Risk remains the top concern for organizations adopting software-as-a-service (SaaS) models and this is an issue that is only getting worse. What is needed today is the ability to remove the dependency on human behavior and human error, bringing control back to the security team.

Risk in a SaaS environment is largely an identity problem. Specifically, it is the misuse of an identity and of the privileged access granted to that identity. Before implementing any SaaS platform, you must consider how much access is really being granted in the cloud. More importantly, how is that privileged access being used? The principle of least privilege is even more important in these SaaS environments, where identity is the only thing within the organization's control and data and resources are highly consolidated. A service or user should have no more permissions than are absolutely required to do its job.

Within the SaaS world, Microsoft Office 365 has dominated the productivity space, with more than 180 million users. For many of those users, Office 365 is the core of enterprise data storage and communication, which makes it an incredibly rich treasure trove. It was only natural that Office 365 would become the latest focus of cyberattackers. Even with the increasing adoption of controls such as multi-factor authentication (MFA), 40 percent of organizations still suffer Office 365 breaches, leading to massive financial and reputational losses.

Of those breaches, account takeover attacks are among the fastest-growing and most prevalent problems for most organizations. It used to be that email and accounts were used to gain an initial foothold into a network. Now those same accounts are used for lateral movement to other users and privileged resources. The problem has become severe: analyst firm Forrester Research puts the cost of account takeovers at $6.5 billion to $7 billion in annual losses across multiple industries.

The most common account takeover technique is a behavior MITRE defines in the ATT&CK framework as internal spearphishing. It is an interesting use of spearphishing as a method of lateral movement: an attacker leverages already-compromised accounts to compromise other users in the same organization by posing as a trusted user. It is difficult to tell whether an email from a legitimate user asking for information is malicious, and prevention and detection controls are not designed to stop legitimate communication.

MITRE notes that internal spearphishing has been used in the wild by several threat actors. These include the Eye Pyramid campaign, which used malicious attachments to move from Office 365 accounts to physical systems, compromising nearly 18,000 email accounts in the process. This type of lateral movement is also a known technique of the Syrian Electronic Army (SEA) in its targeting of the Financial Times. The SEA posed as the IT department and went on compromising systems even after the Financial Times knew it was a target.

So, how do we detect these stealthy attacks that blend into normal behavior?

Identifying the misuse of user access has largely been treated as a static problem, with approaches that are prevention-oriented or that rely on manual entitlements, identifying threats only at the moment they occur and leaving little time to respond properly. This type of access monitoring only establishes that an approved account is being used to access resources; it does not say how or why those resources are being used.

Rather than relying only on the privilege granted to an entity, or ignoring privilege altogether, security operations needs to include context on how entities actually use their privileges within SaaS applications like Office 365, i.e., observed privilege. This viewpoint mirrors how attackers observe or infer the interactions between entities. A defender should think in a similar fashion to their adversaries.

This can occur in two parts:

  • Observe the interactions between entities. Based on the behavioral interactions between entities and the sensitivity of assets that are eventually accessed, dynamically determine each entity’s level of privilege. Entities with similar access patterns are grouped as peers. This can be achieved using artificial intelligence and machine learning models.
  • Determine abnormalities in the interactions between privileged entities. Compare a given access request to the access history to determine its distance from the normal behavior of the entity's peer group. Focus on the abnormalities that have security implications and consequences.
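The two steps above, as an added example that is not part of the original article: constructed audit records shaped like Office 365 unified audit log fields (UserId, Operation, ObjectId) are turned into observed access sets, users with overlapping access are grouped as peers, a dynamic privilege level is derived from the sensitivity of what each user actually touched, and a new access request is scored by how far it sits from the user's own history and their peers'. The SENSITIVITY classification and the Jaccard threshold are assumptions; a real deployment would replace the simple overlap grouping with a learned model.

```python
from collections import defaultdict
from itertools import combinations

# Constructed audit events (UserId, Operation, ObjectId); values are made up.
EVENTS = [
    ("alice@example.com", "FileAccessed", "/Finance/Q3-forecast.xlsx"),
    ("alice@example.com", "FileAccessed", "/Finance/payroll.xlsx"),
    ("alice@example.com", "FileAccessed", "/Finance/budget.xlsx"),
    ("bob@example.com",   "FileAccessed", "/Finance/Q3-forecast.xlsx"),
    ("bob@example.com",   "FileAccessed", "/Finance/payroll.xlsx"),
    ("carol@example.com", "FileAccessed", "/Marketing/brand.pptx"),
    ("carol@example.com", "FileAccessed", "/Marketing/campaign.docx"),
    ("dave@example.com",  "FileAccessed", "/Marketing/brand.pptx"),
    ("dave@example.com",  "FileAccessed", "/Marketing/campaign.docx"),
]
# Assumed asset sensitivity (1 = low, 3 = high); unknown assets default to 1.
SENSITIVITY = {"/Finance/payroll.xlsx": 3, "/Finance/Q3-forecast.xlsx": 2,
               "/Finance/budget.xlsx": 2, "/Marketing/brand.pptx": 1,
               "/Marketing/campaign.docx": 1}

def observed_access(events):
    """Step 1: map each user to the set of resources they actually touched."""
    access = defaultdict(set)
    for user, op, obj in events:
        if op == "FileAccessed":
            access[user].add(obj)
    return access

def observed_privilege(access):
    """Dynamic privilege level: total sensitivity of resources the user used."""
    return {u: sum(SENSITIVITY.get(r, 1) for r in rs) for u, rs in access.items()}

def peer_groups(access, min_jaccard=0.5):
    """Group users whose access sets overlap (single-link on Jaccard similarity)."""
    parent = {u: u for u in access}
    def find(u):
        while parent[u] != u:
            u = parent[u]
        return u
    for a, b in combinations(access, 2):
        inter, union = len(access[a] & access[b]), len(access[a] | access[b])
        if union and inter / union >= min_jaccard:
            parent[find(a)] = find(b)
    return {u: find(u) for u in access}

def abnormality(user, resource, access, peers):
    """Step 2: 0 if the user has used the resource before; otherwise the asset
    sensitivity scaled by the share of the user's peers who have never used it."""
    members = [u for u in access if peers[u] == peers[user] and u != user]
    peer_rate = sum(resource in access[u] for u in members) / len(members) if members else 0.0
    return 0.0 if resource in access[user] else SENSITIVITY.get(resource, 1) * (1 - peer_rate)
```

A high score (for example carol, a marketing peer, requesting payroll.xlsx) is the kind of abnormality with security consequences; bob requesting budget.xlsx scores low because his finance peer already uses it.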

For Office 365, this translates to understanding how users access Office 365 resources and from where, without prying into the data itself, so that privacy is protected. It is about usage patterns and behaviors, not static access.

The importance of monitoring the misuse of user access cannot be overstated given its prevalence in real world attacks. As SaaS platforms like Office 365 have proven to be lucrative for lateral movement in organizations, it is critical to have additional focus around accounts and services. Ideally, when security operations teams have solid information about expectations for that infrastructure, malicious behaviors and privilege abuse will be much easier to identify and mitigate.