The numerous successful cyber attacks in recent months make it abundantly clear: IT security teams need insight into how users are interacting with their IT infrastructure across all media. Vectra AI, expert in AI-based cybersecurity, explains how this is possible.
Stay Alert Throughout The Attack Lifecycle
If a potential attacker is spotted trying to exfiltrate data from the production database, they cannot simply be eliminated to move on to the next task. Security professionals therefore need to be able to see how and where the attackers got in and plug this gap. However, they cannot do that if they cannot connect the dots between the cloud and the network infrastructure.
That’s why security engineers have developed solutions that provide a unified view of accounts across the network and the cloud.
An example would be when a user on Office 365 is the victim of spear phishing so that stolen credentials are used to access critical infrastructure. A contemporary security platform then displays this information, with full context of what the user did, when, and why action should be taken. If someone is performing some questionable Exchange operations on Office 365, a modern solution can quickly show which hosts that account affects on the network, so it can be seen if there has been any suspicious activity on those hosts.
Looking at some recent attacks, it’s clear that attackers don’t see the cloud network as the slightest impediment to their attack progression.
However, when the network and cloud detection portfolios are not linked, the scope of such an attack can be completely overlooked.
Office 365 ‘s attack surface isn’t just limited to first access. Attackers with Office 365 access can abuse SharePoint to corrupt shared folders and side-spread to endpoints using DLL hijacking techniques or by uploading malware. The same SharePoint functionality used to sync normal user files can be run on each endpoint to sync a single share, bypassing standard network collection techniques. An attacker can then, with a few clicks, set up persistent exfiltration channels via Power Automate flows that can upload data from any infected endpoint on a daily basis. There are many options here and there are more and more.
It’s also possible that there might be an issue in the cloud where the attackers used brute force to obtain an account’s credentials, followed by creating new email rules, which is bad but not bad. However, there was also sideways movement in the network, which is much more concerning since it is not known how the hackers got in. In Cognito, bringing these views together means analysts have an early and complete view, enabling them to stop the attack before data is moved or damage occurs.
