Why Unsanctioned Apps Complicate ATO Attacks–And How to Protect Against Them

When an incident pops, every second counts. The math is simple: the longer it takes incident response teams to triage and investigate a live incident, the more damage an attacker can do.

Account takeover attacks (ATO) are difficult to detect, particularly if the attackers are careful. With traditional email and DLP security tooling, ATO TTPs can be very difficult to distinguish from normal behavior.

Adding fuel to the fire, depending on which stats you believe, anywhere between 45 and 80% of your employees are using unsanctioned apps in their day-to-day work. Even though the majority are used with good intentions, cloud apps or services your employees are using outside of the visibility of IT and security teams make entry and lateral movement easier for the attackers–while making detection and response harder for security and IR teams.

‍

ATO is difficult to detect, and shadow IT makes it worse

Discovering and effectively assessing breaches is often the most difficult part of the incident response process. ATO attacks that originate with a compromised mailbox can be particularly tricky, as the attacks can be hard to distinguish from expected use. Particularly sophisticated attackers can be nearly impossible to detect–which is why when larger attacks make the news it often comes out that they’ve been inside accounts for months or longer.

Legacy SEG and DLP solutions may detect sensitive information in outgoing emails, but your authorized users will also be sending that information legitimately during the normal course of business. The alerts that pop up will only be distinguishable from normal behavior patterns if an attacker gets sloppy and sends unusually high volumes of data in short periods of time. And even then, your security teams may not notice those alerts within the thousands of others they’re getting from noisy DLP tools until it’s too late.

When unsanctioned apps enter the equation, your attack surface expands even as detection becomes even more difficult. Unmonitored apps introduce new vulnerabilities and potential entry points for attackers. Shadow IT by definition isn’t tracked by the security team, which means the logs these apps and services generate aren’t fed into your SIEM or SOAR platform. This forces IR teams to deal with significant gaps in the digital forensics they have to evaluate the attack vector that allowed the attacker inside, track how they moved within the environment, and evaluate the extent of the damage done.

After a breach is detected and investigated, the containment and isolation process can be complicated enough even when dealing with known, sanctioned systems and apps. But containment of a breach becomes significantly more complicated when you don’t know the full extent of the systems affected, how those systems are interconnected, and lacking telemetry from those systems–and that’s exactly the scenario facing IR teams when shadow IT is in play during an ATO scenario.

Maintaining regulatory compliance during breach containment can be incredibly difficult when shadow IT is in play, as well. Unsanctioned apps will often fail regulatory requirements simply by nature of falling outside of an organization’s GRC program, let alone whether they meet compliance guidelines by themselves. This forces IR teams to take additional steps to ensure they’re not breaching regulatory requirements with their containment efforts.

‍

Detect, Contain, and Protect ATO and Unsanctioned Apps with Material

Material is able to detect a wider range of potential ATO signals thanks to our API connection with your email system, combined with the advanced analysis and correlation our structured data platform makes possible. Our security toolkit is the only security toolkit designed to provide comprehensive email security, understanding email not only as an attack method (providing multi-layered protection against phishing attacks), but also as an attack vector (detecting and containing lateral movement and account takeovers) and an attack target itself (protecting the sensitive historical data within inboxes).  

Our approach to email and data security speeds detection of and response to potential breaches, providing additional signals and telemetry that traditional security tooling misses. Critically, we also provide a layer of prevention and posture hardening that significantly reduces the risk of compromise in the first place.

• Phishing Protection - Material’s inbound email defenses minimize the risk of successful phishing attacks, which remain among the most common method of incursion for account takeovers. Our combination of AI, threat research, custom detections, behavioral analysis, and collective intelligence provide critical defense in depth to native security tooling, and is able to detect and protect against sophisticated attacks that evade native security controls.  
• Auto-forwarding detection - Material surfaces all instances of auto-forwarding set up within your environment, both internal and external. This not only gives visibility into who’s sending email outside of the organization automatically (potentially dangerous behavior even when not indicative of an ATO), but the platform also allows you to disable forwarding with a single click.
• Posture Management and Hardening - See which of your Google Workspace and Microsoft 365 accounts don’t have MFA enabled, which Google Groups allow message posting from external users, whether any accounts, apps, or partners have been part of public data breaches, and more.
• Shadow IT Detection, Protection, and Blocking - Our ability to detect and intercept machine-generated emails like password resets and account verification emails gives Material the ability to surface which unsanctioned apps are in use within your organization. We give you the ability to monitor these emails, protect them with an additional MFA prompt, or block them completely.
• Account Verification Email Protection - Material’s API integration with Google Workspace and Microsoft 365 allows us to detect and intercept account verification emails (like the password reset and other emails that attackers use to pivot from compromised inboxes to other apps). We give an added layer of protection to these emails, requiring the user pass a simple MFA challenge.
• Sensitive Data Containment - We keep sensitive historical data safe in your mailboxes, even post-breach. Material automatically detects, classifies, and removes sensitive data from mailboxes unless an MFA challenge is passed–logging every access attempt.
• User Behavior Analysis - Our platform combines data from all of the above features and more, providing deep insight into user behavior within their inbox and the ability to quickly and accurately unearth changes in behavior that could indicate account compromise.  

Taken together, these capabilities combine to provide robust preventative security against all of the ways your email system can be attacked, while simplifying response and remediation actions for ATO attacks and the complications that arise from unsanctioned and unmanaged apps and services.

‍

Ready to take control of your environment? Contact Material Security for a demo to shine a light on the shadows of your organization.