While it is still far from clear that remote working is going to be the new work model moving forward, the pandemic and the need to collaborate remotely is clearly changing the kinds of tools workers are using and how they are using them.
The rise of remote work due to the COVID pandemic significantly affected the use of workplace social networks like Slack, Discord, Teams and Yammer and video conferencing tools like Zoom and Google Hangouts. While the tools may be relatively new, the problems they create are not.
A recent assessment by Cisco Talos, the security threat research team for networking technology giant Cisco Systems, indicates that attackers are now using these tools to steal data, commit financial fraud and take over control of communications.
A Rising Security Threat
The results of the research, which appear in a blog post appropriately titled "Sowing Discord: Reaping the Benefits of Collaboration App Abuse," point out that as new platforms and applications gain in popularity, attackers develop ways to use them to achieve their objectives. Communications platforms like Telegram, Signal, WhatsApp and others have been abused over the past several years to spread malware.
The report also pointed out that, as telework has become the norm, attackers are modifying their tactics to use platforms such as Discord and Slack. The researchers identify four main conclusions:
- Attackers are modifying their tactics to take advantage of changes to employee workflows.
- Attackers are using collaboration platforms to stay under the radar and evade organizational defenses.
- Collaboration platforms enable attackers to conduct campaigns using legitimate infrastructure that may not be blocked in many network environments.
- Remote access trojans (RATs), information stealers, Internet of Things (IoT) malware and other threats are leveraging collaboration platforms for payload delivery, component retrieval and command-and-control (C2) communications.
The research concludes: “As chat apps like Discord, Slack and many others rise in popularity, organizations need to assess how these applications can be abused by adversaries and how many of them should be allowed to operate inside your enterprise."
Treat Collaboration Software Like Other Business Utilities
The use of collaboration software opens organizations to new avenues of attack, even if the attacks themselves remain unchanged, said Jacob Ansari, chief information security officer at Tampa, Fla.-based Schellman & Company. Organizations that use public or consumer offerings, such as the free versions of Slack or Discord, or that cannot or do not limit use to internal users, increase the probability that attackers will target their users with phishing or hostile links, attachments or plug-ins.
Organizations that want to protect themselves should select a particular set of collaboration tools, identify the security functions they need, determine their usage policies, and treat the tools like any other employee-facing technology. This means requiring strong authentication, configuring the tools to keep outsiders out of the organization's workspace wherever possible (or using something like a meeting password when specifically working with customers or other parties), allowing only specific, approved plug-ins or add-on functionality, and training users on appropriate usage and how to avoid malware.
“These tools present new attack vectors for already troublesome problems like phishing, RATs or ransomware, but treating usage of Slack or Discord or similar tools as actual business utilities with security requirements will go a long way in preventing or stopping attacks,” Ansari said.
By the time malware appears on a Slack or Discord platform, the first stage of the intrusion has already happened; the second stage is the download. Slack and Discord are yet another channel that allows malware to hide its downloads and exfiltration among legitimate corporate traffic, making it harder to detect, said Pascal Geenens, director of threat intelligence for Mahwah, N.J.-based Radware.
If an organization is using Slack or Discord, it will not immediately notice anomalous behavior, and because the traffic is encrypted, indicators of compromise (IOCs) in it cannot be detected without breaking open the encryption. This, Geenens said, is another step that makes it harder for organizations to secure their users and infrastructure.
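The detection problem Geenens describes can still be partly addressed at the network edge. The following is an added example, not code from the article, from Cisco Talos or from any vendor quoted here: it runs two simple rules over web-proxy log lines and flags (1) downloads of executable-looking files from the file-hosting domains of Discord and Slack and (2) clients that upload an unusual volume of data to those same domains, the pattern exfiltration would produce. The log format, the domain list, the file extensions, the 50 MiB threshold and the sample lines are all assumptions constructed for the example. Rule 1 needs the full URL, which is only visible if the proxy inspects TLS; rule 2 works on host name and byte counts alone, which is what is available without decryption.

```python
"""Flag suspicious file traffic to collaboration-platform CDNs in proxy logs.
Added example for illustration; not the article's or Cisco Talos's code."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: file-hosting domains used by the two services the article names.
# Extend this set for your environment (Teams/SharePoint, Google Drive, etc.).
COLLAB_FILE_DOMAINS = {"cdn.discordapp.com", "media.discordapp.net", "files.slack.com"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".msi", ".hta"}
UPLOAD_BYTES_THRESHOLD = 50 * 1024 * 1024  # assumed: 50 MiB per client per log window

# Assumed proxy log format, one request per line:
# <timestamp> <client_ip> <method> <url> <status> <bytes_to_client> <bytes_from_client>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "
    r"(?P<to_client>\d+) (?P<from_client>\d+)$"
)

# Constructed sample lines (not real traffic; URL paths are illustrative only).
SAMPLE_LOG = """\
2021-04-12T09:01:10Z 10.0.4.15 GET https://cdn.discordapp.com/attachments/1234/5678/quarterly_report.pdf 200 482113 612
2021-04-12T09:02:44Z 10.0.4.15 GET https://cdn.discordapp.com/attachments/1234/5679/invoice_2021.exe 200 1048576 640
2021-04-12T09:05:03Z 10.0.4.22 GET https://files.slack.com/files-pri/T0AAA-F0BBB/download/build.zip 200 3145728 655
2021-04-12T02:14:30Z 10.0.4.31 POST https://files.slack.com/upload/abc 200 310 52428800
2021-04-12T02:15:02Z 10.0.4.31 POST https://files.slack.com/upload/abd 200 310 47185920
2021-04-12T10:20:11Z 10.0.4.40 GET https://example.com/index.html 200 5120 500
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["to_client"] = int(rec["to_client"])      # bytes downloaded by the client
    rec["from_client"] = int(rec["from_client"])  # bytes uploaded by the client
    parsed = urlparse(rec["url"])
    rec["host"] = (parsed.hostname or "").lower()
    rec["path"] = parsed.path
    return rec


def is_executable_name(path):
    """True if the last path segment ends in an executable extension.
    Matching on the suffix also catches double extensions like report.pdf.exe."""
    name = path.rsplit("/", 1)[-1].lower()
    return any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS)


def analyze(lines):
    """Return a list of (rule, client_ip, detail) findings for the given log lines."""
    findings = []
    upload_bytes = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] not in COLLAB_FILE_DOMAINS:
            continue  # not a collaboration file host, or unparseable line
        # Rule 1: executable fetched from a collaboration CDN (needs URL visibility).
        if rec["method"] == "GET" and is_executable_name(rec["path"]):
            findings.append(("executable_download", rec["client"], rec["url"]))
        # Rule 2: accumulate upload volume per client (works on host + byte counts only).
        if rec["method"] in ("POST", "PUT"):
            upload_bytes[rec["client"]] += rec["from_client"]
    for client, total in upload_bytes.items():
        if total >= UPLOAD_BYTES_THRESHOLD:
            findings.append(("bulk_upload", client, f"{total} bytes uploaded to collaboration file hosts"))
    return findings


if __name__ == "__main__":
    for rule, client, detail in analyze(SAMPLE_LOG.splitlines()):
        print(f"{rule:20} {client:12} {detail}")
```

On the constructed sample, the PDF and the archive download pass (archives are deliberately not in the extension list; add them if your policy treats them as suspicious), the `.exe` fetched from Discord's CDN is flagged, and the client that pushed roughly 95 MiB to Slack's file host in two off-hours requests is flagged for bulk upload. Neither rule proves compromise; they surface the traffic that would otherwise blend into the legitimate collaboration flows the article describes, so that an analyst can look at it.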
How to Protect Against New Attacks
It is to be expected that as the world digitizes, opportunities for cyberattacks will continue to increase. The move to cloud computing opened all kinds of possibilities for information workers and developers to work, collaborate and share ideas long before COVID, said Gavin Ashton, security strategist at Hawthorne, NJ-based Stealthbits. What the pandemic has done is force the migration towards these modern platforms and attackers are responding in kind.
Organizations around the world are adopting Azure AD and other cloud-based identity providers to ensure that access to such platforms is protected through a centrally managed directory and policy enforcement. But this does not stop employees and contractors from using other SaaS-based solutions with their corporate email. This is where cloud access security broker (CASB) solutions come in.
A cloud access security broker is on-premises or cloud-based software that sits between cloud service users and cloud applications, and monitors all activity and enforces security policies. The ability to identify the apps people are using and get these integrated into an identity platform can allow people to use the platforms they want to use without unnecessarily opening risk to the organization. Without these centralized controls, organizations are at risk from attackers compromising those platforms but also the data leakage that can occur as a result.
“Today, attackers are far more likely to extort through public disclosure rather than simply encrypt on-premises data," Ashton said. "So, identifying where and how data is shared and stored and putting standardized controls around those locations is paramount.”
There are other things that company leaders can do, according to Jay Leaf-Clark, head of IT at New York City-based cybersecurity company Dashlane. He has five suggestions:
- Audit organizational settings: IT should audit the settings that allow channels and direct messages to be shared across organizations and, if such sharing is allowed, review it frequently and set expiration dates so shared channels do not linger.
- Create and maintain a files and attachment retention policy: Files and attachment retention settings should be set and controlled at an organizational level.
- Enforce app integration policies: Third-party add-ons and app requests must be approved beforehand, and IT or security teams should vet tools before allowing them in the organization.
- Train employees: Much as we train people to spot phishing emails and malicious software, it is important they also watch for the same tactics in instant messages and chat tools.
- Onboard a strong antivirus: Ensure you have a robust antivirus agent to detect, isolate and remove any malicious executables before they spread.