Are collaboration tools opening up a backdoor into enterprises? [Q&A]

The pandemic changed the way we work, with more people working from home and fewer in the office. That meant we became much more reliant on tools like Slack and Teams in order to keep in touch with colleagues.

Even though some people are now going back to the office, reliance on these collaboration tools remains high. The dark side of this trend is that cybercriminals have noticed and are increasingly using them as vectors for phishing attacks.

We spoke to Toby Pischl, head of information and email security at Broadcom, to find out more about the problem and what organizations can do to combat it.

BN: How are collaboration tools being used to facilitate cyberattacks?

TP: Sophisticated attacks are happening over Teams and Slack.

For example, access tokens are the keys to the Slack platform. Tokens tie together all the scopes and permissions your app has obtained, allowing it to read, write and interact. I have seen attacks that target, exfiltrate and abuse specific tokens. Let's say I steal your Slack token and send a message, as you, to all of your colleagues and make them click on a link or download and execute something. Your device will never know about it. Slack will know that I'm coming from a different IP address, but it's a script that I executed. It's nothing that anybody else would see.

With Slack, you can impersonate another user or create a new app. Through that app, I can use it as the app owner and write messages to everyone in the organization, messages like, "Click on this link." Or, "Hey, here's the executable for you to update a latest Windows computer with the second half of this year's security updates," or whatever. Your colleagues -- or whoever received this mail -- believe that they are in a trusted environment, so they are more inclined to click on that link or download that executable.

BN: In the rush to adopt new working practices have enterprises failed to fully appreciate the risks?

TP: Yes. People view these apps as internal tools and are not taking the necessary steps to secure these platforms. And the messaging and collaborative tools market is growing. According to a report by industry analyst firm International Data Corporation (IDC), worldwide revenues in the collaboration applications market grew 28.4 percent year over year in 2021 to $29.1 billion.

BN: Do the paid versions of tools like Slack offer better protection than the free ones?

TP: These tools have some security in place, but often need to be enabled by default. Advanced capabilities are often missing, as the primary purpose for these applications is collaboration, and security can be an afterthought. Additional tooling like a CASB can provide extra safeguards to safely adopting these collaboration tools, such as malware scanning, file sandboxing and risk analytics.

BN: How important is it to educate staff in the safe use of these tools?

TP: Extremely. Today attackers are more likely to succeed when abusing messaging tools versus email because emails have a lot of safeguards in place, from spam and malware filters to sender authentication standards. In addition, email users are frequently warned by the FBI, security awareness training programs, their preferred retailers, banks and other organizations to follow basic common sense security protocols like, ‘Don’t trust emails when they ask for urgent things.’ For messaging tools, however, there is little security guidance.

The wake up call to the risks that these apps present will be when an organization goes through their logs and realizes that the Slack token was compromised -- something they don’t have visibility into today. Instead, they will only be able to realize that something really weird was happening on the endpoint.

BN: What other steps can businesses take to reduce the risks?

TP: Below are a few steps businesses can take:

• Don't federate with everybody. If Company B wants to interact with Company A on Slack or another messaging app, you need to establish a relationship, also known as a federation. If you put a security flag in place, a handshake happens that confirms: 'Yes, both of us want to participate.' It's not a one-way relationship that can be established. Federate with the partners that you want to partner with, but don’t be open to everybody. Build a workflow to initiate a federation with interested parties, but not everybody can federate with your tenants.
• It's the intention: Just because you feel secure in Slack or in Teams, doesn't mean you are secure. Just as we have learned with business email compromise, you should question the intention of the senders of the message to ensure their request is legitimate.
• Watch that executable: People still exchange executables on Slack and Teams, including malicious executables. Leverage Slack and Teams built filter capabilities to only allow document exchange, but no code exchange.
• Leverage security tools (like our CASB): Tools that do advanced inspection to protect against malicious links or malicious files lurking on these platforms, can remediate before there’s damage. Further these tools also provide UEBA capabilities where you could identify potential abnormalities on posting behavior etc that are indicators of such compromises.
• Secure the token: Often when these tokens get stolen, they may get transferred out of your organizational safe environment. By putting simple monitoring or safeguards in place, protects these tokens from being leaked to a file storage site an attacker might use to collect these tokens before the attacker moves into the next stage of their attack.

Image credit: vova130555/depositphotos.com