The Cloud Threat Landscape from Wiz

At Wiz Research, a core part of our job is studying threat activity targeting public cloud environments, to understand how adversaries do what they do. We use this knowledge to shape our product roadmap and build stronger defenses for our customers through preventive and detective security controls. To this end, for a while now we’ve been maintaining an internal threat intelligence database covering security incidents and campaigns where cloud environments were compromised or put at risk. Our database has reached a point where we think it might be useful to make it publicly available, so that’s what we’re doing today. 

The Wiz Cloud Threat Landscape (available at threats.wiz.io) is a curated public instance of our internal cloud threat intelligence database, summarizing information about publicly disclosed security incidents and campaigns, offering insights into targeting patterns, initial access methods, and effective impact. Our database also lists threat actors known to have targeted cloud environments in particular, as well as those we estimate to target the cloud opportunistically. For actors of special interest, we’ve included concise profiles of their activity — to shed light on their potential motivations and victimology and to aid cloud customers in risk assessment and threat modeling. 

Beyond threat actors and the incidents attributed to them, we regularly document the various tools in their arsenal (ranging from penetration testing utilities to bespoke malware), and techniques they’ve been observed using (mapped to MITRE ATT&CK and ATLAS tactics wherever possible). Additionally, we keep a record of the technologies that threat actors prefer to target for initial access or data exfiltration, often achieved by exploiting vulnerabilities or misconfigurations that affect them. We rank these technologies by how commonly they appear to be involved in cyber activity against the cloud, and measure how prevalent they are among cloud environments, while considering other factors such as whether they are affected by vulnerabilities included in CISA Known Exploited Vulnerabilities Catalog (KEV). All this contributes to providing a good picture of the effective attack surface of the cloud. 

As mentioned above, the main focus of our research is on threat activity known to impact public cloud environments, but we also analyze threats against CI/CD systems and source code management systems, and any potential threat to servers in general, since our adversaries don’t discriminate between self-hosted and cloud-hosted machines (so neither should we). 

The Cloud Threat Landscape is a work in progress (and always will be), and currently covers threat activity ranging between 2019 and the current day. However, we believe that it can already serve as a useful public resource in its current state, and we intend to continuously fill in the gaps in our knowledge, expand our coverage of historical incidents, and add more details to existing records. Moreover, we will incorporate our analysis of newly discovered threats as they emerge. 

In our view, the added value of the Cloud Threat Landscape for infosec practitioners lies in its hyper-focus on cloud threats, whereas other public databases are more general and don't necessarily cover all cloud threats. Furthermore, the database provides a holistic and interconnected view of the relationships between the various elements of threat activity, whereas other public databases usually provide an in-depth view of only one of these aspects. Every entry in the Cloud Threat Landscape is backed by references to our own public reporting as well as high-quality external sources of information such as breaches.cloud, Malpedia, hackingthe.cloud, MITRE ATT&CK, and many others. 

We hope this platform proves useful for other threat researchers and for the cloud security community at large. If you’d like to contact Wiz Research about this project, please don’t hesitate to reach out at threat.hunters@wiz.io.