How to Track Attackers as They Move to Your Network from the Cloud

December 8, 2020
Vectra AI Security Research team

Wouldn't it be great if malicious actors all signed up for some kind of cyberwarfare Geneva Convention that set the rules of war and mandated that attacks must be performed against a single business unit in a company?

While we’re at it, here are a few more rules we could add:

  • Warning must be given before any action—a declaration of cyberwarfare, if you will
  • The attacker must announce the venue of the attack at least 24 hours in advance
  • The defender may mark certain key infrastructure as off limits, and it may not be attacked

This would make life much simpler for blue teams!

Alas, this doesn't happen, which means that security teams need visibility into how users are interacting with their IT infrastructure across every medium.

Stay alert throughout the attack lifecycle

If you spot a malicious actor trying to exfiltrate important data from your production database, you aren't just going to shut that down, wipe your hands of the matter, and move onto the next task. You need to see how and where attackers infiltrated and shut off their access. You can't do this if you can't connect the dots between your cloud and your network infrastructure.

That's why security engineers at Vectra have created a groundbreaking solution that offers a unified view of accounts on your network and in the cloud.

If a user is spearphished on Office 365 such that stolen credentials are used to access critical infrastructure, we'll show this information in one merged account with full context on what the user did, when, and why you should worry about it.

If someone is making some dodgy Exchange operations on Office 365, we can quickly show what hosts this account has seen on the network, so you can see if there has been any suspicious activity on these hosts.

It’s clear from reviewing some recent attacks that attackers do not treat the boundary between cloud and network as even the slightest barrier to the progression of their attack.

Exploiting legitimate tools for malicious actions

Consider the actions taken by APT 33: attackers began by brute-forcing weak credentials and then leveraged email rules to pivot to the endpoint. Once on the endpoint, the same user’s credentials were leveraged to move laterally and progress the attack. If your network and cloud detection portfolios are unlinked, the scale of the attack can be completely missed.

The Office 365 attack surface is not limited to initial access. Attackers with Office 365 access can abuse SharePoint to corrupt shared folders and spread laterally to endpoints using DLL hijacking techniques, or by uploading malware. The same SharePoint functionality used to sync normal user files can be run on each endpoint to sync to a single share, thereby avoiding standard network collection techniques. An attacker can then, with a few clicks, set up persistent exfiltration channels via Power Automate flows that upload data from every infected endpoint on a daily basis. Opportunities like this are vast and growing.

You might see one issue in the cloud, where an account’s credentials were brute-forced and new email rules were then created, which is bad but not terrible. Separately, you have also seen some lateral movement on your network, which is much more worrisome because you have no idea how the attackers got in. In Cognito, joining these two views means analysts have early and complete visibility, allowing them to stop the attack before any data is moved or damage is done.
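As an added illustration of joining the two views per account (example code written for this discussion, not Vectra's own Cognito logic), the following Python merges constructed Office 365 style audit records with constructed network detections, normalizes the UPN and DOMAIN\user forms to one account identity, and escalates severity only when a cloud stage (brute force followed by inbox-rule creation) and a network stage (lateral movement) land on the same merged account. The field names, thresholds and sample values are assumptions; the operation names are modelled on Office 365 audit operations.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (hypothetical values, not real logs).
# Cloud side: Office 365 style audit records keyed by UPN.
CLOUD_EVENTS = [
    {"ts": "2020-12-01T08:00:00", "user": "alice@example.com", "op": "UserLoginFailed"},
    {"ts": "2020-12-01T08:00:20", "user": "alice@example.com", "op": "UserLoginFailed"},
    {"ts": "2020-12-01T08:00:40", "user": "alice@example.com", "op": "UserLoginFailed"},
    {"ts": "2020-12-01T08:01:00", "user": "alice@example.com", "op": "UserLoginFailed"},
    {"ts": "2020-12-01T08:01:20", "user": "alice@example.com", "op": "UserLoginFailed"},
    {"ts": "2020-12-01T08:02:00", "user": "alice@example.com", "op": "UserLoggedIn"},
    {"ts": "2020-12-01T08:05:00", "user": "alice@example.com", "op": "New-InboxRule"},
    {"ts": "2020-12-01T09:00:00", "user": "bob@example.com", "op": "UserLoggedIn"},
]
# Network side: detections keyed by domain account, as a network sensor reports them.
NETWORK_EVENTS = [
    {"ts": "2020-12-01T10:30:00", "user": "CORP\\alice", "host": "ws-17", "op": "lateral_movement"},
    {"ts": "2020-12-01T11:00:00", "user": "CORP\\carol", "host": "ws-03", "op": "lateral_movement"},
]

def account_key(user):
    """Normalize a UPN or DOMAIN\\user string to one merged-account identity."""
    return user.split("\\")[-1].split("@")[0].lower()

def merge_timelines(cloud, network):
    """Join cloud and network events per merged account, ordered by time."""
    merged = defaultdict(list)
    for src, events in (("cloud", cloud), ("network", network)):
        for e in events:
            merged[account_key(e["user"])].append((datetime.fromisoformat(e["ts"]), src, e["op"]))
    return {acct: sorted(evts) for acct, evts in merged.items()}

def score_account(events, fail_threshold=5):
    """Return (severity, attack stages seen) for one merged timeline."""
    stages, fails = [], 0
    for _, src, op in events:
        if op == "UserLoginFailed":
            fails += 1
        elif op == "UserLoggedIn":
            if fails >= fail_threshold:  # many failures then success: likely brute force
                stages.append("brute_force_success")
            fails = 0
        elif op == "New-InboxRule":
            stages.append("inbox_rule")
        elif src == "network" and op == "lateral_movement":
            stages.append("lateral_movement")
    has_cloud = any(s in ("brute_force_success", "inbox_rule") for s in stages)
    has_net = "lateral_movement" in stages
    severity = "critical" if has_cloud and has_net else "medium" if has_cloud or has_net else "low"
    return severity, stages

def triage(cloud=CLOUD_EVENTS, network=NETWORK_EVENTS):
    """Severity and stages per merged account across both data sources."""
    return {acct: score_account(evts) for acct, evts in merge_timelines(cloud, network).items()}
```

Seen alone, alice's cloud events and the network detection each rate only medium; joined on the merged account they form one critical chain, which is the point the text makes.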

To find out how attackers are leveraging Office 365, read our latest spotlight report and learn how the Cognito Platform from Vectra enables you to integrate visibility to detect and respond to attackers in your networks and Office 365 deployments.