Today, an increasing number of large enterprises, from financial institutions to healthcare providers, rely on messaging and collaboration tools. According to a report by industry analyst firm International Data Corporation (IDC), worldwide revenue in the collaboration applications market grew 28.4% year over year in 2021 to $29.1 billion. “This growth was driven by a series of factors including companies expanding collaboration to more people, the purchase and integration of multiple solutions to better meet corporate needs, and price increases and/or feature upgrades.” Yet these apps can instill a false sense of security, putting millions of users at risk of cyberattacks.
Redefine What Makes a Trusted Environment
When it comes to messaging security, organizations tend to have a myopic view that it’s only about “email, email, email.” True, email is far from dead. In fact, business email volume is still growing, and email remains the main initial-access vector. Yet more sophisticated attacks are happening over Teams and Slack. People just don’t realize it, because they view these apps as internal tools and aren’t taking the necessary steps to secure these platforms.
Let me explain. Access tokens are the keys to the Slack platform: a token carries the scopes and permissions an app (or a user) has been granted to read, write, and interact with the workspace. I’ve seen attacks that target, exfiltrate, and abuse specific tokens. Let’s say I steal your Slack token and use it to send a message, as you, to all your colleagues telling them to click on a link or download and run a file. Your device is never involved, so nothing on it will notice. Slack can see that the request came from a different IP address, but it is just a script I executed with your token; nothing about it is visible to anyone else.
With a stolen token I can act as the user, or as an app I have created, and write messages to everyone in the organization: “Click on this link,” “Hey, here’s the executable that installs the second half of this year’s Windows security updates,” or “Hey, please reset my password.” Your colleagues, or whoever receives the message, believe they’re in a trusted environment, so they’re more inclined to follow the instruction, click the link, or run the executable.
Build Messaging Security into Overall Cloud Program
Today, attackers are more likely to succeed when abusing messaging tools than email, because email has a lot of safeguards in place, from spam and malware filters to sender authentication standards. In addition, email users are frequently warned by the FBI, security awareness training programs, their preferred retailers, banks, and other organizations to follow basic common-sense security protocols such as, “Don’t trust emails that ask for urgent action.” For messaging tools, however, there is little security guidance.
The wake-up call to the risks these apps present will come when an organization goes through its logs and realizes that a Slack token was compromised, something most organizations have no visibility into today; at best, they notice that something odd was happening. Efforts by collaboration software providers to build security features into their products are still in their infancy, and basic malware scanning is not enough: zero-day malware and social engineering are still being missed.
Organizations need to include these messaging tools as part of their overall comprehensive cloud security strategy. In the meantime, below are a few immediate countermeasures you can take:
● Don’t federate with everybody. If Company B wants to interact with Company A on Slack or another messaging app, the two need to establish a relationship, known as a federation. Require approval on your side, so that a federation is a handshake in which both parties confirm: “Yes, we both want to participate.” It should never be a relationship the other side can establish on its own.
Federate with the partners that you want to partner with, but don’t be open to everybody. Build a workflow so that you can initiate a federation with interested parties, but not everybody can federate with your tenants.
● It’s the intention. Just because you feel secure in Slack or in Teams doesn’t mean you’re secure. Just as we have learned with business email compromise, you should question the intention of the sender of the message to ensure their request is legitimate.
● Watch that executable. People still exchange executables on Slack and Teams, including malicious ones. Leverage the filter capabilities built into Slack and Teams to allow only document exchange, not code exchange.
● Enhance behavioral analytics and monitoring. Leverage tools like a CASB to inspect what users or apps are posting. This not only helps fend off common risks like malicious files or sensitive requests, it also provides visibility into behavior that is out of the norm, so it can be remediated.
The intimate nature of these messaging tools may foster a false sense of security. In addition to the steps mentioned above, be sure to also continue to build a culture of security at your organization that educates your users on the potential risks these tools may pose. Your business depends on it.
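As an added example (not code from the article, and not Slack’s or Teams’ own tooling), here is a small Python script that runs the checks the token-replay scenario and the log-review and monitoring points above describe, over constructed activity records: a user whose requests suddenly arrive from an address and client string never seen before, a burst of messages fanned out to many recipients in a short window, and attachments that are executables regardless of their file name. The record shape, the magic-byte list and the thresholds are assumptions chosen for illustration; a real deployment would read the platform’s audit log export, which records the source IP and client user agent per request.

```python
"""Added example: flag token-abuse patterns in collaboration-app activity logs.

Not code from the article or from Slack/Teams. The record shape, magic-byte
list and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict

# Constructed records (not a real platform schema). ts = seconds; target = channel
# or DM the message went to; file_head = leading bytes of any attachment.
EVENTS = [
    # U01's normal activity: desktop client, office egress address, a few chats
    {"ts": 1000, "user": "U01", "ip": "198.51.100.10", "ua": "Slack/4.29 Mac",
     "target": "C-eng", "text": "lunch?", "file_head": b""},
    {"ts": 1300, "user": "U01", "ip": "198.51.100.10", "ua": "Slack/4.29 Mac",
     "target": "D-U02", "text": "PR looks fine", "file_head": b"%PDF-1.7"},
    {"ts": 1200, "user": "U02", "ip": "198.51.100.11", "ua": "Slack/4.29 Win",
     "target": "C-eng", "text": "ok", "file_head": b""},
    # Later, U01's token is replayed by a script on an unfamiliar host, fanning
    # out the same "run this update" DM plus a Windows PE file to six colleagues.
    *[{"ts": 5000 + 3 * i, "user": "U01", "ip": "203.0.113.7",
       "ua": "python-requests/2.31", "target": f"D-U{10 + i}",
       "text": "Please run the attached security update now",
       "file_head": b"MZ\x90\x00"} for i in range(6)],
]

# Leading bytes of common executable formats: PE, ELF, 64-bit Mach-O (both
# byte orders), Mach-O fat binary, and a script shebang.
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
              b"\xca\xfe\xba\xbe", b"#!")


def is_executable(head: bytes) -> bool:
    """Sniff content rather than trusting the file name: a renamed .exe still
    starts with 'MZ'. An empty head (no attachment) is not executable."""
    return any(head.startswith(m) for m in EXEC_MAGIC)


def origin_baseline(events, cutoff):
    """Per user, the (ip, user-agent) pairs seen before `cutoff`: what normal
    client access looked like."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff:
            seen[e["user"]].add((e["ip"], e["ua"]))
    return seen


def new_origin_alerts(events, baseline, cutoff):
    """Activity after `cutoff` from an (ip, user-agent) the user never used
    before. A replayed token usually arrives with a new client string and from
    an address outside the user's usual egress."""
    alerts = set()
    for e in events:
        if e["ts"] >= cutoff and (e["ip"], e["ua"]) not in baseline.get(e["user"], set()):
            alerts.add((e["user"], e["ip"], e["ua"]))
    return sorted(alerts)


def burst_alerts(events, window=60, threshold=5):
    """Users who message at least `threshold` distinct targets within `window`
    seconds: the fan-out of "send this link to everyone"."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((e["ts"], e["target"]))
    out = []
    for user, msgs in by_user.items():
        msgs.sort()
        for i, (start, _) in enumerate(msgs):
            targets = {t for ts, t in msgs[i:] if ts - start <= window}
            if len(targets) >= threshold:
                out.append((user, len(targets)))
                break
    return out


def executable_alerts(events):
    """(user, target) pairs where an executable was posted."""
    return sorted({(e["user"], e["target"]) for e in events
                   if is_executable(e["file_head"])})


def review(events, cutoff):
    """Run all three checks; `cutoff` separates the learning period from the
    period under review."""
    base = origin_baseline(events, cutoff)
    return {"new_origin": new_origin_alerts(events, base, cutoff),
            "burst": burst_alerts(events),
            "executables": executable_alerts(events)}


if __name__ == "__main__":
    for kind, hits in review(EVENTS, cutoff=4000).items():
        print(f"{kind}: {hits}")
```

Two caveats when turning this into a real detection: the user-agent string is chosen by the client, so an attacker who replays a token can set it to look like the desktop app, which makes the source address (or its ASN) and the fan-out timing the stronger signals; and the window and threshold above are arbitrary and must be tuned against a workspace’s real message rates before they are allowed to page anyone.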