Logging, monitoring and alerting is probably the single biggest weakness that most organizations have.
Office 365 is also likely the single biggest vulnerability.
So what actions should you be monitoring in Office?
According to AT&T’s Alien Vault division, here is the answer.
- User access – who is there normally; what is your user baseline. Are you seeing more failed logins than normal?
- Administrator actions – a hacker will likely try to become an administrator, assuming the account they hacked doesn’t belong to an administrator already. Any change in patterns could be a warning sign.
- Changes to Office policies – if the attacker wants to get away with something would normally normally not be allowed, they will want to change the policy to let them do it.
- Current threat intelligence – use your threat intel sources such as the FBI, Secret Service, public alert feeds and others to tweak what you are alerting on based on attacks that the industry is currently seeing.
What are the details (see the link for even more detail)?
- Logins – both success and failures including time and location
- New users, deleted users, permission changes
- Changes to logging rules
- Access – to Sharepoint, One drive and other resources
- Changes to Sharepoint and One drive permissions
- Changes to O.365 policies including spam, DLP and other policies that might allow an attacker to get data out or malware in
- Contact with known malicious IPs (see indicators of compromise from various alerts)
- File uploads of file types known to be used in ransomware attacks (exfiltration of data)
You do need to review the alerts that you get in real time and that will take some resources, but you should be able to train lower level staff to perform first level triage.
This is not simple and it will take resources. However, being hacked, having a breach or dealing with a ransomware attack is not free either.
Source: AT&T Alienvault