Slack Security: Break it or Make it!

Ashish Bansal
7 min read · Oct 4, 2022


Slack, the “Email slayer”, is the de facto communication tool for most start-ups. It lets you create chat groups/rooms, which Slack calls “Channels”.

It lets employees collaborate efficiently: you can share files like .doc, .txt or .pem over DM or in channels with a single click.

Another awesome feature is that Slack lets you configure 3rd-party plugins like Gdrive, Dropbox, other customized apps or Slack Bots in a way that lets them consume the channel conversations and perform functions like ‘auto greet’ or ‘reply’.

Love Me or Hate Me but you can’t avoid me!

So, it’s easier for any Dev team to collaborate over Slack than over email: you can share your team documentation or have separate automated monitoring notification channels. Just add the person to your channel; there is no need to repeatedly forward the same or historical email trails.

Even better, Slack lets you get into voice or video calls, known as “Huddle”, and create automated ‘workflows’ that turn routine tasks into automated processes. Most companies, particularly startups, like to use Slack because it is easy to set up, enables easy collaboration and, yes, it’s cool.

Slack lets you perform a few straightforward searches, with filters at channel, individual or file level. But good technology comes with its own challenges: the content you share in Slack can be viewed or used by someone with bad intent.

Let’s dive in and understand the pitfalls and our safety nets.

Security issues with Slack:

1. Encryption: In messaging apps, encryption ensures that your conversations aren’t intercepted by 3rd parties and that only the intended recipient can read a message, so no eavesdropping.

Slack encrypts your messages in transit and at rest, but not end-to-end by default, as that would technically limit its search capability and third-party integrations.

But Slack offers a paid feature called “Enterprise Key Management (EKM)” that provides an added layer of protection for your Slack. It lets customers use their own encryption keys, stored in AWS KMS, to encrypt data such as messages, files and other information in Slack.

So, if you are looking for extra security and granular control over your Slack, explore this feature.

2. Public Channels: Channels (groups) created in Slack are “Public” by default, which means you have to explicitly make your channel private. Also note that private channels cannot be converted to public, but public channels can be converted to private, with a few exceptions: for example, ‘files’ can’t be made private.

Also note that #general cannot be made private, so all newly onboarded members are automatically added and cannot leave this channel. A Slack Admin can set the channel’s posting permissions so that only a few accounts are allowed to post in it.

3. Content Verification: Most companies have Slack channels like Memes or Jokes for employee engagement, where employees are allowed to share external content, and they might end up sharing unverified or malicious links.

Hey, I am in no way asking you to stop this practice of employee engagement :-). They are good!

Currently, Slack doesn’t scan the URLs or files that you share over DM or in channels.

Slack does crawl the posted links and gives you a pre-loaded preview, also called “link unfurling”. But this only gives a preview of the URL and in no way declares it safe to browse.

Content Scanning

So, you may have to use a platform like ‘Avanan’ from Check Point that “sandboxes” every file before it is downloaded, scans it and can quarantine malicious files.

4. Easy Slack 3rd-party integrations: Slack has a huge directory of apps that can be enabled on a workspace. This opens the floodgates to various security challenges; for example, a compromised Slack account was used to exfiltrate confidential data via the Gdrive plugin in a government organization (18F).

Slack also allows users to create custom apps and use them as Slack add-ons. Such apps may ask for permissions to read messages, reply in channels, perform particular actions and store other user information from Slack.

Such permissions are called “Scopes” in Slack. You may also like to read the Slack documentation that gives an easy explanation to “understand app permissions”.

Slack App Approvals: I recommend that companies have a proper “security approval” process for any new 3rd-party or custom app integration in Slack. By default, members can install any app in your organization’s Slack, so it’s important to put proper controls on it.

Many companies with mature security teams have already made this a prerequisite for Slack app installation, but many upcoming startups still need to move in this direction.

Slack App Approval Process is crucial

Some initial effort is required to build this approval process, but after that it’s just about spending half an hour a day administering it.

Let me share a few steps that can help you get started with your app approval process.

  • Create a list of pre-approved and restricted apps.
  • Control who can install apps in your Workspace.
  • Enable App approval settings under Slack’s Settings & administration > Manage Apps > App Management Settings > Require App Approval (Enable).
  • Go through the permissions that the app requires. Refer: Scopes
  • Have a proper approval request set up on a tool like Jira, with questions such as:
    A. Business case and justification. (All the whys)
    B. How long does the app need to be enabled?
    C. Reference to the 3rd-party app’s privacy and data storage policy.
    D. PIC for app-related issues.
    E. What assets are being used and how is data stored?
    F. How will the app token be managed or stored?
    G. Proper security code review for custom-built external apps/bots.

5. Easy Slack Installation: Some individuals are able to exfiltrate data by messaging themselves in Slack, then installing Slack on a personal device and downloading the file. Voilà!

But Slack’s answer to this is “EMM (Enterprise Mobility Management)”, which lets the Admin “Block file downloads and copying on unmanaged devices”.

Now that’s something you didn’t expect Slack can do. :-P

6. Sensitive Details: It’s common practice among devs and other teams to share sensitive documents related to budgeting or business intelligence, or even scripts with hard-coded credentials, in open Slack channels.

Sometimes they have shared Admin credentials, and those too are openly posted in a Slack channel.

Slack supports keyword searching, so it is easy to search for words like “bank details”, “Budgeting”, “pricing” or even “password” in the Slack Search option.

Try it if you haven’t, and I bet you’ll do some good threat hunting!

Solutions to avoid the exposure:

A. Set up notifications for particular keywords mentioned in channels: Slack > Preferences > My Keywords > “Enter Keywords”.

B. You can create a Slack bot that auto-responds to a particular word mentioned in the channel, for example “Password:”, “Api-Key” etc.

The auto-response can be a warning asking the user to delete or edit the message. The next question would be: can we mask the particular word? No, we can’t, but we can create logic to delete the complete message.

Another solution would be to use enterprise-level DLP tools like Cisco Cloudlock, Gamma.Ai or FireEye. They let you create regex patterns to identify PII and other sensitive data, and can also notify the individual about the violation and quarantine the message until it is approved.

Source: Sebastian https://dribbble.com/shots/16073734-

You cannot make changes to the original message, but Admins have the capability to delete the entire message.

Slack’s Discovery API, available to Enterprise customers, lets them export the messages and files from a workspace and run pattern matching against them. Regex patterns for bank details, DOB, passwords, secrets, etc. can be matched against the data.

The same mechanism is used by enterprise DLPs; however, you can also use a few open source tools like Slack Watchman and Slack Pirate that let you interact with the Slack API, pull the data and match patterns against it.

The above open source tools are widely used by security teams and hackers to scrutinize a Slack workspace for juicy data, identifying and detecting sensitive information that shouldn’t have been posted in open channels.
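As an added example (not code from the original article, from Slack, or from any of the tools it names), here is the pattern-matching half shared by the keyword bot in point B and the Discovery API export scan above: a small Python scanner that runs secret-shaped regexes over a list of messages in the shape of Slack’s conversations.history output, masks each hit for logging, and tags it with the response the bot would take. The channel and user IDs, message text and the ‘warn’/‘delete’ split are assumptions; the AWS key is the placeholder value from AWS documentation.

```python
import re

# Constructed sample shaped like Slack's conversations.history output; the AWS
# key is the placeholder from AWS documentation, every other value is made up.
SAMPLE_MESSAGES = [
    {"channel": "C0GENERAL", "ts": "1664841600.000100", "user": "U01",
     "text": "Deploy done, the pwd command output is in the thread"},
    {"channel": "C0DEVOPS", "ts": "1664841660.000200", "user": "U02",
     "text": "Password: Sup3rSecret! for the staging admin box"},
    {"channel": "C0DEVOPS", "ts": "1664841720.000300", "user": "U03",
     "text": "aws creds AKIAIOSFODNN7EXAMPLE / ask me for the secret"},
    {"channel": "C0BOTS", "ts": "1664841780.000400", "user": "U04",
     "text": "Api-Key=sk_live_constructed_0123456789abcdef for the greeter bot"},
    {"channel": "C0BOTS", "ts": "1664841840.000500", "user": "U04",
     "text": "-----BEGIN RSA PRIVATE KEY----- (pasted, truncated)"},
]

# Rule name -> (regex, response). Regexes key on the shape of the secret, so
# chatter like "the pwd command" does not fire. Machine credentials with a
# recognisable format are deleted outright; free-text passwords and API keys
# get a warning asking the poster to edit or delete the message (assumed policy).
RULES = {
    "password": (re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.I), "warn"),
    "api_key": (re.compile(r"\bapi[-_ ]?key\s*[:=]\s*([A-Za-z0-9_-]{16,})", re.I), "warn"),
    "aws_access_key_id": (re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), "delete"),
    "slack_token": (re.compile(r"\b(xox[abp]-[0-9A-Za-z-]{10,})\b"), "delete"),
    "private_key": (re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "delete"),
}


def mask(secret):
    """Keep a 4-char prefix for triage; never write the full secret to a log."""
    return secret[:4] + "*" * (len(secret) - 4)


def scan_messages(messages):
    """Return one finding per (message, rule) hit, with the secret masked."""
    findings = []
    for msg in messages:
        for name, (rx, action) in RULES.items():
            m = rx.search(msg.get("text", ""))
            if m:
                findings.append({
                    "channel": msg["channel"], "ts": msg["ts"], "user": msg["user"],
                    "rule": name, "masked": mask(m.group(m.lastindex or 0)),
                    "action": action,
                })
    return findings
```

The `channel` and `ts` fields in each finding are exactly what a bot needs to post a warning in-thread or call Slack’s message deletion on the offending message.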

Some other pointers that may help secure your company’s Slack setup:

1. Have dedicated Slack Administrators from IT or Security teams.
2. Store tokens in vaults; never hard-code a token in a public repo.
3. Restrict app API access to an allowed list of IPs.
4. Enable token rotation, as tokens never expire by default.
5. Tie your org’s SSO to Slack, enforce 2FA and session timeouts.
6. Remove orphaned accounts and apps.
7. Enable Slack Audit logs and set up correlation rules for them in your SIEM.

~Please reach out to me for any edits to my above article.
Keep Learning!
