Fighting malware in the cloud
Cloud adoption continues its march, but this also brings new cyber threats
The growth in cloud usage has meant that criminals are also exploiting the cloud to spread malware faster and further than ever before.
Criminals can use cloud to spread malware in a number of ways, including hosting the command & control (C2) infrastructure on cloud compute/VM resources; using cloud storage to actually host malware; and hosting the supporting infrastructure such as fake login sites, payment back-ends, and others on cloud resources.
Fernando Montenegro, senior analyst on the information security team at 451 Research, says it's important to note that criminals get to these resources both by doing fraudulent sign-ups as well as taking over legitimate accounts.
He says that the price of having fantastic cloud resources at our disposal and their benefits is doing the eternal vigilance of securing those resources. "It goes back to the shared responsibility model where cloud providers are responsible for a part of the technology stack, and their customers are responsible for the rest," he says.
Dedicated protection
Montenegro says that major cloud providers have long recognised security for cloud workloads is essential and have been doing a good job of managing what they can. It's a combination of fraud detection on signups, monitoring for misuse, and cooperating with other organisations to take down the inevitable attackers when they crop up.
"Another area they have been very clear on is that security in the cloud is a shared responsibility, and have provided lots of resources for companies to understand their role in securing cloud workloads, using the tools offered by the cloud providers or third party tools," he adds.
So are cloud providers doing enough to offer protection against malware in the cloud? Anurag Kahol, CTO at cloud security software firm Bitglass, says no.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
"A worryingly low number of cloud service providers offer dedicated protection against malware in the cloud," he says. "While Office 365, G Suite, and Azure do have the ability to identify common 'known' malware, when it comes to defending against zero-day attacks, most cloud apps come up short. Today, there is a shortage of proactive cloud malware solutions, even amongst industry-leading cloud app vendors."
Cloud providers have to tread a careful path between providing flexible and innovative services at significant scale versus behaving as a good net-citizen, according to Wayne Stallwood, infrastructure consultant at KCOM.
"In terms of intentional malware hosting, cloud providers need to protect their service and the reputation of the IP net-blocks they are provided on," he says.
"So, they all proactively respond to deliberate misuse or abuse of the hosting services they provide. More frequently, however, the malware will be hosted unintentionally where a compromised service, managed by a consumer of cloud services or stolen cloud service credentials, has allowed malware distributors or developers to gain control of an account."
He adds that cloud providers and a growing list of ISVs offer an extensive array of technical controls to monitor and prevent this, but those controls must be operated by well-developed management policies within the organisations consuming cloud services for them to be effective.
Key areas to secure in the cloud
One of the key areas to consider when implementing security for cloud is ensuring the capacity and availability of the service, according to Mike Smart, product director at Forcepoint.
"Using security that isn't conscious of the cloud environment it's operating in can really impact availability in terms of drastically reducing performance and capacity. Malware is forever getting more evasive. It's therefore also important to keep updated with the latest technology for detection and monitoring -- technology that can accommodate multiple tricks that malware uses to evade detection," he says.
He adds that wrongly assuming the cloud provider's security controls are adequate for your needs, or not fully understanding whether additional security is needed, is still a big area of weakness that organisations might need to face up to.
When it comes to fighting malware, the cloud offers a great advantage, says Montenegro.
"Many large vendors have developed architectures where they use the cloud to share information between their components, meaning that the moment unknown malware is detected in one system, that information is quickly passed to every other system, making the entire network more resilient. This is not perfect, of course, but it gives us an opportunity to severely limit the impact of specific strains of malware," he says.
Steven Murdoch, security architect at the VASCO Innovation Center, Cambridge, says the challenge of mitigating the risk of malware in a cloud environment is in many ways the same as it would be in a self-hosted environment.
The key difference, he says, is that in the cloud, applications share infrastructure with other, potentially malicious, customers and so depend entirely on the cloud platforms' isolation measures for protection from malware.
"These measures are good but every so often flaws are discovered so customers of cloud providers need to be aware of the risk and have mitigations and recovery plans ready should there be a compromise. Customers may also choose to adopt cloud products in which infrastructure sharing is either restricted or not used at all," he adds.
Fighting malware in the future
As enterprises move more of their apps into the cloud, we're already seeing new ways in which bad actors will seek to abuse and attack those organisations, according to Matt Walmsley, EMEA director of Vectra.
"Many of those new workloads will be federated apps, built on API calls to cloud services outside the direct control of the developer and operator," he says. "Attacks leveraging cloud Platform-as-a-Service components (PaaS) such as storage, backup and serverless compute, will nullify traditional approaches brought over from datacentres."
Smart says users and their cloud credentials will also continue to play a bigger part in cyberattacks. "It's much easier to use stolen credentials to get access to a cloud service, than to develop custom malware and attack a network," he says.
Montenegro also sees more opportunities for criminals to hijack unsuspecting accounts for their own nefarious purposes.
"In aggregate, as everyone starts to leverage more cloud services, we see increased importance in understanding and adopting the shared responsibility practices. In more tactical terms, we see increased adoption of cloud-based infrastructure to manage security solutions," he says.
Main image credit: Bigstock
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.