Jul 30 2020
The Awful Consequences of Credential Cracking and Privilege Attacks
Office 365 admins hold the keys to the city, but too often give them away to tricky phishing schemes, ingenious social engineering attacks, or good old-fashioned privilege hacks.
Cybercriminals prize these O365 privileges, and work hard to get them, including phishing emails like the one below.
Because higher-level privileges such as admin rights give hackers free rein, these attacks are increasingly common, crafty, and sinister. So it’s no surprise that credential cracking and theft are a growing issue. “One of the big lessons organizations should take away from this year’s report is that stolen credentials are becoming a bigger problem. There were many (stolen credentials incidents), including dumps of billions of stolen credentials across a number of different underground sites. It is important for organizations to monitor for stolen credentials, especially given the tendency of people to reuse passwords across personal and business accounts,” according to the Verizon 2019 Data Breach Investigations Report. “60% of attacks against web applications involved the compromise of cloud-based email accounts using stolen credentials,” the Verizon report concluded.
Also according to this report, 80% of all hacking-based breaches exploited weak or compromised credentials. Moreover, 29% of all breaches, including all attack types, relied on stolen credentials.
RBAC to the Rescue
Implementing a Role-Based Access Control (RBAC) system in your Office 365 environment can mitigate these risks, as well as prevent Shadow IT and malicious IT personnel misdeeds — but it is often not enough.
What exactly is privilege? “Privileged accounts are those granted privileges beyond everyday user accounts. Having access to privileged accounts provides a threat actor (or legitimate user) with access to additional systems and services. These are often among the first targets of external attackers or malicious insiders intending to cause financial loss, data loss and reputational damage,” explained the Verizon Insider Threat Report.
One best practice is to ensure that privileged accounts are used for administrative tasks only, with no active services (mailbox, collaboration tools) that could serve as an attack vector. The problem is that the standard native Office 365 admin tools give you no easy way to monitor or enforce this.
Reports That Show – and Fix – the Problem
CoreView has a dedicated report that shows this identity protection problem. It can be addressed with a targeted e-mail campaign to educate users, or with a workflow that notifies end users, allows a grace period, and then enforces removal of the services.
So how does CoreView address the credential hacking issue both in terms of admin credentials – which is the biggest exposure because of the high-level access that they have – and end user credentials and privileges?
Admins, given their high-level privileges, are themselves a security threat through nefarious actions (not all admins are saints). Just as important, if admin credentials are cracked, hackers have the keys to the kingdom. Knowing what is happening with ALL admin accounts is critical. “IT should have a monthly report of everybody who has performed administrative access against non-owned information assets. IT needs to know when admins accessed somebody else’s mailbox. CoreView has a report for that. You can schedule that report, and you should review it on a monthly basis. If nothing else, when people know that you have the capability of watching and you are watching, they are more careful,” explained Matt Smith, CoreView solution architect.
CoreView also has reports for accounts with passwords that do not expire, and can see which administrative accounts are also used as user accounts. “That is not a best practice. You should separate out your administrative access from your user access,” Smith said. One solution is to grant temporary privileges for limited tasks. “CoreView has a workflow engine that can apply administrative access on the fly, which is similar to a Microsoft E5 feature. However, we can do it for any account,” Smith said. “With CoreView, you don’t need an E5 license to give admin rights ‘on the fly’ and we can do it in a highly granular way.”
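The two checks described above (admin accounts that are also everyday user accounts, and admin accounts whose passwords never expire) can also be audited directly from PowerShell. The script below is an added example, not CoreView's or Microsoft's code; it assumes the MSOnline module is installed and that `Connect-MsolService` has already been run with a read-only directory role.

```powershell
# Added example (not CoreView code): audit Office 365 admin accounts with the
# MSOnline module. Assumes Connect-MsolService has already been run.

function Get-AdminAccountFindings {
    # Collect every user member of every directory role, keyed by ObjectId so a
    # user holding several roles is reported once with all of its roles listed.
    $admins = @{}
    foreach ($role in Get-MsolRole) {
        foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
            if ($member.RoleMemberType -ne 'User') { continue }
            if (-not $admins.ContainsKey($member.ObjectId)) {
                $admins[$member.ObjectId] = [System.Collections.Generic.List[string]]::new()
            }
            $admins[$member.ObjectId].Add($role.Name)
        }
    }

    foreach ($id in $admins.Keys) {
        $user = Get-MsolUser -ObjectId $id
        # A licensed admin account is also an everyday user account (mailbox,
        # Teams, OneDrive): exactly the mixed-use pattern the text warns against.
        $alsoUserAccount = [bool]$user.IsLicensed
        $neverExpires    = $user.PasswordNeverExpires -eq $true
        if ($alsoUserAccount -or $neverExpires) {
            [pscustomobject]@{
                UserPrincipalName    = $user.UserPrincipalName
                Roles                = ($admins[$id] -join '; ')
                LicensedUserAccount  = $alsoUserAccount
                PasswordNeverExpires = $neverExpires
            }
        }
    }
}

# Usage: produce the monthly review list as a CSV for the admin-access review.
Get-AdminAccountFindings | Sort-Object UserPrincipalName |
    Export-Csv -Path .\admin-account-findings.csv -NoTypeInformation
```

Any row in the resulting CSV is a candidate either for splitting into a separate admin-only account or for having the password policy corrected.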
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.