Max Heinemeyer is the Director of Threat Hunting at Darktrace
It’s no secret that collaboration is the bedrock of business. In fact, a Stanford University study demonstrated that merely priming employees to act in a collaborative fashion — without changing their environment or workflow — makes them more engaged, more persistent, more successful, and less fatigued.
To digitally optimize this biologically ingrained capacity for teamwork, businesses the world over have adopted Software as a Service (SaaS) applications that facilitate the sharing of information between multiple users. Run via centralised, cloud-hosted data center rather than on local hardware, such applications offer financial and technical benefits to companies of all sizes, from storage savings to reliable connectivity to support speed. Yet it is their collaborative nature that has positioned SaaS software at the heart of the modern enterprise.
At the same time, the interactivity of cloud services renders them an attractive target for advanced cyber-criminals, who can often leverage a single user’s SaaS credentials to compromise dozens of other accounts. And while leading SaaS vendors conform to high security standards, the cyber defenses they employ nonetheless have a common weakness: human error on the customer end. By launching sophisticated attacks like those in the case studies below, today’s threat actors are increasingly gaining access to cloud services through the front door, necessitating a fundamentally different security approach that can detect when credentialed users behave — ever so slightly — out of character.
Darktrace’s latest Cloud Threat Report looked at cloud-based cyber-attacks its customers experienced – and how they were stopped – over the past year, revealing the emerging threats modern workplaces need to be aware of.
Phishing Attack in Office 365
Perhaps the most difficult cloud-based attacks to counter are those that rely on social engineering, since they involve deceiving employees into handing over their credentials and other lucrative information voluntarily. In these cases, artificial intelligence (AI) anomaly detection is the optimal security strategy, as thwarting a social engineering threat before it’s too late means protecting employees from their own mistakes.
While many phishing attacks are launched as indiscriminate ‘drive by’ campaigns, many recent attacks have included targeted email-borne attacks with the markings of a coordinated and sophisticated cyber-crime. In one case, a threat actor had gotten hold of the address book of a US municipality, delivering an attack to recipients alphabetically. While each email was well-crafted and customized to the recipient, the messages all contained a malicious payload hiding behind a button that was variously disguised as a link to Netflix, Amazon, and other trusted services.
AI was able to analyse these hidden links in connection with all Office 365 email traffic and the normal ‘patterns of life’ of the intended recipients in the network. When the first email came through, the AI immediately recognized that neither the recipient nor anyone in his peer group or the rest of the city’s staff had visited that domain before. The AI then instantly raised a high-confidence alert, and suggested autonomously locking each link as it entered the network.
Disgruntled IT Manager
Unlike external threat actors, malicious insiders are often uniquely positioned to evade traditional controls given their privileged access and intimate knowledge of the network. Whether these controls rely on binary detection logic or merely monitor the perimeter, a disaffected employee can often easily bypass static defenses in the cloud and exfiltrate or manipulate critical data without triggering suspicion.
A retailer in the UK decided to restructure its IT department and let a number of employees go. One of the affected employees – an IT manager – downloaded contact details and credit card numbers from the customer database before leaving, secretly transferring them to a home server via one of the company’s regular data transfer services. The IT manager knew that this particular service was not only sanctioned by corporate policies but also cloud-based, and he assumed that the security team would have very limited visibility in this area.
While this subtle activity easily evaded the cloud provider’s native controls, AI detected the threatening behavior within seconds. By continuously learning ‘normal’ for every user and device, the system was able to intelligently correlate highly suspicious connections and downloads from the IT Manager’s device, even though the cloud service was regularly used for legitimate purposes by other employees.
The intelligent system then alerted the security team and provided detailed and precise information about the nature of the compromise, prompting them to revoke his credentials and quickly retrieve and secure the data.
Compromised Credentials in Office 365
Advanced cyber-criminals can steal corporate account credentials in a variety of ways, from social engineering attacks to ‘smart’ malware that combs through traffic and ephemeral cloud assets in search of passwords. And with stolen data readily available to buy and sell on the Dark Web, the frequency and severity of credential theft is increasing year on year.
In one international organisation, an Office 365 account was compromised by bypassing Azure Active Directory’s native controls. While the organisation had offices in every corner of the globe, AI identified a login from an IP address that was historically unusual for that user and her peer group and immediately alerted the security team. Darktrace then alerted to the fact that a new email processing rule, which deletes incoming emails, had been set up on the account. This indicated a clear sign of compromise and the security team was able to lock the account before the attacker could do damage.
When the security team investigated the incident further, they learned that the user had received a phishing email just hours before AI detected the threat. While the company had also deployed Microsoft’s Advanced Threat Protection (ATP) for Office 365, static defenses such as ATP can only spot phishing attacks by correlating links in emails with known malicious addresses, and the phishing link did not appear on the list. This demonstrated the clear limitations of a traditional, more signature-based approach in this area, and the organisation soon deployed autonomous response technology for additional protection in Office 365 given its ability to spot similarly threatening phishing emails without relying on blacklists.
Users remain the weakest link
From social engineering attacks to insider threats to stolen credentials, the risks inherent to SaaS are largely user-dependent. Human error and lack of expertise in organisations deploying cloud assets are the most critical vulnerabilities in the cloud security puzzle. What’s more, organisations are moving to the cloud faster than their capacity to secure them.
To make matters worse, attackers are innovating rapidly and we can expect attacks on the Cloud to get faster and more furious. Take Xbash for example, the recently discovered sophisticated malware family in the wild, which wreaks havoc on Windows and Linux systems with a combination of data destructive ransomware and malicious cryptomining. As the examples above illustrate, the threat is already outpacing human security teams. When it comes to securing the Cloud, this is an arena where we will have to give up control to AI systems, not take it back.
Max Heinemeyer is the Director of Threat Hunting at Darktrace.