We recently covered the overall state of Software-as-a-Service (SaaS) security, highlighting the market explosion, some key benefits to organizations, notable breaches over the prior 12 months, and general thoughts on moving forward more securely. As a follow up to that, I wanted to dive a bit deeper into the breaches and some guidance on common tactics, techniques, and procedures (TTPs) that we’re seeing. Threat actors are getting much more aggressive in this space, with organizational training and employee situational awareness still lagging behind.
As outlined in the first blog, 8 out of the 10 larger SaaS breaches we listed were largely the result of a customer or vendor breakdown such as a misconfiguration or credential attack. Only a few of these high-profile data leaks involved any exploitation of the software or website itself, even after initial access. This is in line with Gartner projecting “99% of cloud security failures will be the customer’s fault” within a couple years (Is The Cloud Secure).
The threats that SaaS and cloud providers face are not isolated to a single actor type or motivation either. Nation state and advanced persistent threat actors target SaaS providers for sensitive data, intellectual property, or trade secrets. Hacktivists actively cause disruptions or leak sensitive information from platforms and providers used by organizations or governments they disagree with, or entities that have taken a stance on a geopolitical topic they oppose. Ransomware or extortion groups may target SaaS and cloud providers for financial gain or the ability to pivot into multiple customer victims from a single-entry point to maximize profits.
With that, I would like to focus on the overlapping techniques rather than a handful of specific threat actors. This will help provide a more extensive view of the common TTPs used to target this space. It is worth noting that the TTPs highlighted below are not exclusive to SaaS and cloud-based attacks, making the guidance at the end applicable beyond this topic.
As with nearly anything, preparation is key. Actors begin by collecting host (T1592) and identity (T1589) information, especially email addresses (T1589.002) and user credentials (T1589.001). These may be collected through passive means, such as searching previous disclosures or data dumps, or through more active means such as direct phishing for information (T1598). Access or credentials can also be purchased from access brokers on dark web marketplaces to simplify the reconnaissance and initial access steps needed.
Once any reconnaissance is complete, it is time to utilize that intelligence gained so far. This often entails establishing infrastructure, such as domains (T1583.001) for impersonation or social engineering. It may also involve beginning to establish accounts (T1585.001) that will be used for targeting or go a step further with actual account compromise (T1586) for use within the primary attack.
At this point it is time to get in. Occasionally this relies on 0days or direct exploitation of the target infrastructure (T1190), although as noted this is less frequent here than in some other sectors. More frequently, initial access is gained through phishing (T1566, T1660) or spearphishing (T1566.001, T1566.002, T1566.004). In some cases, the actor may leverage an existing, trusted relationship (T1199) – this wouldn’t immediately achieve their intentions but can help to secure a connection to the infrastructure for the adversaries.
After access is gained, code is often executed to achieve other techniques such as persistence, privilege escalation or defense evasion. These TTPs vary heavily depending on the access and environment but often begin with command and scripting interpreters, especially PowerShell (T1059.001) or Windows Command Shell (T1059.003). In pure SaaS and some cloud environments, other cloud services may be abused, resulting in serverless execution (T1648).
Persisting in these environments can happen in a wide variety of ways. Simple account access may be the quickest route – either existing, valid accounts (T1078) with leaked credentials obtained in the recon process or creating new accounts (T1136) if privileges are elevated. Otherwise, as is the case in many corporate environments, scheduled tasks (T1053.005) or modifying registry keys (T1547.001) can achieve the same results.
Credential access most commonly comes in three forms – multi-factor authentication (MFA) request generation (T1621), credential stuffing (T1110.00) or forged web credentials (T1606) such as session cookies or web tokens.
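MFA request generation (T1621) leaves a recognizable trace in identity-provider sign-in logs: a burst of denied or timed-out pushes for one user, sometimes followed by an approval. The detector below is an added example, not code from the original post; the log format and field names are hypothetical, and the sample events are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of MFA push events in a hypothetical log format (not any real IdP's schema).
SAMPLE_LOG = """\
2024-09-10T08:00:01Z user=alice result=approved ip=203.0.113.5
2024-09-10T08:00:15Z user=bob result=denied ip=198.51.100.7
2024-09-10T08:00:40Z user=bob result=denied ip=198.51.100.7
2024-09-10T08:01:05Z user=bob result=timeout ip=198.51.100.7
2024-09-10T08:01:30Z user=bob result=denied ip=198.51.100.7
2024-09-10T08:02:10Z user=bob result=approved ip=198.51.100.7
2024-09-10T09:30:00Z user=carol result=denied ip=192.0.2.9
2024-09-10T10:30:00Z user=carol result=denied ip=192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) ip=(?P<ip>\S+)$")

def parse_events(text):
    """Parse log lines into sorted (timestamp, user, result, ip) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["result"], m["ip"]))
    return sorted(events)

def find_push_bombing(events, window=timedelta(minutes=5), threshold=3):
    """Flag users who receive >= threshold unapproved pushes inside a sliding window.
    An approval within `window` of the last flagged push is recorded as approved_after,
    the case where the user gave in and the attacker now holds a session."""
    recent = defaultdict(deque)   # per-user timestamps of unapproved pushes in the window
    alerts = {}
    for ts, user, result, _ip in events:
        if result == "approved":
            if user in alerts and ts - alerts[user]["last"] <= window:
                alerts[user]["approved_after"] = True
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # drop pushes that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(user, {"first": q[0], "count": 0, "approved_after": False})
            a["last"], a["count"] = ts, max(a["count"], len(q))
    return alerts
```

Carol's two denials an hour apart never fill the window, so only bob is flagged, with approved_after set because the approval came 40 seconds after the burst.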
Depending on the actors’ objectives, discovery will take place to identify cloud tenants and services, sensitive information, or third-party pivot points. An actor may move laterally or exfiltrate data via living off the land (LOTL) techniques and services such as remote desktop (T1021.001), SSH (T1021.004), and Windows Remote Management (T1021.006).
Either immediately to minimize being discovered or after enough information is uncovered, data is collected and exfiltration begins. Key collection areas include email (T1114), local (T1005) and cloud storage (T1530), code repositories (T1213.003) and SharePoint sites (T1213.002). Data may then be exfiltrated over a more covert C2 channel (T1041) or hidden in plain sight by leveraging third-party cloud storage (T1567.002).
Data may be encrypted or simply stolen and used for extortion/ransom. In other cases, the initial access is simply a starting point to pivot into other tenants or customer environments. This varies based on the threat actor in question, the target organization, and the target environment itself.
Based on the most prevalent TTPs, below are some key areas of focus for organizations – vendor or customer.
- User Training & Awareness – The most important piece up front is employee training and awareness around these threats. These targeted attacks are typically more aggressive than general phishing and social engineering attacks – sometimes including personal information beyond the work environment or even physical threats. Most corporate security training doesn’t dive in deep enough for non-technical or even moderately technical employees to spot the more advanced actor attempts. Employees also need to be aware of signs of these threats on their own accounts and devices in addition to work devices.
- Phishing Resistant Multifactor Authentication – Most organizations understand the need for multifactor authentication (MFA), however basic implementations are susceptible to several threats. Phishing or exploiting network protocols can defeat simple MFA, and more advanced threats such as SIM swapping or push bombing (MFA fatigue) can as well. Ensure you’re using more secure implementations for access wherever possible.
- Targeted Domain Impersonation – Many of these attacks use infrastructure that mimics the target environment or known vendors. Establish or subscribe to some form of domain registration monitoring that can track variations or typo squatting style registrations that may be staging for an attack against your organization.
- Privileged Account Management – Privileged accounts are an obvious target for access, code execution and persistence. This puts a larger target on the back of IT and helpdesk staff, as well as system/root accounts. Whenever possible, these should be disabled, restricted, or segmented in a way that prevents a single account takeover from compromising the entire environment.
- Dark Web Monitoring – There are countless dark web marketplaces with data dumps and credentials for sale that can be used to simplify the upfront work for attackers. These initial access brokers (IAB) can often offset much of the burden from the reconnaissance and exploitation stages by providing credentials or bypass opportunities up front. There are also Phishing as a Service or MFA Bypass toolkits available for purchase or subscription that are used in these attacks as well. Ideally, organizations can stay on top of this by monitoring for data leaks that may involve corporate or employee information or subscribing to a monitoring service if the capability doesn’t exist internally.
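The domain impersonation item above calls for monitoring new registrations that resemble your own domain. The script below is an added example, not code from the original post: it generates common typosquat variants (omission, transposition, repetition, hyphenation, lookalike characters, alternate TLDs) and intersects them with a feed of newly registered domains. The lookalike table and TLD list are a small illustrative subset, and the feed is constructed.

```python
# Lookalike substitutions and TLDs are an illustrative subset; a production list would be larger.
LOOKALIKES = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "rn": "m", "vv": "w"}
TLDS = ("com", "net", "org", "co", "io")

def typosquat_variants(domain):
    """Return plausible lookalike registrations for a second-level domain such as 'example.com'."""
    label, _, tld = domain.lower().partition(".")
    names = set()
    for i in range(len(label)):                      # omission: exmple
        names.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # transposition: exmaple
        names.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):                      # repetition: exaample
        names.add(label[:i] + label[i] * 2 + label[i + 1:])
    for i in range(1, len(label)):                   # hyphenation: exam-ple
        names.add(label[:i] + "-" + label[i:])
    for src, dst in LOOKALIKES.items():              # substitution: examp1e
        if src in label:
            names.add(label.replace(src, dst))
    names.add(label)                                 # same label, different TLD
    variants = set()
    for name in names:
        for t in TLDS:
            if name == label and t == tld:
                continue                             # skip the legitimate domain itself
            variants.add(f"{name}.{t}")
    variants.add(f"{label}{tld}.com")                # example.com -> examplecom.com
    return variants

def match_registrations(domain, newly_registered):
    """Intersect a feed of newly registered domains with the generated variants."""
    variants = typosquat_variants(domain)
    return sorted(d for d in newly_registered if d.lower() in variants)

# Constructed sample feed of newly registered domains (not real registrations).
SAMPLE_FEED = ["examp1e.com", "exmaple.net", "shop-deals.io",
               "example-login.com", "examplecom.com", "example.co"]

if __name__ == "__main__":
    for hit in match_registrations("example.com", SAMPLE_FEED):
        print("possible impersonation:", hit)
```

Keyword-style registrations such as example-login.com are not caught by character-level permutations, so a monitor should pair this with a substring match on the brand name.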
This is just a small subset of the guidance that could be provided here; other basics – patch management (this will move the needle without a lot of investment), AV/EDR software, etc. – still apply to these attacks as well. Further mitigations for the TTPs above are available in the MITRE ATT&CK framework (Mitigations - Enterprise | MITRE ATT&CK®). Hopefully this provides further insight into the growing attacks facing this still emerging space, and provides some additional focus areas to help prevent, detect, and hunt for this behavior.