'KnockKnock:' Make Sure You Lock Your Door

There is something for security people to learn from most cyber attacks.  We can learn about new attack techniques used by cybercriminals, or new types of digital assets targeted by them. Some cyber attacks highlight certain application or infrastructure vulnerabilities that weren’t widely known or understood, while others highlight gaps in specific security technologies. Although the recently disclosed KnockKnock attack hasn’t received anywhere near the publicity of WannaCry, Petya/NotPetya, or BadRabbit, it provides a number of important lessons from which everyone can learn something. In no particular order those are:

Broadly-used platforms like Office 365 make juicy targets for attackers. 
As the popularity of a platform rises, attackers increasingly focus on it. They are responding to the basic economics of supply and demand. In the case of KnockKnock, the runaway success of Office 365 has drawn the focus of a particular botnet herder. But many other malicious actors are also increasingly focused on it as well.  Back in the day malware was primarily written for the Windows platform, in large part because the probability of bumping into a vulnerable Windows system was quite high.  Now with the rapid move of common business applications to the cloud, the probability of finding a vulnerable cloud tenant is also increasingly high. As the most popular cloud application in the world, Office 365 is on the way to attaining ubiquity on par with Windows. Couple that with the miniscule expense for the attacker to set up an Office 365 test environment of his own, and you have a perfect environment for an Office 365-focused attack campaign.

Admin or system accounts provide great backdoor entry points. 
Attackers often assume – correctly – that, organizations "set it and forgot it" when it comes to system admin accounts. This age-old attacker technique didn’t go away with the movement to the cloud. In fact, it got easier. By definition these accounts are Internet accessible and thus easy to find, access, and "knock-on."  In how many organizations are these privileged accounts protected with only a single authentication factor – passwords? That is certainly the case with many Office 365 admin accounts, even though multi-factor authentication is available.

Lateral movement leverages internal-to-internal phishing emails.
This portion of the KnockKnock attack is notable and increasingly common.  How many of your employees will be wary of clicking links or opening attachments in an email that literally comes from an internal sender?  What better way to spread an attack laterally than using your organization’s own email system. This is exactly what an attacker can do once they have control of one of your Office 365 accounts, whether it is a system account or even one of your regular user accounts. How many organizations have their email security systems reviewing internal-to-internal emails? While it is understandable that most organizations focus their email protections on inbound emails initially, it is increasingly important to also focus on protecting against malicious internal-to-internal emails. The spread of an attack is often much worse for the organization than the original infection. 

The bottom line is attackers are "knocking" all around your enterprise, including, increasingly, your cloud-based services. It is important to recognize this so you can apply your best defenses where they are needed most. Don’t assume that just because you have moved an application to the cloud that this insulates you from security risks and responsibilities.