Dive Brief:
- More than 86,600 newly-registered domain names (NRD) are considered "risky" or "malicious," according to analysis of 1.2 million NRDs between March 9 and April 26 by Palo Alto Networks' Unit 42. Unit 42 estimates nearly 2,000 COVID-19-themed domains are created daily.
- More than 56,200 NRDs were hosted by Amazon Web Services, Google Cloud Platform, Microsoft Azure and Alibaba. AWS hosted the most, accounting for about 70% of malicious NRDs.
- Unit 42 found some domains "resolve to multiple IP addresses," resulting in "many-to-many mapping." Content delivery networks used in cloud environments enable the mapping, which can render IP-based firewalls "ineffective," according to the research.
Dive Insight:
The cloud forced organizations to reevaluate the firewalls of yesteryear. But during the coronavirus pandemic, malicious actors are taking advantage of reliance on the cloud and security loopholes.
Only the "next-gen" firewalls have the ability to adequately "ingest" threat intelligence and react accordingly, Jay Chen, senior cloud vulnerability and exploit researcher for Unit 42 at Palo Alto Networks, told CIO Dive.
Security in the cloud is shared between the service provider and the customers, but there are inherent limitations. And if an incident occurs, short of a bad actor accessing a vendor's infrastructure, the responsibility falls on the customer.
"Users just want their cloud application to work but don't have much time and knowledge to secure the applications," according to Chen.
Unit 42 only found 5% of malicious NRDs on the public cloud, an indication that cloud providers are "doing a lot already" to mitigate threats, said Chen. If cloud providers are performing sufficient monitoring and screening, bad actors are "less willing to host malicious domains in public."
The threat of NRDs is amplified by a remote workforce, depending on whether or not an employee is using a company device or accessing data.
"If, for instance, someone was to try and purchase face masks for their remote employees with a corporate credit card on a malicious site, attackers would have all the details of that corporate card," said Chen.
There are fewer security controls in an employee's home compared to an office. "The protection from the enterprise firewall and active directory group will no longer work at home," according to Chen. Cloud-enabled security measures extend to remote workers.
If a company, for whatever reason, doesn't have cloud security they should implement alterative measures, including:
-
Least privilege access
-
Frequent updates to logging and patches