Account Takeovers (ATOs) are a major threat to organizations around the world. This common form of attack occurs when a cyber criminal uses legitimate credentials to gain unauthorized access to user accounts. Once inside, the attacker may steal data (PII or sensitive corporate data), steal money, and perform fraud campaigns. Each year, organizations lose millions of dollars in account takeover attacks.
But to start, let’s understand how attackers get their hands on legitimate credentials; Though there are many ways attackers can acquire credentials, there are a few main methods used:
Once the attacker has the credentials and makes their way inside, takeovers can go unnoticed for a great deal of time--and sometimes, they are never even discovered. This malicious actor on the inside can put your data and reputation in danger and can leave your organization in violation of regulations such as CCPA and GDPR.
There are many reasons that account takeover attacks are a popular attack method. But a main driver currently is the prevalence of SaaS applications used across organizations today. These platforms hold a wealth of critical corporate data, which has made them a favorite target for attackers looking to launch account takeovers. Office 365, for example, with its 180 million users and easy access to communication channels and stored data, has become a preferred attack vector. In fact, according to Microsoft’s own stats, Office 365 experiences more than 300 million fake sign-in attempts--per day. Attackers use the stolen credentials to gain access and launch attacks from inside the application.
But it's not just MS’s productivity platform that is targeted--In 2019, the ever-popular Slack was found to be harboring a security flaw that allowed attackers to initiate automated account takeovers. And not only are they easy to execute, they turn a great profit; with as little as $100, the attacker can acquire the stolen credentials and brute force or credential stuffing tools needed to pull off massively damaging attacks.
Organizations and the SaaS platforms themselves invest a huge amount of money and resources into trying to prevent account takeover attacks. But the very same elements that make SaaS applications so useful for organizations--access to vast amounts of storage and simplified communication and collaboration--continue to make them appealing targets for account takeovers.
There are some defenses organizations use to try prevent these attacks:
Fortified Password Hygiene - Using stronger, better passwords seems like a decent place to start when thinking about how to fortify account security. But here’s the thing about passwords; We all know that for a password to be secure it must be a long, random, and difficult-to-guess string of letters or words. People just aren't wired for randomness and what we think is hard to guess is often a piece of cake for an attacker. And according to Google, nearly 66% of people reuse passwords from account to account and there’s a very high likelihood that other accounts belonging to the same user will be accessible with the same passwords. Moreover, with the right tools, as mentioned above, even the most random and unique passwords can, in time, be cracked.
Multi-factor Authentication (MFA) and Single Sign On (SSO) - These two preventive measures are tightly coupled and both play an important role in preventing account takeover attacks since they provide extra layers of security to the main login method i.e., the web interface. But there are many legacy authentication protocols that don't support MFA and almost all SaaS platforms have ways to bypass SSO governance for the purpose of resiliency, making these methods less than 100% effective.
Continuous Monitoring of Accounts - A common approach to prevent account takeovers is constant monitoring for potential signs of a breach, such as suspicious logins from new browsers, devices, and locations; multiple password reset attempts in close succession; the implementation of new and questionable mailbox settings and configurations; the turning off of MFA, etc. But by nature, these attacks look like normal user behavior and thus, these behaviors may fly under the radar of continuous monitoring solutions.
To prevent account takeovers, you need to get full and automated control over your SaaS applications. With SaaS security posture management, you can detect weaknesses in real time and address them before attackers have the opportunity to make use of them by:
With Adaptive Shield, you can fine tune your SaaS native security controls to understand the full picture and see all the gaps and loopholes that exist to prevent account takeovers across all your applications. By extending visibility across your entire stack, you can fix issues immediately and keep your organization from experiencing the damaging impact of ATOs. To learn more about extending automatic control across your SaaS applications, get in touch with us today.