Hackers, like security vendors, are embracing the cloud; can you?

Large-volume hackers have become cloud pioneers

Trend Micro CTO, Raimund Genes


Large-volume hackers have become cloud pioneers, utilising public infrastructure to threaten companies that often effect ambitious but poorly-considered cloud-computing strategies, a security industry technologist has warned.

Noting the growing reliance on virtualisation and the increasing trend towards pushing virtual machines into public cloud services to cut infrastructure costs, Raimund Genes, global chief technology officer with security firm Trend Micro, warned that too many companies are just moving their security and reliability problems from one infrastructure to another.

Redundancy, for example, must be catered for: while cloud services from Amazon, Microsoft and others allow workloads to be spread across data centres in multiple geographies to minimise downtime, many companies simply move their existing systems into cloud-hosted virtual machines in a single location. This leaves them vulnerable to data and systems loss in the event of even a partial cloud collapse.

Online streaming-video giant Netflix has worked around this issue by spreading its assets across many parts of the Amazon Web Services (AWS) cloud, and by using purpose-built code called Chaos Monkey to randomly disable parts of its infrastructure. If the architecture can't survive the monkey's depredations, it won't survive a real outage or attack either.

Failure to rearchitect applications is also restricting the flexibility to effect bring-your-own-computing (BYOC) policies that increasingly require companies to deliver cloud-hosted applications and services to a broad range of devices. “I have seen some companies that have failed badly because they just took their current applications and processes and put them into the cloud,” Genes explains. “You really have to do an assessment on your applications to see if they’re cloud ready.”

Such assessments need to consider not only redundancy, but architectural choices often made many years ago. Each carries its own limits on user access and its own security implications, Genes warns: “If you’re still using ActiveX or still rely on .NET for Web services, forget about it; you need to be ready to deliver on the iPad, BlackBerry, and any other device. You just can’t avoid it anymore.”

Yet supporting such devices brings its own risks: the reported explosion in Android malware, for example, opens up the very real possibility that users could inadvertently bring malware into the enterprise, from which it can work to its nefarious ends under cover of the network. With new app stores blossoming and offering customers direct access to potentially malware-ridden apps, companies must be particularly vigilant in monitoring mobile devices.

Companies that do not take a broad-brush approach to security and business availability, and that fail to devote enough thought and resources to security, are likely to find this spells disaster.

“A lot of companies do the sums, then do the bare minimum” to protect themselves, Genes says.

“If something happens they have unlimited budget to fix it, but by then it’s too late. Think about what happened to [hacked two-factor authentication provider] RSA; would you ever buy a token from RSA again?”

Avoiding such hacks, and the reputational damage they can cause in an instant, requires rejection of the notion — often perpetuated through marketing materials of some vendors — that it’s possible to get 100 percent security protection just through software. Conventional malware filtering approaches are “just not working anymore, and we have to accept that,” Genes explains. “The original concept was to filter as much as possible before it gets to the desktop. But if they want to get in, they get in.”

From the inside out

Even when companies install strong border-protection systems that repeatedly pass proactive pen testing, some are finding that installed spyware or other malware is sending data out of the company. Many firms, however, spend all their effort monitoring incoming traffic and have no way to notice large volumes of data leaving their network, which is a classic hallmark of a data breach.

“It’s all been outside-in protection, but nobody ever thought of inside-out protection,” says Genes, noting that the signatures are often quite obvious to those who are looking for them.

“It’s often easier to recognise data getting out of the company than getting in.”

Genes cited the example of Sony, whose online gaming services were hacked and 100 million user identities stolen earlier this year. That attack would have taken a significant amount of time, Genes said — so why didn’t anybody at Sony notice the flood of outgoing data?

“This was going on for weeks,” he explains.

“You need a system that learns normal behaviour and then detects anomalies. You’re moving from outside-in protection, to a more inside-out, data-centric approach.”

One local Trend Micro customer, Genes says, felt its regular pen testing was enough to ensure it had an adequate security perimeter. But when Trend Micro went in and analysed the customer's outgoing connections, it found the outbound link was 80 percent saturated on a regular basis. Not only had the customer not known this, it could not say what the traffic was.

Regularly searching outgoing packets for new destination IP addresses is one way to spot anomalies, particularly when large numbers of packets are sent to the same new destination on a regular basis. Ironically, that reliance on fixed, reliable infrastructure is both a strength and a weakness of the attackers' cloud-computing model, which Genes says is outpacing conventional cloud-based defences, including Trend Micro's own attack-analysis cloud infrastructure, which handles 71 billion requests per day in a highly scalable cloud environment.
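The "learn normal behaviour, then detect anomalies" approach Genes describes, applied to outbound flow records, looks roughly like the following. This is an added illustration written for this article, not Trend Micro code or the monitoring the customer above used. It assumes flow records exported in a simple "timestamp src -> dst bytes=N" form (a hypothetical format standing in for NetFlow or firewall logs); the records themselves are constructed, all addresses are from RFC 5737 documentation ranges, and the thresholds are illustrative defaults rather than tuned values.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records (not observed data) in a hypothetical
# "timestamp src -> dst bytes=N" export format. Addresses are from the
# RFC 5737 documentation ranges. The first window is the training period;
# the second contains a beacon to a new host and a bulk upload.
BASELINE_LOG = """\
2011-06-01T09:00:00 10.0.1.5 -> 198.51.100.20 bytes=4200
2011-06-01T09:05:00 10.0.1.5 -> 198.51.100.21 bytes=900
2011-06-01T10:00:00 10.0.1.5 -> 198.51.100.20 bytes=3100
2011-06-01T09:02:00 10.0.1.7 -> 198.51.100.20 bytes=5000
2011-06-01T11:30:00 10.0.1.7 -> 198.51.100.22 bytes=1500
"""

DETECTION_LOG = """\
2011-06-02T09:00:00 10.0.1.5 -> 198.51.100.20 bytes=4000
2011-06-02T09:00:00 10.0.1.5 -> 203.0.113.9 bytes=600
2011-06-02T09:10:00 10.0.1.5 -> 203.0.113.9 bytes=610
2011-06-02T09:20:00 10.0.1.5 -> 203.0.113.9 bytes=590
2011-06-02T09:30:00 10.0.1.5 -> 203.0.113.9 bytes=620
2011-06-02T09:40:00 10.0.1.5 -> 203.0.113.9 bytes=600
2011-06-02T09:15:00 10.0.1.7 -> 198.51.100.20 bytes=4800
2011-06-02T13:00:00 10.0.1.7 -> 203.0.113.44 bytes=850000000
2011-06-02T14:00:00 10.0.1.7 -> 198.51.100.22 bytes=1400
"""

FLOW_RE = re.compile(r"(\S+) (\S+) -> (\S+) bytes=(\d+)")


def parse_flows(text):
    """Parse the flow export into (timestamp, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of aborting the run
        ts, src, dst, nbytes = m.groups()
        flows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def build_baseline(flows):
    """Learn 'normal': which destinations each host talks to, and each
    host's total outbound volume over the training window."""
    known = defaultdict(set)
    volume = defaultdict(int)
    for _, src, dst, nbytes in flows:
        known[src].add(dst)
        volume[src] += nbytes
    return {"known": known, "volume": volume}


def detect(baseline, flows, volume_threshold=100_000_000,
           min_beacons=4, max_jitter=0.2, volume_factor=10):
    """Return (kind, src, dst, detail) alerts for the detection window."""
    per_pair = defaultdict(list)   # (src, dst) -> contact timestamps
    pair_bytes = defaultdict(int)
    host_bytes = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        per_pair[(src, dst)].append(ts)
        pair_bytes[(src, dst)] += nbytes
        host_bytes[src] += nbytes

    alerts = []
    for (src, dst), stamps in per_pair.items():
        if dst in baseline["known"].get(src, set()):
            continue  # destination seen during training: treated as normal
        # Check 1: bulk transfer to a never-before-seen destination.
        if pair_bytes[(src, dst)] >= volume_threshold:
            alerts.append(("bulk-transfer-new-dst", src, dst, pair_bytes[(src, dst)]))
        # Check 2: regular contact interval to a new destination (C2 beacon).
        # Low coefficient of variation across the gaps means a fixed timer.
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if (len(stamps) >= min_beacons and mean(gaps) > 0
                and pstdev(gaps) / mean(gaps) <= max_jitter):
            alerts.append(("beacon-new-dst", src, dst, round(mean(gaps))))

    # Check 3: a host's total outbound volume far above its learned baseline,
    # the kind of thing that shows up as a saturated outbound link.
    for src, total in host_bytes.items():
        base = baseline["volume"].get(src, 0)
        if base and total >= volume_factor * base:
            alerts.append(("host-volume-spike", src, None, total))
    return alerts


def run():
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    return detect(baseline, parse_flows(DETECTION_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed data the run flags three things: a ten-minute beacon from 10.0.1.5 to a destination never seen in training, an 850 MB upload from 10.0.1.7 to another new destination, and 10.0.1.7's total outbound volume blowing past its baseline. Replaying the training window through the detector produces no alerts, which is the sanity check to keep when tuning thresholds against real exports.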

“To get code into a company, hackers test it against all the analysers and target it against a company or person,” he explains.

“But once it’s going outwards, it needs a reliable connection to a command and control server; interestingly enough, the bad guys are using the same infrastructure over and over again. They rely on constant communications.”

Ironically, this has made hackers pioneers in cloud computing, Genes warns: like legitimate corporate customers, hacker groups are renting virtual server space from AWS and others, then using it to build up command and control architectures from which they can launch massive distributed denial of service (DDoS) and other attacks.

“They’re moving data around all the time so law enforcement can’t keep up,” Genes laughs. “They’re building reliable and resilient networks; these guys have perfected cloud computing and they’ve known how to do it for years.”

Stories by David Braue