Addressing Account Takeovers: Security Leaders Share Their Concerns

Originally published by Abnormal Security.

Written by Ryan Schwartz.

For many security stakeholders, the phrase “account takeover” brings to mind email account compromise. But today’s cloud application ecosystems are increasingly broad, interdependent, and complex. As these apps proliferate—and become ever more integral to key operational processes—additional points of entry into enterprise environments emerge.

At the same time, it’s progressively more difficult to maintain centralized visibility and unified control across diverse collections of cloud services. This is especially true when different business units are individually responsible for their own apps.

To better understand the challenges that security stakeholders face in this area, as well as how they are thinking about solutions, we surveyed over 300 security professionals across an array of global industries and organization sizes. Participants shared their views about the account takeover threat, where standard countermeasures fall short, and which features the ideal security solution offers.

Here are a few of the key takeaways from the report.

Account Takeovers Are Leading Cybersecurity Concern

Already a severe threat, account takeover attacks have grown in prevalence in recent years. Threat actors are making more attempts to harvest credentials, steal active session cookies, or otherwise gain access to email and cloud software accounts. Unfortunately, an escalation in attempted attacks creates additional opportunities for success—and more dire consequences.

Given the increased volume of account takeover attacks—and the power that success puts into criminal hands—it’s no surprise that two-thirds of survey respondents listed account takeover attacks as one of the top four cyber threats that concern them the most. This makes ATO the leading worry for security leaders—even ahead of the threats that dominate headlines, like ransomware and spear phishing.

The anxiety about account takeovers is certainly justified, as survey participants are already experiencing this problem firsthand. A significant majority (83%) reported that their organization had been impacted by an account takeover attack at least once over the past year. Further, nearly half of organizations were impacted by ATO more than five times within the past year, while almost 20% had experienced 10 or more significant ATO attacks.

Leaders Prioritize Prevention but Lack Confidence in Standard Security Measures

Over 70% of stakeholders claimed they “strongly agree” that preventing account takeovers is a primary concern, with fewer than 1% stating they disagreed with that sentiment. That said, there appeared to be increasing awareness that even some of the security measures previously considered the gold standard in ATO prevention aren’t suitably effective against modern cloud account takeover.

A mere 37% of respondents reported having strong confidence in the effectiveness of multi-factor authentication (MFA) in protecting against these threats. This is a justified opinion, as threat researchers observed a significant increase in MFA bypass attacks over the past year.

An investigation conducted by Kroll Advisory discovered that 90% of the successful adversary-in-the-middle (AiTM) and business email compromise (BEC) attacks it analyzed occurred while MFA was already in place.

Survey participants are even less confident in single sign-on (SSO) technology, another widely implemented ATO protection measure with limited efficacy. A full 65% of security stakeholders reported a lack of confidence in SSO’s ability to protect against compromised accounts. SSO does have benefits—for instance, it’s easier to apply rules requiring strong passwords since these have to be enforced in only one place. However, SSO still has a significant downside: once compromised, it offers attackers ease and simplicity when it comes to lateral movement across the environment.

Potential Business Disruption Cited as Top Obstacle to Defending Against ATOs

Considering the large number of successful account takeovers and their devastating consequences, it’s clear that defenses—across geographies, organizational sizes, and industries—could be more effective than they are today.

To gain better insight into why stopping ATO is a growing problem, survey participants were asked about their biggest obstacles to preventing account takeovers. Nearly 60% of stakeholders chose concern about potential business disruptions as the leading response. This is understandable, as automatically blocking account access when suspected ATO activity is detected can drastically interfere with operations—especially when this access is for mission-critical business applications.

Insufficient automation, also near the top of the list of inhibitors, was mentioned by half of the participants. Again, this is reasonable, given the need for speed in effective defense. Insufficient integration among the organization’s security solutions was similarly ranked and is closely related to the next-most highly ranked inhibitor: insufficient visibility.

To counter these threats, security teams need consistent, uniform visibility and control across often disparate ecosystems of cloud apps and services. Unfortunately, currently available tools often offer only fragmented visibility, protect only some applications, and neither correlate events nor deliver actionable insights.

Stakeholder Wishlist: Better Integration Among Current Security Solutions

Regarding their initiatives to upgrade their defenses against account takeover attacks within the next year, more than half of survey participants stated that improving integration among their current security tools was a top priority. Such integration is key because these attacks typically leave multiple signals across different applications, particularly as threat actors move between platforms.

Additionally, 41% of respondents reported the need to replace current tools and solutions with better ones. This is likely a result of the dissatisfaction leaders feel with the capabilities that are most widely available and most popular today—underscoring the need for a new and radically better approach.

When asked to list the most important features of an ideal solution for defending against account takeover attacks, 66% cited the accuracy of detection and prevention capabilities as the #1 requirement. This was closely followed by the ease of integration with existing tools and workflows (58%), coverage for all of the organization’s applications (57%), and ease of deployment (46%).