Cloud Data Protection and Security


Using CloudSOC to Combat Threats in Office 365

Sep 07, 2017 05:35 PM


Overview

Volume 22 of the Microsoft Security Intelligence Report includes some interesting insights regarding attacks on cloud apps, including the highlights below:


  • Microsoft reported a 300% year-over-year increase in attacks on the company’s cloud-based user accounts (1Q2017 vs. 1Q2016).

  • The number of account sign-ins attempted from malicious IP addresses increased by 44% year-over-year in 1Q2017, and over two-thirds of incoming attacks on Azure services in that quarter came from IP addresses in China and the US.

  • Ransomware encounter rates in 1Q2017 were highest in Europe compared with the rest of the world.

These findings highlight the need to stay vigilant in pursuing comprehensive security controls for your cloud activity. As you’re well aware, attackers follow the money; when sensitive corporate content moves to the cloud, attacks follow it. Microsoft’s research findings confirm this adage.

Here we will demonstrate how Symantec CloudSOC helps detect and counter the cloud attacks highlighted in the recent Microsoft report. Let’s take a look at each threat and the detection controls CloudSOC provides for it.


Ransomware Infections

Attackers have begun using cloud apps to distribute ransomware to end users. Two variations have been observed. In the first, the ransomware is uploaded to a cloud storage app and a direct download URL is distributed to end users (typically by email or chat). In the second, that same URL, referencing the ransomware hosted in the cloud app, is embedded in additional malicious code (an iframe, JavaScript, etc.) on a web page to trigger a stealthy drive-by download. Because the payload is served from a well-known, TLS-protected cloud domain, reputation-based URL filtering alone tends not to catch it. The Cloud Threat Labs research team has previously covered the spreading of Petya ransomware via Dropbox and Cerber ransomware via Office 365.

Symantec CloudSOC has built-in content inspection that scans files uploaded to cloud storage apps for malicious code. When a user uploads a file to the cloud app, it is scanned for potential threats and an associated report is shown in CloudSOC. The administrator can configure additional policies to restrict sharing of a file flagged as malicious, preventing it from being distributed to other users. The uploading user also carries a threat score that reflects the risk associated with the activity. Whether the malicious file is ransomware or another type of malware, it is flagged at upload time, so the infection can be contained or prevented before the file is ever shared or downloaded.

Figure 1: Office 365 Securlet Detecting the File as Malicious

Brute-force Attacks and Account Takeovers

Cloud app accounts are a prime target for account takeover. One of the primary attack vectors is the brute-force / dictionary attack, in which many login requests with different credentials are sent against an account over a period of time, usually by an automated tool. Attackers commonly seed these attacks with credentials and username lists harvested from previous breaches, so a dictionary attack may succeed in far fewer attempts than a blind brute force.

To deploy detection controls upfront, CloudSOC provides a built-in capability to configure alerts that detect automated attacks launched against Office 365 accounts. An alert triggers when the number of failed login attempts within a time window crosses a configured threshold. Administrators can tune the thresholds, as in the screenshot below, to match organizationally approved policies.


Figure 2: CloudSOC Threat Tree for Alerts Related to Brute-force Login Attempts in Office 365

Account Access from Suspicious IPs / Locations

As highlighted in the Microsoft Security Intelligence Report, Office 365 accounts were frequently accessed from malicious IPs over a period of time. This can reflect two scenarios. In the first, the attacker has already compromised a user’s credentials and is using them to access the application, so the sign-in succeeds but originates from a location or network the user has never used. In the second, the attacker is still trying to obtain the credentials by launching automated attacks in a distributed manner from a wide variety of IP addresses in different geographic locations, which also keeps each individual source below a per-IP lockout threshold. Determining how, when, and from where user accounts are accessed is therefore an essential part of the threat intelligence process. CloudSOC provides a detection control for defining alert settings that flag account access from suspicious locations.

Figure 3: CloudSOC Threat Tree for Alerts Related to Suspicious Locations Access Attempts  in Office 365
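As an added example (not CloudSOC’s own logic and not code from the original post), the following Python script applies the two detections discussed in the previous two sections, threshold-based brute-force alerting and suspicious-location access, to a handful of constructed sign-in events shaped like Office 365 audit records. The field names, thresholds, country values (as if added by a GeoIP lookup) and the per-user baseline of known countries are assumptions for illustration only.

```python
"""Threshold-based sign-in detections over Office 365-style audit events.

Constructed example: the events below imitate the shape of Azure AD / Office 365
sign-in audit records (Operation, UserId, ClientIP, CreationTime) with a Country
field assumed to come from a GeoIP lookup. Nothing here is real data or
CloudSOC's own logic; thresholds and the country baseline are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BRUTE_FORCE_THRESHOLD = 5                 # failed logins per user inside the window
BRUTE_FORCE_WINDOW = timedelta(minutes=10)
DISTRIBUTED_MIN_IPS = 3                   # a burst spread over this many IPs is "distributed"

# Countries seen in each user's successful sign-ins during a prior baseline
# period (assumed to have been collected earlier; constructed here).
KNOWN_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def _ev(op, user, ip, country, t):
    return {"Operation": op, "UserId": user, "ClientIP": ip,
            "Country": country, "CreationTime": t}


# Constructed sample events (addresses are from the documentation ranges).
EVENTS = [
    _ev("UserLoggedIn", "alice", "198.51.100.10", "US", "2017-09-01T09:00:00"),
    # bob: six failures from one IP in six minutes, then a success from that IP
    *[_ev("UserLoginFailed", "bob", "203.0.113.5", "CN", f"2017-09-01T10:0{i}:00")
      for i in range(6)],
    _ev("UserLoggedIn", "bob", "203.0.113.5", "CN", "2017-09-01T10:07:00"),
    # carol: five failures from five different IPs within five minutes
    *[_ev("UserLoginFailed", "carol", f"192.0.2.{i}", "US", f"2017-09-01T10:1{i}:00")
      for i in range(1, 6)],
    # alice: a normal sign-in, then one from a country outside her baseline
    _ev("UserLoggedIn", "alice", "198.51.100.10", "US", "2017-09-01T11:00:00"),
    _ev("UserLoggedIn", "alice", "203.0.113.77", "DE", "2017-09-01T14:00:00"),
]


def detect_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD, window=BRUTE_FORCE_WINDOW):
    """Alert when a user accumulates `threshold` failed logins inside a sliding window.

    The alert records the distinct source IPs so a burst spread across many
    addresses (the distributed scenario) is labelled differently from a
    single-source attack.
    """
    recent = defaultdict(deque)           # user -> deque of (time, ip) failures in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        if ev["Operation"] != "UserLoginFailed":
            continue
        t = datetime.fromisoformat(ev["CreationTime"])
        q = recent[ev["UserId"]]
        q.append((t, ev["ClientIP"]))
        while t - q[0][0] > window:       # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            ips = sorted({ip for _, ip in q})
            alerts.append({
                "user": ev["UserId"],
                "failures": len(q),
                "source_ips": ips,
                "kind": "distributed" if len(ips) >= DISTRIBUTED_MIN_IPS else "single-source",
                "last_failure": t,
            })
            q.clear()                     # one alert per burst, not one per extra failure
    return alerts


def detect_suspicious_access(events, known_countries=KNOWN_COUNTRIES, brute_force_alerts=None):
    """Alert on successful sign-ins that look like credential compromise.

    Two signals: the sign-in comes from a country outside the user's baseline,
    or from an IP that just took part in a brute-force burst against that user.
    """
    if brute_force_alerts is None:
        brute_force_alerts = detect_brute_force(events)
    bursts = defaultdict(list)            # user -> [(ip, time of last failure in burst)]
    for a in brute_force_alerts:
        for ip in a["source_ips"]:
            bursts[a["user"]].append((ip, a["last_failure"]))

    alerts = []
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        if ev["Operation"] != "UserLoggedIn":
            continue
        user, ip, country = ev["UserId"], ev["ClientIP"], ev["Country"]
        t = datetime.fromisoformat(ev["CreationTime"])
        reasons = []
        if country not in known_countries.get(user, set()):
            reasons.append(f"new country {country}")
        if any(ip == bip and t >= bt for bip, bt in bursts[user]):
            reasons.append("success after failure burst from same IP")
        if reasons:
            alerts.append({"user": user, "ip": ip, "time": ev["CreationTime"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_brute_force(EVENTS):
        print("BRUTE FORCE", a)
    for a in detect_suspicious_access(EVENTS):
        print("SUSPICIOUS ACCESS", a)
```

Run as written, the script raises two brute-force alerts (a single-source burst against bob and a distributed one against carol) and two suspicious-access alerts: bob’s successful sign-in from the same IP that just failed repeatedly, which is the compromised-credential scenario, and alice’s sign-in from a country outside her baseline. Clearing the failure queue after each alert is what keeps a long-running attack from producing one alert per attempt; a product would additionally dedupe on the source IP and apply per-IP lockout thresholds.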


Apart from detecting the threats above, Symantec CloudSOC provides broad protection for Microsoft environments, including:

  • Support for both API and Gateway deployment modes for complete coverage of both corporate and personal accounts, in-line detection/prevention, and cloud-to-cloud protection.
  • Comprehensive coverage of the Office 365 suite: not just OneDrive, but also Exchange email, SharePoint sites, Yammer, and other key components of the O365 ecosystem.
  • Monitoring and protection of Azure environments (IaaS), including auditing of administrative user activity and policy enforcement.
  • Robust cloud DLP to analyze and restrict uploading, downloading, and sharing of sensitive content.
  • Advanced user behavior analytics that analyzes each user account to detect suspicious activity and trigger actions such as alert, quarantine, or block.
  • Compliance reporting and monitoring for Microsoft environments to ensure users are appropriately leveraging cloud apps and services.
  • Extensive integrations with core security technologies, such as Symantec DLP, Symantec ATP, Symantec ICE, Symantec ProxySG/WSS, Symantec VIP, Symantec Endpoint Protection (SEP), and Symantec MSS, to ensure comprehensive coverage for cloud content.
