The consequences of mailbox attacks and remote working
In our Work From Home pandemic world, NTT's Patric Balmer explains what Kiwi businesses should be doing to protect themselves against mailbox attacks.
We know that many organisations were not prepared for the first lockdown and were forced to rapidly transition toward putting remote working solutions in place, a foreign concept to the once traditional workplace setting.
Security is a growing concern, with 79 percent of organisations saying they find it more difficult to spot IT security or business risk in a remote setting, yet just half (55 percent) say they’ve had to completely rethink their IT security to accommodate new, hybrid ways of working.
NTT’s latest release of the monthly Global Threat Intelligence Centre report highlights relevant attacks threatening companies around the world. At the heart of these risks has been the evolution of mailbox attacks, which pose threats that are easier to suppress and more difficult to manage. Organisations now need to accelerate the adoption of zero-trust security models and take a holistic approach that incorporates device, user, application and data to ensure ingrained security and data protection.
The local state of play
The working from home model was a rapid transition for most businesses, which also meant that there were no best practice processes or security controls in place on how organisations should be cyber secure. In 2021 we’ve seen a gradual increase and upgrade of how New Zealand businesses are prepared, however only 43 percent of employees are confident that their company information is safe when they’re working from home.
According to research from CERT NZ, cyber-attacks circulated by email pose the greatest threat to New Zealanders’ cyber safety. Phishing and credential harvesting, where an attacker collects personal data to perform a variety of online crimes such as fraud, was the most reported form of attack during 2020.
Just over half (53 percent) of organisations strongly agree that cybersecurity controls are effective in protecting and enabling their employees wherever they work, while (51 percent) agree special cybersecurity tools are required for remote workers.
Email compromise – how does it work?
Due to the use of cloud, VPNs and remote desktop protocols we are seeing more sophisticated attacks where attackers are turning to strategies that imitate human behaviour and are much harder to defend.
The first step in any mailbox compromise is obtaining valid mailbox credentials, the username and password. Attackers tend to use proven social engineering techniques to harvest user credentials. We saw this in the media recently, where a data breach compromised one of New Zealand’s largest and most reputable organisations. The incident affected nearly 3.5 percent of 3.2 million customers, which was approximately 112.000 customers.
Because these attacks depend on human behaviour, we’ve seen the majority of occurrences with users handing over credentials on a forged email landing page hosted on an attacker-controlled website. Attackers do not need to harvest many credentials to accomplish their goal. Naturally, working from home can generate an enhanced risk because of the increase in communication online.
Even a single set of valid credentials can be invaluable if they’re related to the right target. Attacks are targeted in a way where cyber-criminals tend to focus on employees in the finance or executive teams, but they are not limited to this. The compromised credentials allow the attacker to identify the shared mailboxes to which the user had access, and create mailbox rules that further compromise data beyond the user’s mailbox. This allows the attacker to access many more emails than those of the initial user. From there, they hold access as an employee of the business.
What businesses should be doing to protect themselves
Unfortunately, email compromises are not particularly difficult for a dedicated attacker. For internal teams, having limited human connection, can lead employees to respond on auto-pilot. But moving forward, there needs to be continuous upskilling on tactics on how to better recognise phishing emails and better secure the workplace. Some of the initial preventative measures include:
- Secure login credentials for internet facing services with multi-factor authentication, so in the event of a username and password being breached, it isn’t as simple for cyber-criminals to actually access accounts and services.
- Continuously review mailbox audit logs to hunt for anomalies. These logs can identify accounts with anomalous failed login activities and accounts that show unusual login activity from multiple locations.
- Spam filters can help prevent phishing emails before attackers can harvest credentials
- As more companies encourage employees to work from anywhere, on any device, data loss prevention (DLP) solutions are rapidly evolving from nice-to-have to a must-have. An organisation’s strategy for DLP requires security and risk management leaders to identify sensitive data, build use cases for appropriate data handling, develop policies and workflows to address requirements, and integrate with other security technologies.
There is no one rule that fits all mechanics for businesses. As we move into an environment where communication is heightened online, so is the rise of mailbox attacks. Threats are sophisticated, personable and today, hackers add Intellectual Property to their motives. Regardless of whether remote work continues or we see a shift back to physical offices, it is vital for local businesses to prepare and deploy active enhancements to protect the cyber safety of their systems and employees.
NTT New Zealand Ltd
NTT Ltd is a leading, global technology services company. We’re here to enable the connected future.
Compliance and Vulnerability
Cloud compliance is the general principle that cloud-delivered systems must be compliant with standards that the cloud customers face. Essentially, cloud customers need to look at the effective security provisions of their vendors the same way they would look at their own internal security. They will need to figure out whether their cloud vendor services match the compliance that they need. There are several ways to go about this. In some cases, companies can just look for vendors that certify compliance, and choose their services without any further input. However, sometimes clients may need to actually get involved in accessing the cloud vendor's security, to make sure that it complies with the industry standards and regulations.