Insider Threats and the Use of Popular Collaboration Platforms


Messaging and workplace collaboration apps have become incredibly popular tools for business. As their use grows, collaboration apps have become a new method for malicious insiders (employees, contractors, etc.) to steal information, as well as for employees to accidentally expose customer data or sensitive information. A survey of security professionals found that more than a third of accidental employee breaches exposing sensitive information involved collaboration and file-sharing services.

The ease of collaboration and data sharing these platforms provide—and employees love—is also the most dangerous security risk. Even when a business strictly follows its security protocol, it is still possible for an employee to accidentally or intentionally misuse communication tools.

Why Securing Cloud-Based Apps is Challenging

In addition to securing internal networks, databases, and servers, IT and security teams must now deal with securing devices (e.g., mobile device management, policy management, device access and tracking). The rise of cloud-based apps has added further complexity with the need to manage and secure users’ connections (i.e. authentications) and interactions to these apps (e.g., file sharing, calendars, email forwarding, file downloads, etc.).

Traditional threat detection tools, such as Security Information and Event Management (SIEM) and Data Security Platforms, monitor, capture, and report anomalous behavior across a company’s network. These can help security teams quickly discover who is using cloud services to upload sensitive corporate information or attempting to access restricted cloud applications, but they can’t monitor activities within the apps themselves.

Without strong governance, in many cases, end users determine how cloud-based platforms are implemented. Individual choices impact which endpoints and networks are used to access these services, what data is shared when using the applications, and the security of their individual user accounts.

Some popular collaboration applications, such as Slack, integrate with Google Drive accounts. These integrations facilitate data sharing across dispersed workforce members, but they can also be used to exfiltrate data securely, bypassing corporate event logs.

There are thousands of chat apps on the iOS, Apple Store and Google Marketplace. Identifying each app is a losing proposition; rather, the corporation must focus on digital loss prevention and instilling best practices as part of the corporate culture.

An Insider Threat Example

Let’s look at a specific use case of how an insider threat defrauded a company of proprietary data.

After being notified that their contract would not be renewed the next fiscal year, a third-party vendor created private chat channels in the corporate Slack platform and used the channels to discuss intellectual property, fiscal opportunities, and methods to keep the client dependent. Since the corporation had implemented the 'free' version of Slack, there was no data retention for private channel messages, deleted channels, or deleted messages. The two-person rule for separation of duties, a best practice for fraud prevention, was not enabled. An individual could create a private chat channel, exfiltrate data to a third-party member, and then delete the record. While performing digital forensic analysis for the client, Incident Response experts from Revolutionary Security noted the reference to deleted channels.

What Motivates an Insider to Steal?

When discussing Insider Threats, it’s always helpful to review why employees or other trusted individuals would look for an opportunity to steal, defraud, or harm their employer. The Fraud Triangle is a popular model used to explain the reasoning behind Insider Threats. It consists of three components which, together, can identify fraudulent behavior:


  1. Incentive – What is motivating the person? Personal financial pressure, such as debt or a shortfall or loss in income from a layoff or firing, is a common motivator. This can be exacerbated by a climate of high unemployment and/or economic uncertainty.
  2. Opportunity – Is there opportunity to commit fraud? In this stage the employee sees a clear course of action where they can take information or money and not be discovered.
  3. Rationalization – Is the act justified? In the final stage of the fraud triangle, the employee justifies his or her crime, such as a need to care for family or a sense that the company “owes” them. Most fraudsters are first-time criminals and do not see themselves as criminals, but rather a victim of circumstance.

Ensure You’re Capturing Critical Data

The example above, and others that have made headlines (e.g. Waymo vs. Otto), demonstrate how critical it is for companies to fully understand the risk involved with the apps they give employees access to, and which features are available to capture the in-app activity needed for digital forensic investigation.

While collaboration and innovation through unapproved software may provide tactical short-term benefits, the corporate liability may outweigh the productivity and hinder strategic achievements. The “Shadow IT” implementation of collaboration tools, without corporate approval and oversight, provides a quantifiable advantage to the insider threat. Audit not only the installed enterprise software but also the accounts used on a regular basis, and remove the unnecessary accounts. Removing access to unapproved software is not typically part of the employee departure process, and leaving that access in place may facilitate unauthorized data access.

Here are insights for three of the most popular collaboration platforms: Apple, Google, and Slack.

Apple iCloud Services

With its universal ease-of-use advantage, Apple solutions are being deployed by more and more businesses. While Apple doesn’t present iCloud as an enterprise-focused product, the highly secure service does provide a range of useful tools for enterprise professionals. In addition, the company reversed plans to add end-to-end encryption to iCloud backups, and settled on encrypting health and payment information. As a result, Apple can supply investigators who have a legal order with unencrypted backups of data captured from both mobile and traditional digital sources.

For internal investigations on company-owned devices, the iCloud data backup for your users provides a wealth of information, including iMessage, pay activity, calendars, contacts, email, and online store purchases. Any of these areas can provide evidence during an investigation. One investigation we facilitated uncovered meetings with competitors scheduled in the employee’s calendar.

In addition, the backup captures user login data/times/IP addresses, which you can use to determine if there are multiple IDs being used by the user or if a user had been hacked.


Google G-Suite

Google Hangouts Chat is Google's team chat service provided as part of G Suite. If you use Gmail with a company email address, you're already utilizing a G Suite user account and have access to Hangouts Chat. This service includes direct messaging, just like the consumer Hangouts, but also offers threaded team channels like Slack. As with most messaging apps, photos, files, and screenshots can be shared via Hangouts Chat.

When evidence for digital forensic investigations and eDiscovery is needed, Google Takeout and Google Vault can be used. With Takeout, 47 different kinds of data—including Hangout chats, Contacts, Photos, Gmail, and bookmarks—can be extracted from an end user’s Google account. Unfortunately, Takeout does not include detailed logs which can be used to import metadata into digital forensics and eDiscovery tools, nor does it include cryptographic hashes of the exported items. Google Vault’s output is very similar to that of Google Takeout, but with better search features and MD5 hashes of the exported files.
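Because Takeout exports carry no cryptographic hashes, an investigator can record them at collection time. The following is an added example, not code from the original article or from Google: it assumes the export has already been unpacked into a directory, computes MD5 (for comparison with Vault-style exports) and SHA-256 for every file, and later reports any file that was modified, removed or added. The file names in demo() are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests, reading in chunks so large files are not loaded whole."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def build_manifest(export_root):
    """Map each file's path (relative to the export root) to its digests."""
    root, manifest = Path(export_root), {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        md5, sha256 = hash_file(path)
        manifest[path.relative_to(root).as_posix()] = {"md5": md5, "sha256": sha256}
    return manifest


def verify_manifest(export_root, manifest):
    """Re-hash the export and report files modified, missing or added since the manifest."""
    current = build_manifest(export_root)
    modified = sorted(p for p in manifest.keys() & current.keys()
                      if current[p]["sha256"] != manifest[p]["sha256"])
    return {"modified": modified,
            "missing": sorted(manifest.keys() - current.keys()),
            "added": sorted(current.keys() - manifest.keys())}


def demo():
    """Constructed sample export: record a manifest, alter the copy, then verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Hangouts").mkdir()
        (root / "Hangouts" / "Hangouts.json").write_bytes(b'{"constructed": true}')
        (root / "contacts.vcf").write_bytes(b"BEGIN:VCARD\nEND:VCARD\n")
        manifest = build_manifest(root)
        (root / "contacts.vcf").write_bytes(b"BEGIN:VCARD\nEDITED\nEND:VCARD\n")
        (root / "Hangouts" / "Hangouts.json").unlink()
        (root / "extra.txt").write_bytes(b"new file")
        return manifest, verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo()[1])
```

Store the manifest separately from the export (for example with the case notes) so that a change to the evidence copy cannot also change the recorded hashes.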

Take note: By default, deleted data is not retained unless you’ve configured your G Suite business or enterprise account to do so and purchased Google Vault.



Slack

Slack is an extremely popular communications tool for teams. Once implemented, it has a sneaky way of getting embedded into many other workflows thanks to its directory of more than 750 integrated applications. The proliferation of third-party apps and integrations may be great for your users, but without proper oversight, users can create new integrations at the click of a button.

As with Apple and Google, Slack makes it easy to share documents and media files. Unfortunately, Slack offers no built-in data leakage prevention capabilities for identifying and controlling access or sharing of sensitive data, which makes preventing data loss a must.

This is further exacerbated by the fact that users can have multiple channels without the account holder knowing they have done so. Unless you have a corporate account with two-person control, when those channels are deleted you will have no information retained. With a corporate Slack account, by contrast, you can configure it to retain all deleted chats and documents.

One takeaway from Revolutionary Security Analysts: deleted data in Slack isn’t available without upgraded access and access to deleted files isn’t retroactive after purchasing upgraded access.
