CASB: The New Generation of Security and Threat Protection Paolo Passeri Solutions Architect [email protected]

Posted on 21-Apr-2020

TRANSCRIPT

Page 1: CASB: The New Generation of Security and Threat Protection · Hybrid Cloud and Web Threats 1. Malware infects user device via phishing email, compromised website, cloud service with

CASB: The New Generation of Security and Threat Protection

Paolo Passeri

Solutions Architect

[email protected]

Page 2

Figure: Yesterday vs. Today

2018 © Netskope confidential. All rights reserved.

Page 3

There are 25,000+ enterprise cloud services today

Page 4

1,000+ Cloud Services Per Enterprise – How Do They Get In?

Chart: 2% / 78% / 20% (category labels not present in the transcript)

Page 5

New Technology Challenges, New Risks

Data at the centre: Disrupt, Destroy, Extort, Exposure, Access, Theft

INTERNAL RISK
• Sensitive data shared publicly
• Download to personal device
• Exfiltration via unsanctioned cloud

EXTERNAL RISK
• Malware upload to sanctioned cloud
• Ransomware via cloud
• Cloud account hijacking

Page 6

Cloud Security Use Cases

Page 7

1 Understand which cloud applications are being used and their risk

Web Proxy → LOG DATA

Application            Uploaded Data   Enterprise Readiness
Salesforce             950GB           High
PDF Converter          450MB           Poor
Microsoft Office 365   300MB           High
LinkedIn               200MB           Medium
Facebook               20MB            Low

Page 8

2 Sanctioned or approved cloud applications storing or sharing sensitive data

Access using the Microsoft Office 365 API

Page 9

3 Sanctioned or approved cloud applications allowing data to escape to unmanaged devices

Page 10

4 Exfiltration of company data to unsanctioned cloud applications

Policy notifications shown to the user:

Important notice: Access to this cloud application is restricted by company policy

Important notice: Your attempt to upload files to this application has been blocked

Important notice: You are not permitted to upload files to personal OneDrive accounts

Page 11

Cloud Threats

Page 12

Conceived to Bypass Traditional Web Security…

Page 13

• Files shared in cloud CRM services carry implicit trust among their users, which enlarges the malware attack surface and poses new challenges for enterprise IT.

• The attack begins with a malicious file being uploaded into the enterprise service accounts from either a managed or an unmanaged device.

• The file is delivered to unsuspecting users via the CRM's built-in workflows and collaboration features.

• Three major payloads were observed: Pony botnet, Pain Logger and Word files with malicious macros.

• Infection through these payloads can result in data exfiltration, credential theft and network compromise.

https://resources.netskope.com/h/i/327390732-cloud-crm-services-as-a-malware-attack-vector

Highly Maintained Cloud Phishing Attack Kits

Page 14

CloudSquirrel

Uses multiple cloud services for payload delivery and for command and control

• Uses a variety of cloud services to download its main payload.

• Uses Dropbox for its C&C (command and control) server.

• Infects users by downloading malicious payloads (32-bit and 64-bit executables) that collect information about the victim's machine, including the victim's email account credentials configured in native email clients.

https://www.netskope.com/blog/netskope-threat-research-labs-technical-analysis-cloudsquirrel-malware-2/

Page 15

Hybrid Cloud and Web Threats

1. Malware infects the user's device via a phishing email, a compromised website, a cloud service with an infected file, etc.

2. Once downloaded, the malware calls out to various services such as websites, cloud storage services or even IaaS servers to download fragments of malicious code.

3. The malicious fragments are downloaded onto the device; security solutions see each download as innocuous because the fragments have not been pieced together yet.

4. The initial malware decrypts and compiles the downloaded fragments to start the attack or whatever functions the malicious code is supposed to perform.
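Steps 2 and 3 are hard to catch per download but easy to catch as a pattern. The rule below is an added illustration, not from the slides or from Netskope's product: it flags a client that pulls several small, allowed objects from multiple distinct cloud or IaaS hosts inside a short window. The log format, hostnames and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log excerpt (not from the slides): timestamp, client, method, URL, bytes, verdict.
# 10.1.1.5 fetches four small "parts" from four different cloud/IaaS hosts within 15 seconds;
# 10.1.1.9 fetches two large, ordinary files an hour apart.
PROXY_LOG = """\
2018-03-01T10:00:01 10.1.1.5 GET https://storage.cloud-a.example/drop/part01.bin 14210 allowed
2018-03-01T10:00:04 10.1.1.5 GET https://files.cloud-b.example/u/part02.bin 13987 allowed
2018-03-01T10:00:09 10.1.1.5 GET https://vm-203.iaas-c.example/x/part03.bin 15102 allowed
2018-03-01T10:00:15 10.1.1.5 GET https://cdn.cloud-d.example/p/part04.bin 14777 allowed
2018-03-01T10:05:00 10.1.1.9 GET https://storage.cloud-a.example/reports/q1.pdf 2200000 allowed
2018-03-01T11:05:00 10.1.1.9 GET https://files.cloud-b.example/u/photo.jpg 480000 allowed
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET https?://([^/\s]+)/\S* (\d+) (\w+)$")


def parse_log(text):
    """Return (timestamp, client, host, bytes, verdict) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, host, size, verdict = m.groups()
            events.append((datetime.fromisoformat(ts), client, host, int(size), verdict))
    return events


def detect_fragment_chains(text, window_s=120, max_bytes=65536, min_hosts=3):
    """Flag clients with >= min_hosts small, allowed downloads from distinct hosts
    within window_s seconds: each fragment looks innocuous alone, the pattern does not."""
    per_client = defaultdict(list)
    for ev in parse_log(text):
        if ev[4] == "allowed" and ev[3] <= max_bytes:
            per_client[ev[1]].append(ev)
    alerts = []
    for client, evs in per_client.items():
        evs.sort()  # chronological; tuples sort by timestamp first
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - first[0] <= timedelta(seconds=window_s)]
            hosts = sorted({e[2] for e in in_window})
            if len(hosts) >= min_hosts:
                alerts.append({"client": client, "start": first[0].isoformat(), "hosts": hosts})
                break  # one alert per client is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_fragment_chains(PROXY_LOG):
        print(alert)
```

Tune `max_bytes` and `window_s` to the environment; the point is that the correlation key is the client plus the number of distinct sources, not any single URL.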


Page 16

Blended Threat: Ransomware + Click Fraud

• A ransomware blended threat package includes malware such as credential stealers, backdoors or revenue-generation malware in addition to a ransomware payload.

• The purpose is to provide a second means of attack and revenue.

• Example: Locky ransomware coupled with Kovter.

• Kovter is a fileless, persistent click-fraud malware.

https://www.netskope.com/blog/ransomware-click-fraud-new-blended-attack/

Page 17

Virlock and the Cloud Malware Fan-Out Effect

• Virlock not only encrypts files but converts them into a polymorphic file infector. Each of these encrypted files is again a file infector and can infect other benign users.

• The Virlock file infector can become a dangerous weapon in the cloud context, especially due to inadvertent spreading of infected files through cloud sync and share via cloud storage and collaboration apps.

• Rapidly, the entire peer network is infected.

• Many collaborative files are infected and encrypted many times.

• Many ransoms to be paid; perhaps a bulk discount can be negotiated?

https://www.netskope.com/blog/cloud-malware-fan-virlock-ransomware/

Page 18

Cloud Services as a Crypto Miner's Paradise: Zminer Cryptocurrency Mining Malware Hosted in Amazon S3 Bucket

1. The kill chain begins with the delivery of a drive-by download Zminer executable via an exploit kit.

2. The executable downloads two payloads from Amazon S3 cloud storage to the victim's machine.

3. Once the required components are downloaded and installed on the victim's machine, Zminer begins the mining operation.

4. Several details of the victim's machine are uploaded to a C&C server also hosted on Amazon S3.

https://www.netskope.com/blog/coin-mining-malware-heads-cloud-zminer/

Page 19

Cloud Services as a Crypto Miner's Paradise: Coinhive Cryptocurrency Mining Browser Plugin Hosted in Office 365

1. Coinhive is a JavaScript library that allows a website to use the client computer to mine Monero cryptocurrency.

2. The Coinhive miner was installed as a plugin in an SSL website.

3. The tutorial webpage hosted on the website was saved to the cloud and shared within an organization.

4. As the mining is performed without users' consent, the Coinhive plugin is carrying out a cryptojacking operation.

5. Browser miners can also be abused by malware authors to exploit victims' computing power and resources.

https://www.netskope.com/blog/modern-gold-mine-rush-office-365-as-a-crypto-miners-paradise/

Page 20

Threat Protection

Page 21

Why Threat Protection for the Cloud?

Three drivers: increasing cloud usage; lack of visibility into cloud activity; cloud apps are attractive to attackers.

• 51% of employees using cloud services for work
• 33% of business data in the cloud
• 977 apps on average, with 95% unknown to IT
• >50% of cloud usage from outside corporate network
• >50% of cloud access from sync clients and apps, not browsers
• 85% of companies allow cloud access from unmanaged devices
• New cloud threats discovered by Netskope researchers
• Cloud accelerates spread of malware and amplifies effects
• Increased click-through on links to familiar cloud apps

For companies that inspect cloud services for malware, 57% find malware (Ponemon Institute)

Threat protection is one of four pillars of CASB functionality (Gartner Market Guide for CASBs)

Page 22

Why is Cloud Attractive to Attackers?

Attackers are exploiting inherent user trust in familiar cloud apps

Page 23

The Rise of Cloud Threats

• 41.6% is related to generic types of malware (Flash exploits, worms, etc.)

• Microsoft Office macros account for 8.6% during the last quarter

Source: Netskope Cloud Report February 2018

Page 24

Netskope Threat Research Labs

Dedicated Team of Experts: 12 years of average experience in threat research

Skill areas: threat intelligence creation; malware, threat research & analysis; zero-day vulnerability research; threat hunting; botnet research; machine learning; reverse engineering; threat actor attribution

With broad experience & skillsets, enabling threat coverage ahead of leading vendors

Leveraging Solid Security Research and Incident Response Background

Examples of threat coverage ahead of leading vendors:
• EPS 0-Day
• Mole Ransomware
• QKG Ransomware
• Cobalt Threat Actor
• URSNIF Data Stealer
• Comnie Backdoor
• Zyklon Campaign
• Orcus RAT

Coverage start dates as listed on the slide: FEB'17, APR'17, NOV'17, NOV'17, APR'17, AUG'17, NOV'17, NOV'17

Page 25

Netskope Threat Research - Highlights from 2017

JAN-17 FEB-17 MAR-17 APR-17 MAY-17 JUN-17 JUL-17 AUG-17 SEP-17 OCT-17 NOV-17 DEC-17


Page 26

Netskope Threat Protection – Key Components

Heuristics
• Accepts all files.
• Automated static analysis.
• Signature-less detection.
• 3,000+ threat indicators.
• Fully dissects the internal contents of files without execution, detects attacks, determines the threat level and exposes vital information for remediation.
• Removes archive and anti-forensic layers, de-obfuscates, and extracts indicators.

Sandbox
• Identifies previously unknown threats.
• Evasion resistant (monitoring embedded in the CPU virtualization extension).
• Agentless (no monitoring driver).
• Real Windows images.
• Accepts files from the Heuristics, PDF and Office pre-filters.
• Dynamic analysis of malware execution to detect and give a verdict on suspicious/malicious behavior.

Ransomware Engine
• ML-driven detection of ransomware activity in supported cloud storage applications.
• Supervised model: a set of features (currently 70 "dimensions") extracted from the encrypted file and compared to the clean version of the same file.
• 350 unique families of ransomware tracked, with more being added all the time.

Detections are fed into the ATP Blacklist (BL) within <5m, to all ATP customers within 1hr, and into the GoSkope global BL within 24hrs
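To make the "encrypted file compared to the clean version" idea concrete, here is an added example that is not Netskope's engine and not from the slides: it derives a handful of clean-vs-new dimensions (entropy, printable ratio, header change, size ratio) from two versions of the same file and applies a hand-tuned rule where a trained model would sit. The sample document, the benign edit and the "encrypted" overwrite (a deterministic SHA-256 keystream XOR, not a real cipher) are all constructed.

```python
import hashlib
import math
from collections import Counter

# Constructed sample: a "clean" text document and two later versions of the same file,
# one benignly edited and one overwritten with a deterministic pseudo-random keystream
# (stands in for a ransomware encryption pass; no real cipher is involved).
CLEAN = ("Quarterly report: revenue by region, headcount and forecast.\n" * 50).encode()


def keystream_xor(data, label=b"demo-key"):
    """Deterministic SHA-256 based keystream XOR, used only to fabricate an 'encrypted' sample."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(b ^ k for b, k in zip(data, out))


EDITED = CLEAN.replace(b"revenue", b"expense")   # ordinary user edit, same structure
ENCRYPTED = keystream_xor(CLEAN)                  # ransomware-style overwrite


def shannon_entropy(data):
    """Bits per byte; ~4 for English text, approaching 8 for ciphertext."""
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data):
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / max(len(data), 1)


def transformation_features(clean, new):
    """A few of the clean-vs-new 'dimensions' a supervised model could consume."""
    return {
        "entropy_new": shannon_entropy(new),
        "entropy_delta": shannon_entropy(new) - shannon_entropy(clean),
        "printable_delta": printable_ratio(new) - printable_ratio(clean),
        "magic_changed": clean[:4] != new[:4],   # file header no longer matches
        "size_ratio": len(new) / max(len(clean), 1),
    }


def looks_like_ransomware_overwrite(clean, new):
    """Hand-tuned stand-in for a trained classifier: three of four indicators must fire."""
    f = transformation_features(clean, new)
    hits = sum([
        f["entropy_new"] > 7.0,        # near-uniform byte distribution
        f["entropy_delta"] > 2.0,      # large jump relative to the clean version
        f["printable_delta"] < -0.5,   # text content vanished
        f["magic_changed"],
    ])
    return hits >= 3
```

The clean copy is what a cloud storage API makes available (prior file version), which is why this comparison is natural in a CASB rather than on the endpoint.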


Page 27

Multi-Layered Threat Protection for Cloud-based Threats

Delivery modes: Proxy (inline, TLS decryption at scale) and API (out-of-band)

Static Anti-Virus
• Signature-based detection using multiple AV engines
• Efficient protection against known malware

Threat Intelligence
• Identifies malicious URLs / IPs
• Provides collective protection with a constantly updated global blacklist
• Supports tenant-level blacklist / whitelist

Heuristic Analysis
• Advanced detection of new threats
• Identifies threat indicators using signature-less, pre-execution analysis of binary files

Sandbox Analysis
• Detonates files and analyzes behavior in an isolated sandbox to detect zero-day threats
• Also supports third-party sandbox integrations

Ransomware Detection
• Proprietary machine learning analyzes file operations and data transformation across 70+ dimensions
• Validated against 300+ ransomware variants

Page 28

Call to Action: Get your Cloud Risk Assessment

Page 29

Cloud Risk Assessment Report

• Cloud usage summary
• Three areas of risk (observations and recommendations)
  – Cloud threats
  – Data loss
  – Non-compliance
• Cloud security maturity model

Report sections: SUMMARY, COMPROMISED CREDENTIALS, UNMONITORED CLOUD STORAGE, WEBMAIL USAGE, RISKY PDF APPS, CONNECTIONS TO NON-U.S. APPS, UNMONITORED REGULATED DATA

Page 30

Thank you!