Microsoft’s DART team has outlined five basic steps for Office 365 users to minimize their exposure to APT attackers
As more companies across the world adopt Office 365 for team productivity, there is a greater risk of data leakage, compromised credentials, compliance exposure and other security threats. Until recently, most IT and security leaders complained that the typical Office 365 security settings had been very low, despite its commercial monthly active users being pegged at 200 million. Microsoft's name would also probably not be the first to come to mind when one thinks of cybersecurity. But now, Microsoft's Detection and Response Team (DART) is helping CIOs and CISOs solve some of their most complex cyber troubles.
The company launched DART in March 2019 as part of CEO Satya Nadella's $1bn-a-year push into enterprise cybersecurity, as announced in 2017. Since then, the vendor has been helping CISOs mitigate both internal and external threats pertaining to Office 365 and other productivity tools, as it claims in its blog detailing regular updates on DART's activities.
Minimizing exposure to APT attackers
Very recently, the team detailed the case of a large customer with six threat actors simultaneously on its network. "It revealed a possible compromise of sensitive information – pertaining to the client's customers – stored in Office 365 mailboxes, and 243 days after the initial compromise, DART was then brought in to work alongside the incident-response vendor and the company's in-house teams," Microsoft says.
The report details an advanced persistent threat (APT) attacker that stole administrator credentials to penetrate the target’s network and steal sensitive data and emails.
Notably, the customer was not using multi-factor authentication (MFA), which could have prevented the breach. Microsoft revealed last week that 99.9% of compromised accounts didn’t use MFA, and only 11% of enterprise accounts use MFA.
DART was brought in after the customer failed to kick one APT attacker off its network after 243 days, despite having engaged an incident response vendor seven months earlier. In this case, the main attacker used a password-spraying attack to grab the customer’s Office 365 admin credentials and from there searched mailboxes to find more credentials shared among employees in emails. DART found the attacker was looking for intellectual property in certain markets. The attacker even used the customer’s e-discovery and compliance tools to automate the search for relevant emails.
In the first month of the attack, the company tried to handle the compromised Office 365 account itself, and then brought in an incident-response vendor to lead what turned out to be a lengthy investigation, the blog mentions.
The DART team has outlined five basic steps for Office 365 users to minimize their exposure to APT attackers: enabling MFA, removing legacy authentication, adequately training first responders, properly logging events with a security information and event management (SIEM) product, and recognizing that attackers do use legitimate administrative and security tools to probe targets.
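The logging and detection steps above can be illustrated with a small defender-side check, added here as an example (not Microsoft's or DART's code): it runs over constructed sign-in events, flags a source that fails against many accounts with few attempts each (the password-spraying pattern that opened this intrusion), lists accounts that later signed in successfully from that source, and lists successful sign-ins over legacy protocols that MFA cannot challenge. Field names and client labels are assumptions loosely modelled on Azure AD sign-in logs.

```python
from collections import defaultdict

# Constructed sample sign-in events (not real logs). Field names are assumptions that
# loosely follow Azure AD sign-in log fields; a real SIEM export would be mapped onto them.
SAMPLE_EVENTS = [
    {"ip": "198.51.100.7", "user": "alice@corp.example", "result": "failure", "client": "Browser"},
    {"ip": "198.51.100.7", "user": "bob@corp.example", "result": "failure", "client": "Browser"},
    {"ip": "198.51.100.7", "user": "carol@corp.example", "result": "failure", "client": "Browser"},
    {"ip": "198.51.100.7", "user": "dave@corp.example", "result": "failure", "client": "Browser"},
    {"ip": "198.51.100.7", "user": "erin@corp.example", "result": "failure", "client": "Browser"},
    {"ip": "198.51.100.7", "user": "admin@corp.example", "result": "success", "client": "Browser"},
    # A single-account brute force from another source: many tries, one user, not a spray.
    {"ip": "203.0.113.9", "user": "frank@corp.example", "result": "failure", "client": "Browser"},
    {"ip": "203.0.113.9", "user": "frank@corp.example", "result": "failure", "client": "Browser"},
    {"ip": "203.0.113.9", "user": "frank@corp.example", "result": "failure", "client": "Browser"},
    # A successful legacy-protocol sign-in, which MFA policies cannot challenge.
    {"ip": "192.0.2.44", "user": "grace@corp.example", "result": "success", "client": "IMAP4"},
]

LEGACY_CLIENTS = frozenset({"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync", "Other clients"})

def detect_password_spray(events, min_accounts=5, max_per_account=2):
    """Return {ip: sorted users} for sources that fail against many accounts with few tries each."""
    # Spraying is one or two passwords across many users: wide fan-out, low per-account count.
    failures = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]][e["user"]] += 1
    flagged = {}
    for ip, per_user in failures.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            flagged[ip] = sorted(per_user)
    return flagged

def successes_after_spray(events, sprayers):
    """Accounts that signed in successfully from a flagged spray source: triage these first."""
    return sorted({e["user"] for e in events if e["ip"] in sprayers and e["result"] == "success"})

def legacy_auth_successes(events, legacy_clients=LEGACY_CLIENTS):
    """Successful sign-ins over legacy protocols; these bypass MFA and should be blocked."""
    return [(e["user"], e["client"]) for e in events if e["result"] == "success" and e["client"] in legacy_clients]

if __name__ == "__main__":
    sprayers = detect_password_spray(SAMPLE_EVENTS)
    print("spray sources:", sprayers)
    print("accounts to triage:", successes_after_spray(SAMPLE_EVENTS, sprayers))
    print("legacy-auth sign-ins:", legacy_auth_successes(SAMPLE_EVENTS))
```

The thresholds are illustrative; in production they would be tuned per tenant and evaluated over a time window rather than a whole export.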
Mitigating insider threats
CISOs can also spot certain suspicious insider behavior. Say, for example, an employee who recently gave two weeks' notice starts downloading large numbers of files from the company network and copying them to a thumb drive. It is entirely possible that he or she has no malicious intent and is saving innocuous files related to their employment record, but in some cases the employee could be attempting to take confidential product designs, sensitive legal information, private employee data or trade secrets with them to a rival company.
The DART team can help IT and security teams gain new perspectives through a Microsoft 365 capability that uses machine learning to detect potentially risky behavior within a company. It also quickly identifies which activities are most likely to pose real security threats, even inadvertent ones.
Bret Arsenault, Microsoft corporate vice president and chief information security officer, explains in a video interview how he tasked engineers from his security team and Microsoft 365 with creating a solution that leverages machine learning to intelligently detect and prevent internal security breaches, and to eventually turn that into a solution for customers.
“The Insider Risk Management solution combines the massive array of signals from Microsoft 365 productivity tools, Windows operating systems and Azure cloud services with machine learning algorithms that can identify anomalous and potentially risky behavior from people using those products. To start, you’re looking at people who already have access to company assets as part of their jobs, so it’s harder to detect,” she said.
But security concerns remain
Kakavas, a research and tech network company based in Greece, discovered a security vulnerability in Office 365's authentication protocols in which cross-domain authentication could be used to bypass federated domains. Unauthorized administrator access in Office 365 is also a security threat, since it can give access to the most sensitive and critical data.
Hence, when migrating to Office 365, the IT team needs to ensure data security with additional protection layers and hardened information security protocols, the researcher warns.
To address these concerns, your organization should implement a comprehensive strategy to mitigate as many vulnerabilities as possible. As the CISO of a large logistics firm notes, his organization implements a cloud access security broker (CASB) to gain deep visibility into the cloud environment, manage access to certain clouds and data sources, protect against possible threats, and ensure data loss prevention.