A man-in-the-cloud (MITC) attack can quietly co-opt common file synchronisation services such as Google Drive and Dropbox, to turn them into devastating attack tools not easily detected by common security measures, according to the Imperva Application Defense Center.
“Our research has revealed just how easy it is for cyber criminals to coopt cloud synchronisation accounts, and how difficult it is to detect and recover from this new kind of attack,” said Amichai Shulman, CTO of Imperva. “Since we have found evidence of MITC in the wild, organisations who rely on protecting against infection through malicious code detection or command and control (C&C) communication detection are at a serious risk, as man in the cloud attacks use the in-place Enterprise File Synch and Share (EFSS) infrastructure for C&C and exfiltration.”
Imperva recommends two methods of protecting against MITC attacks.
Organisations should use a cloud access security broker (CASB) solution that monitors access and usages of enterprise cloud services.
They should also deploy controls such as data activity monitoring (DAM) and file activity monitoring (FAM) solutions to identify abnormal and abusive access to business critical data.
Key findings from the report include:
- Cloud synchronisation services, such as Box, Dropbox, Google Drive and Microsoft OneDrive, can be easily coopted and turned into an infrastructure for end point compromise, providing a channel for C&C, data exfiltration and remote access.
- Attacks based on the above architecture have been witnessed in the wild.
- End point and perimeter security measures are insufficient at detecting and mitigating this threat as no malicious code persists on the end point and no abnormal outbound traffic channels are observed on the wire.
- Organisations must invest more effort in monitoring and protecting their business critical enterprise data resources both in the cloud and on-premises.
- By detecting abusive access patterns to such resources, enterprises can protect against this next generation of breaches.
“The Imperva research is new to me, and I'm surprised by these findings,” said Mark Edge, UK country manager at Brainloop in an email to SCMagazineUK.com. “From a security standpoint I don't understand why these authentication tokens are not better secured. They should be bound to the device via a hash, for example, or at least the user should receive a message about new devices. To have just one token covering all devices is highly insecure.”
He agreed that it is almost impossible to detect this attack as it is not visible to the user. “Automatic tools like firewalls or even highly sophisticated systems like Zscaler will not be able to detect this attack, because the file sync is normally an ‘allowed' operation and the attacker does not change this. No security system is able to distinguish bad traffic from good,” Edge said.
“It's innovative thinking by the team and does pose a risk to those companies using these services for commercially sensitive data,” said Brian Chappell, director of technical services EMEAI, BeyondTrust in an email to SC. However, he added: “We need to remember that the hacker still needs to have code executed on the target machine to start the whole process.”
Norman Shaw, founder and CEO of ExactTrak, told SC: “The only way to protect data and applications at source is to disconnect from the cloud but that has huge implications, bad ones, for the mobile environment which is crucial to businesses today. Instead of an either/or approach, looking at source or endpoint protection, businesses need to think in joined up terms and recognise the importance of protecting data at both ends and in transmission – that's what's needed to secure enterprise data.”
Paul Donovan, EMEA sales director for Pulse Secure, said: “In our view it always make good sense to always use a VPN or Per-App VPN connection from client devices when accessing corporate data. This is true even when this corporate data is on a cloud application. This particular exploit appears to rely on compromising a client device so that it runs ‘switcher' code. While running a VPN the client is better protected from ‘open' networks where the ‘switcher' could be deployed. The VPN solution should be configured to require endpoint state monitoring for vital security functionality such as AV, Malware and IPS on the client. This means no connection would be allowed until the endpoint gets a clean bill of health.”
Eduard Meelhuysen, VP EMEA at Netskope, said its research found that there are 483 cloud apps in the average enterprise of which 28 are cloud storage. Some 89 percent of apps are not enterprise-ready when judged against industry-standard security criteria.
Meelhuysen said: “Whilst it's technically possible to block access to cloud apps, such an approach would be draconian and, ultimately, ineffective. It would kill productivity in a big way and would cause no end of problems for employees who are just trying to do their jobs in the most efficient way. That said, it's clear that firms will need to take some additional security measures if they want to continue using cloud apps.”