Communication platforms are an essential part of how organizations collaborate today. They let teams work efficiently regardless of location—which has become increasingly important in recent years. Today, many online collaboration tools are offered as Software-as-a-Service (SaaS) solutions, making it easy for teams to communicate and work together. As these solutions have gained traction, they have become a new target for attackers.
Platforms such as Slack and Microsoft Teams have gained popularity worldwide to improve collaboration and communication, bringing with them the security challenges we have learned to expect when adopting innovative technologies. Even if the platforms themselves are secure — and Slack and Teams both offer robust security capabilities — the way organizations use them can expose them to diverse types of attacks that leverage misconfigurations, insecure practices, third-party applications, and inevitable user mistakes. Security teams now find it challenging to detect and respond to attacks in communication and collaboration platforms, hindered by limited security processes, lack of relevant skills, and limitations on available technology.
The changes in the communication and knowledge management stack are also changing the culture in many organizations. In some organizations, Slack has become the primary communication channel – including document sharing, video calls, and chats. It replaces email for many tasks, embedding itself into the daily lives of users. Similarly, Teams encompasses a suite of integrated solutions that offer all these capabilities. The platforms are increasingly becoming primary sources of knowledge, replacing knowledge management repositories. Today, these platforms hold much more sensitive information than even the corporate email system or the internal knowledge management system.
Like any other technology platform, Slack and Teams can serve as a basis for attacks that take advantage of built-in features, insecure usage, and misconfigurations. While email has an ecosystem of security solutions and well-known best practices, many newer communications platforms have just a subset of these security solutions and practices in place.
Years of phishing attacks have made users suspicious of ordinary emails: they check the authenticity of new emails and use chat platforms to verify the legitimacy of an unusual message. However, few users suspect messages from a coworker on Slack or Teams. This means an attacker can use a single compromised account, as occurred in the EA breach, to deceive others and gain increased permissions or access. In addition, open channels and groups encourage conversation, and messages shared there are stored indefinitely and accessible to a compromised account. An attacker can search those messages for information to leverage, such as secret keys or passwords.
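A security team can measure this exposure itself. The following added example (not part of the original article) scans messages for credential-shaped strings and lists public-channel hits first, so the secrets can be rotated and the messages removed. The message fields (`channel`, `is_private`, `user`, `ts`, `text`) and the sample data are constructed assumptions, not either platform's export format.

```python
import re

# Credential formats with a recognisable shape; extend for the secrets your teams use.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd)\b\s*(?:is\b|[:=])\s*(\S{6,})"),
}

def redact(value):
    """Keep a short prefix so responders can identify the secret without re-leaking it."""
    return value[:4] + "*" * (len(value) - 4)

def scan_messages(messages):
    """Return redacted findings, public-channel exposures first."""
    findings = []
    for msg in messages:
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(msg["text"]):
                # Use the capture group when the pattern isolates the secret itself.
                secret = m.group(m.lastindex or 0)
                findings.append({
                    "kind": kind,
                    "channel": msg["channel"],
                    "public": not msg["is_private"],
                    "user": msg["user"],
                    "ts": msg["ts"],
                    "evidence": redact(secret),
                })
    findings.sort(key=lambda f: (not f["public"], f["channel"], f["ts"]))
    return findings

# Constructed sample messages; every value is fake.
SAMPLE = [
    {"channel": "ops-private", "is_private": True, "user": "U02",
     "ts": "1700000002.000200", "text": "staging password = Summer2024!"},
    {"channel": "general", "is_private": False, "user": "U01",
     "ts": "1700000001.000100", "text": "deploy creds: AKIAIOSFODNN7EXAMPLE"},
    {"channel": "general", "is_private": False, "user": "U03",
     "ts": "1700000003.000300", "text": "my password manager is great"},
]

if __name__ == "__main__":
    for finding in scan_messages(SAMPLE):
        print(finding)
```

Findings carry only a redacted prefix, so the report itself does not become another place where the secret is stored.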
While Slack and Teams are excellent platforms that make business more efficient and collaborative, any platform that we use — including email, file collaboration, and video conferencing — introduces potential risk. Understanding and preparing for these risks can help organizations become more secure and resilient to these attacks.
Here are five points that can help security teams prepare for a potential Slack or Microsoft Teams breach:
- Culture: Do not underestimate how a company’s culture can affect security. Define a policy about what types of groups should stay public versus private, then enforce it and educate users about that policy.
- Permissions: Third-party applications often request extensive permissions. Make sure the team restricts them to the minimum permissions necessary to limit the impact of a third-party breach. It’s all too easy to forget what these applications have access to, so limiting it up front will save stress later.
- Backups: If Slack or Teams serves as a knowledge management repository in the organization, consider it a critical asset. Make sure the team sets up backups in the platform, either natively or through third-party vendors.
- Security features: At a minimum, make sure the team requires multi-factor authentication (MFA), directly or through a single sign-on (SSO) solution. Enable the security features available in the company’s platform, including added encryption, compliance, and security management.
- Forensics: Think of forensic analysis as the basis of any major breach response, so collect, analyze, enrich, and store logs for Slack or Microsoft 365. This makes incident investigation and response faster, so the team can contain the breach as quickly as possible with minimal impact.
The time the security team spends today thinking about the potential challenges and security risks of a breach in its communications and collaboration platforms will help the organization prepare for one. These five tips will help if – or when – the organization’s communications and collaboration platforms are breached by an attacker, and help the company return to business-as-usual quickly.