A Secure Future in the Cloud
Threat Detection and Protection
About Speaker
• Dr. Aditya K Sood, PhD
– Director of Security and Cloud Threat Labs, Blue Coat Systems
– Regular Speaker at Industry Leading Security Conferences
• DEFCON | BlackHat | OWASP | ToorCon
– Author of the book “Targeted Cyber Attacks”
– Published Research in Magazines and Journals including:
• IEEE | Virus Bulletin | Elsevier | Crosstalk
Agenda
• Understanding Threats in the Cloud
• Understanding Threat Actors
• Real world case studies including:
– Account Hijacking (phishing, botnets, vulnerabilities, etc.)
– Malware Distribution (drive-by downloads, malware hosting, etc.)
– Data Exfiltration (document exposure, data thefts, etc.)
• Threat Overview and Response Techniques
• Discussion: Finest 7 Threat Detection and Protection Techniques
• CloudSOC: Mapping Finest 7 to the CloudSOC Platform
• Q & As
Threats in Cloud Apps - Reality Check!
Why Threat Protection in the Cloud?
Let’s First Talk About Threat Actors
Threat Actors
• Employees
– Loose shares – set to “all company” or shared “publicly” to save time
– Forgotten shares still in place
– Inadvertent sharing – inherited file and folder permissions
– Use devices with an unapproved security posture
Threat Actors
• Malicious Insiders
– Share data hosted on cloud apps intentionally
• Unauthorized data sharing
– Download data from cloud apps and exfiltrate it using USB and other means
• Data exfiltration
– Modify sensitive data hosted on the cloud app
• Data fraud and destruction
Threat Actors
• Attackers
– Steal cloud app credentials through malware
– Conduct phishing attacks against users
– Exfiltrate data through cloud apps
– Implant and distribute malware (ransomware) on hijacked cloud apps
– Exploit vulnerabilities in platforms used to host cloud apps
Let’s Talk About Threats
Account Hijacking
Data Exfiltration and Fraud
Malware Distribution
Threat : Account Hijacking
Man-in-the-Browser – Hooking Browser Functions
Threat : Account Hijacking
• Overview:
– Stealing users’ credentials and ultimately hijacking their accounts using:
• Phishing attacks
• Infecting end-user systems with bots
• Exploiting vulnerabilities in cloud application platforms
– End target is to access users’ cloud accounts for nefarious operations
• Response:
– User behavior profiling for detecting suspicious activity
• Actions performed in the cloud apps – time based mapping
• Geo-location analysis
• Cloud application usage and mapping
– To detect what happens in the cloud apps once the accounts are compromised
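The response bullets above describe user behavior profiling in three parts: time based mapping of actions, geo-location analysis, and mapping what the account does after it is compromised. The following is an added example that is not part of the original deck or of any Blue Coat / CloudSOC code. It learns a per-user baseline (hours of day and countries seen) from a constructed audit log, flags logins that deviate from that baseline, and lists the actions the account performed afterwards. The event tuple layout, the function names and the sample data are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (user, action, ISO timestamp, country).
# The field layout is an assumption; a real cloud app log carries more attributes.
EVENTS = [
    ("alice", "login",    "2016-05-02T09:05:00", "US"),
    ("alice", "download", "2016-05-02T09:20:00", "US"),
    ("alice", "login",    "2016-05-03T08:55:00", "US"),
    ("alice", "login",    "2016-05-04T09:10:00", "US"),
    ("alice", "login",    "2016-05-05T03:12:00", "RU"),   # off-hours, unseen country
    ("alice", "share",    "2016-05-05T03:15:00", "RU"),
    ("alice", "download", "2016-05-05T03:40:00", "RU"),
    ("bob",   "login",    "2016-05-02T14:00:00", "GB"),
    ("bob",   "login",    "2016-05-05T14:30:00", "GB"),
]


def parse(events):
    """Turn the raw tuples into (user, action, datetime, country), oldest first."""
    parsed = [(u, a, datetime.fromisoformat(ts), c) for u, a, ts, c in events]
    return sorted(parsed, key=lambda e: e[2])


def build_profiles(events, baseline_end):
    """Per-user baseline learned from events before baseline_end:
    the hours of day and the countries the user has been active from."""
    profiles = defaultdict(lambda: {"hours": set(), "countries": set()})
    for user, _action, ts, country in events:
        if ts < baseline_end:
            profiles[user]["hours"].add(ts.hour)
            profiles[user]["countries"].add(country)
    return profiles


def deviations(profile, ts, country):
    """Reasons a login deviates from the learned profile (empty list = normal)."""
    reasons = []
    if ts.hour not in profile["hours"]:
        reasons.append("unusual hour")
    if country not in profile["countries"]:
        reasons.append("new geo-location")
    return reasons


def detect_suspicious_logins(events, baseline_end_iso, follow_hours=24):
    """Flag logins after the baseline period that deviate from the user's
    profile, and map the actions the account performed afterwards."""
    baseline_end = datetime.fromisoformat(baseline_end_iso)
    evs = parse(events)
    profiles = build_profiles(evs, baseline_end)
    alerts = []
    for i, (user, action, ts, country) in enumerate(evs):
        if action != "login" or ts < baseline_end:
            continue
        if user not in profiles:
            continue  # no baseline yet; a production system would handle this separately
        reasons = deviations(profiles[user], ts, country)
        if not reasons:
            continue
        # Usage mapping: what the account did in the window after the odd login.
        after = [a for u, a, t, _c in evs[i + 1:]
                 if u == user and t - ts <= timedelta(hours=follow_hours)]
        alerts.append({"user": user, "login_at": ts.isoformat(), "country": country,
                       "reasons": reasons, "actions_after": after})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(EVENTS, "2016-05-05T00:00:00"):
        print(alert)
```

On the constructed data only alice's 03:12 login from a country never seen in her baseline is flagged, and the alert carries the share and download that followed it, which is the "what happens once the account is compromised" view the slide calls for.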
Threat : Malware Distribution
Petya ransomware distribution via DropBox
https://www.elastica.net/dissecting-petya-ransomware-distribution
Threat : Malware Distribution
• Overview:
– Conducting infections through drive-by download attacks using a variety of techniques:
• Hosting malware (exes) in the cloud
• Hosting malicious JavaScript code in cloud storage apps which fetches the malware from 3rd party domains
– End target is to infect users’ (cloud apps) systems with malware
• Response:
– Suspicious content analysis
• Scanning files uploaded and downloaded by the users
• Sharing of suspicious files such as executables, JavaScripts, etc. to external users
• File camouflaging checks
– Correlating suspicious content analysis with user profiling
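Two of the response items above, file camouflaging checks and flagging risky files shared to external users, can be implemented without a full malware scanner. The following is an added example, not code from the original deck or from any Blue Coat / CloudSOC product. It compares the type claimed by a file name with the type indicated by the file's leading bytes, catches double extensions that end in an executable type, and flags risky content that has been shared externally. The sample uploads, their header bytes, the signature table and the function names are all constructed for the example; a real deployment would feed the same records into an antivirus scan as well.

```python
# Constructed sample uploads: (file name, first bytes of content, shared with external users?)
# The byte strings are hand-made stand-ins for file headers, not real files.
UPLOADS = [
    ("report.pdf",      b"%PDF-1.4\n%...",        False),
    ("holiday.jpg",     b"MZ\x90\x00\x03\x00",    False),   # PE header behind an image name
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00",    True),    # double extension, shared out
    ("loader.js",       b"document.write('x');",  True),    # script shared externally
    ("deck.pptx",       b"PK\x03\x04\x14\x00",    False),   # zip container is expected here
]

# Well-known file headers (magic bytes) and the content type they indicate.
SIGNATURES = [
    (b"MZ", "exe"),            # Windows PE executable
    (b"%PDF", "pdf"),
    (b"\x89PNG", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"PK\x03\x04", "zip"),    # also Office Open XML and JAR containers
]
ZIP_BASED = {"zip", "docx", "xlsx", "pptx", "jar"}          # legitimately zip on the inside
RISKY = {"exe", "js", "vbs", "hta", "scr", "jar"}           # types worth scrutiny when shared


def sniff_type(head):
    """Identify the content type from the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return "unknown"


def claimed_extensions(name):
    """All extensions in the name, lowercase: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def check_file(name, head, shared_externally):
    """Return a list of findings for one upload (empty list = nothing suspicious)."""
    findings = []
    exts = claimed_extensions(name)
    last = exts[-1] if exts else ""
    actual = sniff_type(head)
    # 1. Camouflage: the header identifies a type the file name does not claim.
    if actual != "unknown" and last != actual:
        if not (actual == "zip" and last in ZIP_BASED):
            findings.append(f"camouflaged: content is {actual}, named .{last or '(none)'}")
    # 2. Double extension ending in a risky type (e.g. invoice.pdf.exe).
    if len(exts) >= 2 and last in RISKY:
        findings.append("double extension ending in risky type")
    # 3. Risky content handed to external users.
    if shared_externally and (actual in RISKY or last in RISKY):
        findings.append("risky file shared with external users")
    return findings


def scan_uploads(uploads):
    """Map each flagged file name to its findings; clean files are omitted."""
    flagged = {}
    for name, head, shared in uploads:
        findings = check_file(name, head, shared)
        if findings:
            flagged[name] = findings
    return flagged


if __name__ == "__main__":
    for name, findings in scan_uploads(UPLOADS).items():
        print(name, "->", findings)
```

The results of this scan are the "suspicious content analysis" the slide wants to correlate with user profiling: a camouflaged executable is worth more attention when the uploading account also shows the login anomalies described under account hijacking.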
Threat : Data Exfiltration and Fraud
• Overview:
– Exposing and stealing sensitive data hosted on cloud apps:
• Document exposure
• Data fraud via data destruction – altering files’ contents, replacing versions, etc.
– Document exposure and fraud could be the result of:
• Employees’ mistakes
• Malicious insiders or attackers doing it intentionally
• Response:
– Detecting anomalies
• Files shared with external entities
• Excessive deletion of files
• Excessive downloading of files
– Correlating user profiling with document related anomalies
– Preventing leakage of sensitive data
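The anomaly list above (external shares, excessive deletion, excessive downloading) and the correlation step can be expressed as a small detection over file-activity events. The following is an added example, not part of the original deck and not CloudSOC code. It builds per-user daily counts of downloads and deletes, compares the day under review against that user's own history, finds shares to recipients outside the company domain, and marks users who hit both a volume anomaly and an external share as high severity. The event layout, the company domain, the thresholds and the sample activity are constructed for the example.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

COMPANY_DOMAINS = {"example.com"}   # assumed internal domain for the constructed sample


def _repeat(user, action, day, n):
    """Helper to build n identical constructed events without listing them out."""
    return [(user, action, day, None)] * n


# Constructed file-activity events: (user, action, day, share recipient or None).
EVENTS = (
    _repeat("alice", "download", "2016-05-02", 5) + _repeat("alice", "delete", "2016-05-02", 1)
    + _repeat("alice", "download", "2016-05-03", 6)
    + _repeat("alice", "download", "2016-05-04", 4) + _repeat("alice", "delete", "2016-05-04", 1)
    + _repeat("alice", "download", "2016-05-05", 40) + _repeat("alice", "delete", "2016-05-05", 25)
    + [("alice", "share", "2016-05-05", "bob@example.com"),
       ("alice", "share", "2016-05-05", "someone@gmail.com")]
    + _repeat("bob", "download", "2016-05-02", 3) + _repeat("bob", "download", "2016-05-03", 4)
    + _repeat("bob", "download", "2016-05-04", 2) + _repeat("bob", "download", "2016-05-05", 4)
)


def daily_counts(events):
    """(user, action) -> Counter of events per day."""
    counts = defaultdict(Counter)
    for user, action, day, _target in events:
        counts[(user, action)][day] += 1
    return counts


def volume_anomalies(events, day, min_count=10, sigmas=3.0):
    """Flag users whose download/delete count on `day` is far above their own
    history. Days with no activity are simply absent from the history, so the
    baseline is built from observed days only (a simplification)."""
    alerts = []
    for (user, action), per_day in daily_counts(events).items():
        if action not in ("download", "delete"):
            continue
        today = per_day.get(day, 0)
        if today < min_count:
            continue                           # too small to matter regardless of history
        history = [n for d, n in per_day.items() if d < day]
        if not history:
            alerts.append((user, f"excessive {action}", today, None))
            continue
        # Floor the deviation at 1 so a flat history does not yield a zero threshold.
        threshold = mean(history) + sigmas * max(pstdev(history), 1.0)
        if today > threshold:
            alerts.append((user, f"excessive {action}", today, round(threshold, 1)))
    return alerts


def external_shares(events, day):
    """Shares on `day` whose recipient domain is outside the company."""
    out = []
    for user, action, d, target in events:
        if action == "share" and d == day:
            domain = target.rsplit("@", 1)[-1].lower()
            if domain not in COMPANY_DOMAINS:
                out.append((user, target))
    return out


def report(events, day):
    """Correlate volume anomalies with external shares for the day under review."""
    vol = volume_anomalies(events, day)
    ext = external_shares(events, day)
    both = {u for u, *_ in vol} & {u for u, _ in ext}
    return {"volume": vol, "external_shares": ext, "high_severity_users": sorted(both)}


if __name__ == "__main__":
    print(report(EVENTS, "2016-05-05"))
```

On the sample, alice's 40 downloads and 25 deletes are both far above her three-day history and she also shared a file to a gmail.com address, so she is the single high-severity user; bob's four downloads never clear the minimum count.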
Window of Exposure
• w(d) = Window of Detection
• w(p) = Window of Prevention
• w(e) = Window of Exposure
LEGEND
t = time when the sensitive document is exposed (to the Internet or unauthorized users)
p = time when the document is removed (or restricted or patched)
d = time when the document is detected as exposed
w(e) = w(d) + w(p)
w(d) = (d – t) → difference between detection time and exposure time
w(p) = (p – d) → difference between prevention time and detection time
(so w(e) = (d – t) + (p – d) = p – t, the whole time the document stays exposed)
Window of Exposure - Risks
[Figure: timeline EXPOSED → DETECTED → PREVENTED; w(d) = Window of Detection runs from exposure to detection, w(p) = Window of Prevention from detection to prevention, and together they form w(e) = Window of Exposure; the document is vulnerable to attackers until prevented]
Reducing Window of Exposure
• Enterprises are more prone to risks if w(e) is high because…
– either w(d) or w(p) is high
– both w(d) and w(p) are high
[Figure: without a Cloud Access Security Broker (CASB), w(d) and w(p) are long and w(e) is high; with a CASB, w(e) is minimized]
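To make the window of exposure model usable in an incident review, the following added example (not from the original deck, not CloudSOC code) computes w(d), w(p) and w(e) for a constructed set of exposed documents using the slide's definitions, measures still-open windows up to a given "now", and reports which term (detection, prevention, or both) is high for each document, which is exactly the split the slide above makes. The incident table, the `high_hours` cutoff and the function names are assumptions for the example.

```python
from datetime import datetime

# Constructed incident timeline (not real data). For each document:
#   t = when it was exposed, d = when the exposure was detected,
#   p = when it was removed/restricted (None while still open).
INCIDENTS = {
    "roadmap.docx": ("2016-05-01T10:00:00", "2016-05-01T10:30:00", "2016-05-01T10:45:00"),
    "payroll.xlsx": ("2016-05-01T09:00:00", "2016-05-04T16:00:00", "2016-05-05T09:00:00"),
    "design.pdf":   ("2016-05-05T08:00:00", "2016-05-05T09:00:00", None),
}


def _hours(a, b):
    return (b - a).total_seconds() / 3600.0


def exposure_windows(t_iso, d_iso, p_iso, now_iso):
    """Return w(d), w(p), w(e) in hours and whether the window is still open.
    Per the slide: w(d) = d - t, w(p) = p - d, w(e) = w(d) + w(p).
    Open windows (no detection or no prevention yet) are measured up to `now`."""
    now = datetime.fromisoformat(now_iso)
    t = datetime.fromisoformat(t_iso)
    d = datetime.fromisoformat(d_iso) if d_iso else None
    p = datetime.fromisoformat(p_iso) if p_iso else None
    if d is None:
        # Still undetected: the detection window keeps growing and w(p) has not started.
        w_d = _hours(t, now)
        return {"w_d": w_d, "w_p": 0.0, "w_e": w_d, "open": True}
    w_d = _hours(t, d)
    w_p = _hours(d, p) if p is not None else _hours(d, now)
    return {"w_d": w_d, "w_p": w_p, "w_e": w_d + w_p, "open": p is None}


def rank_incidents(incidents, now_iso, high_hours=4.0):
    """Rank documents by w(e) and name the windows that exceed `high_hours`,
    so a reviewer sees whether slow detection, slow prevention, or both drove the risk."""
    rows = []
    for doc, (t, d, p) in incidents.items():
        win = exposure_windows(t, d, p, now_iso)
        high = [name for name, val in (("detection", win["w_d"]), ("prevention", win["w_p"]))
                if val > high_hours]
        rows.append({"doc": doc, **win, "high": high})
    return sorted(rows, key=lambda r: r["w_e"], reverse=True)


if __name__ == "__main__":
    for row in rank_incidents(INCIDENTS, "2016-05-05T12:00:00"):
        print(row)
```

In the sample, payroll.xlsx sat exposed for 79 hours before detection and another 17 before it was restricted, so both windows are high; roadmap.docx was caught and fixed within the hour; design.pdf is detected but not yet prevented, so its w(p) is still growing.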
Let’s Revisit the Crux !
Finest 7 : Threat Response Techniques
Cloud Apps Threat (Attack) Detection and Protection Techniques
1. Attaining visibility into cloud apps traffic
2. User behavior profiling (threat profiling and scoring): actions in the cloud apps
3. Inherent file scanning for potential analysis of malicious code
4. Data leakage detection and protection (PHI, PII, source code and other sensitive data)
5. Security policies enforcement through gateway / proxy components
6. File shares profiling – deeper look into file access permissions
7. Incident response using historical data
CloudSOC - Mapping the Finest 7 Threat Response Tactics
Cloud Apps Visibility
Data Leakage Prevention
File Shares Profiling
User Behavior Profiling
Policy Enforcement
Malware Scanning
Incident Response
Thanks!