By Jack M. Germain
May 19, 2021 5:19 AM PT
New research by a threat detection and response firm shows that the most common threats to corporate networks remain consistent throughout all companies — no matter their size.
Vectra AI on Wednesday released its 2021 Q2 Spotlight Report, “Vision and Visibility: Top 10 Threat Detections for Microsoft Azure AD and Office 365.” These top threat detections found across Microsoft Azure AD and Office 365 allow security teams to detect infrequent behavior that is abnormal or unsafe across their environments.
Researchers calculated the relative frequency of threat detections that were triggered during a three-month span based on customer size (small, medium and large). The results detail the top 10 threat detections that customers receive by relative frequency.
Regardless of company size, Office 365 risky exchange operation detection was at or near the top of the list of detections seen by all Vectra customers. Vectra cloud security users get alerts on abnormal behavior in their cloud environments to help ratify attacks.
“Deploying meaningful artificial intelligence (AI) as a core pillar when extracting informative data from your network, both on-premises and off, is critical in obtaining an advantage against malicious adversaries,” said Matt Pieklik, senior consulting analyst at Vectra. “Security teams must be armed with full visibility to detect potentially dangerous activity across applications, in real time, from the endpoint to the network and cloud.”
Microsoft Office 365 has also piqued the interest of looming cybercriminals due to the platform’s large audience. In fact, during a recent global survey of 1,112 security professionals, Vectra uncovered how criminals are regularly bypassing security controls including multi-factor authentication (MFA), proving that determined attackers are still able to gain access.
Vectra’s report maps these behaviors to a recent supply chain attack to demonstrate how actors can evade preventative controls like network sandboxes, endpoint, and multifactor authentication (MFA). This information can be vital to safeguarding cloud data storage.
The cloud continues to change everything about security, leaving the legacy approach to protecting assets obsolete. However, collecting the right data and having meaningful artificial intelligence can help pinpoint the ins and outs of attacks.
That knowledge allows security teams to focus on the threats that actually require attention. It is a better response than spending valuable cycles on benign alerts, according to Vectra.
Threat detection and response is easiest when adversaries take actions that are obviously malicious. But today’s reality is that adversaries increasingly find that such overt action is unnecessary when existing services and access used throughout an organization can simply be co-opted, misused, and abused.
It is critical that modern network defenders address two concerns in efforts to detect and protect against these attacks, noted the report. One, they must understand the intersection that may exist between the types of actions an adversary would need to take to progress towards their objectives. Two, they must recognize behaviors routinely taken by authorized users across the enterprise.
Where these behaviors intersect, the key factors in distinguishing the adversary and insider threat from a benign user is intent, context, and authorization. Meaningful AI can provide through constant analysis of how users access, use, and configure their cloud apps.
Knowing how your hosts, accounts, and workloads are being accessed can make all the difference.
To fully protect cloud and SaaS data, security teams need to have ongoing visibility of the internal and external users who have access to data, including which third-party applications are connected to their cloud and SaaS environments, noted Tim Bach, vice president of engineering at AppOmni.
“In short, organizations should augment their cloud access security brokers (CASB) with a tool or process that can discover and monitor non-network data access,” he told TechNewsWorld.
Findings Differ From Previous Detection Activity
The most significant revelations seen in this year’s research is how much opportunity attackers have to move into, though, or out of Office 365 towards their ultimate objectives, according to Tim Wade, technical director of the CTO Team at Vectra AI. Office 365 may be a beachhead used to pivot down into a traditional on-network asset, or house valuable data targeted for theft.
“As more organizations increasingly shift from traditional on-premises Active Directory to Azure AD, suspicious behaviors in Azure AD increasingly become important for security pros to maintain visibility into,” he told TechNewsWorld.
Intrusions are making more headlines this year. Some of this results from more public awareness. Some of it is the impact of successful intrusions, and some of this is the byproduct of attackers increasingly finding novel means of monetizing their attacks, he added.
The Top 10 Threat Detections
1. Risky Exchange Operation. These actions may indicate an attacker is manipulating Exchange to gain access to specific data or further attack progression.
2. Azure AD Suspicious Operation. These actions may indicate attackers are escalating privileges and performing admin-level operations after regular account takeover.
3. Suspicious Download Activity. An account was seen downloading an unusual number of objects which may indicate an attacker is using SharePoint or OneDrive download functions to exfiltrate data.
4. Suspicious Sharing Activity. An account was seen sharing files and/or folders at a volume that is higher than normal which may indicate an attacker is utilizing SharePoint to exfiltrate data or maintain access after initial access has been remediated.
5. Azure AD Redundant Access Creation. Administrative privileges have been assigned to an entity which may indicate redundant access is being created by the attacker to guard against remediation.
6. External Teams Access. An external account has been added to a team in Teams which may indicate an adversary has added an account under their control.
7. Suspicious Power Automate Flow Creation. An abnormal Power Automate Flow creation has been observed which may indicate an attacker is configuring a persistence mechanism.
8. Suspicious Mail Forwarding. Mail forwarding which may be used as a collection or exfiltration channel without the need to maintain persistence.
9. Unusual eDiscovery Search. A user is creating or updating an eDiscovery search which may indicate an attacker has gained access to eDiscovery capabilities and is now performing reconnaissance.
10. Suspicious SharePoint Operation. Abnormal administrative SharePoint operations that may be associated with malicious activities.
Solving for the challenges organizations continue to see from cybercriminals involves understanding the behaviors adversaries are motivated to take. This means having the ability to collect and aggregate the data that uncovers these behaviors in a way that can be operationalized by security staff, noted Pietlik.
Vectra says its Cognito Detect for Office 365 and Azure AD automatically detect and respond to hidden cyberattacker behaviors. This solution accelerates incident investigations and enables proactive threat hunting. The application offers visibility into Power Automate, Teams, eDiscovery, Compliance Search, Azure AD backend, Exchange, SharePoint, and third-party SaaS providers.
Cloud security posture management (CSPM) is an important action item, suggested Vishal Jain, co-founder and CTO at Valtix. Once enterprises know their security gaps, they need to set up control points and security policies automatically and at appropriate places to improve their cloud security posture further.
“It is very desirable that this two-step process be automated in a single workflow,” he told TechNewsWorld.