Cloud-based malware is a real and present danger – and it can spread through an organisation like wildfire. But it is not always on the radar of security teams, and without strong protocols in place, there are many possible routes to infection. It’s time for those organisations which don’t have strong protection against cloud-based malware to wake up to the dangers, and protect themselves.
The same – but different
Cloud-based malware is in many ways no different to more ‘traditional’ types which might break in through routes like an infected file drawn off a USB stick, or a compromised web page. It can have similar payloads – ransomware, industrial espionage, and so on. But the cloud offers two important distribution advantages: there are many more routes to infection, and cloud allows malware to spread with alarming rapidity.
Alex Hinchliffe, threat intelligence analyst at Unit 42, told Cloud Pro that cloud-based malware spreads in much the same ways as physical infections.
“Adversaries who may have compromised systems in the cloud may attempt to move laterally to other hosts in the cloud, using typical methods as they go, such as gaining credentials through key-logging, brute-forcing, or even additional spear-phishing attacks on employees or using password-stealing tools on infected systems,” says Hinchliffe.
The lure of cloud-based services
Thanks to the growth and development of software-as-a-service (SaaS), we are becoming more and more reliant on the cloud for the majority of our everyday computing needs.
We can share information with other people easily, no matter where they are. We can whiteboard ideas, have group conversations in virtual space, create, edit and amend content of all kinds, manage projects and teams, and so on.
SaaS allows IT teams to offer a range of capabilities they might struggle to deliver through in-house tech, and to access new services and new ways of working much more quickly than they could through in-house implementation. It helps them improve efficiency and productivity, and to punch above their weight.
Many of us have settled into a mindset where cloud apps are the norm. It isn’t a big leap from there to step outside the services sanctioned by the IT team and strike out alone, setting up accounts with web-based services that will help with a particular project. It is highly possible that the IT team only knows about a fraction of the cloud services in use at any one time.
The problem for the IT team is policing all the cloud services in use in order to keep internal systems safe. All it takes is a single malicious file, shared through a service that operates in your IT department’s blind spot, to bring down a network.
When strengths become weaknesses
We shouldn’t be under any illusions about the danger of cloud-based malware. New research from Bitglass scanned tens of millions of files and found that, on average, one in three corporate instances of SaaS apps contained malware.
Of the four major SaaS applications – OneDrive, Google Drive, Box, and Dropbox – Microsoft OneDrive had the highest rate of infection at 55%. Google Drive came in at 43%, while Dropbox and Box were at 33% each.
New research from Palo Alto Networks also found that 68% of cybersecurity professionals working in large organisations in the UK say the rush to the cloud is not taking full account of the security risks. Just 15% of UK security professionals said they were able to maintain consistent, enterprise-class cyber security across their cloud networks and endpoints, according to the research.
Taking control of the situation
Arguably the most appropriate strategy for getting ahead of the threat of cloud-based malware is to have effective endpoint solutions – i.e. to use trusted third-party solutions that will monitor laptop and desktop computers, tablets and phones.
This can be more complex than it seems. We’ve already noted that there will likely be many more cloud apps in play than the IT team is aware of, and the endpoint solution will need to keep an eye on all file uploads and downloads.
Of course, that’s on top of the burden of monitoring every piece of kit used by employees. This will need to include those provided by the organisation, sanctioned BYOD devices, and, inevitably, BYOD devices that are not sanctioned.
There also needs to be an effective backstop layer of protection that will come into play when an infection gets through so that it doesn’t spread into the organisation’s own cloud applications.
Strong protection is the only way to defend against infection. And this is becoming more and more necessary. While the immediate threat of WannaCry may have passed, the 300,000 computer systems infected around the world, including those within the NHS, speak volumes about the potential damage a similar outbreak could wreak.
This should be especially concerning given the NHS’ recent commitment to moving its systems to a cloud-based model, and reports that its systems have yet to reach a standard capable of warding off a similar attack in the future.
The threat from ransomware isn’t going away anytime soon, and that, along with industrial espionage and other exploits, needs to be paid serious attention.