As an administrator, how can you standardize healthy account management at your organization and reduce the risk of account compromise? What configurations and settings point to the presence of a hacker? In this blog, we identify the most common indicators of compromised accounts and recommend short-term and long-term solutions to protecting the integrity of accounts and the data therein.
SaaS credentials have become as valuable as banking credentials because of the access they provide to other applications and data. Moreover, hackers have changed their mentality, shifting from the short-con to the long-con, extracting as much data as possible as quietly as possible before the inevitable detection.
To combat this, attackers tend to log in once and keep the connection alive to avoid multiple login events that might raise suspicion. But depending on the SaaS, existing logins might stay open to the hacker even if they are discovered and the password is changed. Identifying these compromised accounts has become increasingly difficult, and also increasingly vital.
The average person has more accounts than they know what to do with.
With how entwined collaboration and communication have become, it is important to be aware of all the accounts in use at your organization and how they’re set up. Assuming that keeping up with every account—their integrations with other apps, the inevitable permission-granting, and the security surrounding all of that (from actual passwords to multi-factor authentications that protect them)—is really difficult, how can you know if an account is compromised?
Although it is good practice to monitor for things like failed login attempts on new devices, these alerts can get lost in the noise of daily events—like the alerts that Google emails you when you login on a different device than usual, but one you still trust. Even watching for remote international connections has become less effective, now that many attacks proxy their attempts via free VPNs in your geography.
Hacking SaaS accounts is a low-commitment, high-reward operation.
Hackers know that most people constantly feel really busy, and that they have absolutely no idea what total number of accounts they’ve spawned in the world. That’s why finding their way into cloud applications has become a hacker’s priority: experimenting from home, they see what each account looks like on the front and back ends, and can make a coordinated, calculated attack on your coworker, who is sitting in an open floor-plan eating a Kind bar from the office fridge. But beyond being easy, hacking cloud apps just makes sense; the fabric of society—data from businesses, civilians, and the government—is stored in the cloud.
For the sake of this blog, let’s assume that one of your employees has been compromised. One of their fifteen-plus accounts (with all its permissions, auxiliary apps, and integrations) is within the hands of the hacker. Undoubtedly, they have access to company data, some personal information, and maybe even banking credentials. They have adjusted the settings and permissions of the compromised account, potentially affecting other employees higher up the ladder.
What are the signs of a compromised account?
Here are the telltale signs of account compromise, most of which can be found in the settings of the account in question:
1. Notifications for unusual logins.
Logins from new devices, locations, or browsers could indicate a compromised account. If the details associated with the event are unusual, such as a login during sleeping hours, you can immediately assume the account is compromised. It should be a priority for you to have a system that notifies you of unusual logins, rather than relying on users to report.
2. Inability to access the account.
Failed login and password reset messages indicate that an attacker might have reset the password of the account. If this is the case, double check to see if MFA is enabled. Many attackers immediately disable MFA to silence the event notifications indicating their suspicious activity. (By now, it ought to be widely accepted that MFA should always be enforced.)
3. Insecure configurations and permissions.
Attackers cover their tracks by altering email settings, of which there are too many to keep track. Assuming that a hacker has access to an employee’s Office 365 credentials, they can adjust email forwarding rules to send mail to an external address, or mute their activity by deleting all incoming mail.
They can create new folders with inconspicuous names like “Reminders” to use as their new inbox within the compromised account—what we call the Alternate Inbox attack method. Even if the compromised employee noticed the new folder in their account, they might infer that the folder was added in one of many overnight updates.
4. Unusual inbox activity.
For email account compromise, be alert for suspicious internal emails with multiple recipients in the trash folder and sent folder, or emails that seem out of character. Hackers may be sending emails with a comically long list of employees in the BCC field to better their odds of compromising another inbox. This attack signature is usually accompanied by changes in contact groupings, such as emails with a high BCC count, groups with mixed roles, and conversations between people of who usually do not communicate.
5. Shadow IT.
Once a hacker has accessed an account, they can connect other applications to extend the reach of their attack. To combat this, create a known list of approved applications, monitor their permissions, and receive notifications for each time a user installs. A lone Shadow IT app could expose your organization to threats (and potentially further compromise.)
If you want to prevent account compromise, encourage your organization to develop a sense of “accountability.”
As a general rule, make sure that the following symptoms of insecure accounts are treated:
Excessive permissions for app integrations
Unnecessary or out-of-use accounts
Insecure inbox configurations
Risky data access rules in apps
Password redundancies in different accounts
To reduce the risk of account compromise, explore settings in each app, starting with the current password. Review the settings of every account and configure each based on how frequently it is used and for what.
For daily checks, make sure IP addresses match up. In Gmail, for example, click "Details" beneath at “last account activity:” at the bottom of the inbox for a report of recent logins and their corresponding IP address. They should all come from a familiar location at reasonable hours on known devices and browsers.
A more convenient way to foster accountability, password managers like LastPass store, monitor, create, and replace account passwords. They go as far as to gamify mindful account ownership with a Security Challenge. It reveals weak and duplicate passwords, then attempts to identify sites in use that have been recently compromised.
These short-term solutions will foster a culture of security mindfulness at your organization. For more in-depth defense against the many vectors of account compromise, automatic remediation, event workflows, and user alerts should be part of your long-term approach, which we discuss below.
Avanan can identify compromised accounts for you, because we see more.
We recommend being mindful about what accounts are in use, however mindfulness isn’t enough to mitigate the risk of account compromise. The best approach is the zero-trust security philosophy, which assumes accounts at your organization or trusted partners have already been compromised, and responds with machine-learning, API-powered threat detection.
Avanan connects to the native API of your SaaS accounts, providing you with real-time and historical information about every user, file, event, and policy. Avanan builds a baseline of normal behavior for each user, investigating their applications, who they interact with inside and outside the organization, and where and how they login. When users deviate from these standard behaviors, Avanan flags their actions as anomalous. In addition to this, we scan emails and identify cloud applications connected to their accounts. Any unauthorized applications will be flagged to the administrator.
A multi-layered security strategy provides lasting, informed defense against the increasing vectors of account compromise.