Monday, October 14, 2019

Man in the Cloud (MITC) Attacks


  • Man in the Cloud (MITC) Attacks


These MITC attacks rely on common file synchronization services (such as Google Drive and Dropbox) as their infrastructure for command and control (C&C), data exfiltration, and remote access. Without using any exploits, we show how simple re-configuration of these services can turn them into a devastating attack tool that is not easily detected by common security measures.
In the MITC attacks, the attacker gets access to the victim’s account without compromising the victim’s user name or password. As we show in this report, this type of compromise is very hard to detect (contrary to attacks that involve compromising password

For the first part of the mitigation strategy, we urge organizations to use a Cloud Access Security Broker (CASB) solution that monitors access and usage of enterprise cloud services by the enterprise users. We believe CASB solutions can effectively detect, in a timely manner, anomalies in the way an account for a file synchronization service is used and accessed. The more effective CASB solutions (such as those deployed virtually online) can also make mitigation easier by blocking access of unrecognized devices to the data.
The second part requires that organizations deploy controls such as DAM and FAM around their business data resources, and identify abnormal and abusive access to the data. Again, the better solutions are also capable of quickly mitigating the threat and containing the compromised device or account by restricting further access to all enterprise data or to the sensitive part of it.
https://www.imperva.com/docs/HII_Man_In_The_Cloud_Attacks.pdf
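The CASB detection described above, as an added example that is not part of the Imperva report or of any CASB product: a small detector over audit events from a file-synchronization service. The event format, the enrolled-device list, the window size and the sample events are all constructed for this illustration. It looks for the two signals the report's description implies: activity from a device that was never enrolled for the account, and an unenrolled device syncing alongside the enrolled one in the same time window, which is what a copied sync configuration looks like when no password was taken.

```python
"""
Added example (not from the Imperva report or any CASB product): a minimal
CASB-style detector over audit events from a file-synchronization service.
The event format, the enrolled-device list and the events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events: (timestamp, account, device_id, action).
EVENTS = [
    ("2019-10-14T08:02:00", "alice", "LAPTOP-A1", "sync"),
    ("2019-10-14T08:05:00", "alice", "LAPTOP-A1", "upload"),
    ("2019-10-14T08:06:30", "alice", "dev-7f3a",  "sync"),      # never-enrolled device
    ("2019-10-14T08:07:00", "alice", "dev-7f3a",  "download"),
    ("2019-10-14T08:07:10", "alice", "LAPTOP-A1", "upload"),    # enrolled device still active
    ("2019-10-14T09:00:00", "bob",   "LAPTOP-B2", "sync"),
]

# Devices the organization has enrolled for each account (constructed).
ENROLLED = {"alice": {"LAPTOP-A1"}, "bob": {"LAPTOP-B2"}}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect(events, enrolled, window=timedelta(minutes=5)):
    """Return alerts as (rule, account, device) tuples, first occurrence only."""
    alerts = []
    seen = set()
    last_seen = defaultdict(dict)   # account -> {device: last activity time}

    def add(alert):
        if alert not in seen:
            seen.add(alert)
            alerts.append(alert)

    for ts, account, device, _action in events:
        t = _ts(ts)
        known = enrolled.get(account, set())
        # Rule 1: activity from a device that was never enrolled for this account.
        if device not in known:
            add(("unrecognized_device", account, device))
        # Rule 2: an enrolled and an unenrolled device both active within `window`.
        # MITC involves no password change and no new login, so the visible
        # signal is an extra device quietly syncing alongside the enrolled one.
        for other, other_t in last_seen[account].items():
            if other == device or t - other_t > window:
                continue
            if (device in known) != (other in known):
                rogue = other if device in known else device
                add(("concurrent_with_enrolled", account, rogue))
        last_seen[account][device] = t
    return alerts


def devices_to_block(alerts):
    """Mitigation hook: the (account, device) pairs a CASB would cut off."""
    return {(acct, dev) for rule, acct, dev in alerts if rule == "unrecognized_device"}


if __name__ == "__main__":
    found = detect(EVENTS, ENROLLED)
    for a in found:
        print(a)
    print("block:", devices_to_block(found))
```

The enrollment list is what makes the second rule meaningful: a user legitimately syncing from a phone and a laptop has both devices enrolled, so only the enrolled/unenrolled mix fires. In a real deployment the device inventory comes from the sync service's own device list or the endpoint management system, and the block decision feeds the CASB's device-revocation action rather than a print.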


  • Database Activity Monitoring (DAM)

Database activity monitoring (DAM, a.k.a. enterprise database auditing and real-time protection) is a database security technology for monitoring and analyzing database activity that operates independently of the database management system (DBMS) and does not rely on any form of native (DBMS-resident) auditing or native logs such as trace or transaction logs. DAM is typically performed continuously and in real-time.
https://en.wikipedia.org/wiki/Database_activity_monitoring
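To make the "independent of the DBMS" point concrete, here is an added example (not from Wikipedia or from any DAM product) of a toy DAM rule engine that works only on SQL statements as a network sensor would capture them, with no access to the database's own audit trail. The sensitive-table list, the service-account-to-host mapping and the captured statements are constructed; the table extraction is a crude regex and is labelled as such.

```python
"""
Added example (not from Wikipedia or any DAM product): a toy DAM rule engine
over SQL statements captured off the wire, so it depends on no DBMS-native
audit trail. Tables, accounts and captured statements are constructed.
"""
import re

SENSITIVE_TABLES = {"customers", "payment_cards"}
# Application service accounts and the hosts they are expected to connect from.
APP_ACCOUNTS = {"webapp_svc": {"10.0.2.10", "10.0.2.11"}}

# Constructed capture: (db_user, client_host, statement)
CAPTURED = [
    ("webapp_svc", "10.0.2.10", "SELECT name FROM customers WHERE id = 42"),
    ("webapp_svc", "10.0.1.77", "SELECT * FROM payment_cards"),
    ("jsmith",     "10.0.1.50", "UPDATE orders SET status = 'shipped' WHERE id = 1"),
    ("jsmith",     "10.0.1.50", "SELECT c.* FROM customers c JOIN orders o ON o.cust_id = c.id"),
]

# Crude table extraction: the identifier following FROM/JOIN/INTO/UPDATE.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def tables_in(sql):
    """Set of lower-cased table names referenced by the statement."""
    return {name.lower() for name in TABLE_RE.findall(sql)}


def is_bulk_read(sql):
    """A SELECT with neither WHERE nor LIMIT reads the whole table."""
    s = " " + " ".join(sql.upper().split()) + " "
    return s.lstrip().startswith("SELECT") and " WHERE " not in s and " LIMIT " not in s


def monitor(captured, sensitive=SENSITIVE_TABLES, app_accounts=APP_ACCOUNTS):
    """Return (rule, user, host, statement) for every policy hit, in capture order."""
    hits = []
    for user, host, sql in captured:
        touched = tables_in(sql) & sensitive
        if user in app_accounts:
            # Rule A: service-account credentials used from an unexpected host.
            if host not in app_accounts[user]:
                hits.append(("app_account_from_unknown_host", user, host, sql))
        elif touched:
            # Rule B: an interactive user touching a sensitive table directly.
            hits.append(("sensitive_table_by_interactive_user", user, host, sql))
        # Rule C: whole-table read of sensitive data, whoever issues it.
        if touched and is_bulk_read(sql):
            hits.append(("bulk_read_sensitive", user, host, sql))
    return hits


if __name__ == "__main__":
    for rule, user, host, sql in monitor(CAPTURED):
        print(f"{rule:40} {user}@{host}: {sql}")
```

Because the sensor sees the statement and the client endpoint rather than the DBMS log, Rule A still fires when the application's own credentials are reused from a workstation, which is exactly the case native auditing reports as an ordinary, authorized session.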


  • File Activity Monitoring (FAM)

File Activity Monitoring discovers the sensitive data on your servers; classifies content using pre-defined or user-defined definitions; configures rules and policies about data access, and actions to be taken when rules are met.
File activity monitoring consists of the following capabilities:
    Discovery includes collecting metadata and entitlements for files and folders.
    Classification uses decision plans to identify potentially sensitive data in the files, such as credit card information or personally identifiable information.
    Monitoring and collection of audit information and policy rules, and real time alerts or blocking of suspicious users or connections.
https://www.ibm.com/support/knowledgecenter/en/SSMPHH_10.6.0/com.ibm.guardium.doc/getstart/getting_started_fam.html
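The three FAM capabilities listed above (discovery, classification, monitoring) as one added example, which is not IBM Guardium code: an in-memory pipeline that inventories files with their entitlements, labels content as PCI (card numbers that pass a Luhn check) or PII (e-mail addresses), flags sensitive files readable by a broad group, and then evaluates constructed access events against a policy that alerts or blocks. File contents, group names, the policy and the events are all constructed; the classification rules are deliberately the simplest plausible ones.

```python
"""
Added example (not IBM Guardium code): a toy File Activity Monitoring pipeline
with the three capabilities named on the page: discovery, classification and
monitoring. The file store, policy and access events are all constructed.
"""
import re

# --- Discovery input: constructed file store, path -> (owner, groups that can read, content).
FILES = {
    "/srv/share/finance/cards_q3.csv": ("fin_admin", {"finance"},
                                        "4111111111111111,jane\n5500000000000004,joe\n"),
    "/srv/share/finance/notes.txt":    ("fin_admin", {"finance"},
                                        "ref 1234567890123456 is an order id, not a card\n"),
    "/srv/share/hr/contacts.txt":      ("hr_admin", {"hr", "staff"}, "jane@example.com\n"),
    "/srv/share/public/readme.txt":    ("it", {"staff"}, "Welcome to the share.\n"),
}
BROAD_GROUPS = {"staff"}   # entitlements that amount to "everyone" (constructed)

# --- Classification: two pre-defined decision rules, a PAN regex plus Luhn, and an e-mail regex.
CARD_RE = re.compile(r"\b\d{13,19}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits):
    """Luhn checksum; filters out long numbers that merely look like card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content):
    labels = set()
    if any(luhn_ok(m) for m in CARD_RE.findall(content)):
        labels.add("PCI")
    if EMAIL_RE.search(content):
        labels.add("PII")
    return labels


def discover(files):
    """Collect metadata and entitlements per file and attach classification labels."""
    inventory = {}
    for path, (owner, readers, content) in files.items():
        labels = classify(content)
        inventory[path] = {
            "owner": owner,
            "readers": set(readers),
            "labels": labels,
            # Sensitive content readable by a broad group is an entitlement finding.
            "overexposed": bool(labels) and bool(readers & BROAD_GROUPS),
        }
    return inventory


# --- Monitoring: policy = (label, groups allowed to touch it, action when violated).
POLICY = [("PCI", {"finance"}, "block"), ("PII", {"hr"}, "alert")]


def evaluate(inventory, events, policy=POLICY):
    """events: (user, user_groups, path, operation). Returns (user, path, decision) per event."""
    decisions = []
    for user, groups, path, _op in events:
        labels = inventory.get(path, {}).get("labels", set())
        decision = "allow"
        for label, allowed, action in policy:
            if label in labels and not (set(groups) & allowed):
                decision = action
                if action == "block":     # block outranks alert
                    break
        decisions.append((user, path, decision))
    return decisions


ACCESS_EVENTS = [   # constructed
    ("jane", {"finance"}, "/srv/share/finance/cards_q3.csv", "read"),
    ("bob",  {"staff"},   "/srv/share/finance/cards_q3.csv", "read"),
    ("bob",  {"staff"},   "/srv/share/hr/contacts.txt", "read"),
    ("bob",  {"staff"},   "/srv/share/public/readme.txt", "read"),
]

if __name__ == "__main__":
    inv = discover(FILES)
    for p, meta in inv.items():
        print(p, sorted(meta["labels"]), "OVEREXPOSED" if meta["overexposed"] else "")
    for d in evaluate(inv, ACCESS_EVENTS):
        print(d)
```

The Luhn step is what keeps the order-id line in notes.txt out of the PCI bucket; without it any 16-digit number would be classified as a card. The "overexposed" flag is the discovery-stage output a practitioner acts on before any access happens, while evaluate() is the monitoring stage that produces the real-time alert or block the page describes.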
