In recent weeks we have observed an increase in the compromise of cloud based accounts followed by further malicious activity. In most cases, an organisation has the technology and processes in place to prevent this type of compromise. However, for the unequipped the impact can be catastrophic to organisations of all sizes. Many organisations …
In recent weeks we have observed an increase in the compromise of cloud based accounts followed by further malicious activity. In most cases, an organisation has the technology and processes in place to prevent this type of compromise. However, for the unequipped the impact can be catastrophic to organisations of all sizes.
Many organisations that outsource email, collaboration and content services to the cloud (e.g. Office365) are not equipped to detect these types of attacks. Benefits of outsourcing to cloud providers (amongst others) are reduced operational costs and ease of use, terms that are not usually associated with the deployment of protective security measures. Because of this, organisations are not able to detect the phases of an attack of this nature until real word effects are experienced.
In this article we will look at the phases of an attack of this nature, the steps an adversary takes to ensure success; and mitigation that organisations can put in place to prevent falling victim to this ever increasing threat.
During the reconnaissance phase of this type of attack, the adversary uses open source information gathering techniques to harvest email addresses and contact details for key members of staff of the target organisation. Any additional information or content that an attacker can gather during this phase aids in making a spear phishing email more convincing. Content such as a convincing email signature or a look-a-like domain makes the target user more likely to fall into the adversary’s trap.
Mitigating this phase of an attack can prove difficult. Services and communications channels that an organisation utilises for sales, marketing, advertising and brand awareness are commonly used by an adversary to conduct information gathering. Limiting the information freely available on the internet may be difficult, but efforts must be made to ensure that no sensitive information or contact details are not in the public domain.
The adversary will create a convincing looking webpage, mimicking the look and feel of a legitimate cloud service provider. Similar looking domains and graphics do not raise the suspicion of the target. Login pages will look convincing, but rather than logging in to the cloud service provider, credentials (usernames & passwords) will be sent to a staging area set up by the adversary.
Mitigation at this phase of the attack is not possible due to not being an interactive engagement between the adversary and the target organisation.
Once reconnaissance has been completed and a legitimate looking phishing site has been created, the adversary is ready to send the malicious email. Using the information gathered during the reconnaissance phase, the adversary crafts an email to look as legitimate as possible using brand artefacts (colour scheme, font, graphics and content) that will be sent to the target employee. The email entice the user to follow a link to the phishing site under the guise of an urgent account change, pending payment or more ironically to check account security settings.
Mitigating this phase of an attack prevents the successful delivery of the phishing email to the target organisation. The following protective measures can be applied to help mitigate this phase:
While not an exploit in the most common sense, the exploit phase of this attack scenario would be the successful harvesting of the target users credentials through the phishing webpage. Once the target user enters their credentials into the phishing page, they are transmitted to the adversary’s staging server and recorded for later use. It is not uncommon for target users to be forwarded to the legitimate login page of the service provider after entering credentials on a phishing page, this technique suppresses any suspicions of the target user.
Mitigation at this phase of the attack prevents the target user from visiting the phishing site and subsequently giving up credentials to the adversary. Training users to spot a suspicious email and being able to spot an illegitimate website is crucial to mitigating this phase of the attack. Utilising multi-factor authentication on cloud services can immediately mitigate the effects of this phase, even if the credential harvesting is successful. In the event that an adversary attempts to use the credentials of a multi-factor authentication enabled account they will also require the one time passphrase generated at login. One time passphrases are commonly communicated via SMS or via mobile applications, both of which an adversary would not have access to unless part of a very complex and planned attack.
Once an adversary has successfully harvested the credentials of a target employee, they have unfettered access to the features of and information stored within the cloud service tenancy. Further activities can include (but are not limited to):
Although the list of actions above are not exhaustive, there are a number of basic steps that can be taken by an organisation, regardless of size, to limit the effectiveness of phishing attacks and credential harvesting:
Multi-factor authentication is a mechanism that adds another layer of security over the legacy username and password approach. When a user logs in to a system that has multi-factor authentication enabled, they are first prompted for their username and password and once successful are then prompted for another form of authentication.
The most common and widely used form of multi-factor authentication is One Time Password/Pin (OTP). When using this form of multi-factor authentication, a user is provided with a one time password that is delivered via text message (SMS), email or via a specific mobile application.
This form of authentication requires the person logging in to be in possession of the credentials (something you know) and the multi-factor authentication mechanism (something you have). In the event that an attacker has compromised the credentials of a user, they still require the second authentication mechanism to access the user’s account.
Other forms of multifactor authentication are available, but will not be discussed at length in this article. Examples include:
To summarise, multi-factor authentication is a protection mechanism that any organisation should be able to implement and is a critical security measure when it comes to preventing unauthorised access to systems and applications.
Although employing this type of security measure does not make an application or system impenetrable, it drastically increases the chances of mitigating an attack on user credentials. As described earlier in the article, for an adversary to gain access to an application or system using stolen credentials they will also require the second authentication mechanism to ensure a successful compromise.
Most major application and software-as-a-service (SaaS) vendors offer multifactor support in different forms. Selecting a multifactor authentication method is a business decision and multiple considerations need to be made such as cost, convenience and overall acceptance by the user base.