My first report for this week’s ‘Too Long; Did Read’ is titled “Identity Access Management: The First Line of Defense” by Unit 42 and Prisma Cloud. The report is moderate in length at 19 pages, with significant intelligence scattered throughout. Technical readers who want more information about how cloud identities are being exploited will gain a lot from reading it, though it requires significant concentration to find the gems.
RegWall: Yes, https://www.paloaltonetworks.com/prisma/unit42-cloud-threat-research-volume-six
Length/Read time: 19 pages in length; I suggest setting aside 60-90+ minutes to read it in its entirety. I spent 2.5 hours reading the report and taking several pages of notes.
Overall Impression: Palo Alto Networks’ report is a solid contribution to the security knowledge base, but requires a significant effort to read and understand. The technical details don’t surface until the sixth page of the report, but come on strong until the conclusion. I enjoyed seeing links to external resources scattered throughout, allowing the reader to follow up on topics of interest. The target reader is a technical audience looking to learn more about Identity and Access Management (IAM), with language accessible to a much larger audience.
Like almost every report, there are things I’d change about the execution of this report. My primary criticisms are twofold. First, the report has too much text. I don’t think most readers have the time to sift through thousands of words to find the gems in the report. Second, the report lacks focus, a common criticism of mine. Reading the Foreword, Executive Summary, and Who’s Attacking the Cloud? sections doesn’t tell me what I, the reader, will gain by spending time deep in the report.
Once through the background and introduction of this report, it has a lot to offer. Start on page 6, read through page 16, skip the intro and conclusion. I give this volume of the Cloud Threat Report a grade of B+ overall.
The Good: I love the fact that this report links to external resources for the reader. There are multiple links to other research by the same team, a plus in my view, but it’s the link to MITRE, NIST, etc. that add weight to the already good analysis.
There are a pair of diagrams that show the methodology used in attacks, well supported by the text. The remaining visualizations are simple, but useful. I’ll take a simple plot I can read at a glance over a complex plot I have to examine at length to understand. I also like the ‘Key Takeaway’ listed for each of the threat actors later in the report. The tables of TTPs associated with each of the threat actors are a mixed bag, mostly because the tables span more than one page.
This report also contains two things I always look for: a methodology section and credits listing the contributors and researchers by name. The methodology section isn’t expansive, but it shouldn’t have to be. Explaining the details of where the data comes from tells a reader a lot about how the conclusions were reached. I see too many reports that draw conclusions from very small data sets. Crediting the authors helps them build their own reputation, which is valuable for their careers. It shows support for the individual and gives a reader a name to reach out to if they disagree with the analysis. Or am I the only one who does that?
The Bad: The report is too text heavy and lacks a clear understanding of what it’s trying to communicate to the reader. As an example, the Foreword is the first thing a reader sees, and it spends nearly half its text talking about a former report. The Executive Summary is not a summary and doesn’t accurately portray the contents. In the first of the four ‘summations’, I would have written “Cloud identities are too permissive – 99% of the cloud users, roles, services, and resources were granted excessive permissions.” Leave that big, bold, and simple, and leave the exposition to the relevant section of the report.
On a related note, I think the report misses an opportunity by burying an important statistic deep in the report. “62% of organizations have cloud resources publicly exposed.” Coupled with the previous point about excessive permissions, this would help create a story a reporter could run with. Maybe getting press coverage isn’t one of the priorities for the report, but telling a reader a compelling story always should be.
The Conclusion and Recommendations section is weak. Pulling most of a segment from an external resource detracts from the research. In this case, why lean on Gartner language and suggestions when there is more strength in showing your own analysis? I would have dropped the first and last conclusions, keeping ‘Focus on Hardening IAM Permissions’, which is more in line with the majority of the contents.
My criticisms are meant to point to how future reports could be made more impactful and more readable. The burden on the reader to wade through the report means a significant portion of readers may never read past the first few pages, which means they’ll never get to the juicy stuff in the middle and end of the research. It’s a good report overall, but it lacks focus and clarity on what’s being communicated to a reader, hence a B+ rating.