Man-in-the-Cloud Attacks: Defend the Data Itself
On the first day of Black Hat 2015, the security teams from Imperva revealed a new method that would allow an attacker to capture private corporate data from cloud synchronization tools. This new exploit highlights just how important it is to adopt data-centric security in addition to traditional perimeter- and endpoint-based approaches.
This is an interesting attack, and like many others it relies heavily upon social engineering. The attacker can compromise a cloud service through the endpoint device, a common vector for attacks. Sara Peters at Dark Reading reports that the entrance point is through the user’s sync client, rendering many sync-based services like Dropbox, Google Drive, Syncplicity, and Box potentially vulnerable.
On the surface, this sounds like a massive risk, as hundreds of millions of devices globally have these sync clients installed and actively in use. However, the exploit does require an action by the end user, which is why it depends on social engineering to succeed.
Imperva’s researchers developed a tool called Switcher, which an attacker would have to trick a target into running on their computer. Switcher’s primary purpose is to take over the user’s sync client by duplicating the authenticating synchronization token and moving it to an attacker-controlled machine.
The exploit is notable in that it’s very hard to detect, a trait of most social hacks. In practice, we don’t expect to see this impact too many organizations, but it does highlight a major trend in modern enterprise security: moving security down to the level of the data.
There are many advantages to this approach, and when an organization is targeted by a man-in-the-middle or man-in-the-cloud attack, moving security to the data removes permissions management and encryption keys from the device. This is the approach Vera takes – regardless of whether your data is stored in the cloud or on premises, we secure individual files with strong encryption and manage access by policy. This means that even if an attacker manages to compromise a sync client, end user device, or email account, security teams can prevent any unauthorized access to the information inside. Even better, by moving security from the device to the data, security teams can monitor and track when sensitive data is moved outside of their control.
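To make the data-centric argument concrete, here is an added example that models it end to end. It is not Vera's code or any real product: the sync service stores only ciphertext and authenticates by sync token alone, while a separate policy service holds the per-file keys and releases them only to an enrolled user-and-device pair, logging every decision. The cipher (SHA-256 counter-mode keystream plus an HMAC tag) is an illustrative stand-in for a real AEAD, and the file name, user, device identifiers and file contents are constructed samples. A copied token still retrieves the blob, as the text says, but without a key release it is ciphertext, and the denied request lands in the audit trail.

```python
"""Added illustration (not Vera's code): data-centric protection of synced files."""
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream of `length` bytes from SHA-256 in counter mode (illustrative)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_file(file_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(file_key, nonce, len(plaintext))))
    tag = hmac.new(file_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_file(file_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; raise on any tampering."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(file_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(file_key, nonce, len(body))))


class SyncService:
    """Stores whatever the client uploads; knows nothing but the sync token (constructed model)."""

    def __init__(self):
        self._tokens = {}  # token -> user
        self._store = {}   # user -> {file_id: blob}

    def issue_token(self, user: str) -> str:
        token = os.urandom(16).hex()
        self._tokens[token] = user
        self._store.setdefault(user, {})
        return token

    def upload(self, token: str, file_id: str, blob: bytes) -> None:
        self._store[self._tokens[token]][file_id] = blob

    def download(self, token: str, file_id: str) -> bytes:
        return self._store[self._tokens[token]][file_id]


class PolicyService:
    """Holds per-file keys; releases them only to enrolled (user, device) pairs and logs each request."""

    def __init__(self):
        self._keys = {}  # file_id -> file key
        self._acl = {}   # file_id -> {(user, device_id)}
        self.audit = []  # (event, file_id, user, device_id)

    def register(self, file_id: str, user: str, device_id: str) -> bytes:
        key = os.urandom(32)
        self._keys[file_id] = key
        self._acl[file_id] = {(user, device_id)}
        return key

    def release_key(self, file_id: str, user: str, device_id: str):
        if (user, device_id) in self._acl.get(file_id, set()):
            self.audit.append(("key_released", file_id, user, device_id))
            return self._keys[file_id]
        self.audit.append(("key_denied", file_id, user, device_id))
        return None


def scenario() -> dict:
    """Walk through a legitimate read and a copied-token read of the same file."""
    sync, policy = SyncService(), PolicyService()
    file_id, secret = "q3-forecast.xlsx", b"revenue: 42M (constructed sample)"

    # 1. The enrolled laptop encrypts locally; the sync client only ever sees ciphertext.
    token = sync.issue_token("alice")
    key = policy.register(file_id, "alice", "alice-laptop")
    sync.upload(token, file_id, encrypt_file(key, secret))

    # 2. Legitimate read: the token fetches the blob, the policy service releases the key.
    blob = sync.download(token, file_id)
    plain = decrypt_file(policy.release_key(file_id, "alice", "alice-laptop"), blob)

    # 3. Man-in-the-cloud scenario: the same token is presented from an unenrolled host.
    blob_copy = sync.download(token, file_id)                          # sync layer cannot tell
    key_copy = policy.release_key(file_id, "alice", "unenrolled-host")  # policy layer can

    return {
        "plaintext_on_enrolled_device": plain,
        "ciphertext_obtainable_with_copied_token": blob_copy == blob,
        "key_released_to_copied_token": key_copy is not None,
        "audit": policy.audit,
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, "=", v)
```

The design choice worth noticing is the split of trust: the sync service is treated as untrusted storage, so duplicating its token moves only ciphertext, and the policy service's device check plus audit log is what turns a silent token copy into a visible, denied event. How a real deployment binds a request to a device is an assumption here (the model simply passes a device identifier).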
I believe one of the big ideas coming out of Black Hat this year will be this concept of moving security away from porous perimeters, device management, and other overly trusting models. With more granular, data-level security, we can address many of these traditional limitations and at the same time give people the confidence to collaborate more freely with customers and partners.