Office 365 Threats and Inversion of the Corporate Network

Written by Oliver Tavakoli, CTO, Vectra AI

2020 presented a tidal wave of challenges for businesses in every sector — from healthcare to hospitality to aviation. Every organization was forced to adapt some aspect of its strategy, whether by reducing spending, cutting staff, madly hiring, or changing operating models.

While the impact the 2020 COVID-19 pandemic had on the technology industry lags in comparison to other sectors, there was still a significant amount of change. Many organizations were forced to implement and accelerate digital transformation initiatives to cater to a rapidly deployed remote workforce.

Organizations that had invested heavily in developing and creating robust on-premises security architectures had to significantly transform and update their security strategy to protect against threats on assets used outside of office walls. In fact, one of the biggest security realizations and lessons learned in 2020 is that the security of protecting an employee’s device, interaction with the internet, and access to corporate applications must be able to travel with them, independent of where they happen to be at a given point in time.

As a direct result of accelerated work-from-home initiatives, the adoption and daily use of cloud and SaaS (software-as-a-service) applications surged in 2020, presenting many new threats. Attacks that target SaaS and cloud user accounts were among the fastest-growing and most prevalent problems for organizations, even before COVID-19 forced the vast and rapid shift to remote work.

With organizations having increased their cloud software usage, applications such as Office 365 dominated the productivity space. The Office 365 platform experienced more than 250 million active users each month and became the foundation of enterprise data sharing, storage, and communication – also making it an incredibly rich treasure trove for attackers.

It was no surprise then that Office 365 became the focus of attackers in 2020, leading to some massive financial and reputational losses, despite the increased adoption of multifactor authentication and other security controls intended to serve as roadblocks to attackers. Among the breaches involving Office 365, account takeovers were the fastest growing and most prevalent attacker technique.

Attackers now focus on account takeovers rather than email compromise to gain initial access in an environment. According to a recent study, lateral movement is the most common category of suspicious behavior inside Office 365 environments, closely followed by attempts to establish command-and-control communication. Two Office 365 tools that have emerged as valuable to attackers are Power Automate and eDiscovery Compliance Search.

Microsoft Power Automate, formerly Microsoft Flow, automates day-to-day user tasks in both Office 365 and Azure and is enabled by default in all Office 365 tenants. It can reduce time and effort to accomplish certain tasks for users – but similar to PowerShell, attackers tend to want to automate tasks as well. With over 350 application connectors available, the options for cyberattackers who use Power Automate are vast. Office 365 eDiscovery Compliance Search enables the search for information across all Office 365 content using one simple command. All these techniques are actively used now, and they are frequently used together across the attack lifecycle.

The number of threats targeted towards Office 365 users and other similar platforms will undoubtedly continue to grow in 2021. Identifying user access misuse has traditionally been tackled using prevention-based, policy-centric approaches, or has relied on alerts that identified potential threats as they occurred, leaving little time to respond appropriately. These legacy approaches will continue to fail because they only show that an approved account is being used to access resources; they provide no deeper insight into how or why resources are being used, or whether the observed behavior might be useful to an attacker.

In 2021, security teams must focus on implementing measures that provide a more detailed overview of how their users utilize privileged actions — known as an observed privilege — within SaaS applications like Office 365. This translates into understanding how users access Office 365 resources and from where. It is about understanding the usage patterns and behaviors, not defining static access policies.
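As an added example of the observed-privilege monitoring this section describes (my own code, not the article's or Vectra's), the following Python detector walks constructed Office 365 Unified Audit Log records and flags the two tools named above, Power Automate flow creation and eDiscovery compliance search creation, together with activity from a source IP outside a user's learned baseline. The field and operation names (CreationTime, UserId, Operation, ClientIP, CreateFlow, SearchCreated) are assumptions about the audit log schema, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Operations the article singles out as attacker-valuable (assumed UAL operation names).
WATCHED_OPERATIONS = {
    "CreateFlow": "Power Automate flow created",
    "SearchCreated": "eDiscovery compliance search created",
}

# Constructed sample records, one JSON object per line (not real tenant data).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2021-01-04T08:02:11", "UserId": "alice@contoso.example",
     "Operation": "FileAccessed", "Workload": "SharePoint", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2021-01-04T08:15:40", "UserId": "alice@contoso.example",
     "Operation": "MailItemsAccessed", "Workload": "Exchange", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2021-01-05T09:01:03", "UserId": "alice@contoso.example",
     "Operation": "FileAccessed", "Workload": "SharePoint", "ClientIP": "203.0.113.10"},
    {"CreationTime": "2021-01-06T02:47:19", "UserId": "alice@contoso.example",
     "Operation": "SearchCreated", "Workload": "SecurityComplianceCenter", "ClientIP": "198.51.100.77"},
    {"CreationTime": "2021-01-06T02:52:05", "UserId": "alice@contoso.example",
     "Operation": "CreateFlow", "Workload": "MicrosoftFlow", "ClientIP": "198.51.100.77"},
    {"CreationTime": "2021-01-06T03:10:00", "UserId": "alice@contoso.example",
     "Operation": "FileAccessed", "Workload": "SharePoint", "ClientIP": "198.51.100.77"},
    {"CreationTime": "2021-01-06T10:00:00", "UserId": "bob@contoso.example",
     "Operation": "CreateFlow", "Workload": "MicrosoftFlow", "ClientIP": "203.0.113.22"},
])

def observed_privilege_alerts(log_text, baseline_events=3):
    """Walk records in time order. A user's first `baseline_events` records define
    their normal source IPs; later activity from an unseen IP is flagged (and is
    not added to the baseline), and watched operations are always flagged."""
    records = sorted((json.loads(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["CreationTime"])
    seen_ips, counts, alerts = defaultdict(set), defaultdict(int), []
    for r in records:
        user, ip, op = r["UserId"], r["ClientIP"], r["Operation"]
        counts[user] += 1
        new_ip = counts[user] > baseline_events and ip not in seen_ips[user]
        if op in WATCHED_OPERATIONS:
            alerts.append({"user": user, "time": r["CreationTime"], "ip": ip,
                           "reason": WATCHED_OPERATIONS[op],
                           "severity": "high" if new_ip else "medium"})
        elif new_ip:
            alerts.append({"user": user, "time": r["CreationTime"], "ip": ip,
                           "reason": "activity from source IP outside baseline",
                           "severity": "low"})
        if not new_ip:
            seen_ips[user].add(ip)
    return alerts
```

The point is the combination: a flow creation from a user's usual location is a medium-severity event worth reviewing, while an eDiscovery search and a flow created minutes apart from an IP the user has never used before is what the article's "how and from where" framing is meant to surface.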

The importance of keeping a watchful eye on the misuse of user access to SaaS data cannot be overstated, given its prevalence in real-world attacks. SaaS platforms are a haven for attacker lateral movement, making it paramount to monitor users’ access to accounts and services.

As we look ahead to 2021, what are some of the other security considerations organizations should prepare for? The inversion of the corporate network will remain predominant as many enterprises around the world focus on adopting a more permanent hybrid or completely remote work structure to increase productivity, reduce overhead, and provide employees with better flexibility. It is no longer the case that highly sensitive and confidential data is only kept on-premises, where a small number of exceptions are made in the protective firewall policies to allow for outbound communication.

In 2021, de-perimeterization of the organization’s networks will finally be accepted as the norm, something which has been anticipated for years and that the pandemic has accelerated. One of the leading indicators for this is companies that are ditching Active Directory (on-premises legacy architecture) and moving all their identities to Azure AD (a modern cloud-enabled technology).

One of the best things an organization can do to prepare for the security challenges of 2021 is to invest in network detection and response (NDR) and to deliver user access via a Zero Trust architecture. Enterprises should think about where their most important data is located (most likely in the cloud and SaaS applications) and determine how efficient their security team is at ferreting out attackers from all these places before they do any substantial harm.


Cyber Security

Positive Technologies Study Reveals Successful Cyberattacks Nett 5X Profits


Positive Technologies has released a study on the dark web market, analysing prices for illegal cybersecurity services and products, as well as the costs incurred by cybercriminals to carry out attacks. The most expensive type of malware is ransomware, with a median cost of $7,500. Zero-day exploits are particularly valuable, often being sold for millions of dollars. However, the net profit from a successful cyberattack can be five times the cost of organizing it.

Experts estimate that performing a popular phishing attack involving ransomware costs novice cybercriminals at least $20,000. First, hackers rent dedicated servers, subscribe to VPN services, and acquire other tools to build a secure and anonymous IT infrastructure to manage the attack. Attackers also need to acquire the source code of malicious software or subscribe to ready-to-use malware, as well as tools for infiltrating the victim’s system and evading detection by security measures. Moreover, cybercriminals can consult with seasoned experts, purchase access to targeted infrastructures and company data, and escalate privileges within a compromised system. Products and tools are readily available for purchase on the dark web, catering to beginners. The darknet also offers leaked malware along with detailed instructions, making it easier for novice cybercriminals to carry out attacks.

Malware is one of the primary tools in a hacker’s arsenal, with 53% of malware-related ads focused on sales. In 19% of all posts, infostealers designed to steal data are offered. Crypters and code obfuscation tools, used to help attackers hide malware from security tools, are featured in 17% of cases. Additionally, loaders are mentioned in 16% of ads. The median cost of these types of malware stands at $400, $70, and $500, respectively. The most expensive malware is ransomware: its median cost is $7,500, with some offers reaching up to $320,000. Ransomware is primarily distributed through affiliate programs, known as Ransomware-as-a-Service (RaaS), where participants in an attack typically receive 70–90% of the ransom. To become a partner, a criminal must make a contribution of 0.05 Bitcoin (approximately $5,000) and have a solid reputation on the dark web.

Another popular attack tool is exploits: 69% of exploit-related ads focus on sales, with zero-day vulnerability posts accounting for 32% of them. In 31% of cases, the cost of exploits exceeds $20,000 and can reach several million dollars. Access to corporate networks is relatively inexpensive, with 72% of such ads focused on sales, and 62% of them priced at under a thousand dollars. Among cybercriminal services, hacks are the most popular option, accounting for 49% of reports. For example, the price for compromising a personal email account starts at $100, while the cost for a corporate account begins at $200.

Dmitry Streltsov, Threat Analyst at Positive Technologies, says, “On dark web marketplaces, prices are typically determined in one of two ways: either sellers set a fixed price, or auctions are held. Auctions are often used for exclusive items, such as zero-day exploits. The platforms facilitating these deals also generate revenue, often through their own escrow services, which hold the buyer’s funds temporarily until the product or service is confirmed as delivered. On many platforms, these escrow services are managed by either administrators or trusted users with strong reputations. In return, they earn at least 4% of the transaction amount, with the forums setting the rates.”

Considering the cost of tools and services on the dark web, along with the median ransom amount, cybercriminals can achieve a net profit of $100,000–$130,000 from a successful attack—five times the cost of their preparation. For a company, such an incident can result not only in ransom costs but also in massive financial losses due to disrupted business processes. For example, in 2024, due to a ransomware attack, servers of CDK Global were down for two weeks. The company paid cybercriminals $25 million, while the financial losses of dealers due to system downtime exceeded $600 million.


Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.