Account Takeover (ATO) is a thorn in the side of enterprise security teams which Juniper Research has estimated cost companies worldwide $25bn in one year.
What is Account Takeover?
Securing digital information with passwords has always been flawed. In fact, the first-ever computer to use passwords also ironically went on to become the target of not one, but two breaches.
Account Takeover is when attackers abuse the inherent weaknesses in passwords to hijack an account for their own malicious ends. In an enterprise setting, it can be applied to everything from commandeering email accounts to illicitly accessing collaborative working tools or other SaaS services. The result can be anything from locking users out of accounts, to vast data breaches.
Download the 8 steps of Account Takeover Infographic
In fact, the move to hybrid working and rush to put everything in the cloud has only magnified the problem, with vast volumes of critical information and vital processes now behind a remotely accessed login. The Russia-Ukraine war has also driven an increasingly unstable security environment, driving malicious cyber activity. The attack surface is more under threat than ever, whilst also being fragmented and no longer contained within a perimeter.
The most commonly sought credentials by cybercriminals are for cloud email services such as Microsoft 365. Compromising these allows an attacker a strong foothold for collecting intelligence, socially engineering employees or stealing critical IP emailed to the hijacked account.
The result is that Account Takeover can have a variety of real-world impacts. If part of a data-stealing operation, the resultant brand impact and financial losses from breaches are obviously sizeable – not to mention the associated regulatory issues.
What to watch out for
Typically, security teams protecting against Account Takeover need to be aware of three main attack vectors, all aimed at compromising passwords in some way:
-
Phishing: The aim is for malicious actors to convince users to hand over their username and password to enable ATO. Typically, the higher-profile the target, the more tailored the phish. For prime targets, such as government or financial organisations, an attacker may spend significant time researching their mark by collecting information to personalise the approach.
-
Credential stuffing: This sees attackers using a database of stolen usernames and passwords to try and log-in to a variety of different accounts. Success rates increase significantly when using a freshly stolen database.
-
Brute-force attacks: A form of password cracking, this is where large lists of possible passwords are rapidly tried against the target system or application. Often, this will be launched from varying IP addresses to remain below the radar of automated detection systems.
How to protect yourself from Account Takeover
As with any strong security posture, layered security is the watchword. A mesh of complimentary countermeasures always provides the best defence. Identity solutions such as Multi-Factor Authentication (MFA) and Identity-as-a-Service (IDaaS) in particular can be applied to protect user accounts with more than just a password. Even if an attacker obtains account credentials they are unable to access the account – or mailbox.
This is especially true in a world which has just, all of a sudden, embraced mass remote working. With large numbers of employees being forced to work at home, adding MFA and IDaaS as standard to applications such as Microsoft 365 should now be considered mandatory. Security teams can make this less burdensome by tiering rollout – starting with the most at-risk targets, such as admins and senior management.
This should be integrated with strong email, web and cloud application security solutions and combined with ongoing employee training to help cut phishing off as a route to stolen credentials. This is crucial to making a dent in ATO attacks targeted at your organisation in particular.
As part of ongoing hygiene, security teams should also keep abreast of breached credentials databases to ensure their users don’t unknowingly become a risk. In addition, unusual login activity and other anomalous patterns of behaviour, such as attempts to access from irregular geos, should also be flagged across all SaaS applications.
Download all these tips in a convenient eBook. For more information on how to protect yourself from Account Takeover, visit our How to Secure Microsoft 360 hub.
Defence365 Vlog: How do I protect my organization from account takeover in Microsoft 365?