Man in the Cloud file synchronization service attack: Interview with Imperva CTO Amichai Shulman

Man-in-the-Cloud

The Imperva Application Defense Center, a premier research organization for security analysis, vulnerability discovery, and compliance expertise, today unveiled its August Hacker Intelligence Initiative Report at Black Hat USA 2015: “Man in the Cloud Attacks.” This new report uncovers how a new type of attack, “Man in the Cloud”, can quietly reconfigure common file synchronization services, such as Google Drive and Dropbox, to turn them into devastating attack tools not easily detected by common security measures.

Below is an interview with Imperva CTO and report co-author, Amichai Shulman, on the key findings of the report.

Who is the audience for this paper?

Everyone who has responsibility for enterprise security and conscious individuals who care about their own data should take a look at this new research.

Why should they care about the report’s findings?

The research in this paper clearly marks the limitations of classic end-point and perimeter security solutions which unfortunately most organizations still rely on to protect their data. It shows how attackers are able to inherently defeat these legacy approaches using simple available methods.

This isn’t a new security concern is it? What new insights has the research added to the topic?

The topic of bypassing existing controls is constantly being discussed. What’s new is that Imperva is the first to show that there are inherent limitations to all the technologies currently being used for end-point and perimeter approaches, and that such limitations can be easily exploited using common tools and techniques.

What are the top three things you want someone to remember once they’re done reading this report? What actions can the reader take to put the findings from this report into action?

  1. This report adds even more fuel to the fire, proving that end-point and perimeter security will not protect your data.
  2. Formal and informal IT practices (such as the use of cloud synchronization services) inherently put the data at risk.
  3. Organizations that rely on preventing infection through malicious code detection or command and control (C&C) communication detection are at serious risk, as man in the cloud attacks use the in-place Enterprise File Sync and Share (EFSS) infrastructure for C&C and exfiltration.

What single piece of advice do you offer our readers from the findings of this report?

Organizations should consider protecting themselves from MITC attacks with a two-phased approach. First, use a cloud access security broker (CASB) solution that monitors access and usage of your enterprise cloud services. Second, deploy controls such as data activity monitoring (DAM) and file activity monitoring (FAM) solutions around business data resources to identify abnormal and abusive access to business critical data.
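As an added illustration of the second phase described above (it is not code from the Imperva report, from the interview, or from any CASB/DAM/FAM product), the following Python snippet shows the kind of file activity monitoring heuristic that can surface a synchronization client being used outside its normal role. The process name `syncclient.exe`, the sync root path, the thresholds, and every log line are constructed for the example; a real FAM deployment would draw on its own event source and tuned baselines.

```python
"""
Added example, not from the Imperva report or interview: a minimal file
activity monitoring (FAM) heuristic. It raises two kinds of findings:
  * a sync client touching files outside its own sync root, and
  * any process reading an unusual number of distinct files in a short window.
Process names, paths, thresholds and log lines are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FAM log lines in the form "<timestamp> <process> <action> <path>".
SAMPLE_LOG = """\
2015-08-05T10:00:01 syncclient.exe READ C:\\Users\\alice\\SyncFolder\\notes.txt
2015-08-05T10:00:02 syncclient.exe WRITE C:\\Users\\alice\\SyncFolder\\notes.txt
2015-08-05T10:00:03 winword.exe READ C:\\Users\\alice\\Documents\\q3-plan.docx
2015-08-05T10:05:00 syncclient.exe READ C:\\Users\\alice\\Documents\\q3-plan.docx
2015-08-05T10:05:01 syncclient.exe READ C:\\Users\\alice\\Documents\\salaries.xlsx
2015-08-05T10:05:02 syncclient.exe READ C:\\Users\\alice\\Documents\\contracts.pdf
2015-08-05T10:05:03 syncclient.exe READ C:\\Users\\alice\\Documents\\board-minutes.docx
"""

# Hypothetical policy: each known sync client is expected to touch only its
# configured sync root, and reading more than BURST_LIMIT distinct files within
# BURST_WINDOW is reported as possible bulk collection of business data.
SYNC_CLIENTS = {"syncclient.exe": "C:\\Users\\alice\\SyncFolder\\"}
BURST_LIMIT = 3
BURST_WINDOW = timedelta(seconds=10)


def parse_line(line):
    """Split one constructed log line into (timestamp, process, action, path)."""
    ts, proc, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), proc, action, path


def analyze(log_text):
    """Return a list of (finding_type, process, detail) tuples for the log."""
    findings = []
    reads_by_proc = defaultdict(list)  # process -> [(timestamp, path)]

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, proc, action, path = parse_line(raw)

        # Rule 1: a sync client should stay inside its own sync root.
        root = SYNC_CLIENTS.get(proc)
        if root is not None and not path.startswith(root):
            findings.append(("outside_sync_root", proc, path))

        if action == "READ":
            reads_by_proc[proc].append((ts, path))

    # Rule 2: sliding window over each process's reads, counting distinct files.
    for proc, reads in reads_by_proc.items():
        reads.sort()
        for i, (start, _) in enumerate(reads):
            window = {p for t, p in reads[i:] if t - start <= BURST_WINDOW}
            if len(window) > BURST_LIMIT:
                findings.append(("read_burst", proc, len(window)))
                break  # one finding per process is enough for this example
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Running the block on the constructed log reports four reads by the sync client outside its sync root and one read burst of four distinct files, while the ordinary `winword.exe` read produces nothing. The point is the vantage point rather than the thresholds: these events are visible to a monitor placed around the data, which is what distinguishes this control from the end-point and perimeter approaches the interview says the report calls into question.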

Check out the paper here.