Executive Summary

57% of organizations cite collaboration applications such as Slack, Microsoft Teams, and Zoom, as the tech stack representing the most risk. Since the start of 2020, the use of such channels has boomed. The digital workspace these channels create is highly vulnerable to a range of digital risks, including social engineering, ransomware, third-party risks, insider threats, and compliance violations. This growing threat surface has compelled enterprises to attempt to secure collaboration channels through technology solutions that can provide cloud-native defenses and mitigate risks.

These collaboration platforms represent incredible opportunities to innovate across remote teams of employees and their third-party contributors and, in many cases, directly with customers. But the explosion in the use of these cloud-based channels has caught most enterprises off-guard; where they were once an adjunct to the enterprise, platforms like Slack, Zoom, and Microsoft Teams have now become part of a world without a perimeter. Enterprises cannot and should not solely count on these brands to deliver the security levels they need to keep their people, data, and brands safe. Brands simply must own their own security and compliance initiatives in the cloud and mobile workplace. What’s needed is a new generation of solutions that secure collaboration channels – solutions that are highly scalable, and provide full visibility, automated compliance, sandboxing, and other features. By integrating with the at-risk cloud applications, these applications provide companies with secure data collaboration.

To secure collaboration and chat platforms requires adopting solutions capable of closing security gaps, addressing compliance risks, and preventing cyber threats – before they infiltrate an enterprise’s IT systems. The data shows that this is an urgent need: 

  • 45% of business communication is now in digital channels outside of email, up 17% since 2020. (Business Communications Report, 2022)

  • Data breaches have, however, become more prominent with web applications and digital channels (56%), with email running a distant second (28%). Threat actors find it that much easier to exploit internal systems through collaboration and chat applications. (Data Breach Investigations Report)

  • Moreover, 30% of malware threats in the previous year were backdoor threats, which attackers often use to exploit third-party providers like Slack, Zoom, Teams, and more. (Cyber Threat Intelligence Report)

  • Insider threat incidents have also risen 44% over the past two years, with costs at about $15.38 million per incident. The number one reason for insiders? Negligence. (Ponemon Institute, Observe IT)

  • Unfortunately, 67% of employees admit failing to fully adhere to cybersecurity policies for various reasons, like they “hindered productivity” or “took too much energy and time to complete.” (Harvard Business Review)

  • Further, 58% of companies view compliance as a barrier to entering new markets. (Compliance in the Era of Digital Transformation)

  • 87% of organizations see risk management as reactive and costly vs proactive. (Disruption is the New Norm: Risk Management Survey Report)

But first, we need to understand how digital collaboration accelerated to what it is now, the threats and risks that come with this growth, and the steps organizations need to take to secure collaboration and chat channels.

Every savvy company learned long ago that managing projects over email is a nightmare. 

As an alternative, collaboration channels like Slack, Microsoft Teams, and Zoom have become the norms of doing business due in part to the normalization of distributed teams. Organizations today now rely heavily on SaaS collaboration and communication channels, as well as social networking, to conduct business internally and externally.

They are too powerful in facilitating daily operations to ever unwind from. They are here to stay. And they bring with them visibility limitations that render traditional enterprise security and compliance tools ineffective.

A blind-spot is growing for security operations as adoption of these tools increases, creating more risk and vulnerability to ransomware, business compromise, and confidential information leakage.

This threatens companies not only with millions of dollars in data breach costs and compliance penalties. It also increases the risk of massive data loss and brand damage. 

For example, in a risk report we compiled for one of our customers, we discovered that their collaboration tool (MS Teams) accounted for one-third of the org’s business communication volume. The organization would have gone on leaving their Teams instance open to ransomware attacks, data leaks, and non-compliance had that not been detected.

“Communication is critical infrastructure to any business.”

- Director of IT, Security, and Compliance

Full visibility and contextual analysis of these applications require deep monitoring across functionalities, like direct messages, group chats, and team meetings. Current defenses, however, miss the patterns, context, and intent of communications that indicate early stages of phishing, social engineering, and business communication compromise attacks.

These apps have become the new hotspot for cybercriminals; they know it’s an exposure and are rushing to capitalize on it before you can close the gap.

Today, there is awareness that digital collaboration does not immediately confer secure, compliant, and encrypted collaboration. These channels create a digital workspace that is currently under-protected. As these channels are on-boarded by more and more companies, the vulnerabilities and limitations of human users become more and more attractive to bad actors.

Truly secure collaboration tools can be hard to come by, and executives are aware of that. According to our recent survey, 57% of organizations cite internal collaboration tools and platforms as the tech stack representing the most risk. CISOs are right to be worried.

Timeline of Notable Threats and Risks Across Collaboration Platforms

2022

  • Several alleged members of the Lapsus$ hacking group were arrested by the British police. The threat group conducted a slew of data breaches on top global companies, including Microsoft, Samsung, Ubisoft, Nvidia, and Okta, by gaining access to and utilizing communication channels like Slack and Teams.

  • Scammers created a deepfake of Patrick Hillmann, Chief Communications Officer at Binance, and used that on Zoom calls in an attempt to scam people from the cryptocurrency community. According to his article, a team of hackers had utilized his previous TV appearances and interviews to create a hologram “refined enough to fool several highly intelligent crypto community members.”

2021

  • A stolen Slack authentication cookie enabled bad actors to infiltrate EA Games’ network, stealing 780Gb worth of data, including source code for two of the company’s multi-billion dollar franchises.

2020

These are just a couple of examples of how both internal and client collaboration channels have been targeted. Though vulnerabilities are usually quickly patched, they also keep coming and not all are detected. And traditional cybersecurity techniques fail to offer a layer of protection against issues like this.

The vulnerability of collaboration platforms is rooted in three main factors:

  1. A high velocity and volume of communications

  2. Lack of true visibility into these communications

  3. The inadequacy of manual monitoring

The average Slack or Teams instance plays host to thousands or even tens of thousands of daily messages. These messages are exchanged at lightning speed, around the clock. They are sent in groups and DMs; they often contain links and attachments.

Meanwhile, Zoom meetings let many participants interact over video conferencing at once, a much more direct form of collaboration. However, these meeting rooms are often easily accessible, and random people can Zoombomb your calls, even business meetings where sensitive information is discussed.

Just one malicious message in your Slack or Teams instance, or one BEC attack on your Zoom call, can cause serious damage. However, collaboration channels’ nonstop flow of human interaction moves far too fast to be manually monitored. Scanning every message is simply not practical.

This renders collaboration channels black boxes. Security teams lack visibility and control, and secure collaboration channels can feel nonexistent. The activity proceeds at a constant pace, but teams have no way to get their arms around everything that is going on. In this scenario, it is virtually a matter of time before one of the following security and compliance issues arises:

Malware & Ransomware

A simple click on a link is all it can take for malware or ransomware to strike. And bad actors are increasingly skilled at crafting innocent-looking URLs that draw people in. Malware can now be skillfully embedded within innocuous files: Word documents, PDFs, or any other format.

Moreover, bad actors can target various things – money, credentials, and even cryptocurrencies. An example: a credential-stealing piece of malware was being posted in a Telegram channel for cryptocurrency trading. The malware, dubbed ‘Echelon,’ performed various functions such as targeting credentials, crypto wallets, and device details. At first glance, this may seem like an isolated event, but it underlines the risk exposure of enabling modern communication channels to conduct business.

Frequently, the cause of malware or ransomware getting loose is pure accident. A staff member shares what they believe to be a legitimate site or a fun video – but they are unwittingly sharing a threat vector for malware. For example, they might share a file that someone they thought was a customer sent them on LinkedIn. However, this customer was a spear phisher, looking to gain access to the company infrastructure. 

Alternatively, Slack, Teams, and Zoom instances frequently preserve the login credentials of former employees, third parties, or other groups who may have reason to try to harm the enterprise. Most companies have no centralized, systematic way to manage account access.

Moreover, ransomware increasingly incorporates delay mechanisms that allow it to evade initial detection. Even in the unlikely event that a manual review team casts an eye over an offending file or message, they might not spot it for what it is the first time around. Enterprises with secure collaboration channels are better prepared to fight and prevent this digital adversary.

Spear Phishing & Account Takeover

Spear phishing campaigns have taken to targeting Microsoft Teams users through fake emails. These emails, which mimic automated notifications from a solution provider, point users to bogus login pages. There, bad actors collect and harvest legitimate login credentials from company employees. Most companies won’t be able to detect such account changes. They then won’t be able to recover the login credentials stolen from them.

The 2021 EA Games breach described above is an example of this; a bad actor imitated a former employee to gain access.

Spear phishers exploit Slack vulnerabilities, as well. Ashley Graves, a Cloud Security Researcher at AT&T Alien Labs, describes how bad actors can abuse Slack webhooks to gain access to sensitive Slack data. They do this by crafting a phishing message which they send directly through a leaked webhook URL that leads to a Slack workspace. The message tricks the user into installing a malicious app that then exfiltrates data from the workspace. These sorts of threats will only get worse, with Slack upgrades allowing communication across different workspaces and business partners. 

Senior executives are often the target of these attacks, which is why most CISOs are so keen to lay their hands on secure collaboration channels. Alternatively, a successful phishing attack can lead to a cybercriminal posing as an employee in your channels’ instance for weeks or months. The effect can be serious damage: financial and reputational.

Third-Party Risks

Third-party risks must be taken very seriously. Data breaches brought about by third-party vulnerabilities can cause billions of dollars in loss. A good example is the Colonial Pipeline exploit, which also happened in 2021 and resulted in a shut down of the fuel line, which cut off gasoline supply for people in the Mid-Atlantic and other parts of the US.

Brand and reputation damage can also come from these risks, especially when the brand in question has been a victim of compromise multiple times.

Even cyberbullying, hate speech, discrimination, and other threats to a harmonious workplace can become third-party risks, which leads to brand damage, as well. For example: Away, the luggage startup, was one of the most-sought-after brands of designer luggage, but when news of their toxic work environment and breaches of employee policies came out, it left a bad taste for some of their customers. This leads to our next set of risks: compliance violations.

Compliance Violations

The volume and velocity of digital communications creates significant risk exposure to heavy fines & penalties, litigation expense and/or reputation damage. This is especially true for heavily-regulated industries and enterprises such as financial services (finserv), pharmaceutical companies, and healthcare institutions.

Moreover, the need for visibility across all their apps and platforms requires the archiving of significant data for legal discovery. This allows companies to cover their bases and stay compliant to laws and regulations.

Robust compliance protection should include the ability to prioritize and quarantine high-risk violations. This also includes capturing, analyzing, and archiving all direct chats and app group conversations that might contain potential compliance-based violations.

Case in point: An organization needed to establish a secure collaboration platform. However, they generated just over 125,000 chat messages in the first ten days of their deployment. The organization had to onboard dedicated software to help them detect cyber threats like malware and malicious content.

Insider Threats

Insider threat incidents have increased 44% over the past two years. This has cost companies more than $15M per incident, on average. The most common form of insider threat is credential theft, with $4.6 million in losses. Furthermore, financial companies have the highest insider threat cost, $21.25M (up 47% from the previous year).

76% of executives admit that insider threats are what they worry about the most. Especially since more than two out of three insider incidents happen because of negligence. Collaboration platforms play host to very sensitive company information. On Slack or Teams, staff exchange strategic plans, legal documents, financial reports, and other material that they would hate to see leaked. This free flow of sensitive information makes a secure collaboration platform paramount.

Hundreds of thousands of data breaches happen every year, and about 90% of these are due to insiders. The breach could come from anywhere. It could be a complete accident. Or it could come from third-party users with bad intentions. But when people are handling sensitive information in a siloed environment, unfortunately, it is a matter of time before someone breaches the silo. When that happens, enterprises no longer have a way of detecting where their sensitive files have gone or what they have triggered.

Secure data collaboration channels possess systems designed to guard entry to instances. Microsoft Teams, for example, enforces “team-wide and organization-wide two-factor authentication, single sign-on through Active Directory, and encryption of data in transit and at rest.” However, such measures do not address inherent digital risks within the platform. For this reason, most businesses rely on CASBs (cloud access security brokers) for infrastructure protection.

However, CASBs have gaps of their own:

  • A blind gap with message and attachment visibility. CASBs cannot see the contents of these, leaving open doorways to digital risks.

  • A coverage gap for natural language processing. CASBs cannot glean context clues regarding data loss, harassment, and other compliance risks.

  • A measurement gap around data archiving and legal readiness. SIEMs, often used as “buckets” for CASB logs, do not help legal teams needing searchable records and full audit trails.

CISOs need real secure collaboration channels to augment their CASBs. This means integrating applications like Slack and Teams with software crafted to provide protection. This protection should include these capabilities:

Deep Visibility

Enterprises need 100% visibility into messages and user activity in order to secure team collaboration environments, which are corporate assets. From direct chats to larger conversation threads to whole 40-minute long meetings on your third-party apps, organizations need the ability to continuously monitor, scan, and detect digital threats and risks. Instantaneous vetting of messages, links, attachments, and even GIFs is a must to reduce mean time to detection and response (MTTD/R).

Contextual Analysis

The ability to automate the review and analysis of links and language used in messages on collaboration applications is crucial. A solution needs the capability to stop malicious links from getting to your employees and apply contextual analysis to detect third-party risks, including Natural Language Understanding (NLU) to analyze context and intent and detect social engineering language and attack campaigns through cross-channel event correlation.

Malware Detection and Analysis

Security teams must have sandboxing capabilities for analyzing, detecting, and alerting on all attachments sent through security channels. Additionally, many pieces of modern malware possess algorithms that delay attacks. This allows the malware to avoid detection for a few days before unspooling. To address this, a secure cloud collaboration solution with next-generation sandboxing that performs a full execution path unfold is required. This capability fully unpacks all data and files within your system, unraveling and capturing even the most sophisticated malware. The platform should also be able to notify the console and SOC for the review and resolution process.
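The sections above describe the patterns a defender actually needs to catch in a chat stream: a phishing link delivered through a leaked incoming webhook, an attachment that is really an executable, a lingering account belonging to a former employee, and links to domains the organisation never uses. The following scanner, an added example that is not SafeGuard Cyber's code, shows a minimal version of that visibility-and-analysis layer over message events. The event shape, field names, trusted-domain list, deactivated-user list and sample messages are all constructed assumptions, not any real platform's API.

```python
"""
Added example (not SafeGuard Cyber code): a minimal scanner for collaboration-
platform message events that flags the risk patterns the text describes.
The Message shape, policy lists and sample messages are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed policy: domains the organisation expects to see in shared links.
TRUSTED_LINK_DOMAINS = {"example.com", "sharepoint.com"}
# Attachment extensions treated as high-risk when they arrive via chat.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".iso", ".lnk"}
# Constructed identity data: accounts that have been offboarded but may still
# hold a valid session or token in the workspace.
DEACTIVATED_USERS = {"former.employee"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Message:
    """One chat event as a hypothetical platform export would deliver it."""
    sender: str
    text: str
    via_webhook: bool = False          # posted through an incoming webhook
    attachments: list = field(default_factory=list)


def link_domains(text):
    """Return the lowercase hostnames of every URL found in the message text."""
    hosts = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host:
            hosts.append(host)
    return hosts


def is_trusted(host):
    """A host is trusted if it is a listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LINK_DOMAINS)


def scan_message(msg):
    """Return a list of (finding_type, detail) tuples for one message."""
    findings = []
    hosts = link_domains(msg.text)

    untrusted = [h for h in hosts if not is_trusted(h)]
    if untrusted:
        findings.append(("untrusted_link", ", ".join(untrusted)))

    # A link arriving through a webhook is the leaked-webhook phishing pattern:
    # automated integrations rarely need to ask humans to click anything.
    if msg.via_webhook and hosts:
        findings.append(("webhook_link", msg.sender))

    for name in msg.attachments:
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(("risky_attachment", name))

    if msg.sender in DEACTIVATED_USERS:
        findings.append(("deactivated_sender", msg.sender))

    return findings


def scan_all(messages):
    """Map message index -> findings, keeping only messages with findings."""
    results = {}
    for i, msg in enumerate(messages):
        findings = scan_message(msg)
        if findings:
            results[i] = findings
    return results


# Constructed sample stream: one benign message and three risky ones.
SAMPLE_MESSAGES = [
    Message("alice", "Q3 plan is at https://docs.example.com/q3-plan"),
    Message("deploy-bot", "Build failed, re-auth here: https://login-example.com/verify",
            via_webhook=True),
    Message("former.employee", "Can you send me the board deck?"),
    Message("bob", "Invoice attached", attachments=["invoice.pdf", "invoice.pdf.exe"]),
]

if __name__ == "__main__":
    for idx, found in scan_all(SAMPLE_MESSAGES).items():
        print(f"message {idx}: {found}")
```

The double-extension attachment and the webhook-delivered login link are the two cases a keyword filter misses most often; the scanner keys on the delivery path and the file's real extension rather than on message wording, which is what the "context, not content" argument above amounts to in practice.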

Customizable Policies

Every organization in every industry deals with different digital risk pressures. That means each enterprise should tailor their own internal standards and policies. When establishing protocols for secure collaboration, enterprises must deploy risk management solutions that allow complete and bespoke policy customization. Companies need the power to quickly apply these policies across the entire enterprise to secure collaboration channels and apps.

Scalable Technologies

Solutions that secure collaboration channels must have no ceiling. An increasing number of enterprises are onboarding both internal and client collaboration platforms. Companies are hiring all the time. This means the volume of messages and activity within these applications is only going to grow. Security solutions must take advantage of AI and machine learning in order to face zero restrictions on scalability.

READY TO GET STARTED?

SafeGuard Cyber was born out of the realization that existing security solutions aren't enough to combat malware and phishing on social, chat, and collaboration apps that are business-critical in the digital economy.

The Safeguard Cyber platform can keep pace with the scale and velocity of modern digital communications with our patented NLU-powered engine that analyzes context and intent across 30+ communication and collaboration platforms, providing Unified Visibility. Detect and correlate risk events across channels, disrupt attacks earlier, and quicken MTTD and investigation time. Secure collaboration and chat with the right solution.


Secure Human Connections

Ready to see how SafeGuard Cyber secures modern communication apps wherever they exist?