The Black Hat security conference is never short on big news. This year, the event lived up to its reputation with demonstrations of attacks on a number of mainstream devices and appliances, including cars, rifles, and fingerprint readers. One item, among the 15 Scariest Things at Black Hat 2015, that caught the attention of enterprises was the Man in the Cloud (MITC) attack presented by cybersecurity firm Imperva. The technique lets an attacker read (and write) data in cloud storage services such as Dropbox, Box, and OneDrive by abusing the authentication token the sync client stores on the endpoint, without ever learning the user's login credentials.
Skyhigh’s most recent quarterly Cloud Adoption & Risk Report found that the average company now uses a mind-boggling 45 file sharing services and the average employee uses 3 file sharing applications at work. According to IDC, Enterprise File Sync and Share (EFSS) is now a billion dollar market and over half a billion dollars of net new spending for 2014 was captured by cloud vendors such as Box, Microsoft, and Dropbox. Given the massive adoption of EFSS services, attacks such as Man in the Cloud could severely impact companies of all sizes.
How it works
The MITC attack is based on gaining access to a device synchronization token. The sync client stores this token in a file or in the registry on the device so that the device can keep syncing without prompting the user for credentials again. The token is effectively a bearer credential: whoever presents it is treated as the user's registered device. The attacker gets the victim to execute code that swaps the tokens: it installs the attacker's own synchronization token on the victim's device and copies the victim's synchronization token into the sync folder. The victim's client, now syncing against the attacker's account, uploads the victim's token to the attacker's device. The attacker installs that token in their own sync client and then restores the victim's original token on the victim's device, so the victim's client keeps working and the user notices nothing. From this point on, all of the victim's data is synced to the attacker's device until the stolen token is invalidated. Because the attacker never learned the password, a password change alone may not be enough; the compromised device has to be unlinked (or the token otherwise revoked) at the cloud service.
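The property the attack depends on is that the stored token is a bearer credential that the service accepts from any machine. The following toy model, added here as an illustration and not Imperva's tooling or any vendor's real sync protocol, contrasts such a service with one that binds each token to the device it was issued to and lets the account holder list and revoke linked devices. The service classes, the `device_id` strings and the token format are assumptions made for the example.

```python
"""Toy model of the property Man in the Cloud abuses: a sync token that is a
pure bearer credential.

Added example for this post; not Imperva's tooling and not any vendor's real
sync protocol. Service classes, device_id values and token format are
assumptions made for illustration.
"""
import secrets


class BearerSyncService:
    """Weak model: whoever presents the token is the account (what MITC relies on)."""

    def __init__(self):
        self.tokens = {}  # token -> account

    def link_device(self, account, device_id):
        # Credentials are checked once, at link time; afterwards only the
        # token is sent. The device identity is not recorded at all.
        token = secrets.token_hex(16)
        self.tokens[token] = account
        return token

    def change_password(self, account):
        # Rotating the password does not touch already-issued tokens in this
        # model, so an attacker's copy keeps working. (Toy behaviour; check
        # what your own provider does.)
        return None

    def sync(self, token, device_id):
        return self.tokens.get(token)


class BoundSyncService:
    """Hardened model: token is tied to the device it was issued to and is revocable."""

    def __init__(self):
        self.tokens = {}    # token -> (account, device_id)
        self.revoked = set()

    def link_device(self, account, device_id):
        token = secrets.token_hex(16)
        self.tokens[token] = (account, device_id)
        return token

    def change_password(self, account):
        return None  # same as the weak model: password rotation is not revocation

    def linked_devices(self, account):
        # Visibility first: the user or an admin can see what is linked.
        return sorted(dev for tok, (acct, dev) in self.tokens.items()
                      if acct == account and tok not in self.revoked)

    def revoke(self, token):
        self.revoked.add(token)

    def sync(self, token, device_id):
        record = self.tokens.get(token)
        if record is None or token in self.revoked:
            return None
        account, bound_device = record
        if bound_device != device_id:
            return None  # token presented from a device it was not issued to
        return account


def mitc_scenario(service_cls):
    """Victim links a laptop; the attacker obtains a copy of the token (the swap
    step described above) and presents it from their own machine."""
    svc = service_cls()
    victim_token = svc.link_device("alice", "victim-laptop")
    svc.change_password("alice")  # common but insufficient remediation
    return svc.sync(victim_token, "attacker-box")


def revocation_scenario():
    """With the hardened service, unlinking the device kills the stolen copy too."""
    svc = BoundSyncService()
    victim_token = svc.link_device("alice", "victim-laptop")
    svc.revoke(victim_token)
    return svc.sync(victim_token, "victim-laptop"), svc.linked_devices("alice")


if __name__ == "__main__":
    print("bearer token from attacker box:", mitc_scenario(BearerSyncService))  # alice
    print("bound token from attacker box:", mitc_scenario(BoundSyncService))    # None
    print("after revoke:", revocation_scenario())                                # (None, [])
```

Device binding raises the attacker's cost but is not a complete fix: code running as the user on the victim's machine can read whatever the client uses as its device identity and replay it along with the token. The controls that reliably end a MITC compromise are the ones the hardened model also shows: a list of linked devices that someone actually reviews, and the ability to revoke an individual token rather than only rotating the password.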
Protecting against Man in the Cloud Attacks
Skyhigh’s recent Cloud Adoption and Risk Report for Office 365 showed that the average company uploads 1.37 TB of data to Yammer, SharePoint Online, and OneDrive each month. In addition, 17.4% of the documents stored in OneDrive and SharePoint Online contain sensitive data such as personal information, protected health information, bank account numbers, and card numbers. That alone is reason for enterprises to be concerned about MITC attacks. With so much sensitive data residing in the cloud, companies are understandably worried that they may already have been victims of an MITC breach without knowing it, not least because the attack leaves the victim's own sync client working normally. After all, the Sony breach that brought the company to its knees involved only 25 TB of data. Here are some ways in which companies can detect and protect themselves against an MITC attack.
Device Pinning – This is a security feature offered by leading EFSS solutions such as Box and OneDrive. It lets administrators limit the number of devices per user that can sync data with the cloud service, so an attacker who tries to link an additional device to a user's account is refused. One caveat: a token copied from an already-registered device may be accepted by the service as that same device, depending on how the service identifies devices, so pinning narrows the exposure but should be paired with the ability to see and revoke individual linked devices. In practice, enterprises also rarely enforce such a policy in the BYOD era. In addition, enterprises need to invest in modern security platforms, like Skyhigh, to leverage the following capabilities and protect themselves in all scenarios, independent of end-user productivity policies.
Security Intelligence – A robust security intelligence platform that monitors cloud usage activity and generates alerts when it detects anomalous behavior is key to detecting and responding to an MITC attack. An MITC attack generates a number of anomalies: the same user's sync token suddenly appears from a new device or IP address, from a geographic location the user has never synced from, at unusual hours, or with a sharp rise in the volume of data downloaded. In addition to mitigating known threats such as MITC, enterprises leveraging this intelligence are alerted to anomalous behavior pointing to attack techniques that have not been published yet. Modern security vendors, including Skyhigh, have realized the importance of giving their customers this capability and are investing in big data and machine learning so these solutions scale across the millions of events generated daily.
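The two strongest MITC signals in the list above, one sync token active from two network locations at once and a sudden download surge, can be checked with simple rules before any machine learning is involved. The script below is an added example for this post, not Skyhigh's or any vendor's detection code; the log format, the field names, and the idea that each event carries the identifier of the token that authenticated it are assumptions, and the log lines are constructed. Real EFSS audit feeds (Box events, the Office 365 audit log) have their own schemas that would need mapping onto these fields.

```python
"""Rule-based detection of Man-in-the-Cloud indicators in sync audit logs.

Added example for this post, not Skyhigh's or any vendor's code. Log format,
field names and the per-event token identifier are assumptions; the sample
log lines are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line:
# timestamp user token_id src_ip country action bytes
SAMPLE_LOG = """\
2015-08-10T09:02:11Z alice tok-7f3a 203.0.113.10 US download 120000
2015-08-10T09:15:40Z alice tok-7f3a 203.0.113.10 US upload 40000
2015-08-10T09:20:05Z alice tok-7f3a 198.51.100.7 RO download 900000000
2015-08-10T09:21:30Z alice tok-7f3a 203.0.113.10 US upload 2000
2015-08-10T10:00:00Z bob tok-11ce 192.0.2.44 US download 50000
2015-08-10T11:30:00Z bob tok-11ce 192.0.2.44 US download 60000
"""


def parse_log(text):
    """Parse the whitespace-separated format above into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, token, ip, country, action, nbytes = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "token": token, "ip": ip, "country": country,
            "action": action, "bytes": int(nbytes),
        })
    return sorted(events, key=lambda e: e["time"])


def detect_token_reuse(events, window=timedelta(hours=1)):
    """A sync token is issued to one physical device. The same token presented
    from two different source IPs within `window` means it has been copied,
    which is exactly the state a MITC victim is in after the token swap."""
    by_token = defaultdict(list)
    for e in events:
        by_token[e["token"]].append(e)
    alerts, seen = [], set()
    for token, evs in by_token.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] == cur["ip"] or cur["time"] - prev["time"] > window:
                continue
            key = (token, frozenset((prev["ip"], cur["ip"])))
            if key in seen:
                continue  # report each IP pair once per token
            seen.add(key)
            alerts.append({
                "rule": "token_reuse", "token": token, "user": cur["user"],
                "ips": sorted((prev["ip"], cur["ip"])),
                "countries": sorted({prev["country"], cur["country"]}),
                "gap_seconds": int((cur["time"] - prev["time"]).total_seconds()),
            })
    return alerts


def detect_download_spike(events, window=timedelta(hours=1), threshold=500_000_000):
    """Flag a token whose downloads exceed `threshold` bytes inside any
    sliding `window`; a freshly stolen token pulls the whole sync folder."""
    by_token = defaultdict(list)
    for e in events:
        if e["action"] == "download":
            by_token[e["token"]].append(e)
    alerts = []
    for token, evs in by_token.items():
        start, total = 0, 0
        for e in evs:
            total += e["bytes"]
            while e["time"] - evs[start]["time"] > window:
                total -= evs[start]["bytes"]
                start += 1
            if total > threshold:
                alerts.append({"rule": "download_spike", "token": token,
                               "user": e["user"], "bytes": total, "until": e["time"]})
                break  # one alert per token is enough to open a case
    return alerts


def run(text):
    events = parse_log(text)
    return detect_token_reuse(events) + detect_download_spike(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

On the constructed log, `alice`'s token is seen from a US address and a Romanian address five minutes apart and pulls roughly 900 MB in that window, which produces one alert from each rule; `bob`'s token, used from one address at a modest volume, produces none. The thresholds are deliberately crude; a production system would derive per-user baselines, but the token-reuse rule in particular needs no baseline at all, because a single legitimate device cannot be in two places.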
Cloud Policy Controls – Working with Fortune 500 CIOs and CISOs has helped us learn that every enterprise’s security platform needs to be complemented by the ability to impose Data Loss Prevention (DLP) policies on enterprise cloud services. While many have invested in on-premises DLP solutions, few of these solutions have extended DLP controls to data in the cloud where attacks like MITC occur. By enforcing DLP policies and remediation on cloud storage solutions such as Box and OneDrive, companies prepare themselves to mitigate any breach of data from MITC or other potential threats in the future.
The Bigger Picture
Man in the Cloud attacks may be trending today in the cybersecurity world, but the larger takeaway from Black Hat is that attacks on data in the cloud (like any other data source) will continue to get more frequent and more creative. Any enterprise investing in cloud services will need to ensure that its security capabilities are ready for its cloud strategy. To ensure this, they need a robust cloud governance program that covers the entire lifecycle of adopting a cloud service, and they are increasingly calling upon Cloud Access Security Brokers (CASBs), such as Skyhigh, to drive strategy and key decisions across the following phases of cloud adoption:
Visibility & Service Usage – As companies adopt cloud services, one of the challenges is assessing the security controls offered by cloud providers when the IT team receives hundreds of requests each year. Before organizations can assess the risk of cloud providers, they need visibility into the cloud services already in use. Companies consider CASBs such as Skyhigh because they provide visibility into all of the cloud services in use and also maintain a large registry of cloud services that have already been assessed by an objective third party. [Screenshot from the original post: Skyhigh's list of cloud-based file sharing and collaboration services that offer device pinning and identity federation, two capabilities that matter for protecting against MITC attacks.]
Risk Assessment & Standardization – Even after an organization standardizes on an enterprise-ready cloud service, there is a need to coach users who may be using other cloud services. Most enterprises already block some of these services but are unaware of the vast majority of them. For instance, Google Drive and Dropbox are well known and sometimes blocked by IT, but companies have seen far riskier file sharing services in use, such as Sendspace, Zippyshare, ShareBeast, and Rapidgator. According to Skyhigh, companies use 1,083 cloud services on average, and the IT department is unaware of 90% or more of them. After seeing early adopters of CASBs successfully drive a standardization strategy, enterprises now increasingly leverage CASBs for a comprehensive evaluation. CASBs, such as Skyhigh, analyze firewall logs to provide a list of all cloud services in use by the company along with a risk rating. Based on this rating, the company can either block the services or coach its employees towards a sanctioned alternative.
Service Attribution & Governance – Once IT sanctions a cloud service, its ease of access drives high adoption, and at this stage an increasingly large amount of sensitive corporate data starts residing in the cloud. Infosec teams are looking for the level of monitoring and threat detection they have come to expect from on-premises applications. Enterprise-grade cloud services such as Box and Office 365 provide usage logs via APIs that can be analyzed for risky activities. CASBs can connect to such sanctioned cloud services via API and reverse proxy and monitor usage activity to identify anomalies such as inappropriate privileged access by administrators, cross-region or excessive access, and data exfiltration. In addition, some CASBs also employ machine learning to detect anomalous usage patterns that indicate threats from internal or external users and compromised accounts. These intelligence-based threat protection measures differentiate CASBs that are enterprise-grade and ready for Fortune 500 enterprises.
Remediation – Cloud services used to share data outside the company need to be guarded by DLP policies to comply with industry regulations and internal standards. An example of an EFSS DLP policy would be to allow only previews (and not downloads) of a file accessed from an unmanaged device. CASBs can not only enable cloud DLP for sanctioned services such as Box, Office 365, and Salesforce, but also provide pre-built templates that companies can use to comply with regulations such as PCI DSS and HIPAA. To help enterprises leverage existing investments and workflows, CASBs integrate with on-premises DLP solutions to extend policies to the cloud.
With the cloud here to stay, and cyber criminals increasingly focused on compromising the security of data stored in cloud services, Man in the Cloud attacks are just another reminder that the threat landscape is constantly evolving. These attacks expose many enterprises to the reality that while they have implemented a robust security stack to protect data on their network, they now need to invest in similar tools to secure their data in the cloud and on mobile. Companies that proactively invest in these security controls will minimize the risk of being showcased by a “Black Hat” at upcoming security events!