According to Netskope Inc.'s February 2018 "Cloud Report," backdoors were the second most common type of malware detected during the last quarter of 2017, accounting for 33.6% of detections.
While that may be interesting as a barometer of cloud-intersecting attacker tradecraft, the more salient point for security practitioners in organizations that make extensive use of the cloud is the need to understand what exactly a cloud backdoor is -- and, more importantly, how a security team can detect and block it.
What is a cloud backdoor?
Defining this term -- at least with a high level of granularity and specificity -- is a little more complicated than it might seem on the surface. This is in part because the classification of malware -- both in the cloud and otherwise -- is a complicated and nuanced exercise.
There have been a number of attempts over the years to establish a naming standard for the unambiguous identification of malware between researchers, but the reality is that there's so much malware out there and it evolves so quickly that adhering to a uniform standard for naming, taxonomy and classification is non-trivial. This, in turn, means that while general categories and families are agreed upon by the research community, how a particular researcher categorizes a given sample from among the various strains and variants out there is largely up to the researcher.
As a general rule, backdoors are classified by what they are designed to do: to enable an attacker to control a victim resource -- such as a virtual or physical host or cloud resource. So, a cloud backdoor is exactly what it sounds like: a channel that gives an attacker some level of command and control over an organizational resource.
That's true of any backdoor, but what makes it specifically a cloud backdoor is that the channel is either facilitated by the cloud, uses an artifact in the cloud or uses cloud resources to propagate itself. The form that this can take varies by the cloud model.
In the case of an IaaS deployment, a cloud backdoor could refer to malware that gives an attacker access to a remote virtual environment hosted by an IaaS provider -- in other words, a backdoor into the cloud environment itself.
In a SaaS context -- and probably more relevant to Netskope's findings -- it could refer to an artifact designed to establish a backdoor into an enterprise, with the cloud service as the point of entry -- in other words, a cloud-hosted backdoor.
There are a few things to note about this. First, backdoors that originate in this way can be particularly challenging to detect. This is true in part because they use or affect resources that are outside the direct control of the end customer.
For example, an organization might have malware detection firmly entrenched for in-house collaboration tools or an on-premises data center. But, in a cloud context, analogous controls may be absent because operational responsibility is shared with the service provider, or they may be monitored via a separate workflow. This is exacerbated by the move to increasingly fileless malware techniques -- that is, malware loaded directly into memory so that it never touches the file system and therefore goes unnoticed by file-scanning antimalware tools.
Second, cloud backdoors can bypass a subset of the other security controls an organization has in place. For example, an on-premises endpoint exfiltrating data may set off behavioral alarms, while the same behavior in a virtual IaaS environment might not.
How can an organization detect and prevent a cloud backdoor?
The specifics of doing so depend on the type of cloud environment in question.
For an IaaS deployment, the process is similar to mitigating the same issues in an internal, on-premises deployment using malware prevention tools, SIEM tools, intrusion detection tools and so on. The implementation details might vary depending on the provider in use, the degree of control you have over the environment, and so forth. But, at the technical level, they operate fairly consistently with what is used elsewhere.
Nevertheless, it is useful to think these details through in a manner separate and distinct from on-premises implementations because there might be different teams supporting these environments and they may use different tools depending on usage specifics, as well as other factors.
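One concrete form the "behavioral alarms" of the IaaS discussion can take is a beaconing check over flow logs: a backdoor is a command-and-control channel, and its most reliable behavioral signature is regular, low-volume outbound contact with one remote endpoint. The following is an added example, not code from the article or from any vendor named in it; the flow-record format is a hypothetical simplification of cloud VPC flow logs, and the sample records are constructed.

```python
"""Flag periodic outbound 'beaconing' from IaaS hosts in flow-log style records.

Assumed record format (hypothetical, loosely modelled on cloud VPC flow logs):
(epoch seconds, src, dst, dst_port, bytes_out). A scheduled backdoor check-in
produces connection gaps with almost no variance; human or batch traffic does not.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data, not from any real environment.
SAMPLE_FLOWS = [
    # host A contacts 203.0.113.7:443 every 300 s with tiny payloads (constructed)
    *[(1000 + i * 300, "10.0.1.5", "203.0.113.7", 443, 420 + (i % 3)) for i in range(12)],
    # host B reaches an update server at irregular, human-driven times (constructed)
    *[(1000 + t, "10.0.1.9", "198.51.100.20", 443, 9000) for t in (0, 17, 950, 1200, 4100, 4120, 7000)],
    # host A also fetches a package mirror twice: too few samples to judge (constructed)
    (1200, "10.0.1.5", "198.51.100.40", 80, 120000),
    (5000, "10.0.1.5", "198.51.100.40", 80, 118000),
]

def find_beacons(flows, min_connections=8, max_cv=0.15):
    """Return [(src, dst, port, period_seconds, cv)] for suspiciously regular flows.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    successive connections to the same destination and port. A timer-driven
    implant keeps it near zero even with modest jitter; interactive traffic
    scatters it widely. min_connections guards against judging from too few gaps.
    """
    by_tuple = defaultdict(list)
    for ts, src, dst, port, _bytes in flows:
        by_tuple[(src, dst, port)].append(ts)
    hits = []
    for key, stamps in by_tuple.items():
        if len(stamps) < min_connections:
            continue  # not enough evidence to call the pattern periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else 0.0
        if cv <= max_cv:
            hits.append((*key, round(period), round(cv, 3)))
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print("possible beacon:", hit)
```

Feeding real flow logs through the same grouping is straightforward; the thresholds are the tuning point, since too low a `min_connections` turns any pair of connections into a false positive.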
SaaS is where it gets more complicated. There are, of course, tools in the marketplace -- notably within the cloud access security broker (CASB) category -- that address certain types of backdoor threats. Netskope is one such vendor. Other examples include Skyhigh Networks, CipherCloud and Symantec. These tools can help directly by finding and blocking malware, including backdoors. They can also help indirectly by monitoring cloud access and enforcing security policies in the cloud.
For those organizations that don't use a CASB, other strategies can be useful. Keep in mind that, for a backdoor to be useful to an attacker, it must enable the attacker to command and control a targeted resource. To the extent that the resource the attacker wants to reach is an entity on the organization's network, the internal defense strategies already in place -- such as exfiltration controls, behavioral monitoring and antimalware -- can help to detect and prevent this.
The broader concern would be access to those resources from devices that aren't directly managed by the organization, such as a personal or home device belonging to an employee. Because those devices could have access to corporate resources, having a plan to help mitigate this issue is also prudent.
The short answer is that organizations should evaluate, plan and defend against backdoors in the cloud the same way they would for internal threats. The actual mechanics of how they do this will depend on the tools available and the specific cloud usage in question, but thinking it through ahead of time -- particularly in light of the prevalence of backdoors as reflected in Netskope's research -- is time well spent.