Did you know that the average organization has over 540 unique user-enabled, third-party, OAuth-connected cloud applications active within their environment? These are applications granted access through OAuth tokens to programmatic interfaces in your applications. For example, a user grants access to an application with their Google credentials that allows the application to access their corporate Google account.
Oftentimes these apps have excessive access scopes, including permissions to view, edit, delete, and externalize corporate data. There's also potential to open the door to potentially malicious apps, providing hackers with unfettered access to your corporate environment. I'm not talking about all third party apps, but rather those apps that look legitimate yet are actually malware, entering an organization through a backdoor.
As we saw with the Sony hack, it only took one breached account to compromise the entire environment and damage the company’s reputation. Cybercriminals are creating, in essence, a malware-as-a-service industry built on the same premises that legitimate organizations use to move to the cloud: increased speed and agility; economies of scale; security; and always available, infinite compute power. Cloud malware isn't a new threat, but exists outside the enterprise network, beyond the firewall. Cybercriminals know this and leverage various sophisticated tactics to gain access.
Connected cloud apps can be both inherently malicious or become malicious and as a result organizations can be exposed to cloud malware in a number of ways. One way is that users can unknowingly install apps specifically created to gain access to corporate data and another way is that an attacker can compromise a legitimate application and then take advantage of that application’s privileges to access users’ accounts. This presents a challenge to security teams as they must adjust their approach to identifying and evaluating breaches in this new environment.
Figuring end users into the equation
Let’s go back to the earlier example of a user granting a third-party app OAuth connected access with his or her Google credentials. When the application is authorized, it essentially grants the app permission to access our identities and then our data in the cloud.
What organizations must realize is when we authorize these applications to access our identities in the cloud or the data in the cloud apps, a connection is established between the user, a third-party entity, and your corporate environment. Effectively that third-party security is now your security, because through this connection, you have possibly granted access to your emails, the ability to view and manage your files, and perform operations even while you’re not using the application. According to a recent report, of all applications banned, 30% are classified as high-risk due to their excessive access scopes.
For the most part, the app is likely innocuous and performs its specified function for productivity or business operations. However, for the small number of apps that are malicious, a bad actor can easily deliver a malware through such a third-party app and gain access to users’ data/environment instantaneously. It’s interesting how something so pervasive, yet undetectable to the untrained eye, can affect an entire system.
Another often overlooked dimension for distribution of cloud-native malware is machine-to-machine or app-to-app traffic that occurs without human intervention. An attacker can compromise a legitimate application and then take advantage of that application’s privileges to access users’ accounts. For example, Salesforce syncing data to Marketo: This type of communication uses valid user credentials in an automated manner, accessing certain tools instantaneously in perpetuity. This method of communication is more prone to malware due to the fact that the software the app leverages could be used maliciously if it’s modified in a certain way.
Over the past couple years, one of the most prominent developments in malware is criminals using cloud applications to disguise a malware attack as normal, everyday, app-to-app communication/traffic. Basically, cybercriminals leverage cloud applications -- the same cloud apps used by your typical enterprise -- and sometimes their servers to host the malware. Criminals also might use those servers to host their command-and-control operations, guiding the malware with detailed instructions on how to infect systems to exfiltrate data. To a security team, the traffic looks like nothing out of the ordinary. What is actually happening, however, is something much more malicious and if an unknowing user opens the file containing the malware, it’s game over.
Reducing cloud malware threats
Protecting the enterprise from cloud-based malware involves gaining visibility into all cloud traffic. Most customers I talk to say they think they can see across their SaaS applications, but they forget cybercriminals reach far beyond to your IaaS, PaaS, and IDaaS applications as well. There is sensitive data and operations residing across a multi-cloud environment to be exploited.
For instance, what would happen if malware took hold inside your PaaS or IaaS environment? What damage could be done? You need to be able to view all traffic in order to benchmark normal activity and get a baseline for typical traffic volume. It’s no different than an institutional investor testing to find a pattern in market activity that it can apply to current market situations.
Second, know what third-party apps your users have enabled, as well as those your admins have enabled. I talk with a lot of security professionals who stress that their admins are not allowed to install third-party applications using their admin corporate account to connect via OAuth. However, more often than not, that isn’t the case. In fact, in the average organization, 2% of all third-party app installs are performed by admins.
Finally, in this transition period where organizations maintain both on-premises and multi-cloud components, it’s imperative to consider a new approach that can enables visibility by implementing security orchestration across your environments. This approach provides a wealth of security intelligence, if done correctly and in a non-invasive way. The last thing you want to do is disrupt the user experience, inhibit productivity or raise the level of shadow IT in your organization.
As CTO, Ron is responsible for CloudLock’s overall technology and continuous innovation. Prior to founding CloudLock, Ron was director of product management at Interwise (acquired by AT&T), and held varied engineering management positions in private and military sectors including the Israeli Air Force Software Development unit, where he worked on the development of mission-critical intelligence systems. Ron has more than 20 years of experience building complex software systems and product platforms. He has a BA in computer science from the Academic College of Tel Aviv-Jaffa and is a graduate of MAMRAM.