Attackers Have Office 365, G-Suite in Their Sights
Now, Let’s Make This Easier
The AT&T Security team regularly updates threat intelligence and writes correlation rules to detect threats in the cloud, including in your Office 365 SaaS environment. (Caveat: It’s impossible to write correlation rules for every threat in the universe, but we have created hundreds, and are continuously updating those rules as well as adding more daily.)
For Office 365, for example, we’ve created a correlation rule for “Delivery & Attack | Brute Force Authentication | IMAP”. Brute force authentication here means using automation to repeatedly submit credential guesses against a login, drawing on dictionary terms or known username/password lists rather than one-off manual attempts. IMAP matters as a target because it is a legacy protocol: where basic authentication is still enabled for it, a correct password alone grants mailbox access, and the multi-factor checks enforced on modern sign-ins do not apply.
The screenshot in figure 5 shows a summary of alarms triggered for “successful authentication after brute force”, along with the associated events (a run of failed user logins), the alarm priority, the username, the source IP and more.
Users can drill down for more detail, including the associated events (such as the number of login attempts and failures). The alarm also shows the MITRE ATT&CK “rule attack tactic” (credential access) and “rule attack technique” (brute force), which helps if you use the ATT&CK framework as part of your threat detection and response strategy. (AT&T Security has mapped all of its correlation rules to the ATT&CK framework. You can read more about the MITRE ATT&CK dashboard here.)
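To make the shape of such a rule concrete, here is an added example of a minimal “successful authentication after brute force” correlation run over constructed sign-in events. This is illustration code written for this page, not AT&T Security’s rule or product code; the event field names (`ts`, `user`, `src_ip`, `protocol`, `result`), the threshold of five failures, the ten-minute window, the alarm fields and the recommendation text are all assumptions.

```python
# Added example (not code from the original post or from AT&T Security):
# a minimal "successful authentication after brute force" correlation.
# Event shape, field names, threshold and window are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(ts, user, src_ip, result, protocol="IMAP4"):
    """Build one simplified sign-in event (assumed field names)."""
    return {"ts": ts, "user": user, "src_ip": src_ip,
            "protocol": protocol, "result": result}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # carol: five failures, but the success comes 30 minutes later,
    # outside the correlation window -> no alarm at the default window
    ev("2023-05-01T09:00:00Z", "carol@example.com", "203.0.113.5", "Failed"),
    ev("2023-05-01T09:00:15Z", "carol@example.com", "203.0.113.5", "Failed"),
    ev("2023-05-01T09:00:30Z", "carol@example.com", "203.0.113.5", "Failed"),
    ev("2023-05-01T09:00:45Z", "carol@example.com", "203.0.113.5", "Failed"),
    ev("2023-05-01T09:01:00Z", "carol@example.com", "203.0.113.5", "Failed"),
    ev("2023-05-01T09:30:00Z", "carol@example.com", "203.0.113.5", "Success"),
    # alice: five IMAP failures in under a minute, then a success -> alarm
    ev("2023-05-01T10:00:00Z", "alice@example.com", "203.0.113.5", "Failed"),
    ev("2023-05-01T10:00:10Z", "alice@example.com", "203.0.113.5", "Failed"),
    ev("2023-05-01T10:00:20Z", "alice@example.com", "203.0.113.5", "Failed"),
    ev("2023-05-01T10:00:30Z", "alice@example.com", "203.0.113.5", "Failed"),
    ev("2023-05-01T10:00:40Z", "alice@example.com", "203.0.113.5", "Failed"),
    ev("2023-05-01T10:01:00Z", "alice@example.com", "203.0.113.5", "Success"),
    # bob: two typos then a success -> below threshold, no alarm
    ev("2023-05-01T10:05:00Z", "bob@example.com", "198.51.100.7", "Failed"),
    ev("2023-05-01T10:05:30Z", "bob@example.com", "198.51.100.7", "Failed"),
    ev("2023-05-01T10:06:00Z", "bob@example.com", "198.51.100.7", "Success"),
]


def detect_success_after_brute_force(events, threshold=5,
                                     window=timedelta(minutes=10),
                                     protocol="IMAP4"):
    """Return one alarm per (user, source IP) whose successful login was
    preceded by at least `threshold` failures inside `window`.

    Events are processed in timestamp order and the failure window slides,
    so stale failures expire. Keying on (user, src_ip) catches a classic
    single-account brute force; a password spray (one password tried across
    many users from one IP) would need a second rule keyed on src_ip alone.
    """
    failures = defaultdict(deque)  # (user, src_ip) -> recent failure times
    alarms = []
    for e in sorted(events, key=lambda x: x["ts"]):  # ISO strings sort by time
        if protocol is not None and e["protocol"] != protocol:
            continue
        ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        key = (e["user"], e["src_ip"])
        recent = failures[key]
        while recent and ts - recent[0] > window:   # drop expired failures
            recent.popleft()
        if e["result"] == "Failed":
            recent.append(ts)
        elif e["result"] == "Success":
            if len(recent) >= threshold:
                alarms.append({
                    # Rule name as quoted on this page; ATT&CK mapping as the
                    # alarm described above; priority and recommendation are
                    # illustrative assumptions.
                    "rule": "Delivery & Attack | Brute Force Authentication | IMAP",
                    "attack_tactic": "Credential Access",
                    "attack_technique": "Brute Force",
                    "priority": "high",
                    "user": e["user"], "src_ip": e["src_ip"],
                    "protocol": e["protocol"],
                    "failed_attempts": len(recent),
                    "first_failure": recent[0].strftime("%Y-%m-%dT%H:%M:%SZ"),
                    "success_at": e["ts"],
                    "recommendation": ("Reset the password, revoke active "
                                       "sessions, and check whether this "
                                       "mailbox needs legacy IMAP auth at all."),
                })
            recent.clear()  # a success resets the counter either way
    return alarms


if __name__ == "__main__":
    for alarm in detect_success_after_brute_force(SAMPLE_EVENTS):
        print(alarm)
```

With the defaults only alice’s sequence produces an alarm; widening `window` to an hour also catches carol, and raising `threshold` above five silences both, which is the tuning trade-off any such rule carries between noise from forgetful users and missed slow-and-low guessing.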
Alarms also include recommendations on what to do next and how to do it (figure 7).
One final consideration in terms of protecting cloud accounts: they don’t live in a vacuum. If you’re like the bulk of organizations out there, you’re probably using multiple cloud service providers (IaaS, PaaS and SaaS) alongside your on-premises network. Gaining visibility into all of these environments, and the threats to them, in one place is key to staying ahead of things like brute force account compromise in the cloud.
Tawnya Lancaster joined AT&T Security as a Senior Product Marketing Manager in 2018. Previously, she served as the Director of Global Communications for Skybox Security, where she specialized in cybersecurity thought leadership for the vulnerability and threat management and firewall and security policy management space. She graduated from Oregon State University with a B.A. in English, and has received certification in Stanford’s Professional Publishing course, an intensive program for established publishing and communication professionals.
This guest blog is part of a Channel Futures sponsorship