Poor identity controls allow attackers to exploit Office 365 (Image Credit: Romain V on Unsplash)

Poor identity and privilege access controls are causing problems across SaaS environments. They allow users more access than they need, especially with applications such as Office 365. For attackers, this is good news. It means that once they compromise one user, they can move laterally through an organisation. Additionally, they are taking advantage of other tools to live off the land and remain difficult to detect. These are just some of the findings in the latest Vectra AI report, The 2020 Spotlight Report on Office 365 (registration required).

What makes Office 365 attractive to cybercriminals is that it is a single gateway to multiple applications. Organisations use it to create, manage and store data and to enable collaboration between employees and partners.

Chris Morales, Head of Security Analytics, Vectra AI

According to Chris Morales, head of security analytics at Vectra: “Within the new work-from-home paradigm, user account takeover in Office 365 is the most effective way for an attacker to move laterally inside an organisation’s network.

“We expect this trend to magnify in the months ahead. Attackers will continue to exploit human behaviours, social engineering, and identity theft to establish a foothold and to steal data in every type of organisation.”

Some key numbers from the report

The report is fairly short and draws on an examination of over 4 million Office 365 accounts. It contains numbers that will worry CISOs and CIOs. For example:

  • 96% had signs of lateral movement behaviour
  • 73% showed evidence of data exfiltration
  • 71% exhibited suspicious Office 365 Power Automate behaviours
  • 69% had Office 365 redundant account creation
  • 58% showed signs of suspicious SharePoint operations
  • 56% of customers exhibited evidence of reconnaissance
  • 56% of customers exhibited evidence of eDiscovery

Vectra also mapped the behaviours it detected to the MITRE ATT&CK framework. The result was 12 different hits, ranging from lateral movement and reconnaissance to data exfiltration and command and control. All of this reinforces the issues and should raise red flags for anyone with a large Office 365 environment.

What did Vectra have to say about the report?

To get a deeper understanding of what Vectra discovered, Enterprise Times talked to Matt Walmsley, Head of EMEA Marketing at Vectra. We began by asking why Vectra was looking at Office 365.

Matt Walmsley, EMEA Director at Vectra (Image Credit: LinkedIn)

Walmsley replied: “Given the unsurprising pivot to increase remote working, we’re seeing people connecting to their productivity tools like Office 365 directly. They are not coming in via the network anymore. For advanced attackers, trying not only to penetrate an organisation but actually move laterally, it’s really hard.

“If you’re a home worker and I compromise your laptop, it’s really hard for me to pivot from your laptop to one of your colleagues because you’re not on the network. You’re a remote worker. However, you are all connecting to share productivity tools like Office 365.”

How are they compromising organisations?

“They’re trying to do that through identities in Office 365. When people were in the office, we knew people were trying to phish and compromise them to get in. Now they are doing internal phishing, to do lateral movement, privilege escalation and reconnaissance behaviours.”

Lateral movement is not a new problem, nor is the use of shared repositories, be they Box, Dropbox, OneDrive, SharePoint or anything else. If a user uploads an infected document, it becomes available to everyone and is trusted because it is seen as an internal document. The assumption is that it is safe and free from malware. Did you see an increase in infected documents as the source for some of this?

Walmsley commented: “The methodology is right. We use shared repositories, identity becomes a proxy for trust, I trust you, I know you, and therefore I trust it. We can’t tell you the point of infection or if they did it as you described.

“What we can say is that behaviour was observed once they’re inside Office 365, and that’s what we picked out as risky. People are logging into Exchange using legitimate admin rights to change mail-forwarding rules. People are doing eDiscovery searches on SharePoint and OneDrive to find out what documents were in there.

“We’re not saying Office 365 is the only place where lateral movement happens. What we’re saying is we’ve found evidence of lateral movement happening to a high degree inside.”

How are they doing this?

“They are setting up some pretty creative automation in terms of attack. They’re using the legitimate tools that are available when you log into Office 365. Client tools like Power Automate, which used to be called Microsoft Flow. It’s a scripting language tool that allows users to automate what they do.

“We found that behaviour because three months ago, we launched Cognito Detect for Office 365. With SaaS products, what we see is identity and what those identities are doing in terms of using services. That’s what Cognito Detect looks for. This report is the result of the first 90 days and looking at around 4 million accounts.”

If they are using stolen credentials, why is this not being spotted? If users were in the office and connecting randomly to servers or connecting out of hours, we’d pick up that behaviour. Can we not provide fixed IP addresses to users at home? Are customers looking to tie users down so that they can get some of that visibility back?

Walmsley said: “I’ve not seen people in our customer base looking at trying to tie down static IP addresses for remote workers as a way of trying to lock down their identity. When this started, we did see this big pivot to using VPN. The problem was not just licencing but also pure bandwidth. Customers have seen 10 times, 50 times increase in their VPN bandwidth and have turned on split tunnelling to reduce that.”

Mapping to the MITRE ATT&CK framework

The report maps the behaviours to the MITRE ATT&CK framework. For large organisations with well-trained security teams, this makes sense. How do you put that in terms that smaller businesses would understand?

Walmsley commented: “For every detection behaviour, like risky Exchange operations, we map to a chart with MITRE in our product. You click on Exchange operations, and it tells you what the detection fired on. It tells you the possible causes to investigate and the possible techniques to how you might remediate it.

“We’re putting everything in simple English. We are also starting to put little Spanner videos in here as we add a new capability. It will provide more information and make it easier to see what to do.”

Enterprise Times: What does this mean?

With employees at home using computers, technology and even software not owned by the business, security teams are losing visibility. Even where organisations are standardising on software, understanding who is using it and how is becoming obscured. The problem with obscurity is that it helps the cybercriminal. They can use it to hide, to develop attacks and, ultimately, to steal information.

What is of real concern here is that the attacks are often using tools you would expect to see. eDiscovery, automation, PowerShell and other workflow tools are growing in use. Users are taking advantage of what they offer, but so are the cybercriminals. It means that security teams have to develop new ways of detecting and remediating attacks. Walmsley believes that this is only going to happen through the use of better identity and behaviour management.

For now, IT departments need to pay much more attention to what is going on in collaborative spaces. Is there lateral movement? Are new accounts being created without details of why they were created and who created them? Deploy least privilege to reduce the risk of an attacker getting admin rights. Make credential attacks harder by having sensible retry limits for passwords, and deploy multi-factor authentication.
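Two of the behaviours the report singles out, mail-forwarding changes made with legitimate Exchange rights and redundant account creation, can be picked out of the Office 365 unified audit log. The following is an added illustration written for this article, not Vectra's code: it runs over a handful of constructed records that imitate the log's Operation, Workload and Parameters fields (a simplified schema assumed here), flags forwarding to addresses outside the organisation's own domain, and lists actors who show more than one kind of finding.

```python
# Constructed sample records modelled on Office 365 unified audit log entries
# (Operation / Workload / Parameters fields); hypothetical, not real tenant data.
SAMPLE_RECORDS = [
    {"Workload": "Exchange", "UserId": "alice@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "tidy"}, {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"Workload": "Exchange", "UserId": "admin@example.com", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "Identity", "Value": "bob"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@external.example"}]},
    {"Workload": "Exchange", "UserId": "carol@example.com", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "x@external.example"}]},
    {"Workload": "AzureActiveDirectory", "UserId": "carol@example.com", "Operation": "Add user.",
     "ObjectId": "svc-backup2@example.com"},
]

# Exchange parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

def parameters(record):
    """Flatten the record's Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}

def is_external(address, internal_domain):
    """True when a forwarding target lies outside the organisation's own domain."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[len("smtp:"):]
    return not addr.endswith("@" + internal_domain.lower())

def find_risky(records, internal_domain):
    """Return (actor, finding, detail) tuples, in log order, for external forwarding and new accounts."""
    findings = []
    for r in records:
        p = parameters(r)
        if r["Workload"] == "Exchange" and r["Operation"] in RULE_OPERATIONS:
            external = [p[k] for k in FORWARDING_PARAMS
                        if k in p and is_external(p[k], internal_domain)]
            if external:
                findings.append((r["UserId"], "external-forwarding", external[0]))
        elif r["Operation"] == "Add user.":
            findings.append((r["UserId"], "account-created", r["ObjectId"]))
    return findings

def actors_to_review(findings):
    """Actors with more than one finding type, e.g. forwarding plus account creation."""
    kinds = {}
    for actor, kind, _ in findings:
        kinds.setdefault(actor, set()).add(kind)
    return sorted(a for a, k in kinds.items() if len(k) > 1)
```

Against the sample records, the benign rule that only moves mail is ignored, the two external forwarding changes and the new account are reported, and carol is the one actor whose activity combines more than one finding type.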
