SaaS apps represent a shortened kill chain for attackers

BLACK HAT USA – Las Vegas – Thursday, August 8th – Organizations that expand their use of SaaS applications should rethink their ideas and approaches to the cyber kill chain.

SaaS applications have changed the modern organization's attack surface and eliminated or simplified several of the steps attackers traditionally needed to mount a successful attack, AppOmni researchers said in a talk at Black Hat USA 2024. Security teams must revise their defenses to keep pace with this new reality.

The SaaS Kill Chain

“The SaaS-based kill chain is an abbreviated approach from the perspective of MITRE ATT&CK tactics,” the researchers said. “Often, several steps are skipped or completely unnecessary for an attack to achieve its goal, and most defenses focus on the initial access phase.”

The software-as-a-service model is now almost ubiquitous. A study by Productiv conducted last year found that by the end of 2023, companies were using 342 SaaS applications on average, with operations teams the biggest users, followed by IT, sales and product teams. The most popular SaaS products included Confluence, Salesforce, Tableau, Atlassian Cloud and Jira.

AppOmni has found that the increasing use of such applications is giving attackers new – and often faster – ways to reach enterprise applications and data. The company’s researchers analyzed around 230 billion normalized SaaS audit log events from 24 different SaaS services and 1.9 million alerts over a six-month period to build a picture of the tactics, techniques and procedures (TTPs) used by attackers in SaaS environments.

The analysis showed that attackers often do not need to complete all seven steps of the traditional chain to carry out a successful SaaS attack. Lockheed Martin’s cyber kill chain, which has long been the basis for defending against attacks, identifies reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives as the steps an adversary must take to conduct a successful attack.

When attacking SaaS environments, “the kill chain from an attacker’s perspective is centralized into a few points: initial access and credential access, and collection and exfiltration,” Brandon Levene, senior product manager for threat detection at AppOmni, told Dark Reading.

Enter through the front door

In many of the attacks analyzed by AppOmni, attackers gained access to a company’s SaaS applications through an external-facing identity provider. “Usually they just come in through the front door with valid accounts,” Levene says. Attackers often use infostealers to harvest user credentials for cloud accounts, or tactics like credential stuffing, brute force and password spraying to obtain cloud account credentials – or they simply buy them on dark web markets, Levene says.

“Once you get past the IdP (identity provider) like Okta, Ping or Entra, all the applications behind it are freely available to you as an attacker,” he says. This means attackers don’t necessarily need to conduct reconnaissance to gather information about a target environment because they already have access to it.

Likewise, an attacker needs little time and resources to establish persistence in a compromised environment or enable lateral movement, because a valid credential gives them persistent and comprehensive access to everything they need. “Once you’ve compromised an external-facing identity provider like Okta, you no longer need persistence or lateral movement,” Levene says.

He points to two major attacks that AppOmni analyzed as examples of how attackers are targeting SaaS environments. In one of them, the threat actor logged into the IdP with a valid token and then changed the IP ranges allowed to authenticate to various applications. In just 10 minutes, the threat actor downloaded more than 100 files from cloud storage and information repositories. They also changed the authentication policies for some applications and changed the payment options for direct deposits, likely in an attempt to redirect funds. “They didn’t have to go through a VPN. They didn’t even bother to disguise their actual location. What they did was basically a break-in and theft,” Levene says.

He adds that many of the brute-force, password-spraying and credential-stuffing attacks observed by AppOmni targeted Microsoft 365 and originated from two major Chinese networks: ChinaNet and China Unicom.

Enabling greater visibility into SaaS environments is an important first step to protecting against such attacks, he notes. Organizations need to understand their attack surface, look at how their SaaS apps are configured, and monitor them. They also need to take full advantage of their IdP’s capabilities and features, such as MFA and hardware tokens. Levene adds that the goal should be to enforce a zero-trust access model for SaaS applications.
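The monitoring Levene recommends has to surface the two patterns described above: the password spraying and credential stuffing against the IdP, and the ten-minute break-in in which a valid token was followed by widened IP ranges, a bulk download, and then authentication-policy and direct-deposit changes. The following Python is an added illustration, not code from AppOmni or from this article. The flat event schema (`ts`, `app`, `actor`, `src_ip`, `action`, `outcome`, `target`), the action names such as `network_zone.update` and `file.download`, and every event in the sample log are assumptions constructed for the demo; real SaaS and IdP audit logs use vendor-specific field and event names and would need normalizing to something like this first.

```python
"""Two toy SaaS detections over normalized audit events (added example).

The schema and action names are assumptions, and all events are constructed
for the demo; they are not real telemetry and not AppOmni's data or code.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that widen or weaken who may authenticate (assumed names).
POLICY_ACTIONS = {"network_zone.update", "auth_policy.update", "mfa_policy.update"}
# Actions that move data or money once an attacker is inside (assumed names).
IMPACT_ACTIONS = {"file.download", "payment_method.update"}


def _ev(ts, actor, src_ip, action, outcome="success", app="idp", target=""):
    """One normalized audit event, stored the way a log line would arrive."""
    return {"ts": ts.isoformat(), "app": app, "actor": actor, "src_ip": src_ip,
            "action": action, "outcome": outcome, "target": target}


def build_sample_events():
    """Constructed log: a password spray, benign failures, and a post-auth break-in."""
    ev = []
    t0 = datetime(2024, 5, 1, 2, 0, 0)
    # Password spray: one source IP tries one password against many accounts.
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank", "grace"]):
        ev.append(_ev(t0 + timedelta(seconds=20 * i), user, "203.0.113.7", "login", "failure"))
    # One user mistyping a password three times: same IP, one account, must not alert.
    for i in range(3):
        ev.append(_ev(t0 + timedelta(minutes=5, seconds=10 * i), "ivan", "198.51.100.4", "login", "failure"))
    # Break-in: valid token, widen allowed IP ranges, bulk download, then touch money.
    t1 = datetime(2024, 5, 1, 3, 0, 0)
    bad_ip = "192.0.2.99"
    ev.append(_ev(t1, "svc-finance", bad_ip, "login"))
    ev.append(_ev(t1 + timedelta(seconds=30), "svc-finance", bad_ip,
                  "network_zone.update", target="allowed_ip_ranges"))
    for i in range(120):  # 120 downloads, four seconds apart, inside ten minutes
        ev.append(_ev(t1 + timedelta(minutes=1, seconds=4 * i), "svc-finance", bad_ip,
                      "file.download", app="storage", target=f"doc-{i}.pdf"))
    ev.append(_ev(t1 + timedelta(minutes=9), "svc-finance", bad_ip, "auth_policy.update", app="hr"))
    ev.append(_ev(t1 + timedelta(minutes=9, seconds=30), "svc-finance", bad_ip,
                  "payment_method.update", app="hr", target="direct_deposit"))
    return ev


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """Return {src_ip: distinct_accounts} for IPs whose failed logins hit at least
    min_users different accounts inside any window-long span (a sliding window
    per IP, so a single user's repeated typos never trigger it)."""
    failed = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["outcome"] == "failure":
            failed[e["src_ip"]].append((datetime.fromisoformat(e["ts"]), e["actor"]))
    hits = {}
    for ip, rows in failed.items():
        rows.sort()
        start, best = 0, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            best = max(best, len({u for _, u in rows[start:end + 1]}))
        if best >= min_users:
            hits[ip] = best
    return hits


def detect_policy_change_then_impact(events, window=timedelta(minutes=10), min_downloads=50):
    """Return one finding per actor who changes an auth/network policy and then,
    within window, downloads at least min_downloads objects. Other sensitive
    actions in the same window are listed so the analyst sees the whole sequence."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e["actor"]].append((datetime.fromisoformat(e["ts"]), e))
    findings = []
    for actor, rows in by_actor.items():
        rows.sort(key=lambda r: r[0])
        for i, (t, e) in enumerate(rows):
            if e["action"] not in POLICY_ACTIONS:
                continue
            later = [x for tx, x in rows[i + 1:] if tx - t <= window]
            downloads = sum(1 for x in later if x["action"] == "file.download")
            if downloads >= min_downloads:
                findings.append({
                    "actor": actor, "src_ip": e["src_ip"], "trigger": e["action"],
                    "downloads": downloads,
                    "other_sensitive": sorted({x["action"] for x in later
                                               if x["action"] in POLICY_ACTIONS | IMPACT_ACTIONS
                                               and x["action"] != "file.download"}),
                })
                break  # one finding per actor is enough for triage
    return findings


if __name__ == "__main__":
    evs = build_sample_events()
    print("password spray:", detect_password_spray(evs))
    for f in detect_policy_change_then_impact(evs):
        print("break-in:", f)
```

The second rule deliberately keys on the policy change rather than on the login itself: a login with a valid token from a new IP looks like any employee on a new network, but an account that first widens the allowed IP ranges and then pulls a hundred files inside ten minutes is the sequence the article describes, and the download count is the part an attacker cannot hide by coming in through the front door.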

By Bronte
