As we think about what cloud native security will look like in 2023, we can’t avoid the old cat-and-mouse cliché of cybersecurity. Every year new attacks emerge while new security solutions are created and old security fixes are upgraded. Threat actors constantly append new methods to the old ones, using them as part of their ever-growing toolbox. With this in mind, we asked Aqua Nautilus – our security research team – to share their thoughts on what to expect in the coming year in terms of new attack vectors in cloud native environments.
Increase in Bypassing Volume Scanning Solutions
Many organizations have been moving towards agentless security models that rely on volume scanning to identify threats. Some have been using these solutions to detect threats at runtime as well. But agentless solutions don’t detect certain attacks, such as memory-resident malware that never touches the scanned disk volume. We strongly believe that in 2023 threat actors will continue this trend and add new techniques that bypass agentless solutions to their arsenal. Vendors will need to adopt complementary agent-based solutions to detect and block these runtime attacks.
Attempts to Bypass eBPF-Based Solutions
Over the past couple of years, we have seen many publications about the advantages of eBPF-based technology for runtime protection, leading to greater interest in and wider adoption of eBPF-based agents. We have seen multiple methods that seek to bypass eBPF technology and believe that in 2023 threat actors will be looking for more creative ways to circumvent these solutions and avoid detection. Strong, up-to-date security research that analyzes campaigns in the wild will be able to detect these threats, update the agents, and block such bypass attempts.
A Darker Side of BPF
With the expanding adoption of eBPF technology, we have seen an exponential growth in the use of BPF and eBPF malware in the wild. In particular, we’ve observed how state-sponsored threat actors have been using this technology to bypass security solutions and avoid detection. In fact, we’ve seen several new eBPF-based rootkits emerge on GitHub as proofs of concept. In 2023, we expect to see an increase in such publications. As eBPF-based technology is further adopted, it can also help to detect these elusive threats. Additionally, threat actors will likely use these open-source proof-of-concept tools to launch attacks in the wild, requiring advanced security solutions that have the capability to detect them. You can learn more about eBPF malware and how we detect it from our presentation, Hunting Kernel Rootkits with eBPF, at BSidesTLV.
Emerging Severe Vulnerabilities Will Be Weaponized Even Faster
Recently, we have seen an increase in the number of severe zero-day vulnerabilities. Some allow Remote Code Execution (RCE), including Log4Shell and flaws in Confluence, Zimbra, and Zabbix, among others. Over the past year, we’ve seen that large botnets (such as Kinsing, Mirai, DreamBus, etc.) were able to quickly add exploits for these new vulnerabilities on top of their existing infrastructure, both decreasing the time it takes to weaponize new zero-days and increasing the reach of these new attacks. We believe that this trend will not only continue but even accelerate in 2023. Vendors will face the challenge of rapidly updating threat intelligence feeds and solutions accordingly.
Attackers Shift Left – A New Generation of Attackers
Attackers often invest significant time and resources to find new vulnerabilities in applications and the infrastructure on which they run. Meanwhile, security practitioners use a range of solutions at various points throughout their development lifecycle to detect and mitigate vulnerabilities, including source code management security solutions, container image scanning, CI/CD security tools, and runtime controls. At the same time, threat actors are aggressively innovating, adopting new or emerging technologies of their own. In 2023, we believe that these threat actors will adopt similar approaches to improve and even optimize their campaigns. Attackers will begin to turn defensive tools such as code scanning to offensive use, finding security issues in your code and infrastructure, especially if you’re developing open-source software.
More of the Same – Staying Ahead of the Bad Guys
Though some of the key predictions we expect to see play out in the coming year are troubling, the good news is that while we are constantly monitoring growing trends, we are likewise developing sophisticated tactics to maintain our edge in this cat-and-mouse game. Whether you are a security researcher or practitioner, we believe that taking these forecasts into account can help you stay one step ahead of bad actors for a brighter 2023.
In Part Two, please join us again as we share some security market and business predictions from our management team.