The next target for phishing and fraud: ChatOps

Cloud-based chat systems introduce a unique set of requirements given the breadth and depth of access to potentially sensitive data


This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Enterprise chat applications have surged in popularity, driven in large part by Slack, which now claims to serve more than three million users daily.  What’s more, the popularity of these apps has given rise to a new phenomenon known as ChatOps, which is what happens when these new messaging systems are used to automate operational tasks. 

The ChatOps term was coined by GitHub to describe a collaboration model that connects people, tools, processes and automation into a transparent workflow.  According to Sean Regan, Atlassian’s Head of Product Marketing for HipChat, this flow connects the work needed, the work happening and the work done in a consistent location staffed by people, bots and related tools.  Its transparent nature hastens the feedback loop, facilitates information sharing, and enhances team collaboration, but also ushers in a new set of challenges for security and risk professionals.

Take, for example, the General Services Administration. Earlier this year, the agency and one of its outside partners shared a series of documents and spreadsheets through Slack. In doing so, they opened up programmatic access to more than 100 Google Drive accounts for nearly half a year, in violation of the acceptable permissions policy defined by the GSA’s information security team.

This is not a security flaw in Slack – instead, it is a risk exposed by the combination of unfamiliar systems being used and managed by business users who are not security specialists familiar with the many regulatory and compliance-related rules around data protection.

Chat systems, however, can be securely adopted and managed.  In understanding how, first consider how these systems have been adopted.  The ease of using these platforms, coupled with their cloud-native integration capabilities with other systems, is largely responsible for rapid growth in the enterprise.

Business users are also leveraging chat systems to automate tasks such as filing expense reports, developing to-do lists and scheduling meetings, thanks to the ability to integrate bots and AI into the messaging applications.  Microsoft’s Bot Framework for Skype, Slack and Office 365 allows organizations to build and connect intelligent bots that interact naturally where their users are talking. 

By interweaving third party content into the daily communication stream of the typical employee, and coupling that with extensible capabilities, these chat applications are beginning to supplant not only email as the dominant daily messaging system, but also the command line and even the web browser for many repetitive tasks.

Age-old threat

While integration means new risks, the surging popularity of chat tools opens the door for a more basic threat, spear phishing, an issue the industry has been grappling with – largely unsuccessfully – for some time.  Over the past 18 months the FBI says more than $3 billion has been lost to phishing. In large part, this category of attack has been successful because existing email security products have been designed to block, quarantine, or prevent delivery of malicious mail.

This is changing as vendors realize that this strategy has failed to prevent attacks that rely on deception and targeted social engineering, rather than malware or blacklisted sending servers. Unfortunately, much of the security market remains focused on point solutions and perimeter controls for email.

As chat platforms become increasingly popular, they are an obvious target for the same kinds of impersonation attacks, especially for organizations that allow external users, such as customers or contractors, to engage via chat platforms. CISOs and security teams need a comprehensive strategy for identifying these attacks broadly. While the legacy vendors have yet to catch up to this new threat surface (excepting limited data loss prevention functionality), safeguarding against targeted attempts to steal IP, financial resources, or other sensitive data should be part of a comprehensive security posture for Slack.

Malicious apps and permissive bots

A second major area of focus when establishing a security program to address risk in ChatOps programs involves third party access.

Like many cloud platforms, chat tools allow external organizations to leverage internal APIs to extend functionality, ranging from scheduling assistants to travel booking tools to various engineering and product management systems. Overall, this extensibility represents a core strength of these systems.

From a security perspective, however, they can represent data exfiltration opportunities that must be addressed. First, not every third party company is a good steward of the data they have access to; corporate policies for vendor review and acceptable use should apply to chat programs in the same way that they do for any system. As with the GSA example, relying on users to understand the technological limitations and risks around connecting technologies is not a strong strategy.

The root problem is that many CISOs and CIOs have limited visibility into what third party apps are even being used, and effectively no capabilities for removing them when in violation of internal security policy. While trusted applications can be a productivity boon, being able to detect and manage risks from apps and bots that fail to meet organizational standards – ideally with access to information that identifies the risk profile for each application in real time – is a critical security capability for these new ecosystems.

Credential loss and account misuse

The final consideration from a chat security perspective is ensuring that credentials are not being stolen and misused.  As with any enterprise application, the most difficult threat to detect is the internal user whose account is compromised and then used to move laterally within the organization.

For a chat program, this can lead to data loss through impersonation, the installation of malicious bots, or even direct system compromise for other pieces of corporate infrastructure.

In addition to enforcing strong passwords and multi-factor authentication, information security teams should ensure they have comprehensive analysis capabilities for credential use, capable of detecting unusual login or access activity across not only their chat environment, but all of the systems that are connected to it. Furthermore, suspicious events should prompt automated alerting and response, minimizing the window of opportunity for an attacker to bypass controls and exfiltrate sensitive information.
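The two controls discussed above, reviewing which third-party apps have been granted broad access and flagging logins that break a user's established pattern, expressed as detection logic over a constructed audit-log sample. This is an added example, not code from the article or from any chat vendor; the event schema, the scope names, and the approved-app list are assumptions for illustration.

```python
import json
from collections import defaultdict

# Constructed sample of chat-platform audit events (JSON lines). The field
# names are a hypothetical schema, not any vendor's real audit-log format.
SAMPLE_EVENTS = """
{"ts": 1, "type": "user_login", "user": "alice", "ip": "203.0.113.10", "country": "US"}
{"ts": 2, "type": "user_login", "user": "alice", "ip": "203.0.113.10", "country": "US"}
{"ts": 3, "type": "app_installed", "user": "bob", "app": "travel-helper", "scopes": ["files:read", "channels:history"]}
{"ts": 4, "type": "user_login", "user": "alice", "ip": "198.51.100.7", "country": "RO"}
{"ts": 5, "type": "app_installed", "user": "carol", "app": "calendar-sync", "scopes": ["users:read"]}
"""

# Assumed organisational policy: scopes that read shared content are high
# risk, and only apps that passed vendor review may hold them.
HIGH_RISK_SCOPES = {"files:read", "channels:history", "im:history"}
APPROVED_APPS = {"calendar-sync"}


def analyze(events_text):
    """Return a list of alerts for unapproved high-scope apps and logins
    from a location the user has not been seen at before."""
    known_locations = defaultdict(set)   # user -> set of (ip, country) seen so far
    alerts = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        if ev["type"] == "user_login":
            loc = (ev["ip"], ev["country"])
            seen = known_locations[ev["user"]]
            # The first sighting of a user becomes the baseline; in a real
            # deployment the baseline would come from a longer history.
            if seen and loc not in seen:
                alerts.append({"ts": ev["ts"], "kind": "new_login_location",
                               "user": ev["user"], "ip": ev["ip"],
                               "country": ev["country"]})
            seen.add(loc)
        elif ev["type"] == "app_installed":
            risky = sorted(set(ev["scopes"]) & HIGH_RISK_SCOPES)
            if risky and ev["app"] not in APPROVED_APPS:
                alerts.append({"ts": ev["ts"], "kind": "unapproved_app_high_risk_scopes",
                               "user": ev["user"], "app": ev["app"],
                               "scopes": risky})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Each alert carries the installing or logging-in user, so the same output can drive both the automated response the article calls for and a review of the app against vendor policy.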

The reality for most organizations is that the pace of cloud app adoption is continuing to accelerate. Chat systems are simply a manifestation of modern hyper-connected infrastructure, and protecting against threats within these systems requires a disciplined but ultimately business-empowering approach, where threat detection and remediation are seen as being part of how organizations can embrace rather than attempt to block new technologies.

On balance, the rise of cloud-based chat systems is both a positive and productivity-enhancing paradigm shift. However, as with any new system, security considerations need to be identified and planned for – and these platforms introduce a unique set of requirements given the breadth and depth of their access to potentially sensitive data and personnel.

Copyright © 2016 IDG Communications, Inc.
