Jason Howells, VP, MSP International Sales at Barracuda, looks at what organisations can do to prevent cybercriminals hijacking and monetising employee email accounts
Such is the shock of a successful security breach that affected organisations might be excused for viewing it as a bolt from the blue. In fact, breaches are often the culmination of months of covert activity by different groups of cybercriminals following an account takeover.
A study of 156 compromised accounts for Barracuda’s 2019 Spear Phishing Report shows that once hackers have successfully accessed an account, they go on to monitor and track all activity, gaining a fly-on-the-wall insight into how the breached business operates, the email signatures used, how financial transactions are handled, and how they can launch intricate, targeted phishing attacks strengthened by harvested financial information and stolen login credentials.
Account takeovers often last for weeks or even months and, in many cases, multiple accounts – and even multiple cybercriminals – are involved.
In our research, attackers were active for more than a week in over one third of the hijacked accounts analysed. In 31% of cases, accounts were compromised by one set of cybercriminals, who would then sell account access to another group to monetise.
Researchers found that a significant proportion of compromises were caused by employees reusing passwords that had been stolen in a separate breach, rather than through phishing attacks. One fifth of compromised accounts appeared in at least one online password data breach, suggesting that cybercriminals are exploiting credential reuse across employees’ personal and business accounts.
Moreover, with 78% of attackers accessing no application other than email, it’s clear that this is the only breach they need to achieve their goals.
As cybercriminals become ever more devious, organisations must rise to the challenge by incorporating new ways to detect, defend against and respond to these attacks, ideally under the guidance of a trusted MSP partner.
Defending against account takeover
As well as making sure customers are aware of, and prepared for, evolving cyber threats, MSPs that partner with Barracuda MSP are able to offer a robust managed security service based on the company’s enterprise-grade, cloud-ready solutions for email protection, application and cloud security, network security and data protection.
Its offering includes four key tools for identifying, mitigating and defending against account breaches, whether via phishing, password reuse or through another compromised account. These are: artificial intelligence (AI); monitoring and forensics; better education and training; and air-tight password management.
AI-based detection of compromised accounts is a vital first step. An AI-based detection system will examine a wide range of factors that could indicate an intrusion has taken place, including dubious links, sender behaviour, IP login information and suspicious inbox-forwarding rules.
Given that account takeovers often last for months and can be carried out by more than one cybercriminal, the MSP should continuously monitor internal accounts for suspicious activity, even after the initial compromise has occurred, and use forensics to remediate attacks.
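As an added illustration (not Barracuda's detection logic, and not code from the original article), the sketch below applies two of the signals named above, IP login information and inbox-forwarding rules, to a batch of mailbox events and ranks accounts for review. The event shape, the `example.com` domain, the per-user network baseline and the scoring weights are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

ORG_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains
BASELINE = {                   # assumption: networks each user normally signs in from
    "alice@example.com": [ip_network("198.51.100.0/24")],
    "bob@example.com": [ip_network("198.51.100.0/24")],
}

# Constructed sample events in a hypothetical, simplified audit-log shape.
EVENTS = [
    {"user": "alice@example.com", "type": "login", "ip": "198.51.100.20"},
    {"user": "bob@example.com", "type": "login", "ip": "203.0.113.7"},
    {"user": "bob@example.com", "type": "rule_created", "forward_to": "archive@example.net"},
    {"user": "bob@example.com", "type": "login", "ip": "192.0.2.44"},
    {"user": "alice@example.com", "type": "rule_created", "forward_to": "pa@example.com"},
]

def triage(events, org_domains=ORG_DOMAINS, baseline=BASELINE):
    """Return {user: {"findings": [...], "unfamiliar_ips": set}} for accounts needing review."""
    report = defaultdict(lambda: {"findings": [], "unfamiliar_ips": set()})
    for ev in events:
        user = ev["user"]
        if ev["type"] == "login":
            ip = ip_address(ev["ip"])
            # A user with no baseline has every login flagged until one is learned.
            if not any(ip in net for net in baseline.get(user, [])):
                report[user]["unfamiliar_ips"].add(str(ip))
                report[user]["findings"].append(f"login from unfamiliar IP {ip}")
        elif ev["type"] == "rule_created":
            domain = ev["forward_to"].rsplit("@", 1)[-1].lower()
            if domain not in org_domains:
                report[user]["findings"].append(
                    f"inbox rule forwards mail to external domain {domain}")
    return dict(report)

def priority(entry):
    """Score rises when signals combine: external forwarding plus several unfamiliar sources."""
    forwarding = any("forwards mail" in f for f in entry["findings"])
    return len(entry["unfamiliar_ips"]) + (2 if forwarding else 0)

if __name__ == "__main__":
    for user, entry in sorted(triage(EVENTS).items(), key=lambda kv: -priority(kv[1])):
        print(user, priority(entry), entry["findings"])
```

Several unfamiliar source addresses on one account fit the multi-actor pattern described above, which is why the score counts distinct IPs rather than login events.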
MSPs with a good remote monitoring and management (RMM) system can boost their online security service with agent-based DNS and URL filtering, to protect end-users from web-borne threats, and gain a centralised view of threats, such as malicious files, domains or URLs, across every connected device.
Given how many accounts are compromised with information stolen in other breaches, rather than through a direct phishing attack, it’s important to consider multi-factor authentication, constant account monitoring and ready-to-deploy forensics in the event of a successful attack.
Applying best practice
It is just as important, if not more so, for businesses and their MSP to make sure that all staff are trained on best practice in password creation, storage, review and management. Password management is not a panacea, as once attackers get into an organisation they can compromise additional accounts, but it is still a fundamental part of protecting against account takeover.
In addition to password management, security teams should ensure staff are informed about the risks of sharing confidential documents and other sensitive information through their accounts and other applications, such as Microsoft SharePoint.
Security sits at the top of the CIO agenda, where it is likely to remain as organisations continue to modify working practices and security measures to support increased remote working. With so many already struggling to protect themselves from cybercriminals, as our spear phishing report makes clear, it makes sense for them to enlist the help of MSPs with the toolkits, expertise, knowledge and supervision needed to prevent account takeovers.