Anurag Kahol, CTO, Bitglass, offers his advice for businesses to take the right steps to ensure protection from MitC attacks.
The popularity of the cloud is undeniable and its usage is increasing every day. The International Data Corporation (IDC) recently forecast that worldwide public cloud spending will reach US$210 billion in 2019 – an increase of 23.8% over 2018. With growth like this, however, it is unsurprising that malicious entities have taken note, giving rise to a new breed of cyberattack.
Man in the Cloud, or MitC, attacks have become more prevalent in recent years as the use of the cloud grows in popularity. This attack aims to access its victims’ accounts without the need to obtain compromised user credentials beforehand. But what is an MitC attack? How do I know if there is a man in my cloud? And how can I stop him from getting in?
MitC attacks take advantage of the OAuth synchronisation token system used by cloud applications to gain access to cloud accounts. Popular cloud services – Dropbox, Microsoft OneDrive, Google Drive and more – each save one of these tokens on a user’s device after initial authentication is completed. This is done to improve usability – users don’t have to enter their password every time they attempt to access an app if they have an OAuth token. However, the ‘anytime, anywhere’ nature of cloud services means that the same token can grant access from any device. As such, if an attacker can access and copy a token, he or she can infiltrate the victim’s cloud remotely – in a manner that appears genuine and bypasses security measures.
The research team that first discovered MitC attacks, Minerva, found that social engineering was the easiest way to get access to a token. This involves tricking the victim into running purpose-built malware tools, such as Switcher, that are usually distributed via email. Once executed on the victim’s device, this malware installs a new token (belonging to a new account that the attacker created) and moves the victim’s real token into a cloud sync folder. Then, when the victim’s device next syncs, it syncs the victim’s data to the attacker’s account instead of the victim’s. So how do you know when there is a man in your cloud?
Worse, at this point in the attack the original account token is in the attacker’s hands. Switcher can then be used to copy the original account token back to the victim’s machine and erase the malicious one, removing all traces of the security breach and leaving the attacker with full access to the victim’s account from any device.
The nature of the MitC attack makes it very difficult to prevent with conventional security measures such as endpoint and perimeter protection. Businesses should instead prepare to significantly minimise (or even eliminate) the chance of having a man in their cloud in the first place.
Four steps to protect against MitC attacks:
1. Keep cloud data under lock and key with encryption
Encryption cannot prevent a business from being the victim of an attack, but it can minimise the data breaches that could take place in the aftermath. Provided the encryption keys are not also stored within the targeted cloud service, any data accessed through an MitC attack remains encrypted as far as the attacker is concerned. This means that the stolen information would be indecipherable and unusable to the malicious party.
2. Nothing less than two-factor authentication
A simple but effective way to help minimise the threat of MitC attacks is multi-factor authentication (MFA). This is available with leading cloud services like Office 365, as well as specialised security solutions built to verify users’ identities across all of an organisation’s cloud-based resources. It adds an extra layer of security that can easily thwart an MitC attacker who doesn’t have the ability to authenticate beyond an OAuth token.
3. Hire a traffic warden (cloud access security broker)
Deploying a cloud access security broker (CASB) is one of the most comprehensive ways to protect against threats like MitC attacks. CASBs intermediate all traffic between an organisation’s cloud apps and endpoint devices – they automatically replace each app’s OAuth tokens with encrypted tokens before delivering them to endpoints. As a device attempts to access a cloud app, the unique, encrypted token is presented to the CASB, which decrypts it and passes it along to the app. Consequently, if a user’s token were to be replaced with a hacker’s, the malicious token would fail validation and decryption at the proxy, denying access to the intended victim’s account and nullifying the attack.
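The following is an added illustration of the proxy-side check described above (and of the ‘same token works from any device’ problem described earlier); it is example code, not Bitglass’s or any CASB vendor’s implementation. It assumes a simplified design in which the proxy keeps the real OAuth token in its own vault and hands the endpoint an opaque, HMAC-authenticated handle bound to one device ID; the key, vault and device-binding field are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed example: per-deployment secret held only by the proxy (assumption).
PROXY_KEY = secrets.token_bytes(32)

# Constructed example: vault mapping opaque handles to the app's real OAuth tokens.
# The real token never leaves the proxy, so nothing on the endpoint is worth stealing.
_vault: dict = {}


def _mac(payload: bytes) -> bytes:
    return hmac.new(PROXY_KEY, payload, hashlib.sha256).digest()


def issue_endpoint_token(upstream_token: str, device_id: str) -> str:
    """Replace the app's real OAuth token with an opaque proxy token bound to one device."""
    handle = secrets.token_hex(16)
    _vault[handle] = upstream_token
    payload = json.dumps({"h": handle, "d": device_id}).encode()
    # Authenticate the payload so any foreign or tampered token fails at the proxy.
    return base64.urlsafe_b64encode(payload + _mac(payload)).decode()


def resolve_endpoint_token(endpoint_token: str, presenting_device: str):
    """Proxy-side validation: return the upstream token only if the presented token was
    issued by this proxy, is untampered, and arrives from the device it was bound to."""
    try:
        raw = base64.urlsafe_b64decode(endpoint_token.encode())
    except ValueError:
        return None  # not even proxy-shaped (e.g. a raw OAuth token installed by malware)
    if len(raw) <= 32:
        return None
    payload, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(tag, _mac(payload)):
        return None  # forged, swapped or tampered token fails validation
    try:
        fields = json.loads(payload)
    except ValueError:
        return None
    if fields.get("d") != presenting_device:
        return None  # token copied to another machine is useless there
    return _vault.get(fields.get("h"))
```

Because the endpoint only ever holds the proxy token, an attacker who swaps in a token for their own account (or who copies the victim’s proxy token to another host) is stopped at the proxy rather than at the cloud app.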
4. Consistent and regular security training
This is one of the most effective security measures – it is also one of the simplest and most often overlooked. MitC attacks rely on social engineering to be successful. But a well-trained, security-vigilant employee is far less likely to click on a malicious link or a suspect attachment in a phishing email. Every organisation should be security conscious and conduct regular training sessions with its employees to ensure they know the tell-tale signs of an attempted attack.
Cloud usage in the workplace is only going to continue to grow as one of the preferred business services and, as with so many technologies, security risks are inevitable. But it’s how you mitigate the risk that’s important. MitC attacks are designed to give the hacker access to sensitive information by exploiting the ‘anytime, anywhere’ data access provided by the cloud. Even though detecting MitC threats with conventional security tools is virtually impossible, the risk of these attacks should not put businesses off using cloud services – organisations are not defenceless. Regular employee training, when combined with security measures like encryption, two-factor authentication and CASBs, can provide an extremely robust defence against MitC attacks and countless other threats. In the modern business world, effective security isn’t a luxury – it’s a necessity. Any organisation that fails to remain prepared will inevitably suffer a breach.