Thursday, September 21, 2023

Security Boulevard Logo

Security Boulevard

The Home of the Security Bloggers Network

Community Chats Webinars Library
  • Home
    • Cybersecurity News
    • Features
    • Industry Spotlight
    • News Releases
  • Security Bloggers Network
    • Latest Posts
    • Contributors
    • Syndicate Your Blog
    • Write for Security Boulevard
  • Webinars
    • Upcoming Webinars
    • Calendar View
    • On-Demand Webinars
  • Events
    • Upcoming Events
    • On-Demand Events
  • Sponsored Content
  • Chat
    • Security Boulevard Chat
    • Marketing InSecurity Podcast
    • Techstrong.tv Podcast
    • TechstrongTV - Twitch
  • Library
  • Related Sites
    • Techstrong Group
    • Cloud Native Now
    • DevOps.com
    • Security Boulevard
    • Techstrong Research
    • Techstrong TV
    • Techstrong.tv Podcast
    • Techstrong.tv - Twitch
    • Devops Chat
    • DevOps Dozen
    • DevOps TV
  • Media Kit
  • About
  • Sponsor

  • Analytics
  • AppSec
  • CISO
  • Cloud
  • DevOps
  • GRC
  • Identity
  • Incident Response
  • IoT / ICS
  • Threats / Breaches
  • More
    • Blockchain / Digital Currencies
    • Careers
    • Cyberlaw
    • Mobile
    • Social Engineering
  • Humor
Hot Topics
  • How Threat Hunting can Strengthen Your Cybersecurity Posture
  • GitLab Releases Urgent Security Updates for Critical Flaw
  • Move to the Cloud with Confidence: 6 Key Risks & Mitigation Techniques — Part 2
  • What is an Authenticated Security Scan, And Why Is It Important?
  • Orchestration Kitchen Workshop on Migrating CIAM from Keycloak to Amazon Cognito
Security Bloggers Network 

Home » Security Bloggers Network » 5 Ways To Detect A Cloud Account Takeover

SBN

5 Ways To Detect A Cloud Account Takeover

by Katie Fritchen on October 17, 2019

Detect and protect your data from a cloud account takeover by knowing these 5 indicators

Account takeovers are a growing concern for security and system admins in organizations of all types and sizes. A cloud account takeover impacts organizations that are using cloud applications, such as Google G Suite and Microsoft Office 365.

Cloud account takeovers are popular because hackers know how difficult it is for IT security teams to detect and defend against them. In the perimeter-less world of cloud computing, account takeovers are easier to accomplish and can have a much greater impact on an organization’s information systems. Criminals can quickly gain access to more accounts and information than they could with software and on-premise servers protected by firewalls and MTAs.

AWS Builder Community Hub

What is a Cloud Account Takeover?

The basic mechanics and intent of a cloud account takeover is the same as an account takeover that occurs on-premise. A criminal gains access to an internal account, through any of a variety of means, and uses it to gain access to more accounts and more information they can use for their own purposes.

The ways that an account takeover can happen in the cloud can vary. The impact that it has in the cloud can also be a bit different. Perhaps the biggest differences are in an organization’s ability to detect a cloud account takeover, find out what the takeover impacted, and fix the issue.

Many organizations that were quick to adopt cloud computing have been slow to adopt cloud computing security. There are 2 misconceptions contributing to this issue. First, admins think that their existing, network-based cybersecurity infrastructure is sufficient to protect cloud applications. Second, they tend to believe that the app providers are responsible for securing customer data.

Knowing what abnormal behavior looks like is an important first step in account takeover prevention. This knowledge helps you detect a cloud account takeover (or a takeover attempt), and then take the steps required to remediate it.

1. Login Location

cloud account takeover detection login analyzer ManagedMethods cloud security platformUsing login location to detect a possible cloud account takeover is simple and works well for most organizations. Analyzing login locations lets you see if there are login attempts originating outside of where you would normally expect to see them. Then, you can set cloud security policies against allowing logins and other activity from these locations.

For example, most school districts in the United States don’t have students or employees physically located outside of the country. If you suddenly see a spike in login attempts originating in China, you have a pretty good sense that this account is under attack.

Of course, people do go on vacation and forgein exchange programs, so that is something to consider. You may need to put policies in place that informs the IT staff when a specific users needs to access the school’s cloud environment from outside of the country. Best security practices tell us to err on the side of caution. Keep it locked down and let a legitimate user contact you to let you know if it needs to be unlocked.

2. Failed Login Attempts

According to a study by Signal Sciences, any given external application can expect to experience a login failure rate of about 30%. They happen. People forget their passwords, or enter them incorrectly, and sometimes the app server fails.

But many failed attempts over a short period of time is a good indication that a cloud account is under attack. A hacker may be using a bot to try out all the most common passwords, or different variations of a known password, to gain authorized access to the app.

A good idea is to set up policies that limit the number of failed login attempts before an account is locked out. Most will limit failed logins to 3 to 5. After that, the user needs to contact the app administrator to unlock the account and reset the password. You should also consider setting up an alert for the system admin in charge of applications and/or security, so they receive a notification when there have been multiple login attempt failures. This kind of visibility allows the admin to take proactive action to determine if the attempts are legitimate or malicious.

3. Lateral Phishing Emails

The first two are good ways to detect if someone is attempting an account takeover. The rest are how to detect a cloud account takeover that has already occurred. Monitoring your organization’s applications for abnormal behavior is the best way to detect cloud account takeovers.

Lateral phishing emails originate from an account that has already been compromised. Because emails are sent from an internal account, lateral phishing is difficult to detect using traditional phishing filters. Lateral phishing attacks are relatively new and are gaining in popularity because they get around most organization’s phishing filters and can impact many accounts.

A recent study found that 1 in 7 organizations experienced at least one lateral phishing attack in a span of 7 months. In total, researchers found 154 hijacked accounts that sent lateral phishing emails to over 100,000 unique recipients. The report goes on to identify that about 40% of the recipients were fellow employees, while the remaining were a variety of account types including personal, customer, partner, and vendor recipients.

Traditional mail transfer agents (MTAs) and phishing filters operate at the perimeter of an organization’s network. But what happens when a user isn’t in the network? Or if an account takeover has already occured? These security tools don’t have the capability to detect further phishing attacks from within. If you are using a cloud security solution that scans emails and files for phishing links and malware inside email and shared drive accounts, your ability to detect such emails is much higher.

4. Malicious OAuth Connections

cloud account takeover risks - ManagedMethods cloud security platform

Connecting SaaS applications to the cloud environment through OAuth is now a common occurrence. Connecting to malicious apps is a behavior that can occur accidentally or on purpose. You won’t usually be able to tell the intent of a malicious OAuth connection, but it’s one indicator that a cloud account takeover has occurred. It’s best to err on the side of caution when you detect a risky or malicious OAuth connection and take a deeper look into an account’s other activity to try to determine if it’s indeed compromised or if it was simply an unsuspecting employee.

How are malicious apps used by cyber criminals? There are several ways, but the most common is to help them send lateral phishing emails. A hacker can create an application that requires read, write, and send permissions for a user’s Gmail or Outlook 365 account. Once granted that permission through OAuth, they can then send emails containing phishing links directly through the users account. Without ever needing to login to the account they’ve hijacked! And, again, these types of emails go completely undetected by traditional phishing filters and MTAs that your organization is already using.

If you do detect a risky or malicious OAuth connection in your cloud environment, the best first step is to remove the connection. Then, you should get in contact with the person whose account it was connected to to ask if they’d added the app. If they didn’t add it themselves, you should initiate a password reset on the account immediately and run an audit to see if any files or other accounts have been compromised.

5. Abnormal File Sharing & Downloading

Sometimes, when a cloud account takeover occurs, the objective is to get as much information as possible. This is particularly true for accounts that have been granted access to sensitive or proprietary information. This type of information can include social security numbers, names, addresses, and phone numbers, health information, financial information, and intellectual property.

If your cloud security platform detects that an account is sharing sensitive information outside of the organization’s domain (or attempting to) or that it’s downloading that information, it could be an indication of a compromised account. You will want to immediately lock that account down, and then force a password reset and audit the rest of your environment to see what was impacted and if any other accounts may be compromised.

Cloud account takeovers are difficult to detect for admins using traditional security tools to solve cloud security issues. Using a cloud security platform to monitor, detect, and automate responses to these five account takeover indicators makes life much easier. And it makes data stored in the cloud far more secure. If your organization is using cloud applications for email, file sharing, storage, etc. it’s time to start taking your cloud data security more seriously.

Cloud Application Security Checklist Blog CTA XXL

The post 5 Ways To Detect A Cloud Account Takeover appeared first on ManagedMethods.


Recent Articles By Author
  • In the News | Creating a Comprehensive Cybersecurity Awareness Program for a K-12 School
  • In the News | How to Leverage Technology to Promote Cybersecurity Awareness
  • In the News | 15 Advanced Cybersecurity & Web 3.0 Executives
More from Katie Fritchen

*** This is a Security Bloggers Network syndicated blog from ManagedMethods authored by Katie Fritchen. Read the original post at: https://managedmethods.com/blog/5-ways-to-detect-a-cloud-account-takeover/

October 17, 2019October 17, 2019 Katie Fritchen account takeover
  • ← The NIST Cybersecurity Framework Implementation Tiers Explained
  • Using Machine Learning to Detect IP Hijacking →

Techstrong TV – Live

Click full-screen to enable volume control
Watch latest episodes and shows

Upcoming Webinars

Thu 21

Holistic AppSec and Software Supply Chain Security

September 21 @ 11:00 am - 12:30 pm
Thu 21

What AI Doesn’t Know About Kubernetes in Production

September 21 @ 12:00 pm - 1:00 pm
Fri 22

Cloud Security Turbocharged: A Wild Ride of Innovation, Threats and Staying Ahead

September 22 @ 11:00 am - 12:00 pm
Mon 25

Cloud Security

September 25 @ 1:00 pm - 2:00 pm
Thu 28

A Guide to Smart Dependency Management

September 28 @ 12:00 pm - 1:00 pm
Oct 03

Way Too Vulnerable: Uncovering the State of the Identity Attack Surface

October 3 @ 11:00 am - 12:00 pm
Oct 11

ASPM: Leveling the AppSec Playing Field

October 11 @ 1:00 pm - 2:00 pm
Oct 16

Shadow Access: Where IAM Meets Cloud Security

October 16 @ 3:00 pm - 4:00 pm
Oct 17

Securing Cloud-Native Applications Across the Software Development Life Cycle

October 17 @ 11:00 am - 12:00 pm
Oct 18

Live Workshop on ‘SCA 2.0’: Using Runtime Analysis to Find High-Risk SCA Vulnerabilities

October 18 @ 12:00 pm - 1:30 pm

More Webinars

Subscribe to our Newsletters

TSTV Podcast

Most Read on the Boulevard

Group Allegedly Behind MGM, Caesars Attacks is Fairly New to Ransomware
LockBit Affiliates Use RMM Software in Ransomware Attacks
CrowdStrike Extends Scope of Managed Cybersecurity Services
Pillars of Cloud Security
Leveraging Wargaming Principles for Cyberdefense Exercises
How to secure payments from checkout to chargeback: Pairing Sift Payment Protection and Dispute Management
Understanding the Cyber Kill Chain: A Comprehensive Guide to Cybersecurity
Cyber Week 2023 & The Israel National Cyber Directorate Presents – FraudCON In-Person
Automated Vulnerability Detection: Mitigate Fraud and Strengthen Your Cybersecurity Defense
The Importance of ESG Metrics in Driving Sustainable Business Practices

Download Free eBook

Managing the AppSec Toolstack

Industry Spotlight

Google: Chromebooks Will Get 10 Years of Software, Security Updates
Application Security Cybersecurity Data Security Endpoint Featured Industry Spotlight Malware Mobile Security Network Security News Security Boulevard (Original) Spotlight 

Google: Chromebooks Will Get 10 Years of Software, Security Updates

September 19, 2023 Jeffrey Burt | 1 day ago 0
Group Allegedly Behind MGM, Caesars Attacks is Fairly New to Ransomware
Cloud Security Cybersecurity Data Security Featured Identity & Access Industry Spotlight Malware Mobile Security Network Security News Security Awareness Security Boulevard (Original) Social Engineering Spotlight Threats & Breaches 

Group Allegedly Behind MGM, Caesars Attacks is Fairly New to Ransomware

September 18, 2023 Jeffrey Burt | 2 days ago 0
DoD Turns to Stronger Alliances to Combat Cyberthreats
Cybersecurity Data Privacy Featured Industry Spotlight Malware Network Security News Security Awareness Security Boulevard (Original) Spotlight 

DoD Turns to Stronger Alliances to Combat Cyberthreats

September 14, 2023 Jeffrey Burt | Sep 14 0

Top Stories

GitLab Releases Urgent Security Updates for Critical Flaw
Application Security Cloud Security Cybersecurity Data Security DevOps Featured Identity & Access News Security Boulevard (Original) Spotlight Threat Intelligence Vulnerabilities 

GitLab Releases Urgent Security Updates for Critical Flaw

September 21, 2023 Jeffrey Burt | 39 minutes ago 0
Barracuda Networks Issues Email Inbox Rules Manipulation Warning
Analytics & Intelligence Cybersecurity Data Security Featured Governance, Risk & Compliance Incident Response Malware Network Security News Security Boulevard (Original) Social Engineering Spotlight Threat Intelligence Threats & Breaches Vulnerabilities 

Barracuda Networks Issues Email Inbox Rules Manipulation Warning

September 20, 2023 Michael Vizard | Yesterday 0
Coalition Report Reveals Ransomware Resurgence
Analytics & Intelligence Cybersecurity Data Security Featured Governance, Risk & Compliance Incident Response Malware News Security Boulevard (Original) Spotlight Threat Intelligence 

Coalition Report Reveals Ransomware Resurgence

September 20, 2023 Michael Vizard | Yesterday 0

Security Humor

Randall Munroe’s XKCD ‘Haunted House’

Randall Munroe’s XKCD ‘Haunted House’

Security Boulevard Logo White

DMCA

Join the Community

  • Add your blog to Security Bloggers Network
  • Write for Security Boulevard
  • Bloggers Meetup and Awards
  • Ask a Question
  • Email: [email protected]

Useful Links

  • About
  • Media Kit
  • Sponsor Info
  • Copyright
  • TOS
  • DMCA Compliance Statement
  • Privacy Policy

Related Sites

  • Techstrong Group
  • Cloud Native Now
  • DevOps.com
  • Digital CxO
  • Techstrong Research
  • Techstrong TV
  • Techstrong.tv Podcast
  • DevOps Chat
  • DevOps Dozen
  • DevOps TV
Powered by Techstrong Group
Copyright © 2023 Techstrong Group Inc. All rights reserved.