments. Organizations often deprioritize continuous monitoring due to resource constraints, but recommitting to proactive identification of vulnerabilities and suspicious activities is essential to staying ahead of threats.
• Container signing and runtime security: Ensuring the integrity of container images through signing and implementing runtime security to monitor operations are basic yet crucial practices. These steps prevent unauthorized software from running and help detect abnormal behavior. Organizations must revisit and strengthen these measures to maintain control over their containerized environments.
• Avoiding root access: Running containers with root or high privileges continues to be a widespread issue, despite its well-known risks. Avoiding root-level access is a simple yet powerful way to minimize the impact of a breach. Organizations need to enforce policies that prevent high-privilege operations within containers, reducing the potential damage from compromised components.

Identity visibility must be at the core

To restate the obvious, none of these defense strategies are groundbreaking. Most have been around for a decade or two (or three). It’s applying them to the unique risks, vulnerabilities and TTPs of the expanding enterprise cloud environment that presents the new and nuanced challenge.

Moreover, one of the key missing links in many of these foundational strategies is just having the simple visibility to see and understand what’s happening in your cloud environment (and across your entire IT estate).

Whether it’s Zero Trust, least privilege, or threat detection, security teams need to have a clear view of users — their digital identities, the access those identities have across your expanding number of systems and tools, and what those identities are doing with that access.

This identity visibility is instrumental in closing risky open doors, enforcing least privilege principles, and implementing Zero Trust. It’s also essential in identifying anomalous actions, investigating incidents, and remediating effectively.

That’s exactly what Oleria is delivering to CISOs and their teams today. It’s why Oleria is such a uniquely powerful tool to someone like me, who has spent his entire career tracking where the next threats will pop out — and how to stop them.