Yesterday, Imperva, Inc. (NYSE:IMPV) released its August Hacker Intelligence Initiative Report (HII Report) at Black Hat USA 2015: “Man in the Cloud Attacks.”
The report describes a new class of attack, “Man in the Cloud” (MITC), that quietly co-opts common file synchronisation services such as Google Drive and Dropbox and turns them into attack tools that common security measures do not readily detect. The attack does not require compromising the user’s cloud account username or password: the attacker instead steals the synchronisation token that the desktop sync client uses to authenticate to the service and installs it on a machine under the attacker’s control, so that the attacker’s own client synchronises with the victim’s account from then on.
“Our research has revealed just how easy it is for cyber criminals to co-opt cloud synchronisation accounts, and how difficult it is to detect and recover from this new kind of attack,” said Amichai Shulman, CTO of Imperva. “Since we have found evidence of MITC in the wild, organisations that rely on protecting against infection through malicious code detection or command and control (C&C) communication detection are at serious risk, as man in the cloud attacks use the in-place Enterprise File Sync and Share (EFSS) infrastructure for C&C and exfiltration.”
With the increased use of mobile devices, tablets, VPNs, remote desktop access and SaaS applications, data is moving to the cloud and beyond traditionally defined corporate boundaries. File synchronisation services are a good example of this move, for individuals and businesses alike, and the use of Box, Dropbox, Google Drive and Microsoft OneDrive in the workplace is what makes the results of this study significant.
Organisations should consider protecting themselves from MITC attacks with a two-phased approach. First, they should use a cloud access security broker (CASB) solution that monitors access to and usage of their enterprise cloud services. Second, they should deploy controls such as data activity monitoring (DAM) and file activity monitoring (FAM) solutions around business data resources to identify abnormal and abusive access to business-critical data.
Key findings from the report include:
- Cloud synchronisation services, such as Box, Dropbox, Google Drive and Microsoft OneDrive, can easily be co-opted and turned into an infrastructure for endpoint compromise, providing a channel for C&C, data exfiltration and remote access.
- Attacks based on the above architecture have been witnessed in the wild.
- Endpoint and perimeter security measures are insufficient at detecting and mitigating this threat: no malicious code persists on the endpoint, and the only traffic on the wire is the legitimate sync client’s normal connection to the service, so no abnormal outbound channel is observed.
- Organisations must invest more effort in monitoring and protecting their business-critical enterprise data resources, both in the cloud and on-premises.
- By detecting abusive access patterns to such resources, enterprises can protect against this next generation of breaches.
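The last two findings say that detection has to move from the wire to the data: the sync traffic itself looks normal, so what is left to watch is who accesses which files, from where, and how fast. The script below is an added example (not code from the report or from Imperva) of two such access-pattern checks run over a constructed file-sync activity log. The log format, the field names, the device identifiers and the baseline of known devices are all assumptions made for the example; real EFSS audit exports look different. The first check flags an account syncing from a device outside its baseline, which is the natural consequence of a stolen sync token being used from the attacker’s machine; the second flags a burst of downloads by one account and device, the bulk pull that a freshly connected client performs.

```python
"""Flag MITC-style abusive access patterns in file-sync activity logs (added example)."""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log, not real data. The line format (timestamp followed by
# key=value fields, with the sync client's device id in `device`) is an
# assumption; real EFSS audit exports differ. The account `alice` syncs from her
# usual laptop, then the same account appears on an unknown host `wks-7f3a`
# and pulls down a whole folder within seconds.
SAMPLE_LOG = """\
2015-08-05T09:00:01Z user=alice device=alice-laptop action=upload path=/Finance/q2-forecast.xlsx
2015-08-05T09:05:12Z user=alice device=alice-laptop action=download path=/Finance/board-deck.pptx
2015-08-05T09:20:30Z user=bob device=bob-desktop action=download path=/Eng/roadmap.docx
2015-08-05T11:30:44Z user=alice device=wks-7f3a action=auth path=-
2015-08-05T11:30:45Z user=alice device=wks-7f3a action=download path=/Finance/q2-forecast.xlsx
2015-08-05T11:30:46Z user=alice device=wks-7f3a action=download path=/Finance/board-deck.pptx
2015-08-05T11:30:47Z user=alice device=wks-7f3a action=download path=/Finance/payroll-2015.xlsx
2015-08-05T11:30:48Z user=alice device=wks-7f3a action=download path=/Finance/vendor-contracts.pdf
2015-08-05T11:30:49Z user=alice device=wks-7f3a action=download path=/Finance/bank-details.txt
2015-08-05T11:32:00Z user=bob device=bob-desktop action=upload path=/Eng/roadmap.docx
"""

# Devices each account is known to sync from. Assumed for the example; in
# practice it would be built from historical audit data.
KNOWN_DEVICES = {"alice": {"alice-laptop"}, "bob": {"bob-desktop"}}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    device: str
    action: str  # auth / upload / download
    path: str


@dataclass(frozen=True)
class Alert:
    kind: str  # "new-device" or "download-burst"
    user: str
    device: str
    ts: datetime


def parse_log(text: str) -> list[Event]:
    """Parse the assumed line format into Events, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, kv["user"], kv["device"], kv["action"], kv["path"]))
    return sorted(events, key=lambda e: e.ts)


def detect_new_devices(events: list[Event], known_devices: dict[str, set[str]]) -> list[Alert]:
    """Alert once per account/device pair that is outside the account's baseline."""
    seen = {user: set(devs) for user, devs in known_devices.items()}
    alerts = []
    for e in events:
        devs = seen.setdefault(e.user, set())
        if e.device not in devs:
            devs.add(e.device)  # alert once, on first sight of the device
            alerts.append(Alert("new-device", e.user, e.device, e.ts))
    return alerts


def detect_download_bursts(events: list[Event], threshold: int = 5,
                           window: timedelta = timedelta(seconds=60)) -> list[Alert]:
    """Alert once per (user, device) that performs `threshold` or more downloads within `window`."""
    recent: dict[tuple[str, str], deque] = defaultdict(deque)
    flagged = set()
    alerts = []
    for e in events:
        if e.action != "download":
            continue
        key = (e.user, e.device)
        q = recent[key]
        q.append(e.ts)
        while e.ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append(Alert("download-burst", e.user, e.device, e.ts))
    return alerts


def analyse(text: str, known_devices: dict[str, set[str]]) -> list[Alert]:
    """Run both checks over a log and return the combined alert list."""
    events = parse_log(text)
    return detect_new_devices(events, known_devices) + detect_download_bursts(events)


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG, KNOWN_DEVICES):
        print(f"{a.ts.isoformat()} {a.kind:15} user={a.user} device={a.device}")
```

On the sample log, `bob` produces nothing and `alice` produces two alerts, both for `wks-7f3a`: the new-device alert at the first `auth` event and the download-burst alert on the fifth download. Both signals come from the service’s own audit record of which device acted, not from network traffic, which is the point of the finding above: a network sensor sees only the usual sync client talking to the usual service. The threshold and window are deliberately crude; a real FAM deployment would baseline per user and per folder rather than use one global number.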
A full version of the August HII report is available here