This month, the Wall Street Journal reported that a hacking group published internal communications data from entertainment giant Disney. The group behind the Mickey megaleak claims to have exfiltrated 1.1 terabytes from the company’s Slack platform.
The haul, which allegedly included everything from corporate communications to employees’ dog photos, got a few IT pros thinking about recommendations for how to spot that kind of info spill.
Retention. An internal comms evaluation presents a chance for enterprises to investigate retention policies for an individual’s email and other messaging platforms. Slack (which did not respond to requests for comment from IT Brew), for example, allows automatic deletion of workspace data, according to its help documentation.
Retention policies may differ depending on role, but strong disposal rules give attackers less data to peruse, according to Alexandra Rose, director of government partnerships and director of threat research at Secureworks.
“We would like them to ideally not have the entire history of you working at the company and using Slack and all your comms for that time period. They might get something, but they’re not getting years worth of data,” Rose told IT Brew.
Managed accounts. In data-leak cases, Keith Jarvis, senior security researcher at Secureworks, frequently hears claims from threat actors that they gained access through a company insider—claims that are often not true, he said. In most breaches, according to Jarvis, it’s more likely that attackers stole credentials or cookies from an active session and then operated from another machine.
Conditional access-management providers offer single sign-on access to known, enrolled devices, and provide a layer of protection against a remote attacker who lacks enrollment.
“If they do steal credentials or session cookies, they can’t just load that into a different machine and access that resource and download everything; they actually have to come from a company-managed device, which adds more complexity to carrying out that attack,” Jarvis told IT Brew.
Role-based access control. Slack allows limited data exporting, depending on role, according to its documentation. Access controls limit who can transfer large amounts of data and who cannot, according to Amit Patel, SVP at Consulting Solutions. “It could be as simple as, ‘Hey, if you’re a project manager, or just an end-user of Slack, have a limit of the types of data that you can share, or that you can upload or download,’” Patel told IT Brew.
Alert! Alert! Patel also recommended alert configuration for anomalous actions, like, say, a transfer of 1 TB of data. Security information and event management (SIEM) tools, he said in a follow-up email to IT Brew, collect logs from network devices, servers, applications, and endpoints, and companies can define specific actions for specific detected anomalies: For example, “If most employees usually only download up to 5 GB of data at a given moment, then perhaps set a rule that triggers a stoppage when someone downloads 10 GB of data (an abnormal behavior),” Patel wrote.
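To make the 10 GB rule concrete, here is an added Python example, not code from the article or from any vendor's SIEM: it parses constructed download-audit lines (the log format, field names and the one-hour sliding window are assumptions) and flags any user whose downloads inside that window exceed the threshold Patel describes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

GB = 1024 ** 3
THRESHOLD_BYTES = 10 * GB    # the 10 GB rule from the article
WINDOW = timedelta(hours=1)  # assumed aggregation window

# Constructed sample audit lines; the format is hypothetical, not a real Slack export.
SAMPLE_LOG = """\
2024-07-12T09:00:01Z user=alice action=file_download bytes=2147483648
2024-07-12T09:10:05Z user=alice action=file_download bytes=3221225472
2024-07-12T09:20:10Z user=bob action=file_download bytes=5368709120
2024-07-12T09:25:00Z user=bob action=file_download bytes=6442450944
2024-07-12T11:00:00Z user=bob action=file_download bytes=1073741824
2024-07-12T09:30:00Z user=carol action=message_post bytes=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) bytes=(?P<bytes>\d+)$"
)

def parse_events(text):
    """Return (timestamp, user, bytes) for each download event, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "file_download":
            continue  # skip malformed lines and non-download actions
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], int(m["bytes"])))
    return sorted(events)

def detect_bulk_downloads(text, threshold=THRESHOLD_BYTES, window=WINDOW):
    """Map each user whose downloads in any sliding window exceed the threshold to the peak total."""
    per_user = defaultdict(list)
    for ts, user, nbytes in parse_events(text):
        per_user[user].append((ts, nbytes))
    alerts = {}
    for user, evs in per_user.items():
        start, total = 0, 0
        for ts, nbytes in evs:
            total += nbytes
            while ts - evs[start][0] > window:  # drop events older than the window
                total -= evs[start][1]
                start += 1
            if total > threshold:
                alerts[user] = max(alerts.get(user, 0), total)
    return alerts
```

With the sample data, alice's 5 GB stays under the rule while bob's 11 GB inside five minutes raises an alert; a real deployment would feed the SIEM's own audit export into `parse_events`.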
Skepticism. For Jeff Orr, director of research for digital technology at advisory firm ISG Information Services Group’s Ventana Research, the defense lies not in employee training on proper ways to use Slack, email, or the communication-platform du jour. The recommendation from Orr: Create healthy skepticism among employees, to let them know that today’s malicious hackers target workers who are just trying to do their job well.
“I’d say in a communications platform…just assume everything that you’re sharing is public. It really then causes you to think about: ‘Well, is this the right place to be sharing this information or having this discussion?’” Orr said.