To prevent this type of abuse, technology companies are both working to better understand how and why their services are being abused and making it more difficult for threat actors to abuse them.
Many organizations monitor their platforms for anomalous behavior that could potentially be associated with malicious campaigns. Ryan Orsi, AWS’s global head of Cloud Foundational Partners for Security, said that everything stems back to patterns for user account behaviors.
“Once a legitimate use pattern emerges for a user, then higher-level patterns also emerge at the team, department, business unit, and ultimately company levels as well,” said Orsi. “Everything begins with the user identity. These legitimate usage and access patterns are based upon the user object and their legitimate identity which in turn determines access the user is granted to various IT and SaaS resources. Anomalous usage or access behavior of legitimate internet services can then be detected and surfaced for investigation or potentially immediate remediation including access removal.”
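The tiered, identity-based detection Orsi describes (a per-user baseline, a team-level baseline above it, and an outcome of either investigation or access removal) can be sketched as a small triage routine. The following is an added illustration, not code from AWS or from the article; the access records, resource names and the 3x volume threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed baseline-window access records: (user, team, resource).
BASELINE_EVENTS = [
    ("alice", "finance", "ledger-db"), ("alice", "finance", "ledger-db"),
    ("alice", "finance", "payroll-docs"),
    ("bob", "finance", "ledger-db"),
    ("carol", "eng", "source-repo"), ("carol", "eng", "ci-pipeline"),
    ("dave", "eng", "source-repo"),
]


def build_baselines(events):
    """Derive the per-user and per-team resource patterns from a baseline window,
    plus per-(user, resource) access counts for volume comparison."""
    user_res, team_res, counts = defaultdict(set), defaultdict(set), Counter()
    for user, team, resource in events:
        user_res[user].add(resource)   # the user's own legitimate pattern
        team_res[team].add(resource)   # the higher-level pattern at team scope
        counts[(user, resource)] += 1
    return {"user": user_res, "team": team_res, "counts": counts}


def classify(user, team, resource, new_count, baselines, volume_factor=3):
    """Escalation tiers: 'normal' (within the user's pattern and volume),
    'investigate' (new for the user but established for the team, or a volume
    spike on a known resource), 'remediate' (outside both user and team
    patterns: a candidate for access removal). volume_factor is an assumption."""
    if resource in baselines["user"].get(user, set()):
        if new_count > volume_factor * baselines["counts"][(user, resource)]:
            return "investigate"
        return "normal"
    if resource in baselines["team"].get(team, set()):
        return "investigate"
    return "remediate"


def triage(new_events, baselines):
    """Aggregate a new window of (user, team, resource) events and bucket each
    distinct (user, resource) pair by verdict so a runbook can act per bucket."""
    buckets = defaultdict(list)
    for (user, team, resource), n in Counter(new_events).items():
        buckets[classify(user, team, resource, n, baselines)].append((user, resource))
    return dict(buckets)


if __name__ == "__main__":
    base = build_baselines(BASELINE_EVENTS)
    window = [("alice", "finance", "ledger-db")] * 7 + [
        ("bob", "finance", "payroll-docs"), ("carol", "eng", "source-repo"),
        ("dave", "eng", "payroll-docs")]
    for verdict, pairs in triage(window, base).items():
        print(verdict, pairs)
```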
After detection, several triage measures are typically in place, and companies will usually suspend associated malicious accounts and alert impacted end users. Google’s cybercrime investigation group in 2021 announced it had made sweeping account disablements in order to disrupt malicious activity from the Glupteba botnet, for instance, terminating millions of Google Docs, as well as Google Accounts, Cloud Projects, and Google Ads accounts that were being misused as part of the botnet’s distribution. And Microsoft last year announced it had suspended 20 malicious OneDrive applications associated with an operational group based in Lebanon.
Organizations may take a number of related measures, such as filing abuse reports with domain hosts, publishing indicators of compromise so that end users and security teams can better understand the malicious activity, and notifying the broader public about it. However, the level of triage comes down to the resources that a company has, said Orsi.
“It’s simply zero percent effective to detect these events if no action, either human or automation, takes place afterward,” said Orsi. “For some organizations, keeping up with responding to security events can outpace their security staffing levels depending on the company’s comfortability level with an automated response via codified runbooks.”