Despite the fact that we’re in the business of responding to breaches, I still feel terrible when we get a call that a client has been hacked. It’s the same story most of the time, which is probably two to three times a week. A client calls us panicked because one of their email accounts was compromised and the bad guy is seemingly using the compromised account to hack into the network or use it as a jumping off point to email all the contacts in the account in an effort to exploit them as well.
We almost always start with the exact same recommendation:
In the name of all that is good and decent, change your Office 365 defaults.
To help prevent your company from being hacked, enable two-factor authentication and enable logging.
Two-factor Authentication (2FA)
What is 2FA?
Two-factor authentication (also known as 2FA) is a type, or subset of multi-factor authentication. It’s a method of confirming users' claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.
How does 2FA work?
There are many ways to set up 2FA. For me, anytime I log in to my email account, I get a notification on my cell phone asking me if it’s really me that is trying to log in. If a hacker steals your credentials and tries to login, you’ll get a phone call, and (hopefully) you will not say it’s you and they will be blocked. It’s pretty straight forward actually.
By default, Office 365 does not have this option enabled when you create the account, so you have to enable it yourself.
Do it.
Do it right now.
Literally—this blog can wait.
Sure, it can be a little bit of work to enable and set up, but comparatively speaking, this is a very small effort that will either stop the hackers or make it significantly more difficult for them to get in. Yes, you can find articles out there about the weaknesses of 2FA—it’s not a cure-all, but it’s still a no brainer to have it enabled because it will help lock out hackers from the account. Notice I said help. Without further analysis, you wouldn’t know if and where they have moved to from there.
Log Data
In the Office 365 settings, logging is not enabled by default.
Turn it on.
There are many different settings and options, but an IT professional can very easily set this up. Log data is the very first thing we want to get our hands on when someone has been hacked. It helps us identify where they are logging in from and when, as well as plenty of other information for us to build the timeline for what has happened. If a client doesn’t have logging enabled, we miss out on important pieces of information.
Equally as important is actually reviewing the log data to spot any abnormal activity.
For example, if I live in Buffalo, NY and my log data shows me logging in from Buffalo every day for months, but then, all of a sudden, the log data shows that I’ve logged in from Russia at 2 a.m., there is likely an issue.
I know it’s easier said than done, but someone should review this log data on a regular basis because it’s even better than having log data to analyze after you’ve been hacked. If you have the time and resources, you or your IT team could certainly monitor these logs in house, or you can outsource log data review to a managed security services provider (MSSP), like Avalon. We pull in this log data, set up alerts for abnormalities, and automate the review of such data.
See how this works in our KnightVision explainer video.
Your licensing of Office 365 will dictate your abilities to and options for enabling these features, and if you fully understand all the Microsoft licensing, then hats off to you. It should be an easy conversation with your IT resource to work this all out.
Dig into these two items a little and hopefully you can prevent yourself from being the next company that calls us with an issue. How does the saying go? An ounce of prevention is worth…
Check out this video, Incident Response: Office 365 Email Compromise