SaaS Applications Highlight a Condensed Kill Chain for Attackers

At the Black Hat USA conference in Las Vegas on Thursday, Aug. 8, researchers at AppOmni delivered a presentation highlighting the evolving landscape of cybersecurity threats as organizations increasingly rely on Software-as-a-Service (SaaS) applications. The researchers emphasized the need for security teams to rethink their strategies in light of the changing dynamics of the cyber kill chain.

SaaS applications have fundamentally altered the attack surface of modern organizations, streamlining the process for threat actors to carry out successful attacks. According to AppOmni’s analysis, adversaries can now bypass several traditional steps in the cyber kill chain, making it imperative for security teams to adapt and enhance their defenses to stay ahead of these new challenges.

The widespread adoption of SaaS applications has created a significant expansion in the attack surface for organizations. Research conducted by Productiv in 2023 found that organizations were using, on average, 342 SaaS applications by the end of that year. This trend has given adversaries new and faster avenues to target enterprise applications and data, as illustrated by AppOmni’s analysis of SaaS audit log events and alerts over a six-month period.

One key finding from the analysis is that attackers no longer need to execute all seven steps of the traditional cyber kill chain to launch a successful attack on SaaS environments. Instead, the focus has shifted to key points such as initial access, credential access, collection, and exfiltration of data. This shift underscores the importance of reevaluating security strategies to address these critical areas effectively.

In many instances analyzed by AppOmni, attackers gained access to organizations’ SaaS applications through externally facing identity providers, effectively “walking in through the front door” with valid accounts. Tactics such as infostealers, credential stuffing, brute force attacks, and even the purchase of credentials from Dark Web markets have enabled threat actors to infiltrate cloud accounts with relative ease.

Once inside the environment, attackers have broad access to sensitive data and applications, minimizing the need for extensive reconnaissance or persistent lateral movement. By compromising an identity provider, adversaries can quickly escalate their attacks and achieve their objectives without the need for prolonged persistence or elaborate evasion tactics.

AppOmni highlighted several real-world examples of attacks on SaaS environments, including incidents where threat actors were able to modify access controls, exfiltrate data, and manipulate authentication policies within minutes of gaining entry. These attacks underscore the speed and efficiency with which adversaries can exploit vulnerabilities in SaaS applications, emphasizing the critical need for enhanced visibility and proactive defense measures.

To combat these evolving threats, organizations are advised to prioritize better visibility across their SaaS environments, assess and monitor app configurations, and leverage identity provider features such as multi-factor authentication (MFA) and hardware tokens. By enforcing a zero-trust access model to SaaS applications, organizations can significantly enhance their security posture and mitigate the risks associated with the growing prevalence of SaaS-based attacks.
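As an added illustration (not code from the AppOmni presentation or from this article), the Python sketch below shows the kind of correlation a SaaS monitoring pipeline can apply to audit log events to catch the condensed kill chain described above: a valid-account login followed within minutes by an authentication-policy change, access-control change, or data export. The event format, field names, actors and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample SaaS audit log (not real data); field names are an
# assumption, since every SaaS vendor emits a different audit schema.
SAMPLE_EVENTS = [
    {"ts": "2024-08-08T09:00:05Z", "actor": "alice", "action": "login"},
    {"ts": "2024-08-08T09:03:40Z", "actor": "alice", "action": "auth_policy.update"},
    {"ts": "2024-08-08T09:05:12Z", "actor": "alice", "action": "report.export"},
    {"ts": "2024-08-08T10:00:00Z", "actor": "bob", "action": "login"},
    {"ts": "2024-08-08T14:30:00Z", "actor": "bob", "action": "auth_policy.update"},
]

# Actions that map to the later stages of the condensed chain: changing
# access controls or authentication policy, or pulling data out.
HIGH_IMPACT_ACTIONS = {
    "auth_policy.update",
    "access_control.update",
    "mfa.disable",
    "report.export",
}


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp format used above."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def condensed_chain_alerts(events, window_minutes=15):
    """Return one alert per high-impact action that an actor performs
    within `window_minutes` of that actor's most recent login."""
    last_login = {}
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        now = parse_ts(ev["ts"])
        if ev["action"] == "login":
            last_login[ev["actor"]] = now
            continue
        if ev["action"] not in HIGH_IMPACT_ACTIONS or ev["actor"] not in last_login:
            continue
        elapsed = now - last_login[ev["actor"]]
        if elapsed <= timedelta(minutes=window_minutes):
            alerts.append({
                "actor": ev["actor"],
                "action": ev["action"],
                "minutes_after_login": round(elapsed.total_seconds() / 60, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in condensed_chain_alerts(SAMPLE_EVENTS):
        print(alert)
```

In the sample, alice's policy change and export land a few minutes after login and are flagged, while bob's policy change hours after login is not; in practice the window and action list would be tuned per application and paired with the login's source context.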
