Jason Howells, VP, MSP International Sales at Barracuda, looks at the vital role of the MSP in the war on spear phishing
A specialised economy is emerging around email account takeovers, as cybercriminals adopt brand impersonation, improved social engineering techniques and spear phishing to hijack and monetise employee email accounts over a span of weeks or even months.
A study of 156 compromised accounts for Barracuda’s 2019 spear phishing report shows that once attackers have gained access to an account, they monitor and track all of its activity, gaining fly-on-the-wall insight into how the breached business operates: the email signatures it uses, how it handles financial transactions, and where intricate, targeted phishing attacks can be launched, strengthened by harvested financial information and stolen login credentials.
Account takeovers often last for weeks or even months and, in many cases, multiple accounts – and even multiple cybercriminals – are involved.
In our research, attackers remained active in over one third of the hijacked accounts for more than a week. In 31% of cases, accounts were compromised by one set of cybercriminals, who then sold access to another group to monetise.
Researchers found that a significant proportion of compromises were caused by employees reusing passwords that had been stolen in a separate breach, rather than through phishing attacks. One fifth of compromised accounts appeared in at least one online password data breach, suggesting that cybercriminals are exploiting credential reuse across employees’ personal and business accounts.
Moreover, with 78% of attackers accessing no application other than email, it is clear that the mailbox alone is all the access they need to achieve their goals.
As cybercriminals become ever more devious, it is up to MSPs to ensure their customers are informed about, and prepared for, this new threat. Organisations themselves must rise to the challenge by incorporating new ways to detect, defend against and respond to these attacks, under the guidance of their trusted MSP partner.
Defending against account takeover
To help customers create a robust managed security service, MSPs must focus on introducing four key tools to identify, mitigate and defend against spear phishing attacks: artificial intelligence (AI); monitoring and forensics; air-tight password management; and better education and training.
1 Artificial intelligence. Because an account can be breached in many ways, whether by phishing, password reuse or pivoting from another compromised account, AI-based detection of compromised accounts is a vital first step for businesses looking to batten down the hatches. An AI-based detection system examines a wide range of indicators that could reveal an intrusion, including suspicious links, anomalous sender behaviour, unusual login IP addresses and suspicious inbox-forwarding rules.
2 Monitoring and forensics. Because account takeovers often last for months and frequently involve more than one cybercriminal, organisations need continuous monitoring and forensics across internal accounts to spot suspicious activity and remediate these attacks even after the initial compromise has occurred. Remediation must go beyond a password reset: active sessions have to be revoked and any attacker-created inbox rules removed, or the intruder keeps a foothold in the mailbox.
In addition, a remote monitoring and management (RMM) system will enable an MSP to boost its online security service offering with agent-based DNS and URL filtering, protect customers’ end-users from web-borne threats and offer at-a-glance visibility into threats prevented across all customers. MSPs should be prepared to provide a centralised view that can detect threats, such as malicious files, domains or URLs, across every device connected.
With so many accounts compromised through credentials stolen in separate breaches rather than through direct phishing, multi-factor authentication, continuous account monitoring and ready-to-deploy forensics for use after a successful attack are all essential.
3 Password management. It is equally (if not more) important to train all staff in best practice for password creation, storage, review and management. Unique passwords for every account, enforced through a password manager, directly address the credential reuse found in our research. Password management is not a panacea, because once attackers are inside an organisation they can compromise additional accounts from the one they hold, but it remains a fundamental part of protection against account-takeover attacks.
4 Education and training. In addition to password management, security teams should ensure staff are educated about sharing confidential documents and other sensitive information through their email accounts and other applications, such as Microsoft SharePoint.
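The indicators named under items 1 and 2 above (logins from unfamiliar IP addresses, suspicious inbox-forwarding rules, continuous monitoring of account activity) can be checked with deterministic logic as well as with machine learning, and a practitioner will want to see what such a check actually looks like. The Python script below is an added example, not code from Barracuda or from this article: it triages a small set of constructed mailbox audit events and flags the classic takeover pattern of an off-network login followed shortly by a new rule that forwards finance-related mail outside the organisation and deletes the evidence. The event field names, the tenant domain example.com, the per-user baseline IP sets and the IP ranges (RFC 5737 documentation addresses) are all assumptions made for the example and mirror no vendor's schema.

```python
"""Rule-based triage of mailbox audit events for account-takeover indicators.

Added example with constructed data. Field names, domain, addresses and IP
ranges are this example's own assumptions, not any mail platform's schema.
"""
from datetime import datetime, timedelta
import ipaddress

TENANT_DOMAIN = "example.com"                                 # assumed tenant domain
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]     # assumed office egress range
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "archive", "junk email"}
FINANCE_WORDS = {"invoice", "payment", "wire", "remittance", "bank"}
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed 30-day login baseline: IPs each user was seen from before the events below.
BASELINE_IPS = {
    "alice@example.com": {"203.0.113.25"},
    "bob@example.com": {"203.0.113.30", "198.51.100.12"},
}

# Constructed audit events, in chronological order.
EVENTS = [
    {"ts": "2024-03-04T08:02:11Z", "user": "alice@example.com", "op": "UserLoggedIn", "ip": "203.0.113.25"},
    {"ts": "2024-03-04T23:47:03Z", "user": "alice@example.com", "op": "UserLoggedIn", "ip": "192.0.2.200"},
    {"ts": "2024-03-04T23:49:30Z", "user": "alice@example.com", "op": "New-InboxRule", "ip": "192.0.2.200",
     "rule": {"name": ".", "forward_to": ["ap-desk@example-invoices.net"], "delete": True,
              "move_to": None, "subject_contains": ["invoice", "payment"]}},
    {"ts": "2024-03-05T09:15:00Z", "user": "bob@example.com", "op": "UserLoggedIn", "ip": "198.51.100.12"},
    {"ts": "2024-03-05T09:20:40Z", "user": "bob@example.com", "op": "New-InboxRule", "ip": "198.51.100.12",
     "rule": {"name": "Newsletters", "forward_to": [], "delete": False,
              "move_to": "Newsletters", "subject_contains": ["digest"]}},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def login_indicators(event):
    """Flag a login from an address the user has never used that is also off-network."""
    ip = event["ip"]
    if is_corporate(ip) or ip in BASELINE_IPS.get(event["user"], set()):
        return []
    return ["login from unfamiliar external IP %s" % ip]


def rule_indicators(rule):
    """Flag inbox-rule traits typical of takeover tradecraft; an empty list means benign."""
    hits = []
    external = [a for a in rule.get("forward_to", []) if not a.lower().endswith("@" + TENANT_DOMAIN)]
    if external:
        hits.append("forwards to external address %s" % ", ".join(external))
    if rule.get("delete"):
        hits.append("deletes matching messages")
    if (rule.get("move_to") or "").lower() in HIDDEN_FOLDERS:
        hits.append("moves messages to a rarely read folder (%s)" % rule["move_to"])
    if any(w.lower() in FINANCE_WORDS for w in rule.get("subject_contains", [])):
        hits.append("filters on finance keywords")
    if len(rule.get("name", "").strip(" .-_")) == 0:
        hits.append("rule name is empty or punctuation only")
    return hits


def triage(events):
    """Return {user: [(severity, ts, description), ...]} for a chronological event list."""
    findings = {}
    suspicious_logins = {}  # user -> [(time, ip)] of flagged logins, kept for correlation
    for ev in events:
        t = parse_ts(ev["ts"])
        user = ev["user"]
        if ev["op"] == "UserLoggedIn":
            for desc in login_indicators(ev):
                findings.setdefault(user, []).append(("medium", ev["ts"], desc))
                suspicious_logins.setdefault(user, []).append((t, ev["ip"]))
        elif ev["op"] == "New-InboxRule":
            hits = rule_indicators(ev["rule"])
            if not hits:
                continue
            # A suspicious rule created from the same IP soon after a flagged login is the classic pattern.
            recent = [ip for (lt, ip) in suspicious_logins.get(user, [])
                      if timedelta(0) <= t - lt <= CORRELATION_WINDOW and ip == ev["ip"]]
            severity = "high" if recent else "medium"
            findings.setdefault(user, []).append((severity, ev["ts"], "new inbox rule: " + "; ".join(hits)))
    return findings


if __name__ == "__main__":
    for user, items in triage(EVENTS).items():
        for sev, ts, desc in items:
            print(f"{sev:6} {ts} {user}: {desc}")
```

Run against the constructed events, the script produces nothing for bob (a rule that files newsletters into a visible folder from a known IP is exactly the benign case these checks must not fire on) and two findings for alice: a medium-severity login from an unfamiliar external address, escalated to high when a rule forwarding invoice mail to an external domain and deleting the originals appears from the same IP two minutes later. In a real deployment the events would come from the mail platform's audit log rather than a list in the script, and a high finding should trigger session revocation and removal of the rule as well as a credential reset.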
Security sits at the top of the CIO’s agenda and is likely to stay there as IT teams and organisations adapt their working practices (and supporting security measures) to new, evolving remote working setups. As our most recent spear phishing findings make clear, they will not be the only ones to react to new ways of working; cybercriminals will also be looking for new vulnerabilities. It is up to MSPs to bring their toolkit, expertise and knowledge to organisations suffering at the hands of account takeovers and demonstrate their value as a trusted partner.