Account Takeover (ATO) is a thorn in the side of enterprise security teams, and one that Juniper Research has estimated will cost companies worldwide $25bn in 2020.
What is Account Takeover?
Securing digital information with passwords has always been flawed. In fact, the first-ever computer to use passwords also ironically went on to become the target of not one, but two breaches.
Account Takeover is when attackers abuse the inherent weaknesses in passwords to hijack an account for their own malicious ends. In an enterprise setting, it can be applied to everything from commandeering email accounts to illicitly accessing collaborative working tools or other SaaS services. The result can be anything from locking users out of accounts, to vast data breaches.
In fact, the rush to put everything in the cloud has only magnified the problem, with vast volumes of critical information and vital processes now behind a remotely accessed login. The attack surface has fragmented and moved outside the perimeter.
The credentials most commonly sought by cybercriminals are for cloud email services such as Microsoft 365. Compromising these gives an attacker a strong foothold for collecting intelligence, socially engineering employees or stealing critical IP emailed to the hijacked account.
The upshot is that Account Takeover can have a variety of real-world impacts. If part of a data-stealing operation, the resultant brand impact and financial losses from breaches are obviously sizeable – not to mention the associated regulatory issues.
What to watch out for
Typically, security teams protecting against Account Takeover need to be aware of three main attack vectors, all aimed at compromising passwords in some way:
Phishing: The aim is for malicious actors to convince users to hand over their username and password to enable ATO. Typically, the higher-profile the target, the more tailored the phish. For prime targets, such as government or financial organisations, an attacker may spend significant time researching their mark by collecting information to personalise the approach.
Credential stuffing: This sees attackers using a database of stolen usernames and passwords to try to log in to a variety of different accounts. Success rates increase significantly when using a freshly stolen database.
Brute-force attacks: A form of password cracking, this is where large lists of possible passwords are rapidly tried against the target system or application. Often, this will be launched from varying IP addresses to remain below the radar of automated detection systems.
How to protect yourself from Account Takeover
As with any strong security posture, layered security is the watchword. A mesh of complementary countermeasures always provides the best defence. Multi-Factor Authentication (MFA) in particular can be applied to protect user accounts with more than just a password: even if an attacker obtains the account credentials, they are unable to access the account – or mailbox.
Reduce the impact of large-scale data breaches by protecting user accounts with more than just passwords.
This is especially true in a world which has just, all of a sudden, embraced mass remote working. With large numbers of employees being forced to work at home, adding MFA as standard to applications such as Microsoft 365 should now be considered mandatory. Security teams can make this less burdensome by tiering rollout – starting with the most at-risk targets, such as admins and senior management.
This should be overlaid onto strong, integrated email and web security solutions and combined with ongoing employee training to help cut phishing off as a route to stolen credentials. This is crucial to making a dent in ATO attacks targeted at your organisation in particular.
As part of ongoing hygiene, security teams should also keep abreast of breached-credential databases to ensure their users don't unknowingly become a risk. In addition, unusual login activity and other anomalous patterns of behaviour, such as access attempts from irregular geographic locations, should be flagged across all SaaS applications.
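The three patterns described on this page (one source failing against many accounts in credential stuffing, one account attacked from many IP addresses in a spread-out brute force, and a successful sign-in from a country the user has never used) can all be pulled out of a SaaS sign-in log with simple grouping. The following is an added illustration, not code from the original article or from any vendor product; the log format and the sign-in events are constructed for the example, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict, namedtuple
# One sign-in event: ts is a constructed sequence number, country is the geo-IP result for src_ip.
Login = namedtuple("Login", "ts user src_ip country success")

# Constructed sample SaaS sign-in log (not real telemetry); IPs are from documentation ranges.
EVENTS = [
    Login(1, "alice", "203.0.113.5", "GB", True),
    Login(2, "alice", "203.0.113.5", "GB", True),
    # one source IP failing against many different accounts: credential-stuffing pattern
    Login(3, "bob", "198.51.100.7", "GB", False),
    Login(4, "carol", "198.51.100.7", "GB", False),
    Login(5, "dave", "198.51.100.7", "GB", False),
    Login(6, "erin", "198.51.100.7", "GB", False),
    # one account failing from many source IPs: brute force spread across addresses
    Login(7, "admin", "192.0.2.10", "GB", False),
    Login(8, "admin", "192.0.2.11", "GB", False),
    Login(9, "admin", "192.0.2.12", "GB", False),
    Login(10, "admin", "192.0.2.13", "GB", False),
    # successful sign-in from a country this user has never signed in from before
    Login(11, "alice", "203.0.113.99", "RU", True),
]

def _failure_groups(events, key, value, threshold):
    """Group failed logins by key(e); keep groups with at least threshold distinct value(e)."""
    groups = defaultdict(set)
    for e in events:
        if not e.success:
            groups[key(e)].add(value(e))
    return {k: sorted(v) for k, v in groups.items() if len(v) >= threshold}

def stuffing_sources(events, min_accounts=4):
    """Source IPs whose failed logins span at least min_accounts distinct accounts."""
    return _failure_groups(events, lambda e: e.src_ip, lambda e: e.user, min_accounts)

def spread_bruteforce_targets(events, min_ips=4):
    """Accounts whose failed logins arrive from at least min_ips distinct source IPs."""
    return _failure_groups(events, lambda e: e.user, lambda e: e.src_ip, min_ips)

def new_country_logins(events):
    """Successful logins from a country not seen before for that user (first login sets the baseline)."""
    seen = defaultdict(set)
    alerts = []
    for e in sorted(events, key=lambda x: x.ts):
        if not e.success:
            continue
        if seen[e.user] and e.country not in seen[e.user]:
            alerts.append((e.ts, e.user, e.country))
        seen[e.user].add(e.country)
    return alerts
```

In practice the baseline for new_country_logins would be built from historical sign-ins rather than from the same batch, and the thresholds should sit above the noise of a normal business day.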