According to lore, when asked why he robbed banks, the famous bank robber Willie Sutton once replied, "Because...
that's where the money is." Should it be any surprise then that we're seeing more attackers such as advanced persistent threat groups targeting cloud environments? After all, for many organizations, the cloud is where critical data, applications and infrastructure are contained. Data from RightScale's State of the Cloud Report found 93% of organizations are running IaaS, with 88% of organizations using public cloud. Does increasing use correlate to an increase in attacks? The data suggests it might. The 2015 AlertLogic Cloud Security Report cited a 45% increase in cloud deployment attacks; the report then goes on to describe cloud environments as a "fruit-bearing jackpot" from an attacker's point of view.
When enterprises utilize cloud services, these actors, be they APT groups,lone wolf attackers, fraudsters and other opportunists, will adapt their methods to account for that change. But there's another dimension at work when it comes to attacker activity in the cloud. Specifically, attackers are also using cloud as part of attack scenarios. It's important for security professionals to know about this -- so they can be alert to cloud attacks of this stripe within their enterprises, but also so they can adapt the countermeasures they already have in place to respond accordingly.
Attackers in the cloud
We're seeing attackers utilize cloud services in a few different ways. First, in recent months, we've seen cloud attacks like the "Inception framework" described by Blue Coat Systems that leverages cloud as a key element of the command-and-control mechanism. Specifically, the Inception framework -- named after the 2010 Christopher Nolan movie -- utilizes "traditional" malware techniques and methods, such as delivery of embedded malware through RTF files to gain a foothold in a target environment. But then it leverages WebDAV, an HTTP extension for file management, to store files at Swedish service provider CloudMe.com. It uses this channel to exfiltrate data for command-and-control purposes and to update itself or its configuration, as well as other functions.
The implications of this are significant. First, it makes the nefarious activity potentially harder to spot --an encrypted connection to an overseas "blackholed" IP might trigger an alert, while an HTTP stream to a legitimate cloud provider might be less likely to do so. It also means the bad guys are leveraging cloud services to make their operations more efficient, scalable and accessible, just like enterprises.
The Inception framework isn't the only example of this concept being used in recent history. Specifically, the Minidionis malware -- referred to in some places as CloudLook -- also utilizes cloud storage as part of its operation. In this case, the Minidionis malware utilizes the cloud as a storage location for malicious software; it gains an initial foothold on the system and then downloads the real nastiness from the cloud. It's not just cloud storage either; the HAMMERTOSS malware leverages commonly seen cloud services like Twitter and GitHub to hide command-and-control traffic in plain sight.
What can be done about cloud attacks?
As interesting as these cloud attacks are, what's probably of more pressing concern to practitioners is the pragmatic side of the equation: What can we do about them? As we've seen, attackers' use of cloud as an enabler of their attack as well as a distribution mechanism for command-and-control traffic and/or exfiltrated data presents a unique set of challenges for organizations. As usual, there are no panaceas, but there are a few things security professionals can do to help.
First and foremost, keeping security tools up to date can provide some value. Specifically, there are researchers out there looking for this type of malware -- much of the research cited above linked to security vendors -- particularly those that are in the business of selling detective controls like antimalware and intrusion detection systems. As vendors research these malware samples, they generally update their product set accordingly to locate the new malicious code. Enterprises should regularly update the products so they can avail themselves of this research on new, emerging threats.
However, having the ability to detect an issue is a long way from rendering it harmless. Additionally, keep in mind that there's a "gap" between when a given piece of malware is discovered and when the capability to find/remove it is available in many products. This means that having mechanisms to supplement specific detective controls and products is a good idea.
One measure that can help in that respect is to have some idea of what is "normative" cloud activity for your environment, as well as the ability to look for non-normative activity. Having an idea of what cloud usage organizations expect will give them a leg up in isolating usage that is abnormal -- assuming organizations have a way to see that usage through cloud monitoring or visibility services. For example, if an organization doesn't have an approved business need for and approved usage of the CloudMe service, then ascertaining that someone in the organization is using the service might prompt and investigation. Sometimes these investigations will just clue organizations into employee usage patterns that they didn't know were there, giving them the chance to document and evaluate them. But in the event that it is unauthorized shadow cloud usage -- or worse, malware -- organizations might be able to locate it when they wouldn't otherwise be able.
Again, there's no magic bullet for addressing these types of cloud attacks. It can be challenging to locate attacker activity when it intersects with the cloud environment. That said, knowing the threat is there can help.
Learn about cloud discovery and how to identify shadow cloud use in the enterprise
Discover why shadow cloud services are a growing threat