The Account Take Over Threat: The Chain

Mark Niemi, Vice President of Cybersecurity Services

The Problem:

It’s been said that a business’s greatest assets are its people. It’s well known that these “assets” are the last layer of defense when it comes to cyberattacks, and the truth is that people make mistakes and will continue to make them.

These errors in judgment don’t always lead to a full-scale data breach where alarms are tripped, the CEO is up at 4 am calling in the National Guard, with digital forensics turning the joint inside out, and employees come in the next day wondering who did it and are just relieved it wasn’t them.

Instead, these lapses in judgment often lead to smaller, silent takeovers that are then used to abuse others: emails to internal staff, external vendors or other business partners to keep reeling in more “phish”. As these attacks spread, they form links in a chain, where each new account takeover is used to produce the next.

Why does this work?

Each new chain link becomes trusted, because the legitimately compromised account is used to take over the next unsuspecting target. The red flags are there: unexpected emails with attachments, links to secure “portals,” or downloads of fake invoices where victims are prompted to log in. What makes these attacks different from a normal phishing email is that the sender is the real email account, so the message flows through whitelists, Bayesian analysis, and other antispam mechanisms. Attackers then use the account’s sent items and contact lists to fire off the next wave to new recipients for compromise.

Typically, we see one or two of these attacks occur before someone catches on and spreads the word. A burst of emails hits multiple people in our organization, and someone usually recognizes this isn’t coming from the “real” person. Then that person or an executive reports the compromised account, and shortly after, the company releases a notice to all recipients: “Hey, we had an issue with that last email. Don’t open it. It’s bad.” But for every organization that makes this announcement, there is likely another that opened the message and, after being informed, can only hope that a new “link” in the chain was stopped.

Breaking the Chain

The controls we put in place for “breaking the chain” depend on the capabilities of our identity management systems (M365, Google, etc.). We need security in place that prevents the takeover, or alerts us, whenever a recipient has a “lapse” in judgment, so we know something is happening.

Currently, most businesses monitor for failed logins and use strong passwords with Multi-Factor Authentication (MFA), but that is no longer enough.

MFA can be bypassed, and when an account is taken over, the login usually shows up in the logs as a success. If we’re only monitoring for failures, it’s missed. That is why we need to shift toward identity boundaries that provide authentication and authorization along the whole path, rather than only monitoring a failed knock at the door.

To help with strengthening this approach, here are some simple controls to layer the path with:

  • Multi-Factor Authentication (MFA) – Provides a major layer of security. It’s a preventative measure that is the staple of identity access control. However, this control can be bypassed easily by logging in to an attacker-owned site or by clicking a link that replays or steals the authenticated session.
  • Conditional Access Policies (CAP) – Conditional access adds another layer of protection with zero trust in mind. It’s a logical control that is preventative. Think “If-Then” statements. If my account is accessed outside of the US, then deny the login. If I use my work computer at work, then I can sign in. If I use my home computer at work, then deny the login. You get the picture.
  • Risk-Based Access Controls (RBAC) – Another preventive control that works much like a CAP. However, this control evaluates location, device security compliance and behavioral characteristics that rate the login as low or high risk. The risk score permits the login and creates an audit trail of why it was rated high or low risk. In some cases, RBAC can trigger a corrective action by locking out high-risk sign-in events (based on conditions, of course).
  • Impossible Travel Flags – Impossible travel is as simple as it sounds. An employee cannot log in from California and immediately log in from Florida with the same device. This detective control (alerts) makes you more aware of access attempts and feeds into the risk-based controls above.
  • Security Operations Center Monitoring (SOC Monitoring) – Login events are difficult for the organization to monitor as is. Using an outsourced or insourced SOC to review security events is another detective control. Based on alerts, the SOC can help you understand normal vs. abnormal activity and identify trends.
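As an added illustration of the impossible-travel control and the point that a takeover looks like a successful login (example code written for this post, not Lasco’s or any identity provider’s), here is a small detector run over a constructed sign-in log; the log format, the 900 km/h plausibility threshold and the 50 km jitter floor are assumptions.

```python
"""Impossible-travel detection over successful sign-in events (constructed sample)."""
from collections import namedtuple
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumed: about commercial air speed; faster is flagged

SignIn = namedtuple("SignIn", "user when lat lon result")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def parse_line(line):
    """Constructed log format (assumed): ISO-timestamp user result latitude longitude."""
    ts, user, result, lat, lon = line.split()
    return SignIn(user, datetime.fromisoformat(ts), float(lat), float(lon), result)

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive *successful* sign-ins by one user that would need travel
    faster than max_kmh. Failures are ignored: a takeover logs as a success."""
    flagged, last_ok = [], {}
    for e in sorted((e for e in events if e.result == "success"), key=lambda e: e.when):
        prev = last_ok.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.when - prev.when).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if km > 50 and kmh > max_kmh:  # 50 km floor ignores geo-IP jitter in one city
                flagged.append((e.user, prev.when, e.when, round(km), round(kmh)))
        last_ok[e.user] = e
    return flagged

# Constructed sample: alice's 08:30 failure is ignored; her 09:15 success from Florida
# 75 minutes after a California success is flagged; bob's NYC->LA trip over 8 h is not.
SAMPLE_LOG = """\
2024-05-01T08:00:00 alice success 37.7749 -122.4194
2024-05-01T08:30:00 alice failure 28.5383 -81.3792
2024-05-01T09:15:00 alice success 28.5383 -81.3792
2024-05-01T09:00:00 bob success 40.7128 -74.0060
2024-05-01T17:00:00 bob success 34.0522 -118.2437
""".splitlines()

if __name__ == "__main__":
    for hit in impossible_travel(parse_line(line) for line in SAMPLE_LOG):
        print("impossible travel:", hit)
```

In a real deployment the latitude/longitude would come from the identity provider’s geo-IP enrichment, and a hit would feed the risk-based controls and the SOC alert queue rather than just print.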

Training

The last piece we’ll end on is a call to action for training. The controls listed above will help in most scenarios. Yes, there are more tools, tricks, and other controls available that I likely didn’t cover. However, the number one most important tool to train your “assets” with is a solid foundation in spotting phishing. This training matters most when all other controls fail and a new chain is starting to form: employees who can spot it quicker will report it faster. For example, if we hadn’t reported phishing in the scenario above, the chain would be endless. So, make sure you highlight the importance of reporting as well as preventing.

Lastly, if you need help starting training or coming up with a focused training plan, please reach out to Lasco today to let us help you break the chain. Call Lasco at 800-800-6197 or email our Cybersecurity department at cysec@lascoinc.com.
