Do you know if your business has been hacked?

There have recently been some high-profile hacks, but do you know what the initial cause was?  A 3rd party was duped into allowing access to M&S back-end systems.

What is more, these systems were not being monitored effectively, so the compromise went unchecked, allowing the hackers time to do damage.  You see, when hackers compromise a system they don’t act immediately; they take their time.

On average it takes over 200 days before a compromise is discovered, especially now that everyone has moved some or all of their IT services into "The Cloud", that mystical place that magically hosts all the services that we consume without knowing exactly where they are or, let's be honest, who has access.

Most businesses use Microsoft 365 as their primary productivity service for email and collaboration in "The Cloud" but have no real idea whereabouts in the world their data is sitting.  The other thing that might surprise a lot of people is that it is not just one data centre in one country.  Depending on how the tenant was initially set up, your data might actually be anywhere in the world, which could also be illegal depending on the data.

So what can you do?

First and foremost, using the wise words from Douglas Adams's "The Hitchhiker's Guide to the Galaxy"... Don't panic!

The Silver Cloud Business has a security service your business can subscribe to that does real-time scanning of your Microsoft 365 tenant and monitors who has accessed your tenant, from where and when.  Not only this, but we can configure it to only allow people to log in from specific locations; after all, most attacks originate from outside the country.  We can monitor a whole raft of things and create alerts for them.

Remember that prevention is better than a cure

By actively monitoring the tenant, businesses can intercept malicious activity long before any damage is done.  Remember that we reported earlier that hackers have, on average, over 200 days of access to the environment before they are found.  This is reduced to minutes or hours if the tenant is actively monitored for malicious activity.  Hackers use social engineering to gain access to environments and rely on humans, who are the weakest link in any security chain.  This is how most malicious access to IT systems is granted: by gathering information about employees, managers and the business from publicly available sources, mostly personal and business social networks.  It is why monitoring and alerting are imperative for any business that would like protection.

What can the monitoring suite do?

Our tenant monitoring suite of tools does a lot to help protect your business.  The following is a list of some of what our monitoring suite can do:

  • Monitor login locations and block any login that is not from an authorised location, which can be defined by IP address, city, region or country.  This is because most hacks are not carried out in your immediate location.
  • Monitor who has admin rights, notify the business owner(s) via a regular report and create an alert if someone has their rights elevated, allowing the business to keep track of who has been granted new admin rights.
  • Monitor new MFA (multi-factor authentication) methods and report any changes, as setting up new unexpected MFA methods is often a sign of an attack.
  • Monitor Azure / Entra applications and create an alert if a new application has been associated with the tenant.  The application can then be either blocked or accepted, depending on whether the business was expecting a new application to be granted access to the tenant.  Giving unauthorised applications access to your tenant is a common approach used by hackers to gain access to a tenant and compromise it.
  • Forced logout on a schedule, which offers an additional layer of security by forcing users to re-authenticate to the tenant.  It is also a really useful tool if the business has a scheduled shutdown and staff are not meant to be working.
  • Monitor and control working hours, which means you can determine when people can access the tenant.  It is a really great way to help staff manage their mental health, as they are unable to work outside of business hours.  It also helps prevent hackers, who are often in completely different time zones, from gaining access to the tenant, as it narrows down the windows in which people can access the online services.
  • Monitor groups and alert when an external user has been added, which allows a business to keep track of who has been granted access to the systems and data, and to revoke the permission if a member of staff has granted more access than expected.
  • Monitor email forwarding and alert if someone has created email forwarding to external mailboxes.  This is a common hack where email is compromised and secretly forwarded to an external mailbox, bypassing security and allowing the hacker to build a picture of the business over time.  It is common for accounts teams' mailboxes to suffer from this, so that hackers can gather information and carry out a social engineering attack, such as using a domain similar to one the company does business with, pretending to be from that client, saying "our bank account details have changed, here is your regular invoice" and getting the company to pay into a different bank account.  They also set up rules to intercept emails from the real sender so they never show up in the inbox, so when the real sender chases for their payment or their invoices, the emails go into a black hole.  Knowing who has set up email forwarding helps identify and stop this type of hack.
  • Mailbox monitoring, alerting when permission changes are made to someone's mailbox.  Do you know who has access to your mailbox?  Would you like to know?  Does your mailbox hold information that others should not have access to?  The monitoring suite will notify of any permission changes so that business owners can ensure only the right people have access to the right mailboxes.
  • Monitor mailbox transport rules and send an alert if these change.  Mailbox transport rules are how the email server sends emails to the internet.  A common hack is to add a mailbox transport rule that copies and forwards all email to a secondary recipient, allowing hackers to intercept all email being sent by your business.  The monitoring tool alerts if any new transport rules are created, allowing them to be validated and approved, or deleted if they are not expected.  A lot of transport rules are genuine, but some can be malicious and should be removed.
  • Monitor inbox rules, which allows selected, important mailboxes in an organisation, like the accounts or HR mailboxes, to be monitored to see if any rules are created or any suspicious activity is occurring.  Mailboxes that hold sensitive information are more likely to be targeted by bad actors with malicious intent.
  • External sender warnings to remind staff that the email they are sending is going outside of the organisation.  This service can also be configured with an allow list of validated external recipients that regularly communicate with the business.  It is also a great way of identifying people trying to spoof a known contact with an engineered domain name.  Not many people would pick up on a transposition of letters, so who would notice the difference between the two domain names spoonsoftheworld.com and spoonsofhteworld.com, especially at a glance?  Hackers rely on the human brain automatically sorting the letters into the correct order and exploit this.
  • Internal spoofing protection detects spoofed emails and alerts the business, stopping them from slipping through the net and protecting users from inadvertently thinking they are genuine emails.
  • Monitor sharing with external 3rd parties and generate alerts, allowing businesses to see where data is being shared with external recipients and allowing management to determine if the recipient is allowed or to remove the access.
  • Mass deletion alerts to notify the business if someone deletes a large amount of data from SharePoint.  This allows the deletion to be intercepted, stopped and reversed if unauthorised, protecting business data from malicious or accidental removal.
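
The transposed-letter domain from the external sender warnings item above can be caught mechanically by comparing each sender domain with the allow list.  The following is an added example, not code from the monitoring suite described here; the allow list contents, function names and distance threshold are assumptions chosen for illustration.

```python
"""Flag sender domains that imitate an allow-listed domain (added example)."""

# Constructed allow list; the first entry is the domain named in the article.
ALLOWED = {"spoonsoftheworld.com", "example.org"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap
        prev2, prev = prev, cur
    return prev[len(b)]


def classify_sender(address: str, allowed=ALLOWED, max_distance: int = 2):
    """Return (verdict, matched_domain): verdict is 'trusted', 'lookalike'
    or 'external'. max_distance is an assumed threshold; very short
    domains need a smaller one to avoid false positives."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in allowed:
        return "trusted", domain
    for good in sorted(allowed):
        if osa_distance(domain, good) <= max_distance:
            return "lookalike", good
    return "external", None


if __name__ == "__main__":
    # Constructed sender addresses for demonstration.
    for sender in ("accounts@spoonsoftheworld.com",
                   "accounts@spoonsofhteworld.com",
                   "sales@unrelated-supplier.net"):
        print(sender, classify_sender(sender))
```

Counting an adjacent swap as a single edit is what makes the transposed domain score 1 here; plain Levenshtein distance would score it 2, the same as two unrelated typos.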

The suite of tools allows clients to pick and choose what needs to be monitored in their tenant: one, some or all of the monitoring options for a flat, monthly fee.

The threat landscape has changed and businesses need to do more than ever in order to protect their systems.  If you would like more information on the price or a demonstration of how the reports and alerts look and work, call us on 01722 411 999. 

Remember, it is far cheaper, easier and more effective to monitor your systems than to pay for the fallout and aftermath of a breach.  It is not just the cost of the breach but the reputational fallout afterwards; most businesses do not have the financial means to survive the outcome of a hack.

Publish Date: Sep 3, 2025