A Secure Future in the Cloud - client.blueskybroadcast.com - Cloud Apps Threat (Attack) Detection and...


Transcript of A Secure Future in the Cloud - client.blueskybroadcast.com - Cloud Apps Threat (Attack) Detection and...

Page 1: A Secure Future in the Cloud - client.blueskybroadcast.com - Cloud Apps Threat (Attack) Detection and Protection Techniques 1. Attaining visibility into cloud apps traffic 2. User behavior

A Secure Future in the Cloud

Threat Detection and Protection

Page 2: About Speaker

• Dr. Aditya K Sood, PhD
  – Director of Security and Cloud Threat Labs, Blue Coat Systems
  – Regular Speaker at Industry Leading Security Conferences
    • DEFCON | BlackHat | OWASP | ToorCon
  – Author of book “Targeted Cyber Attacks”
  – Published Research in Magazines and Journals including:
    • IEEE | Virus Bulletin | Elsevier | Crosstalk

Page 3: Agenda

• Understanding Threats in the Cloud
• Understanding Threat Actors
• Real world case studies including:
  – Account Hijacking (phishing, botnets, vulnerabilities, etc.)
  – Malware Distribution (drive-by downloads, malware hosting, etc.)
  – Data Exfiltration (document exposure, data thefts, etc.)
• Threat Overview and Response Techniques
• Discussion: Finest 7 Threat Detection and Protection Techniques
• CloudSOC: Mapping Finest 7 to the CloudSOC Platform
• Q & As

Page 4: Threats in Cloud Apps - Reality Check!

Page 5: Why Threat Protection in the Cloud?

Page 6: Let’s First Talk About Threat Actors

Page 7: Threat Actors

• Employees
  – Loose shares – set to “all company” or shared “publicly” to save time
  – Forgotten shares still in place
  – Inadvertent sharing – inherited file and folder permissions
  – Use devices with unapproved security posture

Page 8: Threat Actors

• Malicious Insiders
  – Share data hosted on cloud apps intentionally
    • Unauthorized data sharing
  – Download data from cloud apps and exfiltrate using USB and other means
    • Data exfiltration
  – Modify sensitive data hosted on the cloud app
    • Data fraud and destruction

Page 9: Threat Actors

• Attackers
  – Steal cloud apps credentials through malware
  – Conduct Phishing attacks against users
  – Exfiltrate data through cloud apps
  – Implant and distribute malware (ransomware) on hijacked cloud apps
  – Exploit vulnerabilities in platforms used to host cloud apps

Page 10: Let’s Talk About Threats

• Account Hijacking
• Data Exfiltration and Fraud
• Malware Distribution

Page 11: Threat : Account Hijacking

• Response

Page 12: Threat : Account Hijacking

• Response

Man-in-the-Browser – Hooking Browser Functions

Page 13: Threat : Account Hijacking

• Response

Page 14: Threat : Account Hijacking

• Overview:
  – Stealing of users’ credentials and ultimately account hijacking using:
    • Phishing attacks
    • Infecting end-user systems with bots
    • Exploiting vulnerabilities in cloud application platforms
  – End target is to access users’ cloud accounts for nefarious operations

• Response:
  – User behavior profiling for detecting suspicious activity
    • Actions performed in the cloud apps – time based mapping
    • Geo-location analysis
    • Cloud application usage and mapping
  – To detect what happens in the cloud apps once the accounts are compromised
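The response on this slide (time-based mapping of actions plus geo-location analysis) can be sketched as a baseline-and-deviation scorer. The following is an added example, not code from the deck or from any Blue Coat / CloudSOC product: the JSON-lines event format, the hour-of-day and country baselines, the two-hour "impossible travel" window and the reason weights are all assumptions made for the illustration.

```python
"""User behavior profiling over cloud-app audit events (added example).

Constructed sample data; the event format (JSON lines with user, ts,
action, country) is an assumption, not any particular CASB's schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed baseline: several days of routine activity for one user (UTC).
BASELINE_LOG = """
{"user": "alice", "ts": "2016-03-01T09:05:00Z", "action": "login", "country": "US"}
{"user": "alice", "ts": "2016-03-01T10:12:00Z", "action": "download", "country": "US"}
{"user": "alice", "ts": "2016-03-02T08:58:00Z", "action": "login", "country": "US"}
{"user": "alice", "ts": "2016-03-02T16:40:00Z", "action": "share", "country": "US"}
{"user": "alice", "ts": "2016-03-03T09:20:00Z", "action": "login", "country": "US"}
"""

# Constructed events to score: a second login from another country 45 minutes
# after the usual one, then a download at 03:30 from that country.
NEW_LOG = """
{"user": "alice", "ts": "2016-03-04T09:10:00Z", "action": "login", "country": "US"}
{"user": "alice", "ts": "2016-03-04T09:55:00Z", "action": "login", "country": "RO"}
{"user": "alice", "ts": "2016-03-05T03:30:00Z", "action": "download", "country": "RO"}
"""

# Illustrative weights chosen for this example, not values from the deck.
WEIGHTS = {"unusual-hour": 1, "new-country": 2, "impossible-travel": 3}


def parse(log):
    """Parse JSON lines into dicts with an aware UTC datetime, oldest first."""
    events = []
    for line in log.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def build_profile(events):
    """Time-based mapping (hours of day seen) and geo baseline (countries seen) per user."""
    profile = defaultdict(lambda: {"hours": set(), "countries": set()})
    for e in events:
        profile[e["user"]]["hours"].add(e["ts"].hour)
        profile[e["user"]]["countries"].add(e["country"])
    return profile


def score_events(events, profile, travel_window=timedelta(hours=2)):
    """Return (event index, reasons, score) for each event deviating from the baseline."""
    findings = []
    last_seen = {}  # user -> (ts, country) of the previous event in this batch
    for i, e in enumerate(events):
        p = profile.get(e["user"], {"hours": set(), "countries": set()})
        reasons = []
        if e["ts"].hour not in p["hours"]:
            reasons.append("unusual-hour")
        if e["country"] not in p["countries"]:
            reasons.append("new-country")
        prev = last_seen.get(e["user"])
        # Two countries within travel_window: the account moved, the person did not.
        if prev and prev[1] != e["country"] and e["ts"] - prev[0] <= travel_window:
            reasons.append("impossible-travel")
        last_seen[e["user"]] = (e["ts"], e["country"])
        if reasons:
            findings.append((i, reasons, sum(WEIGHTS[r] for r in reasons)))
    return findings


if __name__ == "__main__":
    base = build_profile(parse(BASELINE_LOG))
    for idx, reasons, score in score_events(parse(NEW_LOG), base):
        print(idx, score, reasons)
```

The first new event matches the baseline and produces nothing; the second is scored for a new country and for being 45 minutes after a login from a different one; the third is scored for the hour and the country. A production profiler would use a longer baseline and per-action statistics rather than a bare set of hours, but the shape of the check is the same.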

Page 15: Threat : Malware Distribution

Petya ransomware distribution via DropBox
https://www.elastica.net/dissecting-petya-ransomware-distribution

Page 16: Threat : Malware Distribution

Petya ransomware distribution via DropBox
https://www.elastica.net/dissecting-petya-ransomware-distribution

Page 17: Threat : Malware Distribution

• Overview:
  – Conducting infections through drive-by download attacks using a variety of techniques:
    • Hosting malware (exes) in the cloud
    • Hosting malicious JavaScript code in cloud storage apps which fetches the malware from 3rd party domains
  – End target is to infect users’ (cloud apps) systems with malware

• Response:
  – Suspicious content analysis
    • Scanning files uploaded and downloaded by the users
    • Sharing of suspicious files such as executables, JavaScripts, etc. to external users
    • File camouflaging checks
  – Correlating suspicious content analysis with user profiling
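Two of the response items above, file camouflaging checks and the sharing of executables or scripts with external users, come down to comparing what a file claims to be with what its bytes say, and who it is shared with. The following is an added example, not code from the deck or from any product it describes: the file-record shape, the tiny magic-byte table, the company domain and the set of "risky" types are assumptions for the illustration.

```python
"""Suspicious-content checks for files in a cloud storage app (added example).

Constructed file records; the record shape (name, first bytes, share
recipients) is an assumption, not a real storage or CASB API.
"""
COMPANY_DOMAIN = "example.com"

# Magic bytes -> content type. A deliberately small table for the example.
MAGIC = {
    b"MZ": "exe",           # Windows PE executable
    b"\x7fELF": "elf",      # Linux executable
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",   # also the container for docx/xlsx/jar
}

# Declared extension -> content type it claims to be.
EXT_TYPE = {
    "exe": "exe", "scr": "exe", "dll": "exe",
    "elf": "elf", "pdf": "pdf", "js": "js",
    "zip": "zip", "jar": "zip", "docx": "zip", "xlsx": "zip",
}

# Types the deck calls out as suspicious when shared with external users.
RISKY_TYPES = {"exe", "elf", "js"}

# Constructed inputs: a clean PDF, an executable renamed to .pdf, a
# double-extension file shared outside the company, and a script shared outside.
FILES = [
    {"name": "q1-report.pdf", "head": b"%PDF-1.4\n", "shared_with": ["bob@example.com"]},
    {"name": "invoice.pdf", "head": b"MZ\x90\x00\x03", "shared_with": []},
    {"name": "invoice.pdf.exe", "head": b"MZ\x90\x00\x03", "shared_with": ["partner@other.org"]},
    {"name": "loader.js", "head": b"var u = 'http", "shared_with": ["x@other.org"]},
]


def sniff(head):
    """Content type from leading bytes, or None if unknown."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def check_file(f, company_domain=COMPANY_DOMAIN):
    """Return the list of findings for one file record."""
    findings = []
    parts = f["name"].lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    claimed = EXT_TYPE.get(ext)
    actual = sniff(f["head"])

    # File camouflaging: the bytes say one thing, the extension another.
    if actual and claimed and actual != claimed:
        findings.append(f"camouflage:{actual}-as-{ext}")

    # Double extension such as invoice.pdf.exe: a document name in front of a risky type.
    if len(parts) > 2 and parts[-2] in EXT_TYPE and claimed in RISKY_TYPES:
        findings.append("double-extension")

    # Risky content shared with someone outside the company domain.
    effective = actual or claimed
    external = [r for r in f["shared_with"] if r.rsplit("@", 1)[-1] != company_domain]
    if effective in RISKY_TYPES and external:
        findings.append("risky-file-shared-externally:" + ",".join(external))
    return findings


def scan(files=FILES):
    """Map file name -> findings, only for files with at least one finding."""
    result = {}
    for f in files:
        findings = check_file(f)
        if findings:
            result[f["name"]] = findings
    return result
```

The sniffed type takes precedence over the extension when deciding whether a share is risky, so the renamed executable is still treated as an executable. Real scanners use a far larger signature table (and a sandbox for the "JavaScript that fetches from a third-party domain" case), but the decision logic is the same.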

Page 18: Threat : Data Exfiltration and Fraud

Page 19: Threat : Data Exfiltration and Fraud

Page 20: Threat : Data Exfiltration and Fraud

• Overview:
  – Exposing and stealing sensitive data hosted on cloud apps:
    • Document exposure
    • Data fraud via data destruction – altering files’ contents, replacing versions, etc.
  – Document exposure and fraud could be the result of:
    • Employees’ mistakes
    • Malicious insiders or attackers doing it intentionally

• Response:
  – Detecting anomalies
    • Files shared with external entities
    • Excessive deletion of files
    • Excessive downloading of files
  – Correlating user profiling with document related anomalies
  – Preventing leakage of sensitive data
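The three anomalies listed under Response (external shares, excessive deletion, excessive downloading) and the correlation step can be run over an audit trail with a sliding window per user and action. The following is an added example, not code from the deck or from any product it describes: the CSV field layout, the one-hour window, the thresholds and the risk weights are assumptions chosen for the illustration.

```python
"""Document-anomaly detection over cloud-app audit events (added example).

Constructed log lines; the CSV field layout (ts,user,action,object,recipient)
and the thresholds are assumptions, not any product's defaults.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from io import StringIO

COMPANY_DOMAIN = "example.com"
WINDOW = timedelta(hours=1)
THRESHOLDS = {"download": 20, "delete": 10}  # events per user per WINDOW

# Constructed audit trail: bob bulk-downloads 25 files then deletes 12,
# carol shares one deck externally and internally, alice downloads one file.
AUDIT_CSV = "ts,user,action,object,recipient\n" + "\n".join(
    [f"2016-03-07T13:{m:02d}:00Z,bob,download,doc-{m},-" for m in range(25)]
    + [f"2016-03-07T13:{30 + m:02d}:00Z,bob,delete,doc-{m},-" for m in range(12)]
    + ["2016-03-07T14:05:00Z,carol,share,roadmap.pptx,eve@other.org",
       "2016-03-07T14:06:00Z,carol,share,roadmap.pptx,dan@example.com",
       "2016-03-07T15:00:00Z,alice,download,notes.txt,-"]
)


def parse(text=AUDIT_CSV):
    """Parse the CSV into dicts with an aware UTC datetime, oldest first."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append(r)
    return sorted(rows, key=lambda r: r["ts"])


def detect(events):
    """Per user: external shares plus download/delete bursts above THRESHOLDS within WINDOW."""
    recent = defaultdict(deque)   # (user, action) -> timestamps inside the window
    fired = set()                 # (user, action) already reported once
    anomalies = defaultdict(list)
    for e in events:
        user, action = e["user"], e["action"]
        if action == "share":
            domain = e["recipient"].rsplit("@", 1)[-1]
            if domain != COMPANY_DOMAIN:
                anomalies[user].append(("external-share", e["object"], e["recipient"]))
            continue
        if action not in THRESHOLDS:
            continue
        q = recent[(user, action)]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > WINDOW:   # drop events that fell out of the window
            q.popleft()
        if len(q) > THRESHOLDS[action] and (user, action) not in fired:
            fired.add((user, action))
            anomalies[user].append((f"excessive-{action}", len(q), e["ts"].isoformat()))
    return dict(anomalies)


def risk_scores(anomalies):
    """Correlate: several anomaly kinds on one user are a stronger signal than each alone."""
    weights = {"external-share": 2, "excessive-download": 3, "excessive-delete": 3}
    scores = {}
    for user, items in anomalies.items():
        kinds = {item[0] for item in items}
        score = sum(weights[k] for k in kinds)
        if len(kinds) > 1:
            score *= 2
        scores[user] = score
    return scores


if __name__ == "__main__":
    found = detect(parse())
    print(found)
    print(risk_scores(found))
```

Each burst is reported once, at the event that crosses the threshold, with the count seen at that moment; the download-then-delete pattern on one account doubles its score, which is the correlation step the slide asks for. The "preventing leakage" item is a policy action on top of this output and is not modelled here.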

Page 21: Window of Exposure

• w(d) = Window of Detection
• w(p) = Window of Prevention
• w(e) = Window of Exposure

LEGEND

t = time when the sensitive document is exposed (Internet or unauthorized users)
p = time when the document is removed (or restricted or patched)
d = time when the document is detected as exposed

w(e) = w(d) + w(p)

w(d) = (d – t) → difference between detection time and exposure time
w(p) = (p – d) → difference between prevention time and detection time

Page 22: Window of Exposure - Risks

Diagram: a time axis with the points EXPOSED → DETECTED → PREVENTED
  w(d) = Window of Detection: from EXPOSED to DETECTED
  w(p) = Window of Prevention: from DETECTED to PREVENTED
  w(e) = Window of Exposure: from EXPOSED to PREVENTED

Vulnerable to Attackers Until Prevented

Page 23: Reducing Window of Exposure

• Enterprises are more prone to risks if w(e) is high because…
  – either w(d) or w(p) are high
  – both w(d) and w(p) are high

Diagram: w(d) and w(p) without a Cloud Access Security Broker (CASB), where w(e) is high, compared with a Cloud Access Security Broker (CASB) deployment, where w(e) is minimized.
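The window arithmetic on Pages 21 to 23 is easy to get wrong in practice for incidents that are still open, where d or p has not happened yet. The following is an added example, not code from the deck: it carries the deck's definitions of t, d, p, w(d), w(p) and w(e) through constructed incident records, treats a missing d or p as a window that is still running, and reports which of w(d) or w(p) dominates. The record shape and the two incident sets (the same exposures handled by manual review and then with automated detection and response of the kind the deck attributes to a CASB) are assumptions.

```python
"""Window-of-exposure arithmetic from the deck, w(e) = w(d) + w(p) (added example).

Constructed incident records; the record shape (document id with exposed,
detected and prevented timestamps) is an assumption.
"""
from datetime import datetime, timezone


def _t(s):
    """Parse a constructed 'YYYY-MM-DDTHH:MMZ' stamp as an aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


# Same three exposures, first with manual review (MANUAL), then with automated
# detection and response (CASB). A missing "d" or "p" means that step has not
# happened yet.
MANUAL = [
    {"doc": "budget.xlsx", "t": "2016-02-01T09:00Z", "d": "2016-02-04T15:00Z", "p": "2016-02-05T10:00Z"},
    {"doc": "roadmap.pptx", "t": "2016-02-02T12:00Z", "d": "2016-02-03T12:00Z"},
    {"doc": "payroll.csv", "t": "2016-02-03T08:00Z"},
]
CASB = [
    {"doc": "budget.xlsx", "t": "2016-02-01T09:00Z", "d": "2016-02-01T09:30Z", "p": "2016-02-01T10:00Z"},
    {"doc": "roadmap.pptx", "t": "2016-02-02T12:00Z", "d": "2016-02-02T12:15Z", "p": "2016-02-02T13:15Z"},
    {"doc": "payroll.csv", "t": "2016-02-03T08:00Z", "d": "2016-02-03T08:05Z", "p": "2016-02-03T08:35Z"},
]
NOW = _t("2016-02-06T12:00Z")  # constructed "current time" for still-open windows


def _hours(a, b):
    return (b - a).total_seconds() / 3600


def windows(inc, now=NOW):
    """w(d) = d - t, w(p) = p - d, w(e) = w(d) + w(p), all in hours.

    A window whose end has not happened yet runs up to `now`, and the
    incident is reported as open: still vulnerable to attackers.
    """
    t = _t(inc["t"])
    d = _t(inc["d"]) if "d" in inc else None
    p = _t(inc["p"]) if "p" in inc else None
    if d is None:                       # not even detected: w(d) is still growing
        w_d, w_p = _hours(t, now), 0.0
    else:                               # detected; w(p) runs until p or now
        w_d, w_p = _hours(t, d), _hours(d, p or now)
    return {"doc": inc["doc"], "w_d": w_d, "w_p": w_p, "w_e": w_d + w_p, "open": p is None}


def summarize(incidents, now=NOW):
    """Mean w(e), the documents still exposed, and which window to shrink first."""
    rows = [windows(i, now) for i in incidents]
    total_d = sum(r["w_d"] for r in rows)
    total_p = sum(r["w_p"] for r in rows)
    return {
        "mean_w_e_hours": sum(r["w_e"] for r in rows) / len(rows),
        "still_exposed": [r["doc"] for r in rows if r["open"]],
        "dominant": "w(d)" if total_d >= total_p else "w(p)",
    }


if __name__ == "__main__":
    print("manual:", summarize(MANUAL))
    print("casb:  ", summarize(CASB))
```

In the manual set the detection window dominates and two documents are still exposed at `NOW`; in the automated set every window closes within about an hour, which is the "w(e) is minimized" case of Page 23. The "dominant" field is the practical output: it says whether to invest in faster detection or faster remediation.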

Page 24: Let’s Revisit the Crux!

Page 25: Finest 7 : Threat Response Techniques

Cloud Apps Threat (Attack) Detection and Protection Techniques

1. Attaining visibility into cloud apps traffic
2. User behavior profiling (threat profiling and scoring): actions in the cloud apps
3. Inherent file scanning for potential analysis of malicious code
4. Data leakage detection and protection (PHI, PII, source code and other sensitive data)
5. Security policies enforcement through gateway / proxy components
6. File shares profiling – deeper look into file access permissions
7. Incident response using historical data

Page 26: CloudSOC - Mapping the Finest 7 Threat Response Tactics

• Cloud Apps Visibility
• Data Leakage Prevention
• File Shares Profiling
• User Behavior Profiling
• Policy Enforcement
• Malware Scanning
• Incident Response

Page 27: Thanks!