Research Exposes 10 Common Threats Vexing Cloud Customers
According to new research conducted by a threat detection and response firm, the most common threats to corporate networks are consistent across all businesses, regardless of their size.
Vectra AI released its 2021 Q2 Spotlight Report, "Vision and Visibility: Top 10 Threat Detections for Microsoft Azure AD and Office 365," on Wednesday. These top threat detections for Microsoft Azure AD and Office 365 enable security teams to identify unusual or unsafe behavior across their environments.
The researchers calculated the relative frequency of threat detections that occurred over a three-month period based on the size of the customer (small, medium and large). The results summarize the top ten threat detections that customers encounter on a relative basis.
Regardless of company size, Office 365 Risky Exchange Operation detections were at or near the top of every Vectra customer's list of detected threats. Vectra cloud security users receive alerts when their cloud environments exhibit abnormal behavior, which helps confirm attacks.
"Using meaningful artificial intelligence (AI) as a foundational pillar when extracting informative data from your network, both on-premises and off-premises, is critical for gaining an advantage over malicious adversaries," said Matt Pieklik, Vectra's senior consulting analyst. "Security teams must have complete visibility into all applications in order to detect potentially dangerous activity in real time, from the endpoint to the network and cloud."
Due to the platform's large user base, Microsoft Office 365 has also attracted the attention of cybercriminals. Indeed, in a recent global survey of 1,112 security professionals, Vectra found that criminals routinely circumvent security controls such as multi-factor authentication (MFA), demonstrating that determined attackers can still gain access.
Report Details
Vectra's report uses a recent supply chain attack to illustrate how actors can circumvent preventative controls such as network sandboxing, endpoint protection, and multifactor authentication (MFA). This information is critical for cloud data storage security.
The cloud continues to transform everything about security, rendering the traditional approach to asset protection obsolete. However, gathering the necessary data and developing meaningful artificial intelligence can assist in determining the ins and outs of attacks.
This knowledge enables security teams to concentrate their efforts on the threats that require immediate attention. According to Vectra, this is a more appropriate response than wasting valuable cycles on benign alerts.
It is much easier to detect and respond to threats when adversaries engage in overtly malicious behavior. However, the reality of today's adversaries is that such overt action is increasingly unnecessary when existing services and access used throughout an organization can simply be co-opted, misused, and abused.
The report noted that modern network defenders must address two concerns in order to detect and protect against these attacks. First, they must understand the types of actions an adversary would need to take to accomplish their objectives, and where those actions may overlap with ordinary activity. Second, they must be able to recognize the routine actions taken by authorized users throughout the enterprise.
Where these behaviors intersect, the intent, context, and authorization of the adversary or insider threat are critical factors in distinguishing an adversary or insider threat from a benign user. Meaningful AI can be provided by continuously analyzing how users access, use, and configure cloud applications.
It makes a world of difference to understand how your hosts, accounts, and workloads are accessed.
To protect cloud and SaaS data completely, security teams must maintain visibility into the internal and external users who have access to data, as well as the third-party applications that are connected to their cloud and SaaS environments, according to Tim Bach, vice president of engineering at AppOmni.
"In short, organizations should augment their cloud access security brokers (CASB) with a tool or process that can discover and monitor data access outside of the network," he told TechNewsWorld.
Findings Differ From Previous Detection Activity
According to Tim Wade, technical director of Vectra AI's CTO Team, the most significant revelation in this year's research is how much opportunity attackers have to move into or out of Office 365 in order to accomplish their ultimate objectives. Office 365 may be used as a beachhead to pivot down into a traditional on-network asset or to house valuable data targeted for theft.
"As more organizations migrate from traditional on-premises Active Directory to Azure AD, visibility into suspicious Azure AD behaviors becomes increasingly important for security professionals," he told TechNewsWorld.
This year, intrusions have garnered more attention. Some of this is due to increased public awareness. Some of it is the result of successful intrusions, while some is the result of attackers increasingly devising novel ways to profit from their attacks, he added.
The Top 10 Threat Detections
1. Risky Exchange Operation. These actions could indicate that an attacker is manipulating Exchange in order to gain access to specific data or to progress the attack.
2. Azure AD Suspicious Operation. These behaviors may indicate that attackers are escalating privileges and performing administrator-level operations following a successful account takeover.
3. Suspicious Download Activity. A user was observed downloading an unusually large number of objects, which could indicate that an attacker is utilizing the SharePoint or OneDrive download functions to exfiltrate data.
4. Suspicious Sharing Activity. An account was observed sharing files and/or folders at a higher-than-normal rate, which could indicate that an attacker is utilizing SharePoint to exfiltrate data or maintain access after the initial access was remediated.
5. Azure AD Redundant Access Creation. Administrative privileges have been assigned to an entity, which may indicate that the attacker is establishing redundant access in order to evade remediation.
6. External Teams Access. In Teams, an external account was added to a team, which could indicate that an adversary added an account under their control.
7. Suspicious Power Automate Flow Creation. A Power Automate Flow was created in an abnormal manner, which could indicate that an attacker is configuring a persistence mechanism.
8. Suspicious Mail Forwarding. Mail forwarding that can be used for collection or exfiltration without requiring persistence.
9. Unusual eDiscovery Search. A user is creating or updating an electronic discovery search, which could indicate that an attacker has gained access to electronic discovery capabilities and is now conducting reconnaissance.
10. Suspicious SharePoint Operation. Anomalies in the administration of SharePoint that may be associated with malicious activity.
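Several of the detections above reduce to simple rules over tenant audit-log events once a baseline is known. The following is an added example (not Vectra's code or part of the report) that implements four of them, numbers 3, 5, 6 and 8, over constructed records. The records are only loosely modelled on Microsoft's unified audit log (Operation, UserId, Workload, Parameters); the exact field layout, the domain lists, the role names and the download threshold are assumptions that a practitioner would replace with their own tenant's values.

```python
"""Toy detector for four of the Office 365 / Azure AD behaviours listed above.

Added example, not Vectra's code. Records are constructed and only loosely
modelled on the unified audit log schema; field names are assumptions.
"""
from collections import Counter

# Constructed sample audit-log records (not real tenant data).
SAMPLE_RECORDS = [
    # 8. Suspicious Mail Forwarding: inbox rule forwarding to an external address.
    {"Operation": "New-InboxRule", "UserId": "alice@example.com", "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "invoices"},
                    {"Name": "ForwardTo", "Value": "drop@external-mail.example"}]},
    # A benign rule with no forwarding target; must not alert.
    {"Operation": "New-InboxRule", "UserId": "bob@example.com", "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "newsletters"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    # 6. External Teams Access: an account from another domain added to a team.
    {"Operation": "MemberAdded", "UserId": "carol@example.com", "Workload": "MicrosoftTeams",
     "Members": [{"UPN": "mallory@partner-domain.example"}]},
    # 5. Azure AD Redundant Access Creation: a privileged directory role granted.
    {"Operation": "Add member to role.", "UserId": "carol@example.com",
     "Workload": "AzureActiveDirectory", "Target": "dave@example.com",
     "Role": "Global Administrator"},
]
# 3. Suspicious Download Activity: one user pulling many files in the window.
SAMPLE_RECORDS += [
    {"Operation": "FileDownloaded", "UserId": "eve@example.com", "Workload": "SharePoint",
     "ObjectId": f"https://contoso.sharepoint.example/sites/finance/doc{i}.xlsx"}
    for i in range(120)
]
SAMPLE_RECORDS.append(
    {"Operation": "FileDownloaded", "UserId": "bob@example.com", "Workload": "SharePoint",
     "ObjectId": "https://contoso.sharepoint.example/sites/hr/handbook.pdf"})

# Assumed tenant configuration; a real deployment derives these from its own baseline.
INTERNAL_DOMAINS = {"example.com"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Exchange Administrator"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress"}
DOWNLOAD_THRESHOLD = 50  # per-user FileDownloaded count in the window


def _params(record):
    """Flatten the Exchange cmdlet parameter list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _is_external(address):
    """True when the address's domain is not one of the tenant's own domains."""
    address = address.split(":", 1)[-1]  # tolerate an "smtp:" prefix
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def detect(records):
    """Return a list of (detection_name, actor, detail) tuples for the records."""
    findings = []
    downloads = Counter()
    for r in records:
        op, actor = r.get("Operation"), r.get("UserId")
        if op in {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}:
            for name, value in _params(r).items():
                if name in FORWARDING_PARAMS and _is_external(value):
                    findings.append(("Suspicious Mail Forwarding", actor,
                                     f"{op} {name}={value}"))
        elif op == "MemberAdded":
            for member in r.get("Members", []):
                if _is_external(member["UPN"]):
                    findings.append(("External Teams Access", actor, member["UPN"]))
        elif op == "Add member to role." and r.get("Role") in PRIVILEGED_ROLES:
            findings.append(("Azure AD Redundant Access Creation", actor,
                             f"{r['Target']} -> {r['Role']}"))
        elif op == "FileDownloaded":
            downloads[actor] += 1
    # Volume-based detection is evaluated once the whole window has been seen.
    for actor, count in downloads.items():
        if count > DOWNLOAD_THRESHOLD:
            findings.append(("Suspicious Download Activity", actor,
                             f"{count} files in window"))
    return findings


if __name__ == "__main__":
    for name, actor, detail in detect(SAMPLE_RECORDS):
        print(f"{name:36} {actor:20} {detail}")
```

The download rule is deliberately evaluated after the whole window has been read rather than per event, since a single FileDownloaded record is routine; the other three rules fire on one record because the event itself (an external forwarding target, an external team member, a privileged role grant) is what the report flags, and the alert still needs a human to judge intent and authorization, as the report notes.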
Mitigation Steps
Solving the challenges that organizations continue to face from cybercriminals requires an understanding of the motivations of adversaries. This in turn requires the ability to collect and aggregate data that reveals these behaviors in a way that security personnel can operationalize, Pieklik explained.
Cognito Detect for Office 365 and Azure AD, according to Vectra, automatically detects and responds to hidden cyberattacker behaviors. This solution enables proactive threat hunting and expedites incident investigations. Power Automate, Teams, eDiscovery, Compliance Search, the Azure Active Directory backend, Exchange, SharePoint, and third-party SaaS providers are all visible through the application.
Cloud security posture management (CSPM) is a critical action item, according to Vishal Jain, co-founder and chief technology officer of Valtix. Once enterprises identify security gaps, they must automate the establishment of control points and security policies in the appropriate locations to further strengthen their cloud security posture.
"It is very desirable that this two-step process be automated in a single workflow," he told TechNewsWorld.