Page 104 - Cyber Defense eMagazine March 2024

where the attacker tries to guess the same password against multiple accounts; credential stuffing, where the attacker takes known credentials from a breach and uses them against other services where the user may have an account; and brute forcing, where the attacker guesses multiple passwords against the same account.


Unlike the adversary in the middle attack example from earlier, this attack requires no interaction on the part of the victim. Tools like MFASweep and trevorspray, both available free and open source on GitHub, allow attackers to carry out credential attacks and check whether any accounts lack MFA. An attacker who finds an account with a weak password and no MFA has found a prime target for a business email compromise attack.



VPN use for initial access

This tactic is more closely aligned with defense evasion than initial access, but it's included here because it's a common attribute of account takeovers. According to reports from the Huntress Security Operations Center, about 75% of confirmed attacks against Microsoft 365 identities come from VPNs. A smaller percentage of attacks come from anonymous proxies, like Tor. While VPNs and proxies are different technologies, they are considered similar in terms of their impact on partners. Threat actors use proxies and VPNs to conceal their IP address while performing account takeovers.

Like a good jiu-jitsu counterattack, security businesses can turn this tactic to their own advantage as defenders. Is VPN use normal for their users? If it is, which types of VPNs should be in use? Analyzing the IP address behind a login can reveal key facts and intelligence to factor into the threat calculus, such as the IP's service provider or whether the IP is a known exit node for a shady proxy service. This allows defenders to differentiate between a user who logs in through a common corporate SASE solution and a user who logs in from Tor. These two events are not the same in terms of risk, and a good detection program should be able to recognize the difference and act accordingly.
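As an added illustration of the IP-analysis approach described above (example code written for this page, not from the article or from Huntress), the following triage routine scores Microsoft 365 sign-in events by the category of their source IP. The corporate SASE range, Tor exit node, proxy ASN and the IP-to-ASN table are all constructed placeholders standing in for real threat intelligence and a GeoIP/ASN lookup.

```python
import ipaddress

# Constructed placeholder intelligence (documentation/private ranges and ASNs, not real data).
CORPORATE_SASE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]   # assumed corporate SASE egress
KNOWN_TOR_EXITS = {"203.0.113.7"}                                   # assumed Tor exit node
ANON_PROXY_ASNS = {"AS64512"}                                       # assumed anonymous-proxy provider
# Stand-in for an IP -> ASN/provider database such as a GeoIP lookup.
ASN_LOOKUP = {
    "198.51.100.23": "AS64500",
    "203.0.113.7": "AS64496",
    "203.0.113.50": "AS64512",
    "192.0.2.10": "AS64501",
}

# Constructed Microsoft 365 sign-in events for the example.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "ip": "198.51.100.23", "result": "success"},
    {"user": "bob@example.com", "ip": "203.0.113.7", "result": "success"},
    {"user": "carol@example.com", "ip": "203.0.113.50", "result": "failure"},
    {"user": "dave@example.com", "ip": "192.0.2.10", "result": "success"},
]


def classify_source(ip: str) -> tuple:
    """Return (category, risk score 0-100) for a login's source IP."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in CORPORATE_SASE_RANGES):
        return ("corporate_sase", 5)          # expected, low-risk path for this tenant
    if ip in KNOWN_TOR_EXITS:
        return ("tor_exit", 95)               # anonymizing network: highest risk
    if ASN_LOOKUP.get(ip) in ANON_PROXY_ASNS:
        return ("anonymous_proxy", 80)        # commercial proxy/VPN provider
    return ("unknown", 40)                    # unclassified; needs analyst context


def triage_logins(events, threshold=50):
    """Flag sign-ins scoring at or above threshold; riskiest first, successes before failures."""
    findings = []
    for ev in events:
        category, risk = classify_source(ev["ip"])
        if risk >= threshold:
            findings.append({**ev, "category": category, "risk": risk})
    # A successful login from a risky source is a completed takeover, so it outranks an attempt.
    findings.sort(key=lambda f: (-f["risk"], f["result"] != "success"))
    return findings


if __name__ == "__main__":
    for f in triage_logins(SAMPLE_EVENTS):
        print(f"{f['user']:20} {f['ip']:15} {f['category']:16} risk={f['risk']} {f['result']}")
```

In production the placeholder tables would be replaced by the organization's own SASE egress ranges, a maintained Tor exit list and an ASN database, and the score would feed the sign-in risk policy rather than a print statement.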



Conclusion

Taking a bite out of BEC is about forestalling adversaries at any point along the attack chain. Identifying and combating tactics that indicate different phases of the attack chain, like persistence, defense evasion and execution activity, is an effective means of combating business email compromise. Every phase of the attack chain can telegraph different indicators and presents opportunities for detection. It only takes one detection to halt what would otherwise be a business-ending event. For businesses' own security programs, maybe initial access is a great initial place to look!

Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.