Lightning-fast cloud attacks: Attackers only need 10 minutes

According to the latest report from Sysdig, provider of runtime insights-based cloud security, the average time from detection to completion of an attack is just 10 minutes.

Using global honeynets for the 2023 Global Cloud Threat Report, the Sysdig Threat Research Team has made some startling discoveries: Attacks in the cloud are now happening so quickly that mere minutes dictate the line between detection and potentially serious damage. Cloud attackers are taking advantage of the very benefits that are driving organizations to the cloud in the first place. While defenders need to protect their entire software lifecycle, attackers only need to get it right once. Unfortunately, automation makes it even easier for them.

The main results

Cloud automation as a weapon.  Cloud attacks happen quickly. Reconnaissance and discovery are even faster. Automating these techniques allows attackers to act immediately when they discover a vulnerability in the target system. A recon alert is the first indication that something is wrong; a detection alert means the IT team is late.

10 minutes to damage.  Cloud attackers are fast and opportunistic, taking as little as 10 minutes to initiate an attack. According to Mandiant, the average dwell time in companies is 16 days, which underscores the speed of the cloud. 

A 90 percent secure supply chain is not secure enough.  10 percent of all advanced supply chain threats are invisible to standard tools. Using evasion techniques, attackers can hide malicious code until the image is deployed. The identification of this type ofMalware requires runtime analysis.

65 percent of cloud attacks target telcos and financial services providers. Telecom and financial companies are rich in valuable information and an opportunity to make a quick buck. Both industries are attractive targets for fraud attempts.

Comments on the Global Cloud Threat Report 2023

“The reality is attackers are good at exploiting the cloud. Not only are they able to create scripts for the reconnaissance and automatic delivery of cryptocurrencies and other malware, but they harness tools that harness the power of the cloud for good causes and turn them into weapons. An example of this is the abuse of infrastructure-as-code to circumvent protection policies,” said Michael Clark, director of threat research at Sysdig.

“Cloud-native attackers are ‘everything-as-code’ experts and automation enthusiasts, which significantly reduces the time to arrive at target systems and increases the potential blast radius. With open-source detection-as-code approaches like Falco, blue teams can stay ahead of the game in the cloud,” said Alessandro Brucato, Threat Research Engineer at Sysdig.


The Global Cloud Threat Report 2023 is based on data found via open source intelligence (OSINT) and Sysdig’s global data collection – including honeypot networks – as well as other publicly available information from the Falco open source community . Sysdig conducted surveys in Asia, Australia, the European Union, Japan, North and South America and the United Kingdom from October 2022 to June 2023.


(c) it-daily