Another example is Twitter, says Halstead. “[In 2020] attackers gained access to the internal systems of Twitter through a social engineering and phishing scheme targeting employees,” he says. “Bad actors took over an internal IT administrator tool that was used to manage accounts. They leveraged prominent accounts, including those of high-profile individuals and companies, such as Coinbase, and used them to promote a cryptocurrency scam.” The hackers stole more than $118,000 worth of Bitcoin.
Six best practices to defend against corporate account takeover attacks
While there is no one security practice and control that can prevent CATO attacks, several used in combination (defense in depth), can significantly reduce the risk, says Biswas. Here are six best practices to prevent corporate account takeover attacks
Defense in Depth
Companies must implement a defense-in-depth approach, Halstead says. Maintaining a healthy security posture remains paramount in preventing corporate account takeovers among other cyberattacks.
“Organizations must implement layers of defense that include vulnerability management, network segmentation, email/web filtering, intrusion detection and monitoring, third-party risk management, and incident response.”
Multifactor authentication (MFA) and more for online account access
It’s important to have strong multifactor authentication around all corporate accounts, says Bryan Willett, CISO at Lexmark.
“What we’re finding with some of the latest phishing services that are out there, such as EvilProxy, is that they’re getting very good at imitating a login screen that looks just like your corporate login screen and your corporate MFA challenge,” Willett says. “And the user has the potential of falling victim to that and sharing their MFA.”
However, while companies need to continue enhancing their MFA they also need to continue looking at more advanced MFA methods, such as Fido keys, Willet says. But those more advanced methods are an investment, so organizations must decide whether they’re going to invest in them.
Strong access management strategies
Implementing strong access management measures is essential, particularly through the utilization of privileged access management tools, according to Halstead.
“And regular access reviews that also involve third parties are of utmost importance,” he says. “It is vital to establish procedures for both personnel joining and leaving the organization to uphold the principle of least privilege.”
Contextual access management measures
Organizations should also implement contextual access management that considers a user’s current location, the device being used, time of access, network environment, behavior patterns, and other contextual information, according to Halstead.
“By doing so, the risk of unauthorized access, often exploited in corporate account takeovers, can be significantly minimized,” he says.
Robust security monitoring
At Lexmark, security monitoring is performed by the security operations team. “They perform a 24-hour-a-day, seven-days-a-week function where they’re monitoring every alert that comes out of our tool sets,” Willett says.
“The toolsets are everything from our endpoint detection and response to our identity systems. For instance, in identity one of the triggers that frequently occurs when someone’s trying to do a business email compromise is some form of travel-type alert, where we saw someone logged in one location and all of a sudden, they’re showing up in a very different part of the world and that sets off an alarm.”
Employee education and training — a human firewall
Employee education and awareness are critical, says Halstead. This “human firewall” remains a very important defense in preventing corporate account takeovers.
“Ensure you regularly educate and train employees about the risks associated with corporate account takeovers, particularly those professionals who have privileged access or are in highly targeted areas, such as payments and finance,” he says.
This includes making employees aware of the key things to look for in an email to know that it was a malicious email or had malicious intent in some way, Willett says. “Everything from looking at the sender, looking at the URL they’re trying to send you too,” he says. “If you do happen to click on the URL and you see a login screen, make sure the login screen is going to a domain or URL that makes sense. It shouldn’t be Joe’s Smoke Shop that you’re logging into.”
