Are You Ready for a Breach in Your Organization's Slack Workspace?

A single compromised Slack account can easily be leveraged to deceive other users and gain additional access to other users and multiple Slack channels.

When organizations moved to hybrid work at the beginning of the pandemic, Slack offered a crucial way for teams to collaborate efficiently regardless of physical location. But in most organizations, Slack is a relatively new solution, bringing the typical challenges of adopting new technologies — related to culture, functionality, expected user behavior, and, of course, security. For many organizations, Slack is now the primary communication channel, replacing email and knowledge management repositories. As a result, Slack increasingly contains more sensitive information than those traditional systems. 

Before diving into the challenges, let's be clear: Slack invests substantial resources into securing its infrastructure, platform, and the software itself. Nonetheless, like any other technology platform, Slack can serve as a basis for attacks by taking advantage of built-in features, insecure usage, or misconfigurations. And while established collaboration and communication platforms have an entire ecosystem of security solutions and best practices, Slack has only a small subset of these solutions and practices in place.

Slack offers an open and collaborative culture, so while years of phishing attacks created users suspicious of unusual emails, few suspect a message from a co-worker on Slack. Therefore, compromising a single account in Slack can easily be leveraged to deceive other users and gain additional access — not only to other users but to multiple channels. Most organizations leave many channels public to encourage participation and share knowledge as part of the Slack as a knowledge base approach. However, few consider who has channel access and therefore people share sensitive information — even secrets, such as passwords or API keys in channels. Shared as part of a conversation, very few people think about it being stored forever and accessible to any compromised account.

This open culture isn't the only problem. Slack also offers an extensive marketplace of applications and allows you to build additional applications outside of this marketplace. Third-party apps in SaaS platforms are a huge supply-chain risk, creating an attack vector for nearly every SaaS platform, including Slack. Many apps request extensive permissions, but even seemingly innocuous requests to “read from all public channels” allow broad access to a significant amount of data. Additional potential risks include content filtering, lateral movement, third-party communication (Slack Connect), and many more.

Slack Detection and Response
As Slack becomes an increasingly dominant part of your organization's infrastructure, it will become a target for attacks and eventually be breached, just like any other technology that we use. That’s why organizations must be able to identify, contain, and respond to security incidents quickly to minimize the impact. Unfortunately, both the technology and practices required to do so for Slack are still limited. For example, Slack provides access to security logs only to customers using its enterprise tier. Without security logs, both detection and response are almost impossible. Other advanced security features, such as single sign-on, are unavailable in their standard and pro plans, leaving many mid to large organizations exposed.

Furthermore, many don't realize that Slack doesn't keep a history of anything that's been erased. If an attacker deletes messages, they are gone forever. This can turn into an effective ransomware attack, which is hard to respond to without upfront preparations, predominantly backups.

Should I Stop Using Slack?
No — Slack is a great platform that can help your business work more efficiently. It's important to be aware, though, that any platform we use is susceptible to risk and may be an attack vector. By understanding these risks, we can become more secure and resilient when facing attacks.

Here are five ways to minimize the impact of a potential Slack breach.

1. Private/public channels: Define and enforce a clear policy about public and private channels. As a repository of sensitive data, your users need to think about where and how they share information.

2. Limit third-party permissions: Restrict your third-party apps to the minimum permissions to reduce the impact of a third-party breach.

3. Backups: Back up your Slack. If Slack serves as a knowledge management repository, it's a critical asset in the organization. Automate Slack's export capabilities or use an outside vendor to create backups.

4. Enable advanced security features: Require multifactor authentication and enable the security features in Slack's enterprise license, including additional encryption, compliance, and security management.

5. Collect logs: Collect and retain Slack logs so you have the information you need to investigate an incident.

The time you spend now considering the potential challenges and security risks of a Slack breach will help you if it happens. The steps outlined above can help you reduce the impact, and the likelihood, of potential Slack breaches.

Editors' Choice
Jai Vijayan, Contributing Writer, Dark Reading
Kelly Jackson Higgins 2, Editor-in-Chief, Dark Reading