Don’t Let Attackers Crumble Your Cookies: Electronic Arts Breach Lessons
Leading American video game company Electronic Arts (EA) recently disclosed a breach in which hundreds of gigabytes of data were stolen. The exfiltrated information included source code and software that power popular games like FIFA and Battlefield. What’s notable about this attack is that the attackers gained access to EA’s infrastructure through stolen Slack cookies. A cookie like that carries an employee’s already-authenticated session, so whoever holds it can use Slack as that employee without ever entering a password.
As I’m writing this, we still don’t have information about how the Slack cookies were leaked. What we do know is that the attackers used the hijacked session to get into certain internal Slack channels. They then posed as an EA employee to the company’s IT team and asked for a new multi-factor authentication (MFA) token, claiming they had lost their phone at a party the night before. The cookie got them into Slack; the MFA reset, granted on the strength of a chat message, is what turned Slack access into access to the rest of the infrastructure.
Slack is one of many cloud-based software-as-a-service (SaaS) tools that let us stay productive from any location and any device. But that ease of access to corporate infrastructure has made it harder for IT and security teams to know who is accessing data and whether a connecting user or device poses a risk. Just as critical is the ability to keep that data secure, and to prevent leakage, once it leaves the SaaS platform.
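What makes a stolen cookie so effective is that a session cookie is a bearer token: whoever presents it is treated as the logged-in user, with no password and no MFA prompt. One server-side mitigation is to bind each session to the context it was issued in and revoke it the moment the same cookie shows up from somewhere else. The Python below is an added example written for this post; it is not code from the original article, from EA or from Slack. The fingerprint (user agent plus the /24 of the client IPv4 address), the eight-hour lifetime, the reason strings and the in-memory store are all illustrative assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory session store: sha256(cookie value) -> session record.
# Only the hash is stored, so a dump of this table does not yield usable cookies.
SESSIONS = {}

SESSION_TTL = 8 * 3600  # assumed lifetime in seconds


def _fingerprint(user_agent, client_ip):
    """Assumed binding: user agent plus the /24 of the client IPv4 address.

    Using the /24 rather than the exact address tolerates DHCP churn inside an
    office network while still catching a replay from a different network."""
    net = ".".join(client_ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{net}".encode()).hexdigest()


def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(user, user_agent, client_ip, now=None):
    """Create a session after a successful login and return the opaque cookie value.

    The value is random and carries no credentials. Whoever presents it is the
    user, which is exactly why it has to be bound to something."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[_key(token)] = {
        "user": user,
        "fp": _fingerprint(user_agent, client_ip),
        "issued": now,
    }
    return token


def validate_session(token, user_agent, client_ip, now=None):
    """Return (user, None) if the cookie is accepted, else (None, reason).

    A fingerprint mismatch is treated as a replayed cookie: the session is deleted,
    so the attacker is locked out and the legitimate user is forced back through
    login and MFA. The mismatch is also the event worth alerting on."""
    now = time.time() if now is None else now
    key = _key(token)
    sess = SESSIONS.get(key)
    if sess is None:
        return None, "unknown_token"
    if now - sess["issued"] > SESSION_TTL:
        del SESSIONS[key]
        return None, "expired"
    if sess["fp"] != _fingerprint(user_agent, client_ip):
        del SESSIONS[key]
        return None, "context_mismatch_revoked"
    return sess["user"], None


if __name__ == "__main__":
    # Constructed scenario: an employee logs in from a corporate laptop, then the
    # same cookie value is replayed from an unrelated client and address.
    cookie = issue_session("employee", "Mozilla/5.0 (corp-laptop)", "10.1.2.3")
    print(validate_session(cookie, "Mozilla/5.0 (corp-laptop)", "10.1.2.77"))
    print(validate_session(cookie, "python-requests/2.31", "203.0.113.9"))
    print(validate_session(cookie, "Mozilla/5.0 (corp-laptop)", "10.1.2.3"))
```

Two caveats a practitioner should keep in mind: the user agent is attacker-controlled, so an attacker who copies the victim’s browser identity as well as the cookie can pass this check, and strict address binding signs users out whenever they change networks. Treat a context mismatch as a signal to revoke and re-authenticate, and combine it with short lifetimes and a fresh MFA prompt on sensitive actions, rather than as a complete fix on its own.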
Cloud apps and remote work create a complex environment
When analyzing an incident like this, it’s important to take a step back to better understand the underlying challenges it highlights. In this case, the security environment has become more complicated due to cloud apps and how data is handled with everyone working from anywhere.
Slack, Microsoft Teams and similar apps have become required tools for today’s business operations. With these cloud collaboration apps, employees can efficiently communicate and share content with each other regardless of where they sit. This creates an expectation among employees that they should have seamless access to what they need no matter where they’re located or the type of device they use, managed or not.
As a result, your organization is caught in the middle. While enabling your employees to be productive from any location or device, you have lost the visibility and control over your data that you once had when everything was inside your corporate perimeter.
A breach only takes one compromised account
Threat actors are exploiting the complex environment of different devices and cloud apps. Instead of brute-forcing their way into your infrastructure, they now compromise devices or credentials to save time and evade detection.
The EA breach is an example of attackers gaining access with compromised credentials, and the unusual route they took, a session cookie rather than a password, shows how threat actors keep evolving. Regardless of how the stolen credentials are acquired, once an attacker is inside your infrastructure posing as an employee, they can move laterally, elevate their privileges and steal your data.
The most common way attackers steal credentials is by targeting mobile devices with phishing attacks. We place so much trust in phones and tablets because we see them as an extension of ourselves and believe they are inherently secure.
Attackers exploit our misplaced trust in mobile devices to socially engineer us with phishing campaigns. It doesn’t help that, unlike desktop computers, mobile devices have countless channels to deliver phishing messages, such as SMS, social media platforms, messaging apps or even dating apps.
Four steps to secure SaaS apps against account takeovers and protect your data
The EA breach shows that cloud apps, remote work and personal devices have made the security environment much more complex. It also highlights how easily attackers can move laterally with stolen credentials and evade detection. Malicious lateral movement usually results from out-of-date access controls, a lack of visibility into user behavior and misconfigured cloud services. To help secure your data, here are four steps you can take to safeguard against account takeovers:
1. Educate users and implement phishing protection on mobile devices.
As I wrote earlier, phishing attacks against mobile devices are especially effective. To secure your employees’ credentials, make sure your security training includes mobile-specific content. You also need phishing protection for managed and unmanaged mobile endpoints in addition to your existing email phishing security, because phishing arrives through any app, not just email.
2. Deploy dynamic Zero Trust access controls.
Remote access has traditionally been provided via VPNs. While this technology still has its place for now, bring your own device (BYOD) and cloud apps have extended the need beyond what a VPN can provide.
To modernize secure access with awareness of the context under which a user or device is connecting to your infrastructure, you need to deploy technologies like cloud access security broker (CASB) and Zero Trust Network Access (ZTNA). These solutions enable your remote employees to seamlessly connect to any app from any device without putting data at risk of compromise.
3. Learn and monitor users’ behavior.
User behavior anomalies can be a strong indicator of an insider threat or stolen credentials. Examples include a user accessing resources they don’t usually touch, downloading an unusually large number of files or volume of data, or a burst of failed login attempts.
To secure against these malicious activities, you need a security solution that has user and entity behavior analytics (UEBA). By understanding how your users behave, you regain visibility into activity that you lost as your traditional perimeter disappeared.
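To make those three anomaly types concrete, here is a minimal version of the baseline-and-detect logic a UEBA feature runs. It is an added example, not code from the original post or from any Lookout product. It learns which resources each user normally touches from a history window, then scans a later window for access outside that baseline, bulk downloads and failed-login bursts. The log format, user names, resources and thresholds are all constructed for the example; real SaaS audit exports look different and need their own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit logs in a simplified "timestamp user action resource status bytes" form.
# Real SaaS audit exports (Slack, Google Workspace, M365) differ; the parser below is an assumption.
HISTORY = """\
2021-06-01T09:00:00 alice login - success 0
2021-06-01T09:05:00 alice read wiki/onboarding success 2048
2021-06-01T09:30:00 alice read chat/team-marketing success 512
2021-06-02T10:00:00 alice login - success 0
2021-06-02T10:10:00 alice read chat/team-marketing success 700
2021-06-01T11:00:00 bob login - success 0
2021-06-01T11:02:00 bob read repo/game-engine success 90000
"""

TODAY = """\
2021-06-10T02:10:00 alice login - success 0
2021-06-10T02:11:00 alice read repo/game-engine success 4096
2021-06-10T02:12:00 alice read repo/build-tools success 4096
2021-06-10T02:13:00 alice read chat/it-helpdesk success 1024
2021-06-10T02:20:00 alice download repo/game-engine success 400000000
2021-06-10T02:25:00 alice download repo/build-tools success 350000000
2021-06-10T08:00:00 bob login - fail 0
2021-06-10T08:00:30 bob login - fail 0
2021-06-10T08:01:00 bob login - fail 0
2021-06-10T08:01:30 bob login - fail 0
2021-06-10T08:02:00 bob login - fail 0
2021-06-10T08:02:30 bob login - fail 0
2021-06-10T09:00:00 bob read repo/game-engine success 500
"""

# Assumed thresholds; a real deployment tunes these per user population.
NEW_RESOURCE_THRESHOLD = 3                                   # distinct resources outside the baseline
BULK_BYTES, BULK_WINDOW = 500_000_000, timedelta(hours=1)    # bytes downloaded inside one window
FAILED_LOGIN_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)


def parse(text):
    """Turn the constructed log text into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, action, resource, status, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "action": action,
                       "resource": resource, "status": status, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per-user set of resources successfully accessed during the learning window."""
    baseline = defaultdict(set)
    for e in events:
        if e["action"] in ("read", "download") and e["status"] == "success":
            baseline[e["user"]].add(e["resource"])
    return dict(baseline)


def _window_hits(events, weight, window, limit):
    """True if the summed weights of events inside any span of length `window` reach `limit`."""
    for i, start in enumerate(events):
        total = 0
        for e in events[i:]:
            if e["ts"] - start["ts"] > window:
                break
            total += weight(e)
            if total >= limit:
                return True
    return False


def detect(events, baseline):
    """Return (user, alert_type, detail) tuples for the three anomaly types."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        known = baseline.get(user, set())
        new = {e["resource"] for e in evs
               if e["action"] in ("read", "download") and e["resource"] not in known}
        if len(new) >= NEW_RESOURCE_THRESHOLD:
            alerts.append((user, "new_resources", sorted(new)))
        downloads = [e for e in evs if e["action"] == "download" and e["status"] == "success"]
        if _window_hits(downloads, lambda e: e["bytes"], BULK_WINDOW, BULK_BYTES):
            alerts.append((user, "bulk_download", sum(e["bytes"] for e in downloads)))
        fails = [e for e in evs if e["action"] == "login" and e["status"] == "fail"]
        if _window_hits(fails, lambda e: 1, FAIL_WINDOW, FAILED_LOGIN_THRESHOLD):
            alerts.append((user, "failed_login_burst", len(fails)))
    return sorted(alerts, key=lambda a: (a[0], a[1]))


if __name__ == "__main__":
    for alert in detect(parse(TODAY), build_baseline(parse(HISTORY))):
        print(alert)
```

In the constructed data the account "alice" behaves the way a hijacked session does: it touches three repositories it has never read before and pulls most of a gigabyte out of them in a few minutes, which fires two separate alerts, while "bob" only trips the failed-login burst. A real UEBA engine adds more signals (time of day, geography, device) and scores them together, but the structure is the same: learn a baseline per user, then compare.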
4. Verify that your apps are correctly configured.
All of this access and visibility is of utmost importance. However, if your infrastructure carries misconfigurations, such as a security group that leaves port 8839 on your AWS instances open to any IP address, or Salesforce sessions that are not locked to the domain in which they were first used, then you’re building on a shoddy foundation.
Use security solutions that provide cloud security posture management (CSPM). CSPM uses a number of standards, such as CIS benchmarks and cloud-specific best practices, to verify whether your cloud-based infrastructure is properly configured. These automated assessments provide actionable findings that help you ensure the environment itself has a secure baseline.
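As an added example of the kind of check a CSPM tool automates (not code from the original post or from a Lookout product), the Python below inspects security-group definitions shaped like the output of `aws ec2 describe-security-groups`, flags any ingress rule that exposes something other than an approved public port to the whole internet, and produces a remediated copy restricted to an administrative CIDR. The group ID and name, the rules, the approved-port list and the admin CIDR are constructed for the example; the port 8839 rule mirrors the misconfiguration mentioned above.

```python
import copy
import ipaddress

# Constructed input shaped like the SecurityGroups list returned by
# `aws ec2 describe-security-groups`; the ID, name and rules are made up for this example.
SECURITY_GROUPS = [
    {
        "GroupId": "sg-0a1b2c3d4e5f60718",
        "GroupName": "build-servers",
        "IpPermissions": [
            # HTTPS to the world: allowed by the policy below
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # an internal service port left open to any IPv4 address
            {"IpProtocol": "tcp", "FromPort": 8839, "ToPort": 8839,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # SSH restricted to the corporate range: fine
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            # all protocols and ports from any IPv6 address ("-1" rules carry no port keys)
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    }
]

# Assumed policy: only these TCP ports may be reachable from the whole internet.
PUBLIC_OK_PORTS = {80, 443}


def _world_open(cidr):
    """0.0.0.0/0 and ::/0 are the only prefixes of length 0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _ports(rule):
    """(from, to) for a port-bearing rule, or None for protocol -1 (all traffic)."""
    if rule["IpProtocol"] == "-1":
        return None
    return rule["FromPort"], rule["ToPort"]


def _public_ok(rule):
    """True only if the rule is TCP and every port it covers is on the approved public list."""
    ports = _ports(rule)
    if ports is None or rule["IpProtocol"] != "tcp":
        return False
    lo, hi = ports
    return all(p in PUBLIC_OK_PORTS for p in range(lo, hi + 1))


def _cidrs(rule):
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def find_open_ingress(groups):
    """Return (group_id, protocol, port_range, cidr) for every world-open rule that is not approved."""
    findings = []
    for g in groups:
        for rule in g["IpPermissions"]:
            if _public_ok(rule):
                continue
            ports = _ports(rule)
            label = "all" if ports is None else f"{ports[0]}-{ports[1]}"
            for cidr in _cidrs(rule):
                if _world_open(cidr):
                    findings.append((g["GroupId"], rule["IpProtocol"], label, cidr))
    return findings


def remediate(groups, admin_cidr):
    """Return a copy in which each flagged rule is restricted to `admin_cidr` instead of the world."""
    fixed = copy.deepcopy(groups)
    v6 = ipaddress.ip_network(admin_cidr, strict=False).version == 6
    for g in fixed:
        for rule in g["IpPermissions"]:
            if _public_ok(rule):
                continue
            before = len(_cidrs(rule))
            rule["IpRanges"] = [r for r in rule.get("IpRanges", []) if not _world_open(r["CidrIp"])]
            rule["Ipv6Ranges"] = [r for r in rule.get("Ipv6Ranges", []) if not _world_open(r["CidrIpv6"])]
            if len(_cidrs(rule)) < before:  # a world-open range was dropped, so scope the rule down
                if v6:
                    rule["Ipv6Ranges"].append({"CidrIpv6": admin_cidr})
                else:
                    rule["IpRanges"].append({"CidrIp": admin_cidr})
    return fixed


if __name__ == "__main__":
    for finding in find_open_ingress(SECURITY_GROUPS):
        print("OPEN:", finding)
    print("after remediation:", find_open_ingress(remediate(SECURITY_GROUPS, "192.0.2.0/24")))
```

The check deliberately treats a protocol "-1" rule as covering every port, because that is what it means in AWS and it is the case a port-only filter tends to miss. Against a live account you would feed the same functions the JSON from the AWS CLI or SDK and apply the remediated rules with `authorize-security-group-ingress` and `revoke-security-group-ingress` rather than editing dictionaries; the logic of what counts as "open" stays the same.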
Only an integrated platform can simplify endpoint-to-cloud Zero Trust
I want to leave you with this thought. Slack and cloud apps are just some of the places your data now travels to. Your employees are likely using their personal mobile devices and connecting to software in SaaS apps and your data centers. To ensure you deploy Zero Trust across your organization, you need an integrated platform that works from endpoint to cloud.
These recommendations span securing the endpoint, the user, the network and cloud services. The last thing you need is the complexity of acquiring, implementing and managing four separate solutions. An integrated platform will simplify this challenge by providing one way to define security policy from the endpoint to the cloud and one console from which to manage it.
Check out our Slack-Lookout integration page to learn how our CASB can secure your Slack app. To learn more about how you can secure your organization holistically, take a look at the Lookout Secure Access Service Edge Solution page. You should also take a look at the capabilities of the Lookout CASB.