### Cloud Threat Report Volume 6

IDENTITY AND ACCESS MANAGEMENT (IAM) The First Line of Defense
===

Identity and Access Management (IAM) has become increasingly critical and complex due to the pandemic-induced transition to cloud platforms. To understand how IAM policies affect cloud security posture, Unit 42 researchers analyzed 680,000 identities in 18,000 cloud accounts over 200 organizations.

## CAN YOU GUESS WHAT WAS DISCOVERED?

* Percentage of cloud users, roles, services, and resources granted permissions not being used
* Percentage of organizations that have publicly exposed resources
* Percentage of cloud accounts using weak IAM passwords

#### Uncover more staggering findings by downloading the report.

## WEAK IAM CAN BE A REAL BREACH

Our findings show that most organizations have misconfigured or overly permissive identity access controls. Adversaries know this and are leveraging new tactics, techniques, and procedures (TTPs) to take advantage of the situation.

Unit 42 researchers have defined a malicious attacker employing these new TTPs as a Cloud Threat Actor (CTA): an individual or group posing a threat to organizations through directed and sustained access to cloud platform resources, services, or embedded metadata.

### Scroll through to meet the top five CTAs:

![cta image](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/prisma/threat_report/cta-adept.gif)

## The Adept

**Team TNT** is the most well-known and sophisticated credential targeting group.
![cta image](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/prisma/threat_report/cta-thief.gif)

## The Thief

**WatchDog** is considered to be an opportunistic threat group that targets exposed cloud instances and applications.

![cta image](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/prisma/threat_report/cta-money-kinsing.gif)

## The Money

**Kinsing** is a financially motivated and opportunistic cloud threat actor with heavy potential for cloud credential collection.

![cta image](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/prisma/threat_report/cta-oldtimer-rocke.gif)

## The Old Timer

**Rocke** specializes in ransomware and cryptojacking operations within cloud environments.

![cta image](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/prisma/threat_report/cta-returned.gif)

## The Returned

**8220**, a Monero mining group, purportedly elevated their mining operations by exploiting Log4j in December 2021.

## LOWER RISKS WITH MORE INSIGHTS

Our team has created an industry-first Cloud Threat Actor Index, charting the operations performed by actor groups that target cloud infrastructure.

TTP categories charted: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement.

These charts (included in the report) detail the TTPs of each cloud threat actor, allowing your security team and wider organization to evaluate your strategic defenses and build the proper monitoring, detection, alerting, and prevention mechanisms.

## Want to win the battle against Cloud Threat Actors?
We recommend the following ways to defend your organization against threats that target the cloud:

* Cloud Native Application Protection Platform (CNAPP) suite integration
* Harden IAM permissions
* Increase security automation

For more details on our recommendations, as well as an eight-step best practices guide to hardening IAM permissions, download your copy of the Cloud Threat Report today.

## The Unit 42 Researchers

Palo Alto Networks Unit 42 brings together world-renowned threat researchers with an elite team of security consultants to create an intelligence-driven, response-ready organization. As threats escalate, Unit 42 is available to advise organizations on the latest risks, assess their readiness and help them recover when the worst occurs. The Unit 42 Cloud Threat Report, published annually, is one of the industry's most anticipated and trusted examinations of the modern threat landscape.

## Keep Reading

Threats don't go away - they evolve. Explore our Unit 42 Cloud Threat Report archive to see what was on our radar - and what remains in our sights.

### Unit 42 Cloud Threat Report, Vol. 1: Shared Responsibility Model: Cloudy with a Chance of Entropy

[Read the full report](https://www.paloaltonetworks.com/resources/research/unit42-cloud-with-a-chance-of-entropy?ts=markdown)

### Unit 42 Cloud Threat Report, Vol. 2: Infrastructure as Code: Putting the Sec in DevOps

[Read the full report](https://www.paloaltonetworks.com/resources/research/cloud-threat-report-spring-2020?ts=markdown)

### Unit 42 Cloud Threat Report, Vol. 3: Identity and Access Management: Never Trust, Always Verify

[Read the full report](https://www.paloaltonetworks.com/resources/research/unit-42-cloud-threat-report-2h-2020?ts=markdown)

### Unit 42 Cloud Threat Report, Vol. 4: The COVID-19 Conundrum: Cloud Security Impact and Opportunity

[Read the full report](https://www.paloaltonetworks.com/resources/research/unit42-cloud-threat-report-2021?ts=markdown)

### Unit 42 Cloud Threat Report, Vol. 5: Secure the Software Supply Chain to Secure the Cloud

[Read the full report](https://www.paloaltonetworks.com/resources/research/unit-42-cloud-threat-report-2h-2021?ts=markdown)

## Your guide is ready for download!

We hope you find the report insightful as you implement cloud identity security controls.

[Download the report](https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/unit42_cloud-threat-report-vol6.pdf?ts=markdown)