SaaS Apps Present an Abbreviated Kill Chain for Attackers

BLACK HAT USA – Las Vegas – Thursday, Aug. 8 – Organizations that are expanding their use of SaaS applications may want to revise their notions of — and approaches to — the cyber kill chain.

SaaS applications have transformed the modern organization's attack surface and eliminated — or made easier — several of the steps that adversaries have traditionally needed to execute a successful attack, researchers at AppOmni said in a talk at Black Hat USA 2024.  Security teams need to revise and readjust their defenses to keep ahead of the new reality.

The SaaS Kill Chain

"The SaaS-enabled kill chain, when considered from the lens of MITRE ATT&CK tactics, is abbreviated," the researchers said. "Several steps are often skipped or entirely unnecessary for an attack to accomplish their goals and the majority of defenses are focused on the initial access stage."

The software-as-a-service model has become nearly ubiquitous. Research Productiv conducted last year revealed organizations, on average, used a staggering 342 SaaS applications at the end of 2023, with operations teams being the biggest users, followed by IT, sales, and product teams. Among the most popular SaaS products were Confluence, Salesforce, Tableau, Atlassian Cloud, and Jira.

AppOmni found the growing use of such applications give adversaries new — and often quicker — ways to target enterprise application and data than before. Researchers at the company analyzed some 230 billion normalized SaaS audit log events from across 24 different SaaS services and 1.9 million alerts over a six-month period to get an idea of attacker tactics, techniques, and procedures (TTPs) in SaaS environments.

The analysis showed that attackers often don't need to execute all seven steps of the traditional chain to launch a successful SaaS attack. Lockheed Martin's cyber kill chain — which has long been used as a basis for defending against attacks — identifies reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives as actions an adversary must complete to pull off a successful attack.

With attacks on SaaS environments, "the kill chain from an attacker's perspective is really centralized down to a couple of points: initial access and credential access, and collection and exfiltration," Brandon Levene, principal product manager, threat detection, at AppOmni tells Dark Reading.

Walking in Through the Front Door

In many of the attacks that AppOmni analyzed, adversaries gained access to an organization's SaaS applications through an externally facing identity provider. "Usually, they just walk in through the front door with valid accounts," Levene says. Attackers often use infostealers to grab user credentials to cloud accounts or tactics like credential stuffing, brute force, and password spraying to acquire credentials to cloud accounts — or they simply purchase them in Dark Web markets, according to Levene.

"Once you are past the IdP [identity provider] like an Okta, or a Ping or an Entra, all applications behind that are freely available to you as the attacker," he says. That means attackers don't have to necessarily conduct reconnaissance to gather information on a target environment because they already have access to it.

Similarly, an attacker needs little time and resources to establish persistence on a compromised environment or enable lateral movement because a valid credential gives them persistent and wide access to whatever they need. "Once you compromise an externally facing identity provider like Okta, you don't need persistence or lateral movement," Levene says.

He points to two large attacks that AppOmni analyzed as examples of how adversaries target SaaS environments. In one of them, the threat actor logged into the IdP using a valid token and then modified the IP ranges that were allowed to authenticate to various applications. In just 10 minutes, the threat actor downloaded more than 100 files from cloud storage and information repositories. They also modified authentication policies for some applications and changed direct deposit payment choices in a likely attempt to redirect funds. "They didn't have to go through a VPN. They didn’t even bother to obfuscate their real location. What they did was basically smash and grab," Levene says.

He adds that many of the brute force, password spraying, and credential stuffing attacks that AppOmni observed targeted Microsoft O365 and came from two large Chinese networks: ChinaNet and China Unicon.

Enabling better visibility across SaaS environments is a key first step to protecting against such attacks, he notes. Organizations need to understand their attack surface, look at how their SaaS apps are configured and monitor them. They must also fully leverage their IdP's capabilities and features like MFA and hardware tokens. Levene adds that the goal should be to enforce a zero-trust access model to SaaS applications.