{"id":4767,"date":"2024-08-08T08:00:00","date_gmt":"2024-08-08T13:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/application-security\/saas-apps-present-abbreviated-kill-chain-for-attackers"},"modified":"2024-08-08T08:00:00","modified_gmt":"2024-08-08T13:00:00","slug":"saas-apps-present-an-abbreviated-kill-chain-for-attackers","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/08\/08\/saas-apps-present-an-abbreviated-kill-chain-for-attackers\/","title":{"rendered":"SaaS Apps Present an Abbreviated Kill Chain for Attackers"},"content":{"rendered":"<div class=\"media_block\"><a href=\"https:\/\/i0.wp.com\/eu-images.contentstack.com\/v3\/assets\/blt6d90778a997de1cd\/blteaee7d70c6cf3afa\/66b2b7743a0ddd5a6bf34cb8\/saas_Funtap_shutterstock.jpg?ssl=1\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/saas-apps-present-an-abbreviated-kill-chain-for-attackers.jpg?w=640&#038;ssl=1\" class=\"media_thumbnail\"><\/a><\/div>\n<div><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/saas-apps-present-an-abbreviated-kill-chain-for-attackers.jpg?w=640&#038;ssl=1\" class=\"ff-og-image-inserted\"><\/div>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><span class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_bold\">BLACK HAT USA \u2013 Las Vegas \u2013 Thursday, Aug. 
8 \u2013<\/span><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> Organizations that are expanding their use of SaaS applications may want to revise their notions of \u2014 and approaches to \u2014 the cyber kill chain.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">SaaS applications have transformed the modern organization&#8217;s <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/cyber-risk\/growing-saas-usage-means-larger-attack-surface\" rel=\"noopener\">attack surface<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> and eliminated \u2014 or made easier \u2014 several of the steps that adversaries have traditionally needed to execute a successful attack, researchers at AppOmni said in a talk at Black Hat USA 2024. &nbsp;Security teams need to revise and readjust their defenses to keep ahead of the new reality.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"The SaaS Kill Chain\">The SaaS Kill Chain<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;The SaaS-enabled kill chain, when considered from the lens of MITRE ATT&amp;CK tactics, is abbreviated,&#8221; the researchers said. 
&#8220;Several steps are often skipped or entirely unnecessary for an attack to accomplish their goals and the majority of defenses are focused on the initial access stage.&#8221;<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The software-as-a-service model has become nearly ubiquitous. Research<\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/productiv.com\/state-of-saas\/2024-saas-trends-growth\/?utm_source=google&amp;utm_medium=paid-search&amp;utm_campaign=google-search-state-of-saas-trends&amp;utm_content=text-ad&amp;utm_term=procurement-terms&amp;kw=saas%20user%20adoption&amp;cpn=13555450935&amp;gad_source=1&amp;gclid=CjwKCAjwk8e1BhALEiwAc8MHiNvr-y6CRtaacyViRONgi6aGAlcPwVrF9Tb_souiz_6uVVmE5wXDmhoCGroQAvD_BwE?utm_source=google&amp;utm_medium=paid-search&amp;utm_campaign=google-search-state-of-saas-trends&amp;utm_content=text-ad&amp;utm_term=procurement-terms&amp;kw=saas%20user%20adoption&amp;cpn=13555450935&amp;gad_source=1&amp;gclid=CjwKCAjwk8e1BhALEiwAc8MHiNvr-y6CRtaacyViRONgi6aGAlcPwVrF9Tb_souiz_6uVVmE5wXDmhoCGroQAvD_BwE#the-average-saas-portfolio-decreased-to-342-apps-dropping-from-374-in-2022\" rel=\"noopener\"> Productiv<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> conducted last year revealed organizations, on average, used a staggering 342 SaaS applications at the end of 2023, with operations teams being the biggest users, followed by IT, sales, and product teams. 
Among the most popular SaaS products were Confluence, Salesforce, Tableau, Atlassian Cloud, and Jira.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">AppOmni found the growing use of such applications gives adversaries new \u2014 and often quicker \u2014 ways to target enterprise applications and data than before. Researchers at the company analyzed some 230 billion normalized SaaS audit log events from across 24 different SaaS services and 1.9 million alerts over a six-month period to get an idea of attacker tactics, techniques, and procedures (TTPs) in SaaS environments.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">The analysis showed that attackers often don&#8217;t need to execute all seven steps of the traditional chain to launch a successful SaaS attack. 
<\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.lockheedmartin.com\/en-us\/capabilities\/cyber\/cyber-kill-chain.html\" rel=\"noopener\">Lockheed Martin&#8217;s cyber kill chain<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> \u2014 which has long been used as a basis for <\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"><a class=\"ContentText-BodyTextChunk ContentText-BodyTextChunk_link\" target=\"_blank\" href=\"https:\/\/www.darkreading.com\/cyber-risk\/beyond-mitre-att-ck-the-case-for-a-new-cyber-kill-chain\" rel=\"noopener\">defending against attacks<\/a><\/span><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\"> \u2014 identifies reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives as actions an adversary must complete to pull off a successful attack.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">With attacks on SaaS environments, &#8220;the kill chain from an attacker&#8217;s perspective is really centralized down to a couple of points: initial access and credential access, and collection and exfiltration,&#8221; Brandon Levene, principal product manager, threat detection, at AppOmni tells Dark Reading.<\/span><\/p>\n<h2 class=\"ContentText ContentText_variant_h2 ContentText_align_left\" data-testid=\"content-text\" id=\"Walking in Through the Front Door\">Walking in Through the Front Door<\/h2>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" 
data-testid=\"content-text\">In many of the attacks that AppOmni analyzed, adversaries gained access to an organization&#8217;s SaaS applications through an externally facing identity provider. &#8220;Usually, they just walk in through the front door with valid accounts,&#8221; Levene says. Attackers often use infostealers to grab user credentials to cloud accounts or tactics like credential stuffing, brute force, and password spraying to acquire credentials to cloud accounts \u2014 or they simply purchase them in Dark Web markets, according to Levene.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">&#8220;Once you are past the IdP [identity provider] like an Okta, or a Ping or an Entra, all applications behind that are freely available to you as the attacker,&#8221; he says. That means attackers don&#8217;t have to necessarily conduct reconnaissance to gather information on a target environment because they already have access to it.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Similarly, an attacker needs little time and resources to establish persistence on a compromised environment or enable lateral movement because a valid credential gives them persistent and wide access to whatever they need. &#8220;Once you compromise an externally facing identity provider like Okta, you don&#8217;t need persistence or lateral movement,&#8221; Levene says.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">He points to two large attacks that AppOmni analyzed as examples of how adversaries target SaaS environments. 
In one of them, the threat actor logged into the IdP using a valid token and then modified the IP ranges that were allowed to authenticate to various applications. In just 10 minutes, the threat actor downloaded more than 100 files from cloud storage and information repositories. They also modified authentication policies for some applications and changed direct deposit payment choices in a likely attempt to redirect funds. &#8220;They didn&#8217;t have to go through a VPN. They didn\u2019t even bother to obfuscate their real location. What they did was basically smash and grab,&#8221; Levene says.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">He adds that many of the brute force, password spraying, and credential stuffing attacks that AppOmni observed targeted Microsoft O365 and came from two large Chinese networks: ChinaNet and China Unicom.<\/span><\/p>\n<p class=\"ContentParagraph ContentParagraph_align_left\" data-testid=\"content-paragraph\"><span class=\"ContentText ContentText_variant_bodyNormal\" data-testid=\"content-text\">Enabling better visibility across SaaS environments is a key first step to protecting against such attacks, he notes. Organizations need to understand their attack surface, look at how their SaaS apps are configured, and monitor them. They must also fully leverage their IdP&#8217;s capabilities and features like MFA and hardware tokens. Levene adds that the goal should be to enforce a zero-trust access model to SaaS applications.<\/span><\/p>\n<p><a href=\"https:\/\/www.darkreading.com\/application-security\/saas-apps-present-abbreviated-kill-chain-for-attackers\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>BLACK HAT USA \u2013 Las Vegas \u2013 Thursday, Aug. 
8<\/p>\n","protected":false},"author":12,"featured_media":4768,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-4767","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/saas-apps-present-an-abbreviated-kill-chain-for-attackers.jpg?fit=1920%2C1080&ssl=1",1920,1080,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/saas-apps-present-an-abbreviated-kill-chain-for-attackers.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/saas-apps-present-an-abbreviated-kill-chain-for-attackers.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/saas-apps-present-an-abbreviated-kill-chain-for-attackers.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/saas-apps-present-an-abbreviated-kill-chain-for-attackers.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/saas-apps-present-an-abbreviated-kill-chain-for-attackers.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/saas-apps-present-an-abbreviated-kill-chain-for-attackers.jpg?fit=1920%2C1080&ssl=1",1920,1080,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/saas-apps-present-an-abbreviated-kill-chain-for-attackers.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/saas-apps-present-
an-abbreviated-kill-chain-for-attackers.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/saas-apps-present-an-abbreviated-kill-chain-for-attackers.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/08\/saas-apps-present-an-abbreviated-kill-chain-for-attackers.jpg?fit=1920%2C1080&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4767","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=4767"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/4767\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/4768"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=4767"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=4767"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=4767"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}