External threats targeting cloud services increase 630%

Updated: April 23, 2021

Hitherto, WFH, or work from home, was confined to a small percentage of employees working remotely, but the pandemic has turned this upside down. One fallout of WFH is its impact on the use of cloud services. According to data shared by Microsoft, its cloud service has seen a high 775% growth in usage during the time when corporates adopted WFH on a large scale.

Internet security services provider McAfee carried out an anonymous study of cloud usage by more than 30 million of its cloud users worldwide between January and April 2020. The study revealed that overall enterprise use of cloud services spiked by 50%, with manufacturing and financial services companies increasing the most; collaboration services saw an increase of up to 600% in usage, with education driving this increase and government and financial services closely following; and external attacks on cloud accounts increased 630%, with the transportation, government and manufacturing verticals most affected.

The study found that cloud traffic from unmanaged devices doubled across all verticals, which presents an increased source of risk stemming from these devices accessing cloud services from outside corporate managed networks. There is no way to recover sensitive data from an unmanaged device, says the study, so this increased access could result in data loss events if security teams are not controlling cloud access by device type.

The McAfee study found that the number of threats from external actors targeting cloud services increased 630%, with the greatest concentration on collaboration services like Microsoft 365. The study divides the external threats into 2 categories – excessive usage from anomalous location and suspicious superhuman – and maintains that both typically involve use of stolen credentials. In the case of the former, it begins with a login from a location that has not been previously detected and is anomalous to the user’s organization.

The threat actor then initiates high-volume data access and/or privileged access activity. In the case of the latter, it is a login attempt from more than one geographically distant location, impossible to travel between within the given period of time.
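The two patterns above are easy to turn into detection rules. The following is an added example (not McAfee's code or the study's method): it assumes constructed sign-in and download events, a 900 km/h travel ceiling, a 1 GB "high-volume" threshold and a baseline set of countries the organization has previously been seen in.

```python
import math
from datetime import datetime, timedelta

MAX_SPEED_KMH = 900          # faster than an airliner => "suspicious superhuman" (assumed)
BULK_BYTES = 1_000_000_000   # "high-volume" data access threshold (assumed)
WINDOW = timedelta(hours=2)  # bulk access counted this long after the anomalous login

# Constructed sample events; not real telemetry.
EVENTS = [
    {"user": "alice", "ts": "2020-03-10T09:00:00", "type": "login", "country": "US", "lat": 40.7, "lon": -74.0},
    {"user": "alice", "ts": "2020-03-10T09:40:00", "type": "login", "country": "TH", "lat": 13.7, "lon": 100.5},
    {"user": "alice", "ts": "2020-03-10T09:50:00", "type": "download", "bytes": 3_000_000_000},
    {"user": "bob",   "ts": "2020-03-10T08:00:00", "type": "login", "country": "US", "lat": 37.8, "lon": -122.4},
    {"user": "bob",   "ts": "2020-03-10T14:00:00", "type": "login", "country": "US", "lat": 40.7, "lon": -74.0},
    {"user": "bob",   "ts": "2020-03-10T14:10:00", "type": "download", "bytes": 50_000_000},
]
ORG_COUNTRIES = {"US"}  # locations previously seen for this organization (assumed baseline)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def detect(events, org_countries=ORG_COUNTRIES):
    """Return (user, rule) pairs for the two stolen-credential patterns."""
    alerts, by_user = [], {}
    for e in sorted(events, key=_ts):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        logins = [e for e in evs if e["type"] == "login"]
        # Rule 1: consecutive logins too far apart to travel between in the elapsed time
        for prev, cur in zip(logins, logins[1:]):
            hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > MAX_SPEED_KMH:
                alerts.append((user, "impossible_travel"))
        # Rule 2: login from a location new to the organization, then bulk data access soon after
        for lg in logins:
            if lg["country"] in org_countries:
                continue
            moved = sum(e.get("bytes", 0) for e in evs
                        if e["type"] != "login" and _ts(lg) <= _ts(e) <= _ts(lg) + WINDOW)
            if moved >= BULK_BYTES:
                alerts.append((user, "anomalous_location_bulk_access"))
    return alerts
```

Running `detect(EVENTS)` flags only alice, once per rule; bob's cross-country logins six hours apart stay under the speed ceiling and come from a baseline country.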

Another finding of the study is the fact that internal or insider threat categories have remained the same, indicating that employees do not go rogue and attempt to steal more data because they are working from home. Most of the attacks seen are external, cloud-native threats targeting cloud accounts directly.

The study analyzed external cloud threats further and found that the percentage increase of cloud threats by vertical during January-April 2020 was highest in the case of transportation and logistics (1350%), followed by education (1114%), government (773%), manufacturing (679%), financial services (571%) and energy and utilities (472%). The top 10 source IP geolocations for external attacks on cloud accounts are Thailand, USA, China, India, Brazil, Russian Federation, Laos, Mexico, New Caledonia and Vietnam. It is a noticeable fact that none of the countries in the top 10 belonged to Europe, which now has very strong data protection regulations.

Says the report further: “Looking here at a view of common source locations for targeted attacks, we see Financial Services experiencing the highest attack volume of any industry and also the most organizations affected.”

Noting that securing a remote workforce shifts the major security control points to the device and the cloud, the study says a cloud-native approach to delivering security will provide the most complete coverage, capable of reaching devices off-network and connecting to cloud services directly.

McAfee suggests the following measures:

  • Implementing a cloud-based secure web gateway so that corporate devices can be protected against web-based threats without routing through VPN.
  • Allowing employees to connect to sanctioned cloud services from their corporate devices without using their VPN, protecting data with a cloud access security broker (CASB).
  • Setting policy in CASB so that cloud services have device checks, data controls and are protected against attackers who can access SaaS accounts over the internet.
  • Implementing multi-factor authentication for sanctioned cloud services where applicable to reduce the risk of stolen credentials being used to access accounts.
  • Letting employees use their personal devices to access corporate SaaS applications to maintain productivity, with conditional access to sensitive data in the cloud.