Examine other types of attacks


Two other types of attacks worth mentioning are password cracking and malicious insider attacks. Hackers often use these attacks as part of the kill chain of events.

Password cracking

In this scenario, an attacker acquires access to an application, service, or data store that allows them to try many different password combinations for an account. Attackers use specialized software that tries thousands upon thousands of combinations in a short amount of time. If the password is short, weak, common, or the same as another account password owned by the user, the chances are good that an attacker can guess the password and compromise the account.

Preventing password cracking

Microsoft 365 uses Microsoft Entra ID for authentication when organizations don't enable federation. Microsoft Entra ID temporarily disables an account after multiple sign-in failures. This process is referred to as smart password lockout. Keep in mind that organizations store credentials in many other places, which gives attackers other targets for their cracking operation. If an organization doesn't use Microsoft Entra ID for authentication, Microsoft recommends enabling directory controls against multiple failed sign-in attempts. This process disables an account after several failed attempts. Organizations must determine the number of failed attempts they support.
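To make the effect of the failed-attempt threshold concrete, the following Python example (added here; it is not Microsoft's code and does not reproduce how smart password lockout works internally) replays constructed sign-in events through a generic threshold lockout. The class name `LockoutPolicy` and the threshold, window, and duration values are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

class LockoutPolicy:
    """Generic threshold lockout (hypothetical; not Entra ID's smart lockout)."""

    def __init__(self, threshold=5, window=timedelta(minutes=10),
                 duration=timedelta(minutes=15)):
        self.threshold, self.window, self.duration = threshold, window, duration
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}               # account -> time the lock expires

    def attempt(self, account, when, password_ok):
        """Return 'locked', 'ok' or 'fail' for one sign-in attempt."""
        if when < self.locked_until.get(account, datetime.min):
            return "locked"                  # rejected without checking the password
        if password_ok:
            self.failures[account].clear()   # a good sign-in resets the counter
            return "ok"
        recent = self.failures[account]
        recent.append(when)
        while recent and when - recent[0] > self.window:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= self.threshold:
            self.locked_until[account] = when + self.duration
            recent.clear()
        return "fail"

def replay(events, **policy_args):
    """Run (account, time, password_ok) events through a fresh policy."""
    policy = LockoutPolicy(**policy_args)
    return [policy.attempt(a, t, ok) for a, t, ok in events]

# Constructed sample: six rapid bad guesses, then the real user signs in twice.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE = [("alice", T0 + timedelta(seconds=s), False) for s in range(6)]
SAMPLE.append(("alice", T0 + timedelta(minutes=5), True))    # lock still active
SAMPLE.append(("alice", T0 + timedelta(minutes=20), True))   # lock has expired

if __name__ == "__main__":
    for (acct, t, ok), result in zip(SAMPLE, replay(SAMPLE)):
        print(t.time(), acct, "good-pw" if ok else "bad-pw", "->", result)
```

With a threshold of 5, the guessing burst is cut off, but the legitimate user's correct password is also refused while the lock is active; that availability cost is what an organization weighs when it picks the number of failed attempts.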

Malicious insider

In this scenario, one of your approved users is conducting illicit activities in your tenant. These sorts of attacks can be the most damaging. The user usually knows a lot about your company. They also clearly understand how to maximize the negative effect on the company and its data. Motivations for a malicious insider vary, but typical ones include:

  • They're disgruntled employees looking for ways to make extra money.
  • They want to cause issues for others before leaving the company.
  • They want to harm specific individuals or the organization as a whole.

A malicious insider might even take steps to ensure long-term access by building in backdoor accounts, or go straight to exfiltrating or deleting sensitive data. Users with administrative rights are typically the most dangerous malicious insiders.

Preventing the malicious insider scenario

As with the other scenarios in the kill chain, organizations must ensure they secure their accounts, manage privileges well, and protect their data effectively. In most cases, an attacker achieves all the required prerequisites to execute any attack. As a result, the focus on prevention should be to ensure that you have:

  • Processes that enable you to discern motive.
  • Ways to identify disgruntled or unhappy employees.
  • Ways to protect yourself from short-term vendors and contingent staff by implementing access controls and auditing.