Malware in the Cloud 101
By Todd Clarke
Companies have underestimated the scope of cloud adoption by nearly 10x. Its rapid rise has created a new effect: a “cloud attack fan-out.” With so many devices now connected to the cloud, this has increased the attack surface. Sync and share activities have increased data velocity in the cloud, so now the propensity for and the severity of malware attacks have intensified.
If you work in cybersecurity, this likely is not news. But with all the hype surrounding cloud security, how concerned should we be about malware aimed at public, private and hybrid clouds?
And, of course, there’s ransomware, droppers and plenty of others.
Netskope reported nearly 44 percent of malware in enterprise cloud apps delivered ransomware. And, 56 percent of malware-infected files in cloud apps are shared with internal or external users, or shared publicly.
Enterprise users allow access to files each day while doing their work, not thinking about the security implications downstream. This is how we work in this day and age of the cloud. And attackers exploit this.
As much as 77 percent of the cloud storage apps we use every day are not yet “enterprise ready.” It’s even worse for other types of cloud services. Cloud providers are often pressured to meet the minimum requirements to “get in the door” and start collecting revenue. Then, they add security as they further develop the product.
Easy to see how security holes develop, right?
We’ve created an ecosystem users love. Attackers, too.
Sure, most cloud providers are quick to respond to incidents and emerging threats by removing malicious files and closing down accounts. But, this becomes a scalability issue. There’s only so much a limited amount of support people and resources can do. More automation needed?. Absolutely. But it’s still about more to do than we can currently handle.
The role of Shadow IT
While many security professionals have been anti-shadow IT, most now see this as an opportunity to leverage employees to improve enterprise security.
- Shadow IT is at least 10 times the size of known cloud usage
- 72 percent of companies don’t know how prevalent shadow IT is in their company
- The average organization uses 1427 different cloud services
- 57 different file sharing services
- The average employee uses 30 cloud services
- Only 8.1 percent of more than 17,500 cloud services used in enterprises meet strict data security and privacy requirements
- 80 percent of workers admit to using SaaS applications at work, approved or not
With cloud usage growing four times faster that IT staffing (at an annual growth rate of 27 percent, compared to 6.7 percent for IT), IT is not equipped to handle the shadow IT spike in use.
IT is no longer able to best manage the physical infrastructure of apps either. Yet, IT is still responsible for ensuring security and compliance for the corporate data employees upload to the cloud.
Many IT shops block cloud apps, at least the ones they know about, The big hurt here: people will find, and use, other lesser-known, potential riskier apps in its place. Ouch.
Consider these questions to help you plan for a more secure cloud services solution:
- Which services are your people using?
- What are the categories for those services (e.g. file sharing, social media, collaboration)?
- Which services are becoming popular and, thus, should be considered for enterprise-wide adoption?
- How effective are your firewalls and proxies at identifying cloud services and enforcing acceptable policies?
- Which redundant services should be eliminated?
- How can you quantify risks and compare to industry peers?
- What are the security capabilities for services storing sensitive data?
The usual suspects
Ransomware: Ransomware is certainly the news darling these days. It seems primed to continue to be the biggest malware player for a while. It took in a billion dollars in 2016. With that kind of payoff, you can bet they’ll be more of these cyber criminals getting into the game.
Ransomware is a sophisticated piece of malware that blocks the victim’s access to their files. The only way to regain access to the files is to pay a ransom. Encryptors block system files. Lockers lock the victim out of the operating system, making it impossible to access their own desktop, apps and files.
This malware is most intrusive when it lives on servers and cloud-based file-sharing systems, going deep into a business’s core. Businesses, financial institutions, government agencies, academic institutions, healthcare organizations and other organizations can and have been infected with ransomware. This destroys sensitive or proprietary information, disrupts daily operations and, of course, inflicts financial losses. They can also harm an organization’s reputation or, in the case of healthcare, harm lives. Attackers aim at targeted files, databases, CAD files and financial data.
Easy to understand why this is such a lucrative business model.
Droppers: Droppers are a Trojan type of malware. Droppers gain a foothold on a computer, to exploit known vulnerabilities, then delivers a second-stage payload to inflict damage. Learn and adapt. You can think of a dropper as a malware package.
Email: Email is still a major attack target for businesses. Cybercriminals use spam email to infect end users with information-stealing malware, file-encrypting ransomware, and credential-stealing phishing attacks. Email-borne attacks are still highly profitable. The attacks require little effort and criminals are able to bypass security controls by targeting end users.
How do ransomware hackers collect?
They use Bitcoin or another type of cryptocurrency.
Bitcoin is a secured, distributed payment system. Most ransomware attackers display the amount of the fee in Bitcoins. Victims transfer the money from account A into account B, which anyone can see. But no one knows who belongs to those accounts or to the traffic between those accounts. Bitcoin breaks the original payment into several parts, then sends them on to different accounts, using multiple transfers. This makes catching any attackers nearly impossible.
A decade ago, malicious hackers may have enjoyed creating corporate havoc, just for the fun of it. Today, it’s big business.
Andrew Hay, CTO at LEO Cyber Security, suggests information security professionals step back to look at your security program as a whole:
- Do you have coverage for the prominent data theft occurring these days?
- Do you have backups for critical systems?
- Can you restore those backups?
- Have you tested those backups?
In other words: Can you maintain business continuity in the face of an attack?
Often, only the most mature organizations have robust plans in place. Even then, many of those companies have allowed their plans to become stale. Now’s the time to go through your policies, plans, procedures and guidelines to determine if you are measuring the right things for the success of your security programs.
Perhaps it’s time to analyze and rewrite your cloud security plans?
Ben Eu, a partner within the infrastructure and endpoint security practice at IBM, places an emphasis on endpoints and a zero-trust architecture. More than ever, workers use laptops and other portable devices outside of the corporate network. Therefore, we could better understand and optimize the data flow between these endpoints. Cyber threat modeling can help develop a list of the different types of attacks, learn how attackers gained access, then determine how to remove this threat type.
Heat maps also help. Use these to show areas having coverage (including multiple coverage) and areas with no coverage. Consider appropriate software apps to help cover any holes or perhaps a new security stack altogether.
- Identify your sensitive data before investing in security controls. Once done, make the data classification useful … and simple.
- Map how you’re sensitive data flows across the network and between users.
- Architect your network to see how transactions flow and how users and applications access toxic data. Identify areas to optimize, such as physical vs virtual gateways, for example.
- Automate rules to enforce access control and limit access on a need-to-know basis.
- Continuously monitor to log and inspect all traffic for malicious activity and areas of improvement. Internal traffic to be help to the same standard as external traffic.
Todd Clarke is a freelance writer based in Seattle, Wash. This is his first article for Cloud Security Insights.