Cybercriminals find cover in the cloud

Netskope has released the February 2020 Netskope Cloud and Threat Report, which analyses the most interesting trends on enterprise cloud service and app usage, web and cloud-enabled threats, and cloud data migrations and transfers. Based on anonymised data from millions of global users, the report found that 44% of malicious threats are cloud enabled, meaning that cybercriminals see the cloud as an effective method for subverting detection.

  • Wednesday, 19th February 2020 Posted 4 years ago in by Phil Alsop
“We are seeing increasingly complex threat techniques being used across cloud applications, spanning from cloud phishing and malware delivery, to cloud command and control and ultimately cloud data exfiltration,” said Ray Canzanese, Threat Research Director at Netskope.  “Our research shows the sophistication and scale of the cloud enabled kill chain increasing, requiring security defences that understand thousands of cloud apps to keep pace with attackers and block cloud threats. For these reasons, any enterprise using the cloud needs to quickly modernise and extend their security architectures.”

 

Key Findings

 

Based on aggregated, anonymised data collected from the Netskope Security Platform across millions of users from August 1 through December 31, 2019, key findings of the report include:

 

The overwhelming majority (89%) of enterprise users are in the cloud, actively using at least one cloud app every day. Cloud storage, collaboration, and webmail apps are among the most popular in use. Enterprises also use a variety of apps in those categories - 142 on average - indicating that while enterprises may officially sanction a handful of apps, users tend to gravitate toward a much wider set in their day-to-day activities. Overall, the average enterprise uses over 2,400 distinct cloud services and apps.

 

Top 5 Cloud App Categories 

  1. Cloud storage
  2. Collaboration
  3. Webmail
  4. Consumer
  5. Social media

 

Top 10 Most Popular Cloud Apps

  1. Google Drive
  2. YouTube
  3. Microsoft Office 365 for Business
  4. Facebook
  5. Google Gmail
  6. Microsoft Office 365 SharePoint
  7. Microsoft Office 365 Outlook.com
  8. Twitter
  9. Amazon S3
  10. LinkedIn

 

Nearly half (44%) of threats are cloud-based. Attackers are moving to the cloud to blend in, increase success rates and evade detections. Attackers launch attacks through cloud services and apps using familiar techniques including scams, phishing, malware delivery, command and control, formjacking, chatbots, and data exfiltration. Of these, the two most popular cloud threat techniques are phishing and malware delivery. The top threat techniques in the cloud are phishing and malware delivery.

 

Top 5 Targeted Cloud Apps

  1. Microsoft Office 365 for Business
  2. Box
  3. Google Drive
  4. Microsoft Azure
  5. Github

 

Over 50% of data policy violations come from cloud storage, collaboration, and webmail apps, and the types of data being detected are primarily DLP rules and policies related to privacy, healthcare, and finance. This shows that users are moving sensitive data across multiple dimensions among a wide variety of cloud services and apps, including personal instances and unmanaged apps in violation of organizational policies.

 

One-fifth (20%) of users move data laterally between cloud apps, such as copying a document from OneDrive to Google Drive or sharing it via Slack. More importantly, the data crosses many boundaries: moving between cloud app suites, between managed and unmanaged apps, between app categories, and between app risk levels (Netskope Cloud Confidence Levels). Moreover, 37 per cent of the data that users move across cloud apps is sensitive. In total, Netskope has tracked lateral data movement among 2,481 different cloud services and apps, indicating the scale and the variety of cloud use across which sensitive information is being dispersed.

 

One-third (33%) of enterprise users work remotely on any given day, across more than eight locations on average, accessing both public and private apps in the cloud. This trend has contributed to the inversion of the traditional network, with users, data, and apps now on the outside. It also shows increasing demand on legacy VPNs and questions the availability of defences to protect remote workers.