Phishing in the Cloud: We're Gonna Need a Bigger Boat

SaaS security is everyone's problem.

Michael Clark, Director of Threat Research, Sysdig

December 8, 2022


Phishing has long been one of the best ways to gain access to a target organization. It didn't use to be this way. In the early days of computer security, the remote code execution (RCE) exploit was the preferred method of gaining access, as it required no user interaction. In fact, if something required user interaction, it wasn't considered a serious threat. Better security practices started to take hold, and the RCE method of access became much more challenging. And it turned out that getting users to interact was easier than ever imagined.

The same cycle has started to repeat itself with on-premises targets. Organizations have started to make advances in securing their internal networks using endpoint detection and response (EDR), and other technologies are better equipped to detect malware and lateral movement. While these attacks are becoming more difficult, they are by no means an ineffective strategy for an attacker yet. Deploying ransomware and other forms of malware is still a common outcome.

Why Your Cloud Infrastructure Is a Top Target for Phishing Attacks

The cloud has given phishers a whole new frontier to attack, and it turns out it can be very dangerous. SaaS environments are ripe targets for phishing attacks and can give the attacker a lot more than access to some emails. Security tools are still maturing in this environment, which offers attackers a window of opportunity where methods such as phishing attacks can be very effective.

Phishing Attacks Targeting Developers and Software Supply Chain

As we saw recently, Dropbox had an incident due to a phishing attack against its developers. They were tricked into giving their GitHub credentials to an attacker by a phishing email and fake website, despite multifactor authentication (MFA). What makes this scary is that this wasn't just a random user from sales or another business function; it was developers with access to a lot of Dropbox data. Thankfully, the scope of the incident doesn't appear to affect Dropbox's most critical data.

GitHub, and other platforms in the continuous integration/continuous deployment (CI/CD) space, are the new "crown jewels" for many companies. With the right access, attackers can steal intellectual property, leak source code and other data, or conduct supply chain attacks. It goes even further, as GitHub often integrates with other platforms, to which the attacker may be able to pivot. All of this can happen without ever touching the victim's on-prem network, or many of the other security tools that organizations have acquired, since it is all software-as-a-service (SaaS)-to-SaaS.

Security in this scenario can be a challenge. Every SaaS provider does it differently. A customer's visibility into what happens in these platforms is often limited. GitHub, for example, only gives access to its Audit Log API under its Enterprise plan. Getting visibility is only the first hurdle to overcome; the next would be to make useful detection content around it. SaaS providers can be quite different in what they do and the data that they provide. Contextual understanding of how they work will be required to make and maintain the detections. Your organization may have many such SaaS platforms in use.

How Do You Mitigate Risks Associated With Phishing in the Cloud?

Identity platforms, such as Okta, can help mitigate the risk, but not completely. Identifying unauthorized logins is certainly one of the best ways to discover phishing attacks and respond to them. This is easier said than done, as attackers have caught on to the common ways of detecting their presence. Proxy servers or VPNs are easily used to at least appear to come from the same general area as the user in order to defeat country or impossible travel detections. More advanced machine learning models can be applied, but these are not yet widely adopted or proven.
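
The login checks described above, sketched as an added example that is not part of the original article: it flags impossible travel and, as an assumed secondary signal, a first-time network (ASN) for a user, which still fires when a login appears to come from the user's usual area. The event schema, thresholds, and sample events are constructed for illustration and are not an Okta or GitHub format.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed threshold: roughly airliner cruising speed
MIN_KM = 100.0   # assumed floor that absorbs geo-IP imprecision

# Constructed sample events (hypothetical schema). ASNs are private-use (RFC 6996).
EVENTS = [
    {"user": "dev1", "ts": "2022-11-01T09:00:00", "lat": 40.71, "lon": -74.01, "asn": 64512},  # New York
    {"user": "dev1", "ts": "2022-11-01T17:30:00", "lat": 40.73, "lon": -73.99, "asn": 64512},  # New York
    {"user": "dev1", "ts": "2022-11-01T18:00:00", "lat": 40.70, "lon": -74.00, "asn": 64999},  # same city, new network
    {"user": "dev2", "ts": "2022-11-01T10:00:00", "lat": 51.51, "lon": -0.13, "asn": 64520},   # London
    {"user": "dev2", "ts": "2022-11-01T11:00:00", "lat": 35.68, "lon": 139.69, "asn": 64530},  # Tokyo, 1 hour later
]

def km_between(a, b):
    """Great-circle distance between two events (haversine formula)."""
    lat1, lon1, lat2, lon2 = map(radians, (a["lat"], a["lon"], b["lat"], b["lon"]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def detect(events):
    """Return (user, timestamp, reason) findings; a user's first login is the baseline."""
    findings, last, seen_asns = [], {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, prev = ev["user"], last.get(ev["user"])
        if prev is not None:
            delta = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = max(delta.total_seconds() / 3600, 1 / 60)  # treat near-simultaneous as 1 min
            dist = km_between(prev, ev)
            if dist > MIN_KM and dist / hours > MAX_KMH:
                findings.append((user, ev["ts"], "impossible_travel"))
            # Geography alone passes a login relayed through the user's own region,
            # so also flag a network this user has never logged in from.
            if ev["asn"] not in seen_asns[user]:
                findings.append((user, ev["ts"], "new_network"))
        seen_asns.setdefault(user, set()).add(ev["asn"])
        last[user] = ev
    return findings

if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

In the sample data, the third dev1 login passes the travel check and is caught only by the network check; in practice such a signal would feed triage rather than block on its own, since users legitimately change networks.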

Traditional threat detection is starting to adapt to the SaaS world as well. Falco, a popular threat detection tool for containers and cloud, has a plug-in system that can support nearly any platform. The Falco team has already released plug-ins and rules for Okta and GitHub, among others. For example, the GitHub plug-in has a rule that triggers if any commits show signs of a crypto miner. Leveraging these purpose-built detections is a good way to get started in bringing these platforms into your overall threat detection program.

Phishing Is Here to Stay

Phishing, and social engineering in general, will never be left behind. It has been an effective attack method for years, and will be for as long as people communicate. It is critical to understand that these attacks are not limited to the infrastructure you own or manage directly. SaaS is especially at risk due to the lack of visibility most organizations have into what actually happens on those platforms. Their security cannot be written off as someone else's problem, as a simple email and fake website are all it takes to get access to those resources.

About the Author

Michael Clark

Director of Threat Research, Sysdig

Michael Clark is the Director of Threat Research at Sysdig, managing a team of experts tasked with discovering and defending against novel security threats. Michael has more than 20 years of industry experience in many different roles, including incident response, threat intelligence, offensive security research, and software development at companies like Rapid7, ThreatQuotient, and Mantech. Prior to joining Sysdig, Michael worked as a Gartner analyst, advising enterprise clients on security operations topics.
