September 3, 2024

Account Takeover Protection: What It Is and How It Combats ATO Fraud

Think about how many employees work at your organization. Now think about how many sensitive files each one can access. A single compromised user account could lead to an extortion scam, a ransomware attack, or even a data breach. If you haven’t reviewed your account takeover protection protocols in a while, now is the time.

Account takeover (ATO) protection is not a single countermeasure, but rather a whole set of cybersecurity measures. Any safeguard against unauthorized account access is part of your overall ATO protection strategy. This could be as simple as teaching employees how to spot phishing techniques or as complex as reimagining your whole organization’s cybersecurity architecture.

In a world of high-profile data breaches and sophisticated social engineering techniques, it’s not difficult to compromise an unsuspecting user’s account. But with an educated workforce and proactive countermeasures, you can thwart threat actors before they can do any damage.

Common ATO tactics

What is account takeover? Simply put, it’s what happens when a threat actor compromises a legitimate user account and gains access to that user’s files, folders, and permissions. With a compromised account, an attacker could steal data or install malware. They could also impersonate a real user in order to deceive other members of an organization.

To take over an account, a threat actor almost always needs a valid username and password (or, where MFA is in place, a stolen session token that stands in for them). To acquire them, an attacker might use the following techniques:

Phishing

One of the most common types of cyber crime, phishing is a tried-and-true favorite of threat actors everywhere. Phishing scams are cheap to create, hard to trace, and have a decent chance of success.

In a typical phishing scam, a threat actor sends an email or other online message that claims to be from a legitimate party. This could be a known entity, such as a friend, family member, coworker, bank, credit card company, cloud services provider, or online store. However, it could also be a scare tactic from a purported government agency.

In any case, the message often looks official and may even appear to come from a legitimate address (the sender is “spoofed”). The threat actor alerts the user to some “problem” that requires an account login to address. A link in the message leads the user to a convincing facsimile of a real login page. The user enters their username and password (often along with other sensitive data), which go straight into a database the threat actor maintains. Some threat actors now circumvent multi-factor authentication (MFA) as well: the fake page relays the credentials to the real site in real time and captures the one-time code or the resulting session cookie, so the attacker ends up with an authenticated session rather than just a password.

Credential stuffing

Many account takeovers happen through no fault of the users themselves. When data breaches occur, cyber criminals gather the leaked usernames and passwords into databases and distribute them on the dark web. The organization that suffered the breach almost always resets passwords as a precaution, but that only protects accounts at that organization; it does nothing for the other sites where the same password was reused, which is exactly what credential stuffing exploits.

In a credential stuffing attack, a threat actor takes username and password pairs from a data breach and replays them, usually with automated tooling, against other sites. Users are notorious for reusing passwords across accounts, so some fraction of the pairs will simply work. If the account in question is an email service, the threat actor can also trigger password resets and MFA re-enrollment for other accounts and intercept the confirmation links and codes that land in the inbox, compounding the damage.
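The shape of a stuffing run is distinctive in an authentication log, and it is worth separating from ordinary brute force because the response differs: the accounts that successfully logged in from a stuffing source are ones whose passwords are already public and need resetting. The Python below is an added example, not code from the article or from Lookout; the event records, field layout and thresholds are constructed assumptions:

```python
"""Telling credential stuffing apart from brute force in an auth log.

Added example; not code from the original article or from any vendor.
The events, field layout and thresholds below are constructed assumptions.
"""
from collections import defaultdict

# Constructed sample events: (source_ip, username, outcome), in arrival order.
# 203.0.113.7 tries one breached pair per user (stuffing); 203.0.113.50 hammers
# a single user with many passwords (brute force); the rest are ordinary logins.
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice", "fail"),
    ("203.0.113.7", "bob", "fail"),
    ("203.0.113.7", "carol", "fail"),
    ("203.0.113.7", "dave", "success"),   # dave reused a breached password
    ("203.0.113.7", "erin", "fail"),
    ("203.0.113.7", "frank", "fail"),
    ("203.0.113.50", "heidi", "fail"),
    ("203.0.113.50", "heidi", "fail"),
    ("203.0.113.50", "heidi", "fail"),
    ("203.0.113.50", "heidi", "fail"),
    ("203.0.113.50", "heidi", "fail"),
    ("203.0.113.50", "heidi", "success"),
    ("198.51.100.2", "alice", "fail"),     # a real user mistyping once
    ("198.51.100.2", "alice", "success"),
    ("192.0.2.9", "grace", "success"),
]


def summarize_by_source(events):
    """Aggregate attempts, failures, distinct users and successful logins per source IP."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "hits": set()})
    for ip, user, outcome in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if outcome == "fail":
            s["failures"] += 1
        else:
            s["hits"].add(user)
    return per_ip


def classify_sources(events, min_attempts=5, min_fail_ratio=0.6, max_attempts_per_user=1.5):
    """Label each source IP as credential_stuffing, brute_force or normal.

    Both attack styles show a high failure ratio, but they differ in shape:
    credential stuffing spreads roughly one attempt over many usernames, while
    brute force stacks many attempts on one username. Any account that did log
    in from an attacking source is listed as likely compromised so it can be reset.
    """
    result = {}
    for ip, s in summarize_by_source(events).items():
        fail_ratio = s["failures"] / s["attempts"]
        attempts_per_user = s["attempts"] / len(s["users"])
        if s["attempts"] >= min_attempts and fail_ratio >= min_fail_ratio:
            label = "credential_stuffing" if attempts_per_user <= max_attempts_per_user else "brute_force"
        else:
            label = "normal"
        result[ip] = {
            "label": label,
            "distinct_users": len(s["users"]),
            "fail_ratio": round(fail_ratio, 2),
            "compromised": sorted(s["hits"]) if label != "normal" else [],
        }
    return result


if __name__ == "__main__":
    for ip, info in classify_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

A production detector would also key on ASN, user agent and a sliding time window rather than a whole batch, but the core signal is the same: a legitimate user does not try six different usernames, and a lone success among many failures from one source is an account to reset, not a login to celebrate.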

Social engineering

Phishing is a popular form of social engineering, but it’s not the only kind. An account takeover attack could also take the form of manipulation, coercion, or deception by a threat actor. For example, an attacker could impersonate a family member and solicit login information with a deepfake phone call. A pirated movie or video game could come bundled with a keylogger that transmits a user’s keystrokes back to a criminal outfit; the malware does the stealing, but the lure that got it installed is social engineering. Any time a threat actor exploits a person’s psychology rather than a flaw in hardware or software, it’s social engineering.

Best practices in account takeover protection

There are essentially two forms of account takeover protection: ones that rely on technology and ones that rely on people. Both are well understood and relatively simple to put in place, but neither is foolproof, so you should implement both. When skeptical, tech-savvy employees use secure, up-to-date systems, threat actors should have a hard time getting a foothold.

SSE technologies

Security service edge (SSE) refers to a collection of technologies that safeguard sensitive information in the cloud. In hybrid and remote work environments, employees can log in from almost anywhere. This can make it difficult to verify whether any given login attempt is a legitimate user or an attacker with a compromised account. SSE technologies include cloud access security brokers (CASB) to protect SaaS apps, zero trust network access (ZTNA) to protect private apps, and secure web gateways (SWG) to protect internet traffic. Together, these countermeasures can detect digital intruders and lock down access to sensitive materials.

Zero trust architecture

Zero trust architecture is the backbone of many account takeover solutions. As its name suggests, a zero trust system treats every access request as potentially coming from a threat actor, even when it arrives from inside the network. Instead of one login granting broad access, each request is checked against the user’s identity (including MFA), the health of the device it comes from, and the context of the request. Sessions are short-lived: the system periodically logs users out and makes them re-authenticate, and asks for a fresh MFA challenge when the context changes. Each user has the minimum set of permissions required to do their job, and the system continuously monitors for irregular behavior. Even if an attacker manages to get into a zero trust environment, they may not be able to stay logged in for long or reach anything beyond the compromised user’s narrow entitlements.
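As an added example (not the article’s or any vendor’s code), the policy function below makes one such per-request decision. The request fields, the session and MFA lifetimes, the role entitlements and the sensitivity labels are all assumptions chosen to illustrate the rules, not settings from any product:

```python
"""Per-request access decision in the zero trust style described above.

Added example; not the article's code or any vendor's policy engine. The
request fields, lifetimes, role entitlements and sensitivity labels are
assumptions made for illustration.
"""
from dataclasses import dataclass

SESSION_MAX_AGE_S = 8 * 3600   # hard session lifetime: full re-login after this
MFA_MAX_AGE_S = 15 * 60        # how fresh MFA must be for sensitive resources

# Least privilege: each role is entitled only to what its job needs.
ENTITLEMENTS = {
    "engineer": {"source-repo", "ci-logs"},
    "finance": {"payroll-db", "invoices"},
}
SENSITIVE = {"source-repo", "payroll-db"}


@dataclass
class Request:
    user: str
    role: str
    resource: str
    now: int             # epoch seconds at the time of the request
    session_start: int   # when the current session was established
    last_mfa: int        # when the user last completed an MFA challenge
    device_managed: bool
    device_patched: bool
    country: str         # where the request comes from
    usual_country: str   # where this user normally works from


def decide(req: Request) -> str:
    """Return 'allow', 'step_up' (re-verify MFA now), 'reauthenticate' or 'deny'.

    Checks are ordered so that hard failures are never downgraded to a step-up:
    an attacker on an unmanaged device is refused outright rather than invited to
    answer an MFA prompt they may already be able to relay.
    """
    if req.resource not in ENTITLEMENTS.get(req.role, set()):
        return "deny"                       # not entitled, regardless of who you are
    if not req.device_managed:
        return "deny"                       # unknown device: no corporate data at all
    if req.now - req.session_start > SESSION_MAX_AGE_S:
        return "reauthenticate"             # session too old: full login again
    if req.resource in SENSITIVE:
        if not req.device_patched:
            return "deny"                   # sensitive data only from healthy devices
        mfa_stale = req.now - req.last_mfa > MFA_MAX_AGE_S
        location_changed = req.country != req.usual_country
        if mfa_stale or location_changed:
            return "step_up"                # context changed: prove presence again
    return "allow"


def example_request(**overrides) -> Request:
    """A healthy baseline request; override single fields to probe each rule."""
    base = dict(user="alice", role="finance", resource="payroll-db", now=10_000,
                session_start=9_000, last_mfa=9_500, device_managed=True,
                device_patched=True, country="US", usual_country="US")
    base.update(overrides)
    return Request(**base)


if __name__ == "__main__":
    print(decide(example_request()))                        # allow
    print(decide(example_request(country="RO")))            # step_up
    print(decide(example_request(device_managed=False)))    # deny
```

The ordering is the point a reviewer should check: entitlement and device checks come before anything that could return a step-up, so a stolen session on an unmanaged device gets nothing, and a non-sensitive resource such as invoices never triggers an MFA prompt just because the last challenge is old.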

UEBA monitoring

User and entity behavior analytics (UEBA) is an important process in account takeover detection. While most ATO protection tools are preventive, UEBA can identify an attacker after they’ve already gained access to your organization’s systems. Using machine learning (ML) algorithms, UEBA “learns” each user’s typical behavior over time — which devices they use, which files they access, which programs they need, where and when they normally log in — and flags deviations for an administrator to review.
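A stripped-down version of that baseline-and-score idea, as an added example rather than anything from the article or from a UEBA product. The history, the feature weights and the review threshold are constructed for illustration, where a real engine would learn them from volume and keep adapting:

```python
"""Per-user behavioral baseline and anomaly scoring, a stripped-down
illustration of the UEBA idea described above.

Added example; not the article's code or any product's model. The history,
feature weights and threshold are constructed assumptions. A real UEBA engine
learns these from volume and adapts over time; here they are fixed by hand.
"""
from collections import Counter, defaultdict

# Constructed history: (user, device, country, hour_of_day, resource).
HISTORY = [
    ("alice", "laptop-a1", "US", 9, "hr-share"),
    ("alice", "laptop-a1", "US", 10, "hr-share"),
    ("alice", "laptop-a1", "US", 11, "email"),
    ("alice", "laptop-a1", "US", 14, "hr-share"),
    ("alice", "phone-a2", "US", 17, "email"),
    ("alice", "laptop-a1", "US", 16, "hr-share"),
]

# Assumed weights: a new country is the strongest single signal, an odd hour the weakest.
WEIGHTS = {"device": 0.3, "country": 0.4, "hour": 0.1, "resource": 0.3}


def build_baseline(history):
    """Learn, per user, the devices, countries, hours and resources seen so far."""
    baseline = defaultdict(lambda: {"device": Counter(), "country": Counter(),
                                    "hour": Counter(), "resource": Counter()})
    for user, device, country, hour, resource in history:
        b = baseline[user]
        b["device"][device] += 1
        b["country"][country] += 1
        b["hour"][hour] += 1
        b["resource"][resource] += 1
    return baseline


def score_event(baseline, event):
    """Return (score, reasons). Each feature outside the user's baseline adds its weight.

    A single new attribute (a replacement laptop) stays under the review
    threshold; a new device *and* a new country *and* an odd hour together cross
    it, which is the shape of an attacker using stolen credentials.
    """
    user, device, country, hour, resource = event
    b = baseline.get(user)
    if b is None:
        return 1.0, ["no baseline for user"]   # unknown user: always review
    score, reasons = 0.0, []
    if device not in b["device"]:
        score += WEIGHTS["device"]
        reasons.append(f"new device {device}")
    if country not in b["country"]:
        score += WEIGHTS["country"]
        reasons.append(f"new country {country}")
    if not any(abs(hour - h) <= 1 for h in b["hour"]):
        score += WEIGHTS["hour"]
        reasons.append(f"unusual hour {hour:02d}:00")
    if resource not in b["resource"]:
        score += WEIGHTS["resource"]
        reasons.append(f"first access to {resource}")
    return round(score, 2), reasons


def flag_events(baseline, events, threshold=0.5):
    """Return (event, score, reasons) for every event that reaches the review threshold."""
    flagged = []
    for event in events:
        score, reasons = score_event(baseline, event)
        if score >= threshold:
            flagged.append((event, score, reasons))
    return flagged


if __name__ == "__main__":
    bl = build_baseline(HISTORY)
    for item in flag_events(bl, [("alice", "laptop-a1", "US", 10, "hr-share"),
                                 ("alice", "win-x9", "RO", 3, "finance-db")]):
        print(item)
```

The reasons list is what makes the alert reviewable: an administrator sees "new device, new country, 03:00, first access to finance-db" and can decide in seconds, whereas a bare score tells them nothing about what to check.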

Employee training

Using software to safeguard your systems isn’t enough. You also need to teach your staff the basics of account takeover prevention. Your employees should know what a phishing email looks like. They should be leery of messages from “coworkers” who need login credentials, particularly if the request is urgent or arrives through an unusual channel. Enforce a sensible bring-your-own-device (BYOD) policy. Ensure that MFA is active on every work-related account, and prefer phishing-resistant methods (such as FIDO2 security keys or passkeys) over one-time codes where you can, since codes can be relayed by the same fake login pages that steal passwords.

Above all else, there should be a fast, simple way to report any social engineering attempt to the IT and security teams. Threat actors will have a much harder time against a whole team working in concert.

Secure your accounts with a data-centric platform

With the rise of hybrid and remote work, account takeover protection is more important than ever before. In the past, a threat actor with stolen credentials could often reach only a single computer or on-premises server. Now, the same credentials may unlock SaaS applications, cloud consoles, and all of the data behind them. To protect your sensitive information, you need a data-centric platform.

Lookout offers a cloud-native, data-centric SSE solution that protects both online and on premises. Instead of running half a dozen programs that don’t communicate with each other, you can manage your organization’s data security from a single platform. To learn more, read our e-book Consolidating IT Security? Here’s Why You Need a Data-Centric Platform.

Consolidating IT Security? Here’s Why You Need a Data-Centric Platform

Point solutions may have worked before, but they won't give you the visibility, scalability, and control required to tackle new challenges in the cloud.

Book a personalized, no-pressure demo today to learn:

  • How adversaries are leveraging avenues outside traditional email to conduct phishing on iOS and Android devices
  • Real-world examples of phishing and app threats that have compromised organizations
  • How an integrated endpoint-to-cloud security platform can detect threats and protect your organization