

How to detect and mitigate malicious content from the cloud

Malicious content hosted in the cloud is more common than you might think. Expert Ed Moyle looks at what enterprises need to know about cloud malware and how to stop it.

Many have predicted over the years that cloud would be transformative. We have seen this prediction borne out:...

Enterprises are now leveraging cloud to offer users more functionality faster and to reduce operational overhead, allowing an increased focus on business enablement across the board. When viewed on the whole, this trend is overwhelmingly positive.

However, there is a potential downside, as well. Specifically, while cloud has been transformative to business generally, it has been equally transformative to those whose business involves less desirable activities, such as cybercrime, supplying malware to attackers and other nefarious pursuits. Just as legitimate organizations employ cloud to enable business, so too do the bad guys. And with that, we've seen a rise in sites that facilitate malicious activity as a service.

Cloud-borne malware -- i.e., malware that leverages the cloud to assist in distribution, command and control of compromised systems, or to circumvent existing security controls -- is not new.

However, a recent study by Georgia Institute of Technology researchers has systematically analyzed the cloud storage landscape and found that the problem is more pervasive than most people realize. Specifically, they found that about 10% of cloud storage repositories had been compromised in some way; this includes acting as a distribution point for malicious content; enabling rapid assembly of malware from component parts, so as to reduce the likelihood of detection; operating as a command-and-control vehicle; or otherwise facilitating nefarious activity. They outline their methods for determining this startling statistic in their paper, "Lurking Malice in the Cloud: Understanding and Detecting Cloud Repository as a Malicious Service."

Understanding and detecting malicious content in the cloud

Understanding this research is useful for a few reasons. First, for end-users -- such as organizations that might be on the business end of attacks leveraging cloud-borne malicious content -- understanding the use of cloud for malicious activity helps them understand the threat landscape in which they operate. This is a critical aspect of maintaining situational awareness and, as intelligence-driven security techniques gain prevalence, any information we can glean about adversary tradecraft is useful.

Moreover, understanding how attackers employ cloud services can assist in the development of detection or prevention controls to flag -- or, ideally, prevent -- the malicious activities potentially impacting the organization.

Secondly, it's helpful for cloud service providers. Not only is there a potential reputational impact to a cloud provider should they be a participant in malicious activity (however inadvertently they became so), but there is also a potential direct economic impact to them, as well.

For example, this could happen in situations when network bandwidth or storage that would otherwise service legitimate customers is siphoned off to service malicious usage instead. Even in situations when payment is being provided for resource use, stolen payment cards or other criminal activities could leave the service provider holding the bag down the road.

As they outline in their paper, the researchers examined in depth what they refer to as Bars (bad repositories) -- i.e., cloud repositories such as Amazon Simple Storage Service or Google Drive that contain malicious content. They located these repositories with BarFinder, a scanning tool they developed as part of this research.

Specifically, they started by examining the differences between malicious and legitimate cloud storage repositories from a topological point of view. To do this, they created two sets of data -- a Goodset (legitimate buckets of cloud storage containing nonmalicious content) and a Badset (a "set of confirmed malicious or compromised buckets") -- and compared the differences between them.

Based on the features of the malicious content, they were able to use an automated approach to determine whether content was legitimate or nefarious. For example, the presence of redirection designed to evade discovery by a scanner (for example, via a proxy or gatekeeper) tended to support the conclusion that content was nefarious, while direct access to content tended to support the inference that the content was legitimate. Automated scanning (using BarFinder), together with contextual and topological analysis of the content, allowed further conclusions to be drawn.

Moreover, leveraging the scanning technique, they were able to conduct a more systematic examination of the sites in the nefarious group: for example, by revisiting those sites over time to observe the lifetime over which they remained operational (highlighting the providers' rate of discovery), as well as observing the effectiveness of the evasion techniques that allowed those sites to continue to operate.
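As an added illustration (example code written for this article, not the researchers' BarFinder and not a reproduction of their feature set), the following Python sketches how the Goodset/Badset comparison and the revisit-over-time lifetime measurement described above could be carried out on crawl observations. The observation records, the two topology features (ratio of fetches served through an intermediate redirect host, and the number of distinct referring sites), the midpoint threshold rule, and every bucket and host name are constructed assumptions.

```python
"""Toy Goodset/Badset feature comparison and bucket lifetime report.

Example code added for illustration; not the Georgia Tech BarFinder tool.
Features, thresholds and all sample records are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed crawl observations, one per (visit date, bucket, object path).
# "redirect_hops" lists intermediate hosts traversed before the content was
# served (empty = direct access); "referrer_host" is the site linking to the
# object; "alive" records whether the object was still being served.
OBSERVATIONS = [
    {"time": "2016-03-01", "bucket": "acme-static", "path": "/css/site.css", "redirect_hops": [], "referrer_host": "www.acme.example", "alive": True},
    {"time": "2016-03-15", "bucket": "acme-static", "path": "/js/app.js", "redirect_hops": [], "referrer_host": "www.acme.example", "alive": True},
    {"time": "2016-04-01", "bucket": "acme-static", "path": "/css/site.css", "redirect_hops": [], "referrer_host": "shop.acme.example", "alive": True},
    {"time": "2016-03-01", "bucket": "photo-share-cdn", "path": "/img/1.jpg", "redirect_hops": [], "referrer_host": "photos.example", "alive": True},
    {"time": "2016-03-20", "bucket": "photo-share-cdn", "path": "/img/2.jpg", "redirect_hops": ["cdn.photos.example"], "referrer_host": "photos.example", "alive": True},
    {"time": "2016-03-01", "bucket": "dl-x7q", "path": "/a.bin", "redirect_hops": ["gate.redir.example"], "referrer_host": "blog1.example", "alive": True},
    {"time": "2016-03-03", "bucket": "dl-x7q", "path": "/b.bin", "redirect_hops": ["gate.redir.example", "tds.example"], "referrer_host": "forum2.example", "alive": True},
    {"time": "2016-03-05", "bucket": "dl-x7q", "path": "/a.bin", "redirect_hops": ["gate.redir.example"], "referrer_host": "news3.example", "alive": True},
    {"time": "2016-03-12", "bucket": "dl-x7q", "path": "/a.bin", "redirect_hops": [], "referrer_host": "news3.example", "alive": False},
    {"time": "2016-03-02", "bucket": "pk-assets", "path": "/kit/p1", "redirect_hops": ["r.example"], "referrer_host": "site-a.example", "alive": True},
    {"time": "2016-03-04", "bucket": "pk-assets", "path": "/kit/p2", "redirect_hops": ["r.example"], "referrer_host": "site-b.example", "alive": True},
    {"time": "2016-03-25", "bucket": "pk-assets", "path": "/kit/p1", "redirect_hops": [], "referrer_host": "site-c.example", "alive": False},
    {"time": "2016-03-10", "bucket": "unknown-bkt", "path": "/x", "redirect_hops": ["hop.example"], "referrer_host": "s1.example", "alive": True},
    {"time": "2016-03-11", "bucket": "unknown-bkt", "path": "/y", "redirect_hops": ["hop.example"], "referrer_host": "s2.example", "alive": True},
    {"time": "2016-03-12", "bucket": "unknown-bkt", "path": "/z", "redirect_hops": [], "referrer_host": "s3.example", "alive": True},
]

# Constructed labelled sets in the spirit of the paper's Goodset and Badset.
GOODSET = {"acme-static", "photo-share-cdn"}
BADSET = {"dl-x7q", "pk-assets"}

# Features used for the threshold rule; lifetime is reported, not scored.
SCORED_FEATURES = ("redirect_ratio", "referrer_spread")


def _day(text):
    return datetime.strptime(text, "%Y-%m-%d")


def bucket_features(observations):
    """Aggregate per-bucket topology features from raw crawl records."""
    by_bucket = defaultdict(list)
    for rec in observations:
        by_bucket[rec["bucket"]].append(rec)
    features = {}
    for bucket, recs in by_bucket.items():
        served = [r for r in recs if r["alive"]]
        via_gate = [r for r in served if r["redirect_hops"]]
        alive_days = sorted(_day(r["time"]) for r in served)
        features[bucket] = {
            # Share of successful fetches that passed through a gatekeeper host.
            "redirect_ratio": len(via_gate) / len(served) if served else 0.0,
            # How many distinct sites link into this bucket.
            "referrer_spread": len({r["referrer_host"] for r in recs}),
            # Days between first and last observation of the content being served.
            "lifetime_days": (alive_days[-1] - alive_days[0]).days if alive_days else 0,
            # True if the most recent revisit found the content gone.
            "taken_down": not max(recs, key=lambda r: r["time"])["alive"],
        }
    return features


def fit_thresholds(features, goodset, badset):
    """Per feature, take the midpoint between the Goodset and Badset means."""
    thresholds = {}
    for name in SCORED_FEATURES:
        good = [features[b][name] for b in goodset]
        bad = [features[b][name] for b in badset]
        thresholds[name] = (sum(good) / len(good) + sum(bad) / len(bad)) / 2
    return thresholds


def classify(bucket_feats, thresholds):
    """Flag a bucket when a majority of scored features exceed their threshold."""
    hits = sum(1 for name, t in thresholds.items() if bucket_feats[name] > t)
    return "suspicious" if hits * 2 > len(thresholds) else "likely-benign"


def run(observations=OBSERVATIONS):
    """Return {bucket: (verdict, lifetime_days, taken_down)} for every bucket."""
    feats = bucket_features(observations)
    thresholds = fit_thresholds(feats, GOODSET, BADSET)
    return {b: (classify(f, thresholds), f["lifetime_days"], f["taken_down"]) for b, f in feats.items()}


if __name__ == "__main__":
    for bucket, (verdict, days, gone) in sorted(run().items()):
        print(f"{bucket:16} {verdict:14} served for {days:2d} days  taken down: {gone}")
```

The lifetime figures are the revisit measurement the paragraph above describes: a short observed lifetime followed by a takedown is one indicator of how quickly a provider discovers a repository, while a long-lived flagged bucket points to an evasion technique that is working. The threshold rule is deliberately simple; a real deployment would use a proper classifier and far more observations than this constructed sample.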

Mitigation and remediation for malicious content

While the issues they highlighted are noteworthy in and of themselves, the more practical question for many practitioners is what end-user organizations can do to protect themselves, and what cloud service providers can do to find and remove this malicious content.

First and foremost, adapting the methods described in the paper can be a useful strategy for cloud service providers. This malicious content is a drain on service providers offering cloud storage in a few different ways. Therefore, their ability to discover problematic usage has a direct bottom-line impact.

Beyond this, the research team observed that one of the challenges that led them to the approach they used is the fact that they were not able (as a cloud service provider hosting this content might be) to do a deeper inspection of the content itself. Now that the prevalence of the problem has been observed and noted, service providers may wish to extend capabilities they already have to find and flag this content.

For end-user organizations, the direct actions are perhaps a bit less obvious. Certainly, the research can inform their understanding of the threat environment as outlined earlier. Additionally, the techniques used in the research to evaluate content could be adapted to countermeasure development.

However, the lowest-effort actions are twofold: first, open a dialog with cloud service providers about implementing mitigation steps for the services the organization employs; and second, should the organization deem it appropriate, build support for strategies that control employee access to untrusted repositories.
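To make the second action concrete, here is an added Python example (written for this article, not code from the paper or any product) of the kind of allow-list check an organization could put in front of a web proxy or egress filter: it recognizes the common virtual-hosted and path-style URL forms for Amazon S3 and Google Cloud Storage, extracts the bucket name, and blocks any repository that is not on an approved list. The approved bucket names, the host patterns and the sample URLs are constructed assumptions; the decision values are this example's own.

```python
"""Allow-list check for cloud storage repositories (example code, not a product).

Recognizes Amazon S3 and Google Cloud Storage URLs in both the
virtual-hosted form (bucket.<host>) and the path-style form (<host>/bucket/key),
and blocks any bucket the organization has not approved.
"""
import re
from urllib.parse import urlsplit

# Constructed policy: buckets this (hypothetical) organization has approved.
APPROVED = {
    "s3": {"acme-static", "acme-releases"},
    "gcs": {"acme-backups"},
}

# Host patterns (constructed, covering the common forms seen in practice):
#   s3.amazonaws.com, s3.<region>.amazonaws.com, s3-<region>.amazonaws.com,
#   optionally prefixed with "<bucket>." for virtual-hosted addressing.
_S3_HOST = re.compile(
    r"^(?:(?P<bucket>[a-z0-9.\-]+)\.)?s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"
)
#   storage.googleapis.com, optionally prefixed with "<bucket>."
_GCS_HOST = re.compile(
    r"^(?:(?P<bucket>[a-z0-9._\-]+)\.)?storage\.googleapis\.com$"
)


def identify_repository(url):
    """Return (provider, bucket) for a cloud-storage URL, or None if the
    host is not a recognized storage endpoint. bucket may be None when a
    path-style URL names no bucket (e.g. the bare service root)."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lower-cases the hostname
    for provider, pattern in (("s3", _S3_HOST), ("gcs", _GCS_HOST)):
        match = pattern.match(host)
        if not match:
            continue
        bucket = match.group("bucket")
        if bucket is None:
            # Path-style addressing: the first path segment names the bucket.
            segments = [s for s in parts.path.split("/") if s]
            bucket = segments[0] if segments else None
        return provider, bucket
    return None


def policy_decision(url):
    """'not-storage' for hosts outside the recognized storage endpoints,
    'allow' for an approved bucket, 'block' for any other repository
    (including a storage root with no bucket named)."""
    repo = identify_repository(url)
    if repo is None:
        return "not-storage"
    provider, bucket = repo
    if bucket is not None and bucket in APPROVED.get(provider, set()):
        return "allow"
    return "block"


# Constructed sample requests a proxy might see.
SAMPLE_URLS = [
    "https://acme-static.s3.amazonaws.com/css/site.css",
    "https://s3.us-east-1.amazonaws.com/acme-releases/v1.zip",
    "https://dl-x7q.s3-eu-west-1.amazonaws.com/a.bin",
    "https://storage.googleapis.com/acme-backups/db.tgz",
    "https://evil-kit.storage.googleapis.com/p1",
    "https://s3.amazonaws.com/",
    "https://www.example.com/page",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{policy_decision(url):12} {url}")
```

Two design points worth noting: the check keys on the bucket name rather than on the full URL, because a single bucket can serve arbitrary object paths, and path-style requests that name no bucket are blocked rather than allowed, since nothing in such a request identifies a repository the organization has vetted.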
