Slack’s public S1 filing tells us a lot about the current state of insider threats. The company listed common insider threat vectors as risk factors for investors. These vectors included employee theft or misuse of data and systems, nation-state sponsored actors, phishing, and credential theft. Much like other data exfiltration channels, such as email or cloud storage accounts, Slack represents a new channel organisations must consider monitoring and protecting as a part of a comprehensive insider threat program.
Slack and State-Sponsored Threats
State-sponsored cyberattacks are on the rise, especially in industries with high-value information, such as financial services and healthcare. A recent report from the Carnegie Endowment for International Peace showed that, out of 94 cases reported as financial crimes since 2007, 23 of them were allegedly state-sponsored.
Motivations for state-sponsored threats could include loyalty to a home country, financial reward, or political unrest. According to the Carnegie report, the majority of nation-state attacks were coming from countries such as Iran, Russia, China, and North Korea. State-sponsored actors may lurk within Slack channels that contain proprietary information, or leak data from their Slack accounts to personal devices or other personal accounts.
A combination of user and data activity monitoring can catch state-sponsored threats in the act of a malicious insider attack. Often times, there will be a history of suspicious user activity, combined with a pattern of data exfiltration that can help security analysts identify these types of malicious threats.
Slack Me Your Credentials: Third-Party Data Theft
While Slack has made it much easier for teams to collaborate, often bad habits form based on convenience, such as sharing credentials via unencrypted channels such as Slack or email. Phishing attacks disguised as legitimate emails from Slack requesting a user’s password can also mislead an employee into falling victim to credential theft.
Once a malicious actor is in a Slack organisation, they may trick other employees into disclosing sensitive information, or granting them permission to sensitive files or areas of the company’s servers.
To prevent third-party data exfiltration and credential theft, security teams must provide comprehensive cybersecurity awareness training for employees. This training should cover company policy on sharing credentials, as well as advice on how to identify and report a phishing attack. Many security analysts choose to send test phishing emails to employees to see how well they retain the trainings—not so much to catch them in an embarrassing mistake, but to correct user behaviour before it’s too late.
Employee Theft and Misuse on Slack
Employee theft and misuse is a common type of insider threat incident. Motives for these types of insiders could either be malicious or completely innocent. For example, perhaps a user doesn’t know that downloading and sharing work files from Slack is not permitted on a personal device, and accidentally downloads a sensitive file. Or, they’re aware that sharing via Slack with third-party contractors isn’t within policy, but they do it anyway for the sake of convenience.
Malicious insiders, on the other hand, may be looking to enact revenge, steal corporate intellectual property for a future employer, or exfiltrate data for their own financial gain. Employees under personal stress, such as family issues or financial pressure, may be particularly susceptible to becoming insider threats (including the nation-state type of threats we discussed above). Former employees who aren’t properly offboarded from Slack can also present problems for organisations.
To prevent both malicious and unintentional insider threats, security teams must implement proper cybersecurity and policy awareness training, as well as thorough, secure offboarding procedures to cut off unauthorised access. In addition, insider threat management solutions can both detect threats and speed the time to investigate potential incidents.
Implementing a Holistic Insider Threat Program
The best way to prevent insider threats is by enacting a holistic insider threat program that encompasses people, processes, and technology. On the people front, as mentioned above, cybersecurity awareness training can prove invaluable, especially when it comes to avoiding employee mistakes. Good processes, such as policy reviews and ongoing employee engagement can keep security top-of-mind. Finally, a dedicated insider threat management solution, such as Proofpoint ITM, can monitor both user and data activity, providing the context security analysts need to effectively and quickly investigate incidents.
How have you addressed cybersecurity threats on Slack in your organisation?