How to Track Attackers as They Move to Your Network from the Cloud

How to Track Attackers as They Move to Your Network from the Cloud

How to Track Attackers as They Move to Your Network from the Cloud

How to Track Attackers

as They Move to Your

Network from the Cloud

How to Track Attackers

as They Move to Your

Network from the Cloud

By:
投稿者:
Matt Walmsley
December 8, 2020

Wouldn't it be great if malicious actors all signed up for some kind of cyberwarfare Geneva Convention that set the rules of war and mandated that attacks must be performed against a single business unit in a company?

While we’re at it, here are a few more rules we could add:

  • Warning must be given to before any action—a declaration of cyberwarfare, if you will
  • The attacker must announce the venue of the attack at least 24 hours in advance
  • The defender may mark certain key infrastructure as off limits and may not be attacked

This would make life much simpler for blue teams!

Alas, this doesn't happen, which means that security teams need visibility into how users are interacting with their IT infrastructure across every medium.

Stay alert throughout the attack lifecycle

If you spot a malicious actor trying to exfiltrate important data from your production database, you aren't just going to shut that down, wipe your hands of the matter, and move onto the next task. You need to see how and where attackers infiltrated and shut off their access. You can't do this if you can't connect the dots between your cloud and your network infrastructure.

That's why security engineers at Vectra have created a groundbreaking solution that offers a unified view of accounts on your network and in the cloud.

If a user is spearphished on Office 365 such that stolen credentials are used to access critical infrastructure, we'll show this information in one merged account with full context on what the user did, when, and why you should worry about it.

If someone is making some dodgy Exchange operations on Office 365, we can quickly show what hosts this account has seen on the network, so you can see if there has been any suspicious activity on these hosts.

It’s clear from reviewing some recent attacks that attackers do not see the cloud network as even the slightest barrier in the progression of their attack.

Exploiting legitimate tools for malicious actions

Consider the actions taken by APT 33: attackers began their attack by brute forcing weak credentials and then leveraged email rules to pivot to the endpoint. Once on the endpoint, the same user’s credentials were leveraged to move laterally and progress the attack. If your network and cloud detection portfolios are unlinked, then the scale of the attack can be completely missed.

The Office 365 attack surface is not just limited to initial access. Attackers with Office 365 access can abuse SharePoint to corrupt shared folders and spread laterally to endpoints using DLL hijacking techniques, or by uploading malware. The same SharePoint functionality used to sync normal user files can be run on each endpoint to sync to a single share, thereby avoiding standard network collection techniques. An attack can then, with a few clicks, set up persistent exfiltration channels via Power Automate flows that can upload data from every infected endpoint on a daily basis. Opportunities like this are vast and growing.

You might see one issue on the cloud where an account’s credentials were brute forced followed by the creation of new email rules, which is bad, but not terrible. This is because you’ve also seen some lateral movement on your network, which is much more worrisome since you have no idea how the hackers got in. In Cognito, joining these views means analysts have early and complete visibility, allowing them to stop the attack before any data is moved or damage is done.

To find out how attackers are leveraging Office 365 read our latest spotlight report and learn how the Cognito Network Detection and Response platform from Vectra enables you to integrate visibility to detect and respond to attackers in your networks and Office 365 deployments.

About the author

Matt Walmsley

Matt Walmsley is Director Enterprise Market Development Vectra AI. Matt is a senior technology industry marketer with extensive international experience in IT security, networking and communications markets. Before joining Vectra, he was an EMEA Marketing Lead at Emulex. Prior to Emulex, he was an EMEA Regional Marketing Leader at Hewlett-Packard where he managed a team responsible for marketing communications & lead generation activities to the service provider, enterprise, small & medium business (SMB) and security market  segments across EMEA. He received a diploma in business management and a masters of business administration (MBA) in performance &change, strategy, finance, and marketing from The Open University Business School.

Author profile and blog posts

Most recent blog posts from the same author

Industry

A Tale of Two Attacks: Shining a Security Spotlight on Microsoft Office 365

October 26, 2020
Read blog post
Security operations

Expertise That Unlocks the Potential within Your Security Operations

July 21, 2020
Read blog post
Threat detection

How to Track Attackers as They Move to Your Network from the Cloud

December 8, 2020
Read blog post