CloudEXPO 2019 has ended
Wednesday, June 26 • 8:30am - 9:05am
Lifting the Fog from the Public Cloud: Using Cloud Activity Logs and Decoys to Secure Cloud-Resident Data


Businesses are moving data to the cloud faster than they can secure it, creating significant security risks. This presentation will show how cloud data loss risk monitoring and deception technology can close the security gaps in public file sharing clouds.

Introduction:

The asymmetry of attacker and defender in cybersecurity is well known. This is exacerbated by enterprise digital transformation initiatives, pushing volumes of corporate data into public clouds faster than businesses can protect them. According to a new report by ESG, almost one-quarter (24%) of respondents said that more than 40% of their corporate data resides on public cloud services today. This is expected to more than double to 58% of organizations within 24 months. But this quest to reap the benefits of the cloud -- productivity, better collaboration, and lower costs -- has come at a great price: lack of visibility and control and, hence, increased risk of losing sensitive corporate data.
More than 40% of data stored in public clouds is considered “Sensitive.” Yet, three-quarters of respondents to ESG’s survey believe that at least 20% of their public cloud data is insufficiently secured, and 50% of all respondents said they have lost cloud-resident data. Protecting digitally-stored and shared data, revealing attackers and uncovering identities remain vexing problems for security teams. Cloud data loss risk monitoring and deception techniques are uniquely positioned for the task of increasing visibility and regaining control.

How We Got Here:

This presentation will explore the three major contributing factors driving the loss of data from a public cloud share (Microsoft OneDrive, Google Drive, etc.), and share some real-world examples of these types of data losses, as well as the impact on a company’s bottom line when sensitive data is stolen or leaked. These three contributors are:
Security policy violations
Stolen or “borrowed” access credentials (Masqueraders)
BYOD/Shadow IT

Next, we will walk through the security risks that are specific to sharing data in the cloud, even with legitimate users, such as link sharing, misconfiguration of security settings, etc. The very act of sharing links to files stored in a public cloud puts them at risk. Just recently, data from more than 90 companies was exposed through Box accounts due to employees sharing web links. Some of the companies whose data was exposed included Apple, the Discovery Channel, Herbalife, Schneider Electric, and even Box itself.

Decoys and Document Behavior Monitoring

The inability to detect and understand modern attacker-type breaches has created new interest in deception technology. This presentation will provide a clearer definition of deception technology: what it is, and what it is not. Deception technology is not “hacking back.”

The use of strategically distributed decoys enables organizations to leverage counterfeit resources for the attacker to find, setting alluring traps by placing beacons in phony but highly convincing documents. These documents offer the benefit of low false positives (legitimate users have no reason to be in contact with decoys), and because they are in-line, they take up very little bandwidth. When a decoy is breached, the security team can choose to let the attacker continue while they watch, which aids in the development of intelligence about specific attack vectors and attackers’ ultimate goals. The goal is to create enough doubt in the attacker's mind about whether they have stolen anything of real value that they decide to back out of the cloud environment and move on. This is very different from the “eye for an eye” mentality many associate with “hacking back.” No systems are penetrated or destroyed; instead, the purpose is to gather information on the intruder to turn over to law enforcement.
Deception technology in the form of decoys can aid forensics and response investigations and mitigation capabilities, allowing organizations to actively defend their infrastructure within their own environment and making it easier to investigate, contain, and engage with intruders.

How do cloud activity logs and decoys work together? It’s a two-pronged approach:

Monitoring and tracking documents. By applying a layer of security at the document level to files stored in the public cloud, security operations teams can know, in real time, when documents have been opened, modified, downloaded, and shared to other users – and even the physical locations of the recipients of these shared documents can usually be determined. Defenders can analyze cloud activity logs to determine the extent of the problem. Cloud log analytics can alert personnel to possibly misconfigured cloud share access controls, or user security violations.
Active defense decoys. Using highly realistic but fake documents, security professionals can “set traps” for would-be cybercriminals (both internal and external). Strategically placing decoy documents within the public cloud share uses proven techniques to detect adversaries earlier in the lifecycle of an attack. By staging decoys within the operational network, security professionals gain the same benefits as honeynets, but without the hassle of managing and deploying phony networks.
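
The two prongs above, sketched as detection logic over a cloud activity log. This is an added example, not code from the presentation or from any vendor; the log schema, field names, file IDs and events are constructed assumptions, not a real provider's format.

```python
import json

# Constructed sample events in a hypothetical, provider-neutral schema
# (field names are assumptions, not any cloud provider's real log format).
SAMPLE_LOG = """\
{"ts":"2019-06-26T08:31:02Z","actor":"alice@example.com","action":"open","file_id":"f-1001","ip":"198.51.100.7"}
{"ts":"2019-06-26T08:33:40Z","actor":"bob@example.com","action":"share","file_id":"f-1002","visibility":"anyone_with_link","ip":"198.51.100.9"}
{"ts":"2019-06-26T08:35:11Z","actor":"carol@example.com","action":"download","file_id":"decoy-01","ip":"203.0.113.50"}
{"ts":"2019-06-26T08:36:00Z","actor":"anonymous","action":"open","file_id":"f-1002","ip":"203.0.113.77"}
not-json garbage line
{"ts":"2019-06-26T08:40:19Z","actor":"carol@example.com","action":"open","file_id":"f-1003","ip":"203.0.113.50"}
"""

DECOY_IDS = {"decoy-01"}  # IDs of planted decoy documents (constructed)
TOUCH = {"open", "download", "modify", "share"}

def analyze(log_text, decoy_ids=DECOY_IDS):
    """Return alerts as (rule, actor, file_id) tuples, in log order."""
    alerts, tripped, public = [], set(), set()
    for n, line in enumerate(log_text.splitlines(), 1):
        try:
            ev = json.loads(line)
            actor, action, fid = ev["actor"], ev["action"], ev["file_id"]
        except (ValueError, KeyError, TypeError):
            # Never drop malformed records silently: a gap in the log is a finding.
            alerts.append(("unparsed_line", "-", f"line {n}"))
            continue
        if fid in decoy_ids and action in TOUCH:
            # Legitimate users have no reason to touch a decoy: high confidence.
            alerts.append(("decoy_touch", actor, fid))
            tripped.add(actor)
        elif actor in tripped:
            # Scope the incident: what else did this identity reach afterwards?
            alerts.append(("tainted_actor", actor, fid))
        if action == "share" and ev.get("visibility") == "anyone_with_link":
            # Possible misconfiguration or policy violation: the link is public.
            alerts.append(("public_link", actor, fid))
            public.add(fid)
        elif actor == "anonymous" and fid in public:
            # The exposure is no longer theoretical: someone used the link.
            alerts.append(("anonymous_access", actor, fid))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```
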

Decoys strategically placed within the operational networks avoid the risk that attackers will not penetrate a honeynet.

When executed properly, an active defense strategy changes the asymmetry of cybersecurity, giving defenders the advantage.

Real-world examples of active defense decoys:

Ransomware Attacker Revealed. A large telecom company experienced a ransomware attack that seemingly utilized portions of the NSA leaked malware. Post-attack forensics determined that the adversary had penetrated the organization through a vulnerable set-top box, which then allowed the attacker to rifle through the organization’s folders and directories and encrypt the data on a corporate server. Identifying this attacker, thwarting the attack in its final stages and not paying the ransom became a top priority. In order to receive the ransom in bitcoin, communication between attacker and target was conducted via the Tor chat protocol. The telecom company claimed that it had paid the bitcoin ransom, but in actuality it had not. Instead, the company’s CISO used a decoy document disguised as a bitcoin payment page. The attacker received the confirmation page over Tor and proceeded to open and review the document on his phone. The decoy triggered an alert upon opening, and conveyed geofencing and telemetry insights that allowed the security team to reveal the attacker via his phone service provider.

A Greedy Insider’s Plans Are Foiled. A large enterprise experienced a stock-tampering case that demonstrated a financial fraud attack. The company was suspicious that a rogue insider had been accessing confidential files about the company’s financial performance, and illegally benefiting from inside knowledge of an impending acquisition. It was clear that the insider was leaking and manipulating news about the target company to affect its market valuation. Decoy documents containing compelling information about the target company were strategically placed in file shares. One of the documents was later opened externally at the home of the alleged inside attacker, triggering an alert, surfacing his identity and providing proof for law enforcement. The FBI then did its duty.

Salvatore Stolfo

Founder and Chief Technology Officer, Allure Security
Dr. Salvatore Stolfo is a people-person, which makes him unique in a field where folks focus on making machines. As professor of artificial intelligence and computer science at Columbia University since 1979, Dr. Stolfo has spent his entire career figuring out how people think, and...

Wednesday June 26, 2019 8:30am - 9:05am PDT
05 AI | ML | DL | Artificial Intelligence Room 209