Written by: Nitin Jyoti, VP Product Management

These are challenging times. Over the last few weeks, the COVID-19 pandemic has affected all aspects of our lives. Take a moment to consider it, and you will realize:
- You are working differently
- You are shopping differently
- You are interacting differently
Think about all the computer users in your enterprise. They are spending hours every day interacting with colleagues in a virtual world, made possible by platforms like Zoom, Microsoft Teams, Skype, WebEx, and others. It's a no-brainer that criminals are scouring these applications for vulnerabilities to gain an edge and make their move into your network. These tools were "nice to have" before and have become a "must-have" today. Not surprisingly, Zoom is facing much of the scrutiny because of its vast popularity, and several of the issues reported against it could, in malicious hands, contribute to a breach. This blog focuses on how you can use Attivo's technology, and its flagship solution, the Attivo ThreatDefend® platform, to mitigate these risks so that customers are better protected.
Before we go any further, it's essential to realize that attackers chase credentials above almost anything else, because credentials let them move inward and fulfill their objectives without noisy exploits. Depending on which vulnerability you are looking at, the prize could simply be the employee's Zoom password, or it could be their Windows NTLM password hash, as in the reported UNC-link issue in the Zoom client (https://www.bleepingcomputer.com/news/security/zoom-lets-attackers-steal-windows-credentials-run-programs-via-unc-links/).
The Attivo ThreatDefend platform, together with the ThreatStrike® solution (part of the Endpoint Detection Net (EDN) suite), can very easily detect and deceive an attacker who has made it inside your network, providing you with information on the users and endpoints they compromise. You can then build playbooks and take response actions for exactly those subsets of users or systems.
At a high level, you can achieve this in two ways:
- Create attractive-looking Zoom accounts that appear to sit higher in the value chain and deploy them across the endpoints
- Create deceptive credentials that match the existing usernames and lead attackers to network decoys that the BOTsink® deception server projects across the network
The goal behind both of these methods is simply to deceive attackers into using fake credentials, leading to an alert that captures information on what they are after. Below are details on how to implement these scenarios:
- Attractive Zoom credentials deployed across a select few high-value targets:
  - Create additional Zoom accounts that look like privileged user accounts (they exist only to be stolen, so any sign-in attempt with them is a high-fidelity signal).
  - Configure Zoom to forward its authentication logs to your SIEM (Syslog, Splunk, etc.). Note that sign-ins via SSO bypass this, so if you use SSO you must configure logging on the SSO side accordingly.
  - Create or edit an endpoint campaign to include these new Zoom accounts, deploying them as deceptive credentials for all browsers.
  - Generate a ThreatStrike binary and deploy it to the user endpoints.
- Deceptive credentials mimicking real usernames, leading attackers to decoy servers:
  - Create a Decoy Server group with DNS objects within the BOTsink. The DNS names for these objects can contain the real zoom.us server names, but the corresponding IP addresses are your decoys, so any host that connects to them has followed a planted credential rather than legitimate Zoom traffic.
  - Create or edit an existing endpoint campaign to include these decoy servers, with credentials that mimic actual usernames deployed as deceptive credentials for all browsers.
  - Re-generate the ThreatStrike binary and deploy it across your endpoints.
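Both scenarios produce the same kind of signal on the SIEM side: a sign-in attempt with an account that only exists as bait, or a connection to an IP that only a decoy answers on. The following is an added example of that alerting logic, written for this post and not code from Attivo or the ThreatDefend platform. It assumes a constructed newline-delimited JSON event shape (`source`, `type`, `user`, `src_ip`, `dst_ip` fields), the hypothetical decoy accounts and decoy subnet shown in the constants, and a per-endpoint mapping of where each deceptive account was planted, so that use of a decoy credential points straight at the endpoint it was harvested from.

```python
"""Honeytoken alerting for deceptive Zoom credentials and decoy servers.

Added example, not Attivo/ThreatDefend code. The event format, decoy
accounts, decoy subnet and endpoint names below are all constructed
assumptions for illustration.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Assumption: one deceptive Zoom account per high-value endpoint, so the
# account that shows up in a sign-in log identifies the compromised host.
DECOY_ACCOUNTS = {
    "cfo.backup@example.com": "WS-FIN-07",
    "zoom-admin@example.com": "WS-IT-02",
}

# Assumption: the decoy servers the deception platform projects live here.
DECOY_NETWORK = ipaddress.ip_network("10.99.0.0/24")


@dataclass(frozen=True)
class Alert:
    kind: str       # "decoy_account" or "decoy_server"
    endpoint: str   # host the attacker is assumed to have compromised
    detail: str


def check_zoom_sign_in(event: dict) -> Optional[Alert]:
    """Any sign-in attempt with a deceptive account is an alert.

    Nobody legitimately knows these accounts exist, so a failed attempt is
    as significant as a success: the credential was already harvested from
    a browser store and is now being tried.
    """
    if event.get("source") != "zoom" or event.get("type") != "sign_in":
        return None
    user = str(event.get("user", "")).strip().lower()
    if user not in DECOY_ACCOUNTS:
        return None
    return Alert(
        kind="decoy_account",
        endpoint=DECOY_ACCOUNTS[user],
        detail=(f"{user} sign-in {event.get('result', '?')} "
                f"from {event.get('src_ip', 'unknown')}"),
    )


def check_decoy_connection(event: dict) -> Optional[Alert]:
    """Any connection into the decoy subnet is an alert.

    Real Zoom traffic goes to Zoom's public endpoints; only a host that
    followed a decoy DNS name or a planted credential reaches a decoy IP.
    """
    if event.get("type") != "conn":
        return None
    try:
        dst = ipaddress.ip_address(event.get("dst_ip", ""))
    except ValueError:
        return None
    if dst not in DECOY_NETWORK:
        return None
    src = str(event.get("src_ip", "unknown"))
    return Alert(
        kind="decoy_server",
        endpoint=src,
        detail=f"{src} connected to decoy {dst}:{event.get('dst_port', '?')}",
    )


def triage(lines: Iterable[str]) -> List[Alert]:
    """Run both checks over newline-delimited JSON events, skipping bad lines."""
    alerts: List[Alert] = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed SIEM line must never break the pipeline
        for check in (check_zoom_sign_in, check_decoy_connection):
            alert = check(event)
            if alert:
                alerts.append(alert)
    return alerts


def endpoints_to_contain(alerts: Iterable[Alert]) -> Set[str]:
    """Hosts to hand to the response playbook (isolate, re-image, reset)."""
    return {a.endpoint for a in alerts}


# Constructed sample events: one benign Zoom login, one attempt with a
# planted account (note the case difference), one decoy touch, one benign
# connection, and one garbage line.
SAMPLE_EVENTS = [
    '{"source": "zoom", "type": "sign_in", "user": "alice@example.com", '
    '"result": "success", "src_ip": "203.0.113.5"}',
    '{"source": "zoom", "type": "sign_in", "user": "CFO.Backup@example.com", '
    '"result": "failure", "src_ip": "198.51.100.7"}',
    '{"source": "fw", "type": "conn", "src_ip": "10.20.1.33", '
    '"dst_ip": "10.99.0.12", "dst_port": 443}',
    '{"source": "fw", "type": "conn", "src_ip": "10.20.1.33", '
    '"dst_ip": "203.0.113.40", "dst_port": 443}',
    'not json at all',
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for alert in found:
        print(alert.kind, alert.endpoint, alert.detail)
    print("contain:", sorted(endpoints_to_contain(found)))
```

The two checks deliberately ignore whether the sign-in succeeded or the connection completed: with bait, the attempt itself is the evidence. Keeping one deceptive account per endpoint is what turns the alert into an answer to "which machine did they harvest this from", which is the information the playbook needs.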
Both of these methods let you detect attackers who go after Zoom credentials, but it goes without saying that you should also deploy deceptive credentials for the other services your enterprise already uses; an attacker will take whichever credential is closest to hand.
So long, stay safe even in the virtual world!