There are many reasons to think the cloud is more secure than on-prem servers, from better data durability to more consistent patch management. Even so, there are many threats to cloud security that businesses should address, and cloud-based malware is one of them.
Indeed, while cloud environments are generally more resilient to cyberthreats than on-prem infrastructure, malware delivered over the cloud increased by 68% in early 2021 — opening the door for a variety of different cyber attacks.
But you might be asking yourself: Doesn’t my cloud provider take care of all of that cloud-based malware? Yes and no.
Your cloud provider will protect your cloud infrastructure in some areas, but under the shared responsibility model, your business is responsible for handling many security threats, incidents, responses, and more. That means, in the case of a cloud-based malware attack, you need to have a game plan ready.
In this post, we’ll cover four ways you can help secure your business against cloud-based malware.
What ways can malware enter the cloud?
One of the main known ways malware can enter the cloud is through a malware injection attack. In a malware injection attack, a hacker attempts to inject a malicious service, code, or even virtual machines into the cloud system.
The two most common malware injection attacks are SQL injection attacks, which target vulnerable SQL servers in the cloud infrastructure, and cross-site scripting attacks, which execute malicious scripts on victim web browsers. Both attacks can be used to steal data or eavesdrop in the cloud.
Malware can also get into the cloud through file uploads.
Most cloud storage providers today feature file-syncing, which is when files on your local devices are automatically uploaded to the cloud as they’re modified. So, if you download a malicious file on your local device, there’s a route from there to your business’ cloud — where it can access, infect, and encrypt company data.
In fact, malware delivered through cloud storage apps such as Microsoft OneDrive, Google Drive, and Box accounted for 69% of cloud malware downloads in 2021.
Four best practices to prevent cloud-based malware
1. Fix the holes in your cloud security
As we covered in our post on cloud data breaches, there are multiple weak points that hackers use to infiltrate cloud environments — and once they find a way into your cloud, they can drop cloud-based malware such as cryptominers and ransomware.
Fixing the holes in your cloud security should be considered one of your first lines of defense against cloud-based malware. Here are three best practices:
- Have strong identity and access management (IAM) policies: IAM misconfigurations cause 65% of detected cloud data breaches.
- Properly configure your public APIs: Researchers have found that two-thirds of cloud data breaches were caused by misconfigured APIs.
- Set up your cloud storage correctly: This is relevant if your cloud storage is provided as Infrastructure-as-a-Service (like Google Cloud Storage or Microsoft Azure Cloud Storage). By not correctly setting up your cloud storage, you risk becoming one of many companies that suffer a cloud data breach due to a misconfiguration.
2. Protect your endpoints to detect and remediate malware before it can enter the cloud
Let’s say you’re the average small to mid-sized company with up to 750 total endpoints (including all company servers, employee computers, and mobile devices). Let’s also say that a good chunk of these endpoints are connected to the cloud in some way — via Microsoft OneDrive, for example.
At any time, any one of these hundreds of endpoints can become infected with malware. And if you can’t detect and remediate the malware as soon as an endpoint gets infected, there’s a chance it can sync to OneDrive — where it can infect more files.
This is why endpoint detection and response is a great “second line of defense” against cloud-based malware.
Three features of endpoint detection and response that can help track and get rid of malware include:
- Suspicious activity monitoring: EDR constantly monitors endpoints, creating a “haystack of data” that can be analyzed to pinpoint any Indicators of Compromise (IoCs).
- Attack isolation: EDR prevents lateral movement of an attack by allowing isolation of a network segment, of a single device, or of a process on the device.
- Incident response: EDR can map system changes associated with the malware, thoroughly remove the infection, and return the endpoints to a healthy state.
3. Use a second-opinion cloud storage scanner to detect cloud-based malware
Even if you have fixed all the holes in your cloud security and use a top-notch EDR product, the reality is that malware can still make it through to the cloud — and that’s why regular cloud storage scanning is so important.
No matter what cloud storage service you use, you likely store a lot of data: a mid-sized company can easily have over 40TB of data stored in the form of millions of files.
Needless to say, it can be difficult to monitor and control all the activity in and out of cloud storage repositories, making it easy for malware to hide in the noise as it makes its way to the cloud. That’s where cloud storage scanning comes in.
Cloud storage scanning is exactly what it sounds like: it’s a way to scan for malware in cloud storage apps like Box, Google Drive, and OneDrive. And while most cloud storage apps have malware-scanning capabilities, it’s important to have a second-opinion scanner as well.
A second-opinion cloud storage scanner is a great second line of defense for cloud storage because it’s very possible that your main scanner will fail to detect a cloud-based malware infection that your second-opinion one catches.
4. Have a data backup strategy in place
The worst-case scenario: You’ve properly configured your cloud, secured all your endpoints, and regularly scan your cloud storage, yet cloud-based malware still manages to slip past your defenses and encrypt all your files.
You should have a data backup strategy in place for exactly this kind of ransomware scenario.
When it comes to ransomware attacks in the cloud — which can cause businesses to lose critical or sensitive data — a data backup strategy is your best chance at recovering the lost files.
There are several important things to consider when implementing a data backup strategy, according to the Cybersecurity and Infrastructure Security Agency (CISA) recommendations. In particular, CISA recommends using the 3-2-1 strategy.
The 3-2-1 strategy means that, for every file, you keep:
- One on a workstation, stored locally for editing or on a local server, for ease of access.
- One stored on a cloud backup solution.
- One stored on long-term storage such as a drive array, replicated offsite, or even an old-school tape drive.
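An added example, not part of the original post or of any CISA or Malwarebytes tooling: a Python audit that checks each file's three copies against a known-good hash and reports whether an unmodified backup copy survives. The tier labels, the manifest, and the sample data are constructed for illustration, and the in-memory `stores` dict stands in for reading each storage location.

```python
import hashlib

# Assumed labels for the three copies listed above (not names from the post).
TIERS = ("local", "cloud_backup", "long_term")

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit_backups(manifest, stores):
    """Check every copy of every file against its known-good hash.

    manifest: {path: SHA-256 recorded when the file was last backed up}
    stores:   {tier: {path: bytes}}, standing in for each storage location
    Returns {path: {"missing": [...], "changed": [...], "restorable": bool}}.
    """
    report = {}
    for path, good_hash in manifest.items():
        missing, changed, intact = [], [], []
        for tier in TIERS:
            data = stores.get(tier, {}).get(path)
            if data is None:
                missing.append(tier)
            elif sha256(data) != good_hash:
                changed.append(tier)
            else:
                intact.append(tier)
        # Recovery needs an intact copy outside the workstation, because the
        # workstation copy is the first one an infection or an edit changes.
        restorable = any(tier != "local" for tier in intact)
        report[path] = {"missing": missing, "changed": changed,
                        "restorable": restorable}
    return report

# Constructed sample data: file sync has pushed encrypted files to the cloud copy.
ORIGINAL = {"finance/q3.csv": b"region,revenue\nemea,1200\n",
            "hr/roster.txt": b"alice\nbob\n"}
MANIFEST = {path: sha256(data) for path, data in ORIGINAL.items()}
ENCRYPTED = bytes(range(200, 232))  # stand-in for ransomware-encrypted content
STORES = {
    "local": {path: ENCRYPTED for path in ORIGINAL},
    "cloud_backup": {path: ENCRYPTED for path in ORIGINAL},
    "long_term": {"finance/q3.csv": ORIGINAL["finance/q3.csv"]},  # roster never archived
}

if __name__ == "__main__":
    for path, result in audit_backups(MANIFEST, STORES).items():
        print(path, result)
```

A file that reports `restorable: False` has no clean copy left outside the workstation, which is the gap the long-term copy is meant to close.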
Prevent cloud-based malware from getting a hold on your organization
Cloud-based malware is one of many threats to cloud security that businesses should address, and since cloud providers operate under a shared responsibility model, you need to have a game plan ready in the case of a cloud-based malware attack. In this article, we outlined how malware can enter the cloud and four things you can do to better secure your business against it.
Interested in reading about real-life examples of cloud-based malware? Read the case study of how a business used Malwarebytes to help eliminate cloud-based threats.