MalCon Recap

Netskope

The IEEE International Conference on Malicious and Unwanted Software (MalCon) seeks to bring together people in industry, academia, and government to “understand, anticipate, and create defenses against emerging threats and novel attacks.” The conference, which was held this year at the Nantucket Hotel and Resort, is in its 14th year. This year’s schedule featured 28 papers along with a keynote talk and a CISO panel discussion. 

Netskope’s paper, linked here, covered the history and trends of malware that uses the cloud. This research is closely tied to saasy_boi and previous blogs detailing ways that malware can use the cloud for command and control.

The presentation sought to answer two questions:

  • Why are attackers moving to the cloud instead of using other methods of obfuscation for command and control?
  • How can we stop these command and control channels?

To the first question, we point to our paper, where we detail possible reasons, including the ease of use of many of the APIs associated with cloud services; the scalability and low cost of the resources; and the ability to blend in with trusted network traffic.

In terms of how these threats can be stopped, we specifically discussed data loss prevention use cases, the detection and blocking of unsanctioned SaaS app instances, and the blocking of applications that are not explicitly authorized in the enterprise.

[Full disclosure: the author of this blog is currently a member of the program committee for MalCon, though he was not at the time of attendance.]