Written by Anurag Kahol, CTO, Bitglass
Enterprise cloud adoption has grown
exponentially in recent years. Bitglass' 2018 Cloud Adoption Report found that 81
percent of organizations around the world now use cloud apps, taking advantage
of the improved productivity and flexibility that they provide. While
businesses benefit greatly from using the cloud, they must also keep in mind
that the cloud offers new avenues for malicious actors to launch cyberattacks.
'Man in the Cloud' (MitC) attacks are one such
threat that has risen to prominence on the heels of widespread cloud adoption.
This tactic involves accessing victims' accounts without the need for
compromised user credentials. The following paragraphs describe this dangerous,
stealthy attack in detail, and offer practical advice for enterprises so that
they can defend their data and cloud services against bad actors employing the
tactic.
Defining MitC
MitC attacks leverage the OAuth
synchronization token system used by cloud applications to allow anytime,
anywhere data access. Services including Dropbox, Microsoft OneDrive, Google
Drive and others all save one of these tokens on a user's device after initial
authentication is completed. This is intended to be a convenience for users
because, when they have an OAuth token from a cloud app, they don't have to
enter a password every time they attempt to access said app. Additionally, a
single token can grant access to a user from any device of her or his choosing.
However, this also means that attackers who are successful in accessing and
copying a token can infiltrate a victim's cloud remotely from their own
devices. Because cloud access is intended to be convenient and to allow
authorized users to work from any device, the malicious actions appear genuine
and often go undetected by security measures.
The simplest way to get access to a token is
through social engineering. With this tactic, the victim is tricked into
running purpose-built malware tools (e.g. Switcher), which are typically distributed via
email. After running on the victim's device, the malware installs a new token
belonging to an account that the attacker created, and moves the victim's true
token into a cloud sync folder. The next time the victim's device syncs, it
will sync the victim's data to the attacker's account, and the victim's real
account token will be revealed to the attacker. Armed with the victim's real token,
the Switcher malware can be used to copy it back to the victim's device and
erase the imposter token, deleting all traces of the security breach. The
attacker is left with full access to the victim's account, on any device, and
the victim likely has no idea that the events transpired at all.
Defending Against MitC
Conventional endpoint and perimeter protection
security tools are not effective against MitC attacks. Operating in the cloud
is a fundamentally different way of conducting business and, as such, requires
different types of security measures. Fortunately, enterprises can take the
following steps to thwart MitC attacks.
I. Employee Training
Because MitC attacks
leverage social engineering to infect systems with malware, training employees
to avoid cleverly-disguised malicious emails can be a very effective defensive
tactic. Well-trained employees are far less likely to click on a malicious link
or open an attachment from a phishing email. By conducting regular trainings
with all employees, enterprises can ensure that security stays top of mind and
that everyone in the company can recognize the signs of an attempted breach.
II. Encrypt Cloud Data
While encrypting data
in the cloud will not necessarily prevent MitC attacks from taking place, it
will prevent the breach of sensitive data that could occur as a result of a
MitC attack. For this protective measure to be effective, it is critical that
the encryption keys are not stored within the targeted cloud service. In other
words, third-party encryption tools are a must. This way, any data accessed
through a MitC attack will be indecipherable and unusable to the attacker.
III. Enable Multi-factor Authentication
Multi-factor authentication (MFA) is incredibly helpful for thwarting MitC attacks. MFA is available
from leading cloud services such as Office 365, as well as from advanced security
solutions designed to verify users' identities across all of an enterprise's
cloud-based resources. MFA adds another layer of security that will immediately
stop any MitC attacker who lacks the ability to authenticate beyond an OAuth
token. As an example, a hacker with an OAuth token will not have access to the
hardware token that the rightful user physically carries.
IV. Employ a CASB
A cloud access security broker (CASB) is one of the most comprehensive ways to defend against
MitC and other cloud-specific attacks. CASBs serve as an intermediary for all
traffic between an enterprise's cloud apps and endpoint devices, and
automatically replace each app's OAuth tokens with encrypted tokens before
delivering them to endpoints. When a device attempts to access a cloud app,
this unique encrypted token is presented back to the CASB, which decrypts it
and forwards it to the app. So, if a valid user's token were to be replaced with
that of a hacker, the malicious token would fail validation and decryption at
the CASB. As such, MitC attackers will be denied access to the intended
victim's account, and all data will remain secure.
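To make the CASB token substitution concrete, here is an added Python sketch (not Bitglass code or any product's implementation) of a broker that hands endpoints an encrypted token in place of the app's real OAuth token and only forwards a request upstream when that token validates and decrypts. The device binding and the HMAC-based stream cipher used as a stand-in for AES-GCM are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical broker key: held only by the CASB, never delivered to an endpoint.
CASB_KEY = hashlib.sha256(b"constructed-demo-casb-key").digest()
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as an illustrative keystream; a real broker would use AES-GCM.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_token(app_token: str, device_id: str, key: bytes = CASB_KEY) -> str:
    """CASB side: replace the app's OAuth token with an encrypted, device-bound token."""
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = app_token.encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    # Encrypt-then-MAC over nonce, device id and ciphertext: a token copied to another
    # device, altered in transit, or never issued by the broker fails this check.
    tag = hmac.new(key, nonce + device_id.encode() + ciphertext, hashlib.sha256).digest()
    return (nonce + ciphertext + tag).hex()


def unwrap_token(wrapped: str, device_id: str, key: bytes = CASB_KEY) -> Optional[str]:
    """CASB side: validate and decrypt; returns the real app token, or None on failure."""
    try:
        raw = bytes.fromhex(wrapped)
    except ValueError:  # a raw OAuth token or other non-broker value is not even hex
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, nonce + device_id.encode() + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))).decode()


def broker_forward(presented: str, device_id: str) -> str:
    """What the CASB sends upstream: the app's real token on success, otherwise a denial."""
    token = unwrap_token(presented, device_id)
    return token if token is not None else "DENY"
```

The endpoint only ever holds the wrapped value, so a token lifted from a sync folder is useless at the broker without the CASB key and the issuing device's identity.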
MitC attacks aim to take advantage of the
anytime, anywhere data access that is growing in popularity among organizations
around the world. Traditional security tools are ineffective in detecting and
preventing these attacks, but that doesn't mean that enterprises are
defenseless. Thorough and consistent employee training, when paired with
security tools like encryption, MFA, and CASBs, has proven more than capable
of addressing the threat of MitC attacks. However, enterprises leave themselves
vulnerable when they seek to enjoy the benefits of operating in the cloud but
refuse to alter their approach to security. As always, improper data protection
practices will inevitably lead to a breach.
About the Author
As Chief Technology
Officer of Bitglass, Anurag Kahol expedites technology direction and
architecture. Anurag was director of engineering in Juniper Networks' Security
Business Unit before co-founding Bitglass. He received a global education,
earning an M.S. in computer science from Colorado State University, and a B.S.
in computer science from the Motilal Nehru National Institute of Technology.