Over the last two years, digital transformation projects have accelerated, and cloud-based collaboration platforms such as Office 365 and Slack have been adopted even faster, driven by the pandemic, near-universal smartphone use and reliable internet access. Regardless of which tools your organization uses, communication and workflow apps are now an essential element of every organization’s communication toolkit.
Office 365 and Slack help teams collaborate efficiently — regardless of geography — something that will continue as companies capitalize on remote employees to fill roles and find talent in new places. As the number of users has increased, reliance on these platforms for core communications has also increased considerably.
A new target for attackers
Like any other platform where written communication takes place, these platforms are increasingly attractive targets for cyber attackers, who are now diverting more of their efforts and resources towards them. That approach is not new either; attacks on written communications are nearly as old as written communication itself. Communications often hold sensitive information that is valuable to the attacker and therefore a target for theft. Messages often convey orders and instructions, so an attacker who intercepts them can use the messages to misdirect the intended recipients. Importantly, written communication also makes it easier to impersonate someone – so an attacker can pose as a trusted individual.
Modern collaboration platforms have a similar appeal, and the defenses we built for email do not carry over to them. Email attackers have grown savvier: their links look (almost) right or hide a redirection in the URL, the sender addresses seem legitimate, and the messages are well written. In response, most organizations deploy tools that find and flag spam and phishing emails, and employees have been trained and retrained to look carefully at email messages, particularly links and attachments. Neither the tooling nor the training yet extends to chat: a message from a colleague’s account in Slack or Teams is rarely questioned, even though the same tricks work there.
Expect more attacks on collaboration platforms
The shift to cloud-based collaboration platforms, the amount of sensitive data now stored and exchanged on them, and the trust people place in messages on them lead to an inevitable conclusion: we are going to see more attacks on those platforms. Attackers are likely to start by compromising a single account, most often through phishing, a brute-force or password-spray attack, or by buying compromised credentials. They will then use that account to reach other resources, for example by asking the IT team over Slack to reset the password for another company system. They may also use the account to trick colleagues, asking for information or help accessing other resources, even requesting API keys and other credentials. The lesson for defenders is that the identity of the sender is not proof of intent: a request for credentials or a password reset should be verified out of band, no matter which account it comes from.
The expansion of shared resources, including group chat channels, also means that a considerable amount of information is communicated and stored on these platforms. Today, people routinely use Office 365 and Slack to share sensitive information within an organization. Unfortunately, these channels often have minimal permission restrictions, so many users have access to sensitive data, and a single compromised account inherits that same broad access.
Further increasing the risk, these platforms offer many third-party applications and integrations. Each integration is granted its own permissions and access tokens, so integrations that proliferate without security oversight extend the attack surface: a compromised or malicious app can read or post on behalf of users long after the people who installed it have forgotten it exists. This growth, in turn, increases the potential impact of a breach if an attack occurs.
5 tips to help you prepare for a collaboration platform attack
Take advantage of advanced security features – Office 365 and Slack both offer robust security features, such as multi-factor authentication, single sign-on, encryption and advanced threat detection. Some of these features require higher-tier plans, but they reduce the likelihood of an attacker turning stolen credentials into a working session. Enforce MFA for every account rather than making it optional, and check periodically that no accounts, including service and admin accounts, have been exempted.
Back up your data – Backups are an important weapon if your organization is targeted with a ransomware or destructive attack. Backing up your data is particularly important with Slack: its retention settings control how long messages are kept, but there is no way to restore messages once they have been deleted, so unless you have exports or backups the data is gone. An attacker who gains admin rights can also shorten retention or delete content on other platforms, so do not treat the vendor’s retention settings as a backup.
Review and enforce permission policies – Everyone has heard the term “principle of least privilege” by now, but familiarity does not make it less important. On collaboration platforms, users typically create the content and control the related permissions, which makes managing permission policies critically important. A new Slack channel is public by default, so sensitive information is all too easy to share in a channel that every member of the workspace can read. Create an expectation and culture in your organization that limits the use of public channels and emphasizes the importance of managing members and permissions. Educate your users on how and why they need to limit access, then monitor and enforce the platform permission policies, for example by periodically reviewing which public channels exist, who created them and what is being shared in them.
Third-party app and integration reviews – Software-as-a-Service platforms supply many plugins and marketplace apps and offer other integrations to increase ease of use and keep users on the platform. That also introduces substantial risk, because each integration holds its own credentials and scopes. Develop a policy to evaluate each integration, then limit the integration and its permission levels based on the value it offers and the potential risk. Users should not be able to add any integration they want, any time they want; require approval through the platform’s app management settings so that no new third-party app or integration is introduced without review, and re-review installed apps periodically to remove those no longer in use.
Continuous forensic data collection – When a critical incident occurs, the most valuable tool an incident response team has is forensic data: the response is driven by the evidence gathered through investigation of that data. Frequently, vendors restrict both the availability of forensic data and how long it is retained. One striking example is the Office 365 audit log, which on standard licenses is retained for just 90 days. When you try to retrieve those logs, you will also run into significant throttling: pulling a minute of activity can take longer than a minute, so you will be hard pressed to collect the data you need for an investigation after the fact. And Slack’s audit logs are only available to organizations on the Enterprise Grid plan. To get ahead of these issues, collect and keep forensic data on an ongoing basis, in small time windows with a checkpoint so that collection can resume after throttling. Then, when an incident occurs, you can investigate and respond at once, rather than waiting for the vendor to grant access to whatever data still exists.
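The collection loop described above, as an added example that is not code from the original post or from either vendor. It shows the pattern a practitioner would run on a schedule: query the audit log in short time windows so that no single query exceeds the per-query result cap, persist a checkpoint marking the last window fully collected so a run can resume after the service throttles it, and de-duplicate records by their Id because overlapping or repeated queries can return the same record twice. The `fetch` callable, the `Throttled` exception and the `MAX_PER_QUERY` value are assumptions for the example; in production `fetch` would wrap `Search-UnifiedAuditLog` or the Office 365 Management Activity API, and the audit records below are constructed sample data, not real log output.

```python
"""Resumable, windowed collection of Office 365 audit log records (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional

MAX_PER_QUERY = 5000  # assumed per-query result cap; the real limit depends on the API and session mode


class Throttled(Exception):
    """Raised by the fetcher when the service throttles the client (hypothetical name)."""


def ts(s: str) -> datetime:
    """Parse the ISO-8601 CreationTime used in audit records as UTC."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


@dataclass
class AuditCollector:
    fetch: Callable[[datetime, datetime], List[dict]]
    window: timedelta = timedelta(hours=1)
    checkpoint: Optional[datetime] = None      # end of the last window that was fully collected
    seen_ids: set = field(default_factory=set)
    archive: list = field(default_factory=list)

    def run(self, start: datetime, end: datetime) -> bool:
        """Collect records in [start, end). Returns True when the whole range is done,
        False when throttled; the checkpoint lets the next run pick up where this one stopped."""
        cursor = self.checkpoint or start
        while cursor < end:
            win_end = min(cursor + self.window, end)
            try:
                batch = self.fetch(cursor, win_end)
            except Throttled:
                return False                    # keep the checkpoint; resume on the next scheduled run
            if len(batch) >= MAX_PER_QUERY and self.window > timedelta(minutes=1):
                self.window //= 2               # the result may have been capped: shrink the window and re-query
                continue
            for rec in batch:
                if rec["Id"] not in self.seen_ids:   # the same record can appear in more than one query
                    self.seen_ids.add(rec["Id"])
                    self.archive.append(rec)
            self.checkpoint = cursor = win_end
        return True


# Constructed sample records in the shape of unified audit log entries (not real data).
SAMPLE_RECORDS = [
    {"Id": "a1", "CreationTime": "2021-03-01T00:10:00", "Operation": "UserLoggedIn", "UserId": "alice@example.com"},
    {"Id": "a2", "CreationTime": "2021-03-01T00:50:00", "Operation": "FileAccessed", "UserId": "alice@example.com"},
    {"Id": "b1", "CreationTime": "2021-03-01T01:05:00", "Operation": "UserLoggedIn", "UserId": "bob@example.com"},
    {"Id": "b1", "CreationTime": "2021-03-01T01:05:00", "Operation": "UserLoggedIn", "UserId": "bob@example.com"},  # duplicate
    {"Id": "c1", "CreationTime": "2021-03-01T02:30:00", "Operation": "MailItemsAccessed", "UserId": "bob@example.com"},
]


def make_fetch(records: List[dict], throttle_on_call: Optional[int] = None):
    """Build an in-memory fetcher that optionally simulates throttling on the Nth query."""
    calls = {"n": 0}

    def fetch(start: datetime, end: datetime) -> List[dict]:
        calls["n"] += 1
        if calls["n"] == throttle_on_call:
            raise Throttled()
        return [r for r in records if start <= ts(r["CreationTime"]) < end]

    return fetch


def demo():
    """First run is throttled on its second window; the second run resumes from the checkpoint."""
    start, end = ts("2021-03-01T00:00:00"), ts("2021-03-01T03:00:00")
    collector = AuditCollector(fetch=make_fetch(SAMPLE_RECORDS, throttle_on_call=2))
    first_complete = collector.run(start, end)
    checkpoint_after_throttle = collector.checkpoint
    collector.fetch = make_fetch(SAMPLE_RECORDS)     # next scheduled run, service no longer throttling
    second_complete = collector.run(start, end)
    return first_complete, second_complete, checkpoint_after_throttle, [r["Id"] for r in collector.archive]


if __name__ == "__main__":
    print(demo())
```

On a schedule this runs every few minutes against the live API with the checkpoint and archive written to durable storage outside the vendor’s retention window; the important properties are that a throttled run loses nothing, and that halving the window rather than accepting a capped result avoids silently dropping records from busy periods.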
Prepare for and minimize the impact of a Slack or Office 365 breach
Cloud-based communication platforms have been adopted almost universally, allowing us to communicate instantly with people around the world. This offers incredible value and flexibility, but the benefits do not come without risk. Understanding those risks, and why these platforms are an increasingly attractive target for attackers, will help you prepare for a potential breach. If an attack does happen, the steps outlined above can help you reduce its impact and keep your business running smoothly.