The use of cloud services has long been an integral part of the IT strategy for the majority of companies. The ability to access data anytime, anywhere brings numerous benefits, most notably improved flexibility and increased productivity. However, the increased popularity of these services has not gone unnoticed by malicious actors, spawning new types of cyberattacks. One tactic that has been increasingly used in recent years is the so-called “man-in-the-cloud” (MitC) attack.
The easiest way to obtain a token is via social engineering, typically through malware distributed by email. Once executed on the victim’s device, the malware installs a new sync token belonging to an account the attacker has created and moves the victim’s real token into the attacker’s cloud sync folder. The next time the victim’s device syncs, the victim’s data is synced to the attacker’s account, and in the process the genuine token of the victim’s account is exposed to the attacker. The malware can then copy the genuine token back to the victim’s computer and delete the malicious one. This removes the visible traces of the breach, while the attacker retains full access to the victim’s account.
How do MitC attacks work?
This attack variant attempts to gain control of victims’ cloud accounts without the required credentials. To do so, MitC attacks take advantage of the tokens issued by the OAuth synchronization mechanism used by cloud applications. Most popular cloud services such as Dropbox, Microsoft OneDrive or Google Drive store such a synchronization token on the user’s device after authentication. This is done for user-friendliness: the OAuth token saves users from having to re-enter their password every time they open the application again, and in this way enables access from anywhere. The latter is an important detail: if an attacker manages to access and copy a token, they can remotely infiltrate the victim’s cloud, and do so in a way that appears legitimate and thus bypasses security measures.
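Both patterns described above (a device whose linked account is briefly swapped and then restored, and one sync token presented from a second device) leave traces in a sync client’s audit trail. The following detection logic is an added example, not code from the original article or from any cloud provider; the event records, device names and token IDs are constructed for illustration, and the field layout is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sync-client audit records (not real provider logs):
# (timestamp, device_id, linked_account, sync_token_id, source_ip)
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "laptop-17", "alice",   "tok-A", "10.0.0.5"),
    ("2024-03-01T09:05:00", "laptop-17", "mallory", "tok-M", "10.0.0.5"),    # token swapped
    ("2024-03-01T09:20:00", "laptop-17", "alice",   "tok-A", "10.0.0.5"),    # original restored
    ("2024-03-01T09:30:00", "vps-99",    "alice",   "tok-A", "203.0.113.7"), # token reused elsewhere
    ("2024-03-01T10:00:00", "desk-02",   "bob",     "tok-B", "10.0.0.9"),
]

def parse(ev):
    ts, device, account, token, ip = ev
    return datetime.fromisoformat(ts), device, account, token, ip

def find_token_switches(events, window=timedelta(hours=1)):
    """Flag a device whose linked account changes and changes back within
    `window`: the swap-then-clean-up pattern of a token-switch attack."""
    by_device = defaultdict(list)
    for ts, device, account, _token, _ip in map(parse, events):
        by_device[device].append((ts, account))
    hits = []
    for device, seq in by_device.items():
        seq.sort()
        for i in range(len(seq) - 2):
            (t0, a0), (_, a1), (t2, a2) = seq[i:i + 3]
            if a0 == a2 != a1 and t2 - t0 <= window:
                hits.append((device, a0, a1))   # (device, real account, foreign account)
    return hits

def find_token_reuse(events):
    """Flag a sync token that is presented from more than one device: a
    copied token being used remotely by an attacker."""
    devices = defaultdict(set)
    for _ts, device, _account, token, _ip in map(parse, events):
        devices[token].add(device)
    return {tok: sorted(devs) for tok, devs in devices.items() if len(devs) > 1}

if __name__ == "__main__":
    print("token switches:", find_token_switches(SAMPLE_EVENTS))
    print("token reuse:", find_token_reuse(SAMPLE_EVENTS))
```

Either finding alone is worth an alert; the two together on the same token are the full MitC sequence the text describes.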
Off to the cloud? For sure!
In recent years, cloud technology has changed not only the IT market but also the world of business and work. With the digitization and networking of business processes, data security has also taken on a new significance. Legislators have recognized this relevance and, in addition to existing industry-specific requirements, have created an instrument in the form of the GDPR that enables data protection to be enforced on a broad scale in the digital world as well. With this development, the effects of IT security incidents are now felt much more directly in economic terms, as data security breaches bring liability issues and can damage customer confidence. In view of the complex requirements, the move to the cloud is therefore viewed with great skepticism in many companies. In principle, data in the cloud is extremely secure. Risks of data loss or security incidents, on the other hand, arise from how the cloud is used. Theoretically, even minor carelessness on the part of users can result in massive data losses – which, moreover, may not be immediately detected by the company. This risk is exacerbated by the fact that cybercriminals have recognized this and have expanded their attack tactics to target weaknesses in how the cloud is used.
The challenge for companies is therefore, on the one hand, to meet the legal requirements for data protection and, on the other hand, to ensure that the use of the cloud is as secure as possible. While each company brings individual prerequisites in this regard, in general the following five aspects are a suitable starting point:
1. Work closely with the cloud provider
As far as data security is concerned, there is a shared responsibility between provider and user in the cloud. The latter must be able to prove that it has taken the greatest care in selecting the provider. To this end, there should be clarity at the outset about the types of data for which cloud applications are to be used. If personal data is also involved, it must be clarified in terms of the GDPR whether the data will be processed, stored and secured exclusively within the EU area. Likewise, users should make sure that their provider has suitable malware protection and sufficient recovery mechanisms. If the provider works with subcontractors, it should be contractually stipulated that all agreements also apply to them.
It is also important for user and provider to jointly agree on a procedure for dealing with security incidents and to adapt internal processes accordingly so that the legally applicable reporting deadlines can be met.
2. Deploy intelligent malware protection
With their multiple sharing capabilities, cloud applications carry a high risk of spreading malware, for example through infected documents. With the enormous volume of data and the speed of sharing, signature-based antivirus solutions are long outdated. An appropriate level of protection can be achieved with automated security solutions that scan all files in the cloud for malware in real time. Ideally, these should have machine learning capabilities that can use behavior-based analysis to flag previously unknown threats as suspicious and contain them accordingly.
This protection should not be limited to the cloud. After all, the endpoints that access these files also pose a risk. There, too, it should be possible to filter out potentially dangerous data before it makes its way to the cloud. Cloud malware protection should therefore be compatible with endpoint security tools or be part of a combined solution.
3. Implement identity and access management
Enterprise IT is no longer confined to the corporate site. In principle, employees and sometimes external contractors can access cloud data from anywhere via their accounts. Credentials alone do not provide suitable protection for this. With identity and access management (IAM), the level of security can be raised by including context-dependent factors. For example, policies can be created that deny access from certain countries or via unsecured Wi-Fi. In addition, access rights can be refined according to department, position, document type, location, end device or time period.
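A minimal context-aware policy evaluator of the kind the paragraph describes, as an added example that is not code from the original article or from any IAM product. The request fields, the placeholder country codes and the allow rules are constructed assumptions; real deployments would read them from the IAM system’s policy store.

```python
from dataclasses import dataclass
from datetime import time

@dataclass(frozen=True)
class AccessRequest:
    user: str
    department: str
    country: str      # ISO country code of the source location
    network: str      # e.g. "corporate", "home-wpa2", "open-wifi"
    doc_type: str
    at: time          # local time of the request

# Constructed policy (placeholder values). Deny rules are checked first; an
# access that matches no allow rule is refused (default deny).
DENIED_COUNTRIES = {"XX", "YY"}
UNTRUSTED_NETWORKS = {"open-wifi"}
ALLOW_RULES = {
    # (department, document type) -> permitted time window
    ("finance", "invoice"):  (time(7, 0), time(19, 0)),
    ("hr",      "contract"): (time(8, 0), time(18, 0)),
}

def evaluate(req: AccessRequest):
    """Return (allowed, reason) so the reason can be logged with the decision."""
    if req.country in DENIED_COUNTRIES:
        return False, "country denied"
    if req.network in UNTRUSTED_NETWORKS:
        return False, "untrusted network"
    window = ALLOW_RULES.get((req.department, req.doc_type))
    if window is None:
        return False, "no matching allow rule"
    start, end = window
    if not start <= req.at <= end:
        return False, "outside permitted hours"
    return True, "allowed"

if __name__ == "__main__":
    req = AccessRequest("alice", "finance", "DE", "corporate", "invoice", time(10, 0))
    print(evaluate(req))
```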
4. Leverage data encryption and DLP
Complementing the reduction of risks in the surrounding environment, the direct protection of the data itself in the cloud plays a key role. Strong encryption ensures that data is unusable by third parties in the event of loss. Additional data loss prevention (DLP) capabilities give IT a cross-application view of all data flows and the associated user activity, along with the ability to intervene where needed.
5. Train company employees
In the connected world, people can also be a weak point in IT environments. Hackers now rely heavily on social engineering tactics because they tend to be more successful. With regular training on current fraud attempts, together with a low-effort way to report suspicious events, employees can be made aware of their important role and integrated into the IT defense strategy.
Bringing data security into focus
The need for all these security measures at different levels also highlights how data security requirements and the specifics of cloud technology interact. Companies need to ensure that the data they process is always secure – and this is not limited to the cloud storage location, but includes the data loss risks that can arise from cloud use. Complementing the traditional protection of their own network, companies must also secure all transmission paths to the cloud. The best way to achieve complete protection is to derive the appropriate security measures from the data itself and its processing paths.