A new type of attack called Man in the Cloud (MITC) has been identified. It relies on common file synchronization services such as Google Drive and Dropbox. Imperva reports that, without using any exploits, a simple re-configuration of these services can turn them into an attack tool that is not easily detected. Security expert Tim Erlin gives his thoughts on the research and whether he is surprised by the findings.
Tim Erlin, Director of Security and Product Management at Tripwire:
Is this novel research? Are you surprised by their findings?
“There’s no doubt that the cloud is fundamentally changing the attack surface for information security. Services like these file synchronization apps are part of a new world for both enterprises and attackers alike. Researchers have considered that these tools might be used for data exfiltration before, but this research provides a clear proof of concept.
nCircle, now Tripwire, released application detection capabilities for so-called ‘data leakage’ applications back in 2012, including most of these. We didn’t do the proof of concept work, but were clearly thinking along these lines.”
They claim it’s nearly impossible to detect or defend against – would you agree/disagree?
“There are a number of ways to detect this type of attack. First, a successful MITC attack involves adjacent execution of code and possible exploit activity, which might be detected and prevented, but even the attack itself can be identified by monitoring your systems for specific changes. The MITC attack involves modification of “some specific files or registry keys.” Knowing what those keys and files are means that you can use existing tools to monitor them for changes.”
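The detection approach Erlin describes, baselining the specific files a sync client depends on and alerting when they change, can be shown with a small file-integrity check. The following is an added example, not code from Imperva, Tripwire or the sync clients themselves; the directory and file names (`sync-client`, `session.token`, `prefs.json`, `auth.dat`) are hypothetical stand-ins for whatever paths a given client actually uses, and the scenario is constructed in a temporary directory so it runs offline. It covers files only; the registry-key half of the same idea would use the same baseline-and-diff logic over exported key values.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def file_digest(path: Path) -> Optional[str]:
    """SHA-256 of a file's contents, or None if the path does not exist."""
    if not path.is_file():
        return None
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(watched: List[Path]) -> Dict[str, Optional[str]]:
    """Baseline: map each watched path to its current digest (None if absent)."""
    return {str(p): file_digest(p) for p in watched}


def diff_snapshots(baseline: Dict[str, Optional[str]],
                   current: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Classify every watched path as changed, created, removed or unchanged.

    A change to a credential/token file or to a newly appearing config file is
    the kind of event that should raise an alert for review.
    """
    report: Dict[str, List[str]] = {"changed": [], "created": [], "removed": [], "unchanged": []}
    for path, old in baseline.items():
        new = current.get(path)
        if old == new:
            report["unchanged"].append(path)
        elif old is None:
            report["created"].append(path)
        elif new is None:
            report["removed"].append(path)
        else:
            report["changed"].append(path)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a hypothetical sync client's config directory."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "sync-client"          # hypothetical client config dir
        cfg.mkdir()
        token = cfg / "session.token"            # hypothetical credential file
        prefs = cfg / "prefs.json"               # hypothetical preferences file
        auth = cfg / "auth.dat"                  # hypothetical file absent at baseline
        token.write_bytes(b"constructed-token-AAA")
        prefs.write_text('{"sync_folder": "C:/Users/alice/Sync"}')

        watched = [token, prefs, auth]
        baseline = snapshot(watched)

        # Simulate the kind of change the text describes: the session token is
        # replaced and an unexpected new file appears alongside the config.
        token.write_bytes(b"constructed-token-BBB")
        auth.write_bytes(b"constructed")

        return diff_snapshots(baseline, snapshot(watched))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be stored and re-checked on a schedule or from a file-change event, and the `changed`/`created` lists would feed an alert rather than a print statement; the point is that once the relevant files are known, ordinary integrity monitoring is enough to surface the modification.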
What’s your advice about the use of file sync services such as OneDrive, Dropbox, Google Drive, etc?
“Organizations should evaluate the risk of any application that transfers data to a third party, whether that’s file synchronization or other services. An organization that allows use of these applications should ensure they can inventory where they are in use, and monitor those systems and applications for suspicious activity and changes.”