Don’t Get Into Cloud with Just Anybody

The first users to embrace and benefit from cloud computing were malicious botnet operators.  Consider some of the cloud innovations attributed to botnet implementers:

  • Created controls to keep an inventory of their computing resources, including system type, location, processing speed, network bandwidth, storage, and the status of applications.
  • Created methods to manage applications on machines both singularly and in large numbers. Early versions of this command and control utilized Internet Relay Chat (IRC) as the means of communicating this information. The technology has continued to advance and complex P2P protocols and HTTP-based means are also used.
  • Made use of multiple protocols, servers, and techniques to help manage a variety of attributes including robustness from take-down efforts, traceability, and forensic investigation.
  • Created numerous methods to rapidly add new computing resources. Unfortunately, this is done by propagating malware that steals access to computer and network resources. Methods such as network exploits (à la worms), application exploits (à la browser and reader exploits), and deception (malware links in emails) are used.
  • Created methods to run applications in the background. Often, these applications are not only imperceptible to the co-host (i.e. legitimate owner) of the infected computer, but the malware often goes undetected by anti-virus tools.
  • Created numerous methods of monetizing these resources through illegal acts such as DDoS attack extortion, the flooding of email accounts with spam advertisements, identity theft, bank fraud, sale and distribution of pirated media content, and even the leasing of botnet/computing resources to third parties.

Botnet operators were also early adopters in terms of purchasing cloud computing resources. Early providers of leased computing services on the Internet have long been attractive to botnet operators for their command and control functions. More advanced attackers use drop servers to help hide the ultimate destination of stolen data. Key attributes that botnet operators seek are agility (the ability to set up server functions quickly and to move them around the Internet) and anonymity (the ability to pay for resources without significant interaction). This helps them evade detection and maintain robustness in their command and control with minimal interference and traceability.

A cloud services provider may be perfectly legitimate and may have security protections that detect viruses and enforce security policy. But these measures are primarily there to protect you from common external attacks or to assure you that you're not infected. The primary means of protecting against sharing public cloud computing with the "bad guys" is accountability. It's important that the cloud provider know who it's selling to and ensure there is a means to seek recourse if any customers are adversely affected.

Here are some questions to consider when choosing a public cloud provider:

  • Does the cloud provider ensure that they know exactly who is paying them for services and that credit card purchases are not being made using stolen credit card information?
  • Does the cloud provider maintain sufficient validation to ensure that the contact information of its customers, including phone numbers and street addresses, is accurate and current?
  • Does the cloud provider perform a reputation check on purchasing organizations to ensure they don’t have a reputation for malicious or suspect behavior?
  • Does the cloud provider have a good relationship with its network service provider? One that ensures that reported abuse issues are addressed promptly?
  • Does the cloud provider cooperate with law enforcement when and if abuses are discovered?

(Hybrid cloud computing and private cloud computing provide additional protections to those furnished by public cloud computing, but they almost always do so at a higher cost.)

Given that you run a legitimate business or are a consumer in good standing, you may wonder why this is important to you. I’ll tell you why: If your cloud provider does not provide proper checks to certify the legitimacy of its customers, you may find yourself sharing cloud infrastructure with criminals. Most likely, the infrastructure will include a common ISP and network equipment.  You may also end up sharing common server hardware and an IP address. A malicious co-resident may be interested in finding ways to get to your information. Additionally, if a co-resident user is discovered performing malicious activities on the Internet, network providers may take action by blocking activity to and from the IP address—your IP address. The one you’re unknowingly sharing with a criminal.
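One practical check that follows from the shared-address risk above is to look up the reputation of the IP address a cloud provider assigns you before you depend on it. The following is an added example, not code from the original post or from AT&T; it builds the reversed-octet query name that DNS-based blocklists (DNSBLs) expect per RFC 5782 and interprets the answer. The zone name `dnsbl.invalid` is a placeholder (the `.invalid` TLD is reserved and never resolves); substitute the blocklist your provider or abuse desk recommends.

```python
import ipaddress
import socket
from typing import Optional

# Placeholder zone, not a real blocklist: .invalid is reserved by RFC 2606
# and is guaranteed not to resolve. Replace with a real DNSBL zone in use.
DEFAULT_ZONE = "dnsbl.invalid"


def dnsbl_query_name(ip: str, zone: str = DEFAULT_ZONE) -> str:
    """Build the DNSBL lookup name for an address (RFC 5782 convention).

    IPv4 192.0.2.10 against zone Z becomes 10.2.0.192.Z; IPv6 uses
    reversed hex nibbles, the same layout as ip6.arpa reverse names.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def interpret_answer(answer: Optional[str]) -> str:
    """Map the A-record answer (or None for NXDOMAIN) to a status.

    DNSBLs signal a listing with an address in 127.0.0.0/8; an answer
    outside that range means wildcard DNS or a misbehaving resolver.
    """
    if answer is None:
        return "clean"
    if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
        return "listed"
    return "unknown"


def check_ip(ip: str, zone: str = DEFAULT_ZONE) -> str:
    """Query one address against one zone using only the stdlib resolver."""
    name = dnsbl_query_name(ip, zone)
    try:
        answer = socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_NONAME:
            return "clean"   # NXDOMAIN: the address is not listed
        return "unknown"     # resolver unreachable: never assume clean


if __name__ == "__main__":
    # 127.0.0.2 is the conventional "always listed" test address (RFC 5782)
    for probe in ("127.0.0.2", "192.0.2.10"):
        print(probe, check_ip(probe))
```

Treat "unknown" as a failed check rather than a pass, and run the lookup against each blocklist your mail or web traffic is likely to be screened by, since listings are per zone.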

Recently, there’s been a concerted effort to encourage ISPs to take action against botnets, and it’s been suggested that offending customers be disconnected from the Internet. We think it’s best to avoid disrupting service to customers, so AT&T is researching more surgical methods to detect, and thus minimize, malicious behavior on the Internet. However, choosing a cloud provider that avoids hosting bad actors will help ensure that your cloud services continue to work for you.

Brian Rexroad, Executive Director of Threat Analytics, AT&T