A Living Off the Cloud (LOTC) attack is one in which attackers abuse the APIs of trusted cloud services (file-sharing, collaboration and storage platforms) to remotely control their botnets, so that malicious command-and-control traffic blends in with legitimate cloud traffic.

The advantage attackers exploit is that most cloud service applications are trusted by default inside organizations, and traffic to them raises no suspicion. They hide under this cover to carry out their criminal activities.

MALWARE INFRASTRUCTURE COMPONENTS

Etay Maor, Chief Security Strategist and founding member of the Cyber Threats Research Lab (CTRL), gave a vivid description of these infrastructure components. According to him: ‘‘The malware infrastructure components that guarantee infiltration of a victim’s environment are command-and-control (C&C) attacks, and this can happen through phishing, stolen credentials, unpatched software, etc. This malware infrastructure has three components: a Telemetry Channel, which serves as the link between the malware and the C&C server and is used by the malware to update the hackers about the information it finds in the victim’s environment; a Command Channel, which serves as the link between the C&C server and the malware and is used to instruct the malware to execute certain tasks; and an Exfiltration Channel, used by the malware to upload stolen data to a remote file server.’’

With this infrastructure in place, the attackers appear to be ordinary cloud users, living off the cloud. In the case Maor describes, the malware is programmed to read a particular folder on Google Drive, fetch the command the attacker has placed there, execute it, and report back by writing its findings (telemetry) to another Google Drive folder. The command and telemetry channels therefore consist of nothing but Google Drive API calls, which to a network monitor look like a user syncing files.
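As an added example (not code from the original article), the following Python script shows how a defender might pick this pattern out of web-proxy logs: the implant polls the Google Drive files API at a fixed interval to fetch commands, and writes results back through the Drive upload endpoint, whereas a person browsing Drive produces irregular gaps. The proxy log format, client addresses, thresholds and the log lines themselves are constructed assumptions; the Drive API paths are Google's real endpoints.

```python
"""Spot LOTC-style C2 over the Google Drive API in web-proxy logs.

Added example, not from the original article. The proxy log format, the client
addresses, the thresholds and the log lines themselves are constructed
assumptions; the Drive API paths are Google's real endpoints.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed format: "<ISO timestamp> <client ip> <user> <method> <url> <status> <bytes sent>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<sent>\d+)$"
)
# Command channel: listing a folder (files.list) or downloading a file (files.get?alt=media).
COMMAND_FETCH_RE = re.compile(
    r"^https://www\.googleapis\.com/drive/v3/files(\?|/[^/?]+\?alt=media)"
)
# Telemetry channel: the media upload endpoint used to write results back to Drive.
UPLOAD_RE = re.compile(r"^https://www\.googleapis\.com/upload/drive/v3/files")


def parse(line):
    """Return a dict for a well-formed log line, None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["sent"] = int(rec["sent"])
    return rec


def interval_cv(timestamps):
    """Coefficient of variation of the gaps between polls; near 0 means a fixed-interval beacon."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else None


def find_lotc_candidates(lines, min_polls=4, max_cv=0.2, min_upload_bytes=1024):
    """Flag (client, user) pairs that poll the Drive API at a regular interval and also upload."""
    polls = defaultdict(list)
    uploaded = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        key = (rec["src"], rec["user"])
        if rec["method"] == "GET" and COMMAND_FETCH_RE.match(rec["url"]):
            polls[key].append(rec["ts"])
        elif rec["method"] in ("POST", "PATCH", "PUT") and UPLOAD_RE.match(rec["url"]):
            uploaded[key] += rec["sent"]
    findings = []
    for key, ts in polls.items():
        ts.sort()
        cv = interval_cv(ts)
        if (len(ts) >= min_polls and cv is not None and cv <= max_cv
                and uploaded[key] >= min_upload_bytes):
            findings.append({"src": key[0], "user": key[1], "polls": len(ts),
                             "interval_cv": round(cv, 3), "uploaded_bytes": uploaded[key]})
    return findings


# Constructed sample: a person browsing Drive irregularly, and an implant beaconing every ~60 s.
SAMPLE_LOG = [
    "2024-03-11T09:00:05 10.0.4.17 alice@example.com GET https://www.googleapis.com/drive/v3/files?q='root'+in+parents 200 0",
    "2024-03-11T09:07:42 10.0.4.17 alice@example.com GET https://www.googleapis.com/drive/v3/files/1AbC?alt=media 200 0",
    "2024-03-11T09:31:10 10.0.4.17 alice@example.com GET https://www.googleapis.com/drive/v3/files?q='root'+in+parents 200 0",
    "2024-03-11T10:02:55 10.0.4.17 alice@example.com GET https://www.googleapis.com/drive/v3/files?q='root'+in+parents 200 0",
    "2024-03-11T10:03:30 10.0.4.17 alice@example.com POST https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart 200 250000",
    "2024-03-11T09:00:00 10.0.4.23 svc-build@example.com GET https://www.googleapis.com/drive/v3/files?q='cmd'+in+parents 200 0",
    "2024-03-11T09:01:00 10.0.4.23 svc-build@example.com GET https://www.googleapis.com/drive/v3/files?q='cmd'+in+parents 200 0",
    "2024-03-11T09:01:30 10.0.4.23 svc-build@example.com POST https://www.googleapis.com/upload/drive/v3/files?uploadType=media 200 2048",
    "2024-03-11T09:02:01 10.0.4.23 svc-build@example.com GET https://www.googleapis.com/drive/v3/files?q='cmd'+in+parents 200 0",
    "2024-03-11T09:03:00 10.0.4.23 svc-build@example.com GET https://www.googleapis.com/drive/v3/files?q='cmd'+in+parents 200 0",
    "2024-03-11T09:04:00 10.0.4.23 svc-build@example.com GET https://www.googleapis.com/drive/v3/files?q='cmd'+in+parents 200 0",
    "2024-03-11T09:04:30 10.0.4.23 svc-build@example.com POST https://www.googleapis.com/upload/drive/v3/files?uploadType=media 200 2048",
    "2024-03-11T09:05:00 10.0.4.23 svc-build@example.com GET https://www.googleapis.com/drive/v3/files?q='cmd'+in+parents 200 0",
    "this line is garbage and is skipped",
]

if __name__ == "__main__":
    for finding in find_lotc_candidates(SAMPLE_LOG):
        print(finding)
```

Only the service account on 10.0.4.23 is reported: it polls six times with an interval whose coefficient of variation is about 0.01 and uploads 4 KB, while alice's four polls are spread irregularly over an hour and are ignored even though she uploads far more. The thresholds are the knobs a real deployment would tune; loosening `max_cv` enough makes the human traffic match too, which is why regularity rather than volume is the useful signal here.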

HOW ORGANIZATIONS SHOULD PROTECT THEMSELVES

One way to break the threat posed by this malware is to cut the communication between the malware and the C&C server. Etay Maor proposed several critical ways organizations can protect themselves from this kind of attack; his proposals are as follows:

Zero Trust Network Access (ZTNA): LOTC attacks succeed because of the inherent trust cloud services enjoy company-wide. Adopt a zero-trust strategy instead, in which users and services are granted only the least access required to perform specific tasks. In practice this means deploying security policies that allow or restrict specific users, specific applications, specific actions within those applications, and the movement of data into and out of the network.

Sanctioned vs. Unsanctioned Apps: Not everyone in the company needs access to Google Drive, Dropbox or Trello. If a company can control which accounts can or cannot access a specific cloud service (for example, permitting only the corporate tenant of a service and blocking personal accounts on the same service), the risk of an attack is reduced. The cloud computing industry refers to this as “tenant restriction.”

Granular Cloud Activity Control: There needs to be granular awareness of which cloud service is being accessed, by whom, and what commands are being issued. If files must be uploaded to Google Drive, ensure that only specific people can upload, only specific file types are accepted, and only up to a certain file size. A cloud access security broker (CASB) can help here. Organizations can also deploy API access control so that only authorized users can reach cloud APIs.

Data Loss Prevention: DLP tools let security teams create policies that restrict cloud-based services from accessing certain types of data. They inspect uploaded and downloaded files to check whether sensitive data is being exfiltrated. Most DLP systems can be configured to generate an alert and record an audit log of the data being transferred.
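The three controls above (tenant restriction, granular upload control and DLP inspection) can be expressed as a single policy check at a forward proxy or CASB. The following Python is an added example, not code from the original article or from any vendor product: the tenant, user, file-type and size values, the `Upload` shape and the sample uploads are constructed assumptions. `X-GoogApps-Allowed-Domains` is Google's real header for limiting Google Workspace traffic to listed domains (Microsoft's equivalent for Entra ID is `Restrict-Access-To-Tenants`), and `AKIAIOSFODNN7EXAMPLE` is the placeholder access key ID used in AWS documentation.

```python
"""One policy check for cloud uploads: tenant restriction, sanctioned users and
file types, size limit, and a DLP content scan, producing an audit record.

Added example, not from the original article or any vendor product. The policy
values, the Upload shape and the sample uploads are constructed assumptions.
X-GoogApps-Allowed-Domains is Google's real header for limiting Workspace
traffic to listed domains; AKIAIOSFODNN7EXAMPLE is the placeholder key ID used
in AWS documentation.
"""
import re
from dataclasses import dataclass, field

ALLOWED_TENANTS = ("example.com",)                 # assumed corporate Workspace domain
UPLOAD_ALLOWED_USERS = {"alice@example.com", "bob@example.com"}
ALLOWED_MIME_TYPES = {"application/pdf", "image/png"}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")   # AWS access key ID format
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")      # 16-digit card number, spaces/dashes allowed


@dataclass
class Upload:
    user: str
    host: str            # destination host, e.g. www.googleapis.com
    mime_type: str
    body: bytes
    headers: dict = field(default_factory=dict)


def luhn_ok(digits):
    """Luhn check, so arbitrary 16-digit strings are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch) * (2 if i % 2 else 1)
        total += n - 9 if n > 9 else n
    return total % 10 == 0


def dlp_findings(body):
    """Return the classes of sensitive data found in the upload body."""
    text = body.decode("utf-8", errors="ignore")
    found = []
    if AWS_KEY_RE.search(text):
        found.append("aws_access_key_id")
    if any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text)):
        found.append("payment_card_number")
    return found


def tenant_restriction_headers(host):
    """Header a forward proxy adds to Google traffic so only the listed tenants are usable."""
    if host.endswith("google.com") or host.endswith("googleapis.com"):
        return {"X-GoogApps-Allowed-Domains": ",".join(ALLOWED_TENANTS)}
    return {}


def evaluate_upload(up):
    """Run every control (not just the first failing one) and return (decision, reasons, audit)."""
    reasons = []
    up.headers.update(tenant_restriction_headers(up.host))
    if up.user.rsplit("@", 1)[-1] not in ALLOWED_TENANTS:
        reasons.append("account outside sanctioned tenant")
    if up.user not in UPLOAD_ALLOWED_USERS:
        reasons.append("user not permitted to upload")
    if up.mime_type not in ALLOWED_MIME_TYPES:
        reasons.append(f"file type {up.mime_type} not allowed")
    if len(up.body) > MAX_UPLOAD_BYTES:
        reasons.append("file exceeds size limit")
    hits = dlp_findings(up.body)
    if hits:
        reasons.append("sensitive data: " + ", ".join(hits))
    decision = "block" if reasons else "allow"
    audit = {"user": up.user, "host": up.host, "bytes": len(up.body),
             "decision": decision, "reasons": list(reasons)}
    return decision, reasons, audit


# Constructed sample uploads: one legitimate, one policy violation, one foreign account with a secret.
SAMPLE_UPLOADS = [
    Upload("alice@example.com", "www.googleapis.com", "application/pdf", b"%PDF-1.7 quarterly report"),
    Upload("bob@example.com", "www.googleapis.com", "text/csv", b"name,card\nCarol,4111 1111 1111 1111\n"),
    Upload("mallory@gmail.com", "www.googleapis.com", "application/pdf", b"aws_access_key_id=AKIAIOSFODNN7EXAMPLE"),
]

if __name__ == "__main__":
    for up in SAMPLE_UPLOADS:
        print(evaluate_upload(up)[2])
```

All checks run even after the first failure so the audit record shows the full picture: bob's CSV is blocked both for its file type and for the card number it carries, and mallory's upload is blocked for being outside the sanctioned tenant, for an unauthorized user, and for the embedded access key. Alice's PDF is allowed and leaves with the tenant-restriction header attached, which is what stops a logged-in personal Google account from using the same proxy path.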

Cloud-native Security: Because most security controls are distinct and siloed, it is difficult to connect the dots and paint a full picture of attacker activity. A single-pass cloud security architecture such as SASE, which converges CASB, DLP, secure web gateway, SD-WAN, firewall as a service and ZTNA, can provide real-time visibility into attacker activity and holistic control over the entire IT environment.

Change Mindset: Unfortunately, people keep blindly trusting any communication to any cloud service. Most organizations still do not perform TLS inspection on cloud service traffic, nor do they block high-risk servers, domains or ports by default. Without TLS inspection, a CASB or DLP control sees only an encrypted session to a trusted Google domain, not which folder the malware is reading or what it is uploading. This mindset needs a reboot.

Awareness Training: LOTC attacks are multi-staged, and the first stage (malware deployment) is usually a phishing attack or a compromise resulting from poor passwords or poor software patching. Teach employees to follow security best practices and not to respond to suspicious messages, click suspicious links or download suspicious attachments.

Living Off the Land (LOTL) and LOTC techniques allow adversaries to exploit built-in and cloud-based tools to conduct malicious activities while evading detection. By taking a ZTNA approach along with the other measures listed here, organizations can gain visibility and control over their IT estate and significantly mitigate these risks.