Cloudy With a Chance of Hacking

Over the past few years, there’s been a bit of a disruption in the infrastructure space. This new technology–cloud, they call it–has worked its way into just about every aspect of computing. What started as renting compute power from larger companies (with better economies of scale and seemingly infinite resources) has worked its way into pushing virtually (no pun intended) everything to “somebody else’s computer”. It’s gone so far, in fact, that I recently heard of a company’s administrator using a cloud desktop for their duties (talk about a critical asset)!

As per usual, enterprising adversaries have moved their efforts to the cloud as well. This is interesting to me for several reasons:

  1. It is extremely efficient and lightweight to set up your infrastructure
  2. Your infrastructure scales effortlessly with your campaign’s breadth and success
  3. What used to have an easily traceable public record is now obscured
  4. Approaches leveraging anomaly detection cause exceptionally dangerous false negatives

While the first two reasons are interesting, they’re a topic for another day. Today I’ll focus on the latter two reasons.

What used to have an easily traceable public record is now obscured

Put on your SOC analyst hat for a moment and think about how you work through determining if something is an incident. When we’re talking about communications to an external domain, there are several places where you can begin to look. You can leverage WHOIS records to discover all sorts of information about the domain, including when it was registered and updated, who owns it, registrars, nameservers, etc.

Even with GDPR and other privacy-focused regulations in place, there’s still a treasure trove of information that can be used to take your next step.

Beyond WHOIS, there are good old-fashioned Google searches to identify whether your domain has been known to be good or bad.

Of course, there’s much more that you can do with additional services and capabilities because there is something that sticks around and is easy to trace!

However, when we turn our attention to the malicious use of cloud infrastructure, the story gets cloudier (yes, pun intended!). Tracing the creation date of a cloud-based domain is much more complicated since it isn’t really stored anywhere public beyond the domain name.

Moreover, Googling information about it is much more hit-or-miss.

This gets even harder as attackers use less obvious and more quickly fluctuating cloud instances. Worse still–and unlike normal domain names–benign instances are just as transient!

Approaches leveraging anomaly detection cause exceptionally dangerous false negatives

Lately, ML and AI in security have been all the rage, with anomaly detection, typically using unsupervised learning, being one of the headline applications. Beyond my general view that anomaly detection in real networks–on its own–is not a reasonable solution, it really gets whooped in the cloud.

Naively, let’s say you begin your workflow by finding domains that are pretty uncommon in your environment. That will pretty quickly winnow down the number of possible domains to explore for malicious behavior to maybe a couple hundred. Difficult to manually analyze, sure, but with some script-fu it becomes quick work to identify a handful that are very likely the most interesting. Cloud analysis for uncommon domains, however, is virtually useless, because everybody in your network is using uncommon cloud services!

Multiply this by the various cloud providers, the lack of public information on the sites, the lack of information returned by Google, and the transient nature of both good and bad traffic, and you’re left with a pretty bad day at the office.

But there are better ways. Recently we came across a sample phishing email in our network that leveraged a cloud domain to convince the user to authenticate–note the attempt to look like a legitimate Office365 / Microsoft domain.
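To make the two points above concrete, here is an added Python example (not code from the original post) that runs the naive "uncommon domain" filter over a constructed proxy-log sample, shows that the rare entries are dominated by cloud-hosted names, and then checks the tenant-chosen label of each cloud-hosted name for brand tokens, which is what flags an Office365-styled lookalike like the one described. The log lines, the cloud suffix list and the brand token list are assumptions constructed for the example.

```python
from collections import Counter

# Constructed proxy-log sample (client IP, destination host); not real traffic.
PROXY_LOG = """\
10.0.0.5  mail.example-corp.internal
10.0.0.5  cdn.example-corp.internal
10.0.0.7  cdn.example-corp.internal
10.0.0.9  mail.example-corp.internal
10.0.0.5  teamfiles1.blob.core.windows.net
10.0.0.7  hrportal-prod.azurewebsites.net
10.0.0.9  brandassets.s3.amazonaws.com
10.0.0.7  updates.vendor-example.com
10.0.0.11 office365-login-verify.azurewebsites.net
"""

# Assumed shared cloud hosting suffixes under which any tenant picks its own label.
CLOUD_SUFFIXES = ("blob.core.windows.net", "azurewebsites.net", "s3.amazonaws.com")
# Assumed brand tokens that a third-party tenant label should not normally contain.
BRAND_TOKENS = ("office365", "microsoft", "sharepoint", "onedrive")

def parse_hosts(log_text):
    """Return the destination host from each non-empty log line, lower-cased."""
    return [line.split()[1].lower() for line in log_text.splitlines() if line.strip()]

def rare_hosts(hosts, max_seen=1):
    """The naive 'uncommon domain' filter: hosts seen at most max_seen times."""
    counts = Counter(hosts)
    return sorted(h for h, n in counts.items() if n <= max_seen)

def cloud_suffix(host):
    """Return the shared cloud suffix a host sits under, or None if it is not cloud-hosted."""
    for suffix in CLOUD_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None

def brand_lookalikes(hosts):
    """Cloud-hosted names whose tenant-chosen label contains a brand token."""
    hits = []
    for host in set(hosts):
        suffix = cloud_suffix(host)
        if suffix is None:
            continue
        tenant_label = host[: -len(suffix) - 1]  # strip the trailing ".<suffix>"
        if any(token in tenant_label for token in BRAND_TOKENS):
            hits.append(host)
    return sorted(hits)
```

On the sample, rarity alone surfaces five hosts, four of them cloud-hosted and indistinguishable from each other by frequency; the label check is what isolates the lookalike.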

To find this kind of behavior, you need to look beyond simple anomaly detection, beyond public information, and beyond the last generation of security tools. Characterizing the full picture–the source device, the destination, and the traffic in between–is crucial. It’s time to evolve your defenses so that as the attackers move to the cloud, you’re ready to battle. Let us show you how. Schedule a demo today.

David Pearson

Principal Threat Researcher