Identity attacks are the main threat to combat in the SaaS context
September 02, 2024
In recent months the cybercrime ecosystem has leaned towards credential theft and credential stuffing, with a booming market in breached credentials that both feeds and is fed by a continuous pipeline of data breaches, giving attackers plenty of primary, secondary and third-party victims to extort, often through a single SaaS application. The Snowflake breach, considered one of the largest in history, is a telling example that will undoubtedly be seen as a watershed moment: using malware to steal credentials from employees of various companies, the attackers gained access to accounts that had no multi-factor authentication (MFA) enabled. And it doesn’t stop there.
Today, the vast majority of identity vulnerabilities exist in the context of SaaS applications. The reasons for this are clear: security teams have less supervision and central control over SaaS applications than they are used to, these applications exist in large numbers per company and the identities used to access these applications are… complicated, to say the least. So protecting hundreds of applications, with thousands of associated identities, is no easy task.
The compromise of a standard user in a low-risk application can quickly turn into a wider compromise, allowing attackers to move on to high-risk applications with the functionality or data they want. Attackers can (and will) achieve their goals in stages (take control of an account, backdoor an application, spread to other applications, exfiltrate data…) using various techniques, often in tandem. The goal is always to progress to the end of the attack chain to achieve whatever their objectives are: data theft and extortion, abuse of functionality in the application (for example, to issue fraudulent payments) etc.
Understanding these techniques is therefore fundamental to stopping an attack before it spreads. Push Security’s SaaS attack techniques matrix catalogues the known techniques that can compromise a company without touching the endpoint; the most prominent are summarised below.
Most of the techniques that have gained prominence sit in the initial access phase: ghost logins, AitM (adversary-in-the-middle) phishing, session cookie theft, MFA downgrade attacks and guest access abuse, all of which are ways of taking control of an account, complementing classics such as credential stuffing.
The initial identity attack that gains control of the account is the most important link in the SaaS attack chain. That attackers keep investing in new ways to compromise identities illustrates both the value and the fragility of the identity controls most organisations rely on, and that fragility is itself one of the reasons attackers focus on them.
Whether we’re talking about anti-phishing protections, conditional access policies or MFA, attackers are continually finding new ways round them. Just look at what the recent high-profile breaches show us about how lucrative it can be for attackers to find ways to take control of workforce identities to access web-based business applications, with the recent Snowflake attacks being the elephant in the room. If all an attacker really needs to do to cause damage is log in to an application and abuse its legitimate features and functions, there really is no margin for error – you always need to successfully disrupt the initial identity attack.
You can’t rely on your endpoint and network controls to catch them later, as you once could. Similarly, it’s unlikely that your CASB or DLP solution can prevent a legitimate application, using legitimate resources such as API-based workflows, from sending data to infrastructure controlled by attackers. This is a classic case where the attackers only have to win once. And at the moment, it’s a numbers game that they’re winning often enough to keep them coming back for more.
Another possibility is to create attack chains by creatively combining techniques at different stages of the attack lifecycle, once an initial level of access has been obtained.
For example, by combining two of our new favourite SaaS attack techniques, poisoned tenants and SAMLjacking, it is possible to create a simple but effective attack chain.
Poisoned tenants involve an adversary registering a tenant for a SaaS application they control and tricking target users into joining, usually using the built-in invitation functionality. The end goal is to get some target users to actively use a tenant that you (the adversary) control.
SAMLjacking, on the other hand, is when an attacker uses the SAML SSO configuration settings of a SaaS tenant they control to redirect users to a malicious URL of their choice during the authentication process. In SP-initiated SSO the application sends the browser to whatever identity provider URL the tenant administrator configured, so an attacker who administers the tenant chooses where the user lands. This can be highly effective for phishing, as the URL the user opens is a legitimate SaaS URL.
Combined, the poisoned tenant doesn’t need to be a large target to be useful, and the SAMLjacking step doesn’t need a phishing email at all: the attack can succeed simply when a target opens a bookmark or an existing tab for an application they already use, and that tenant’s SSO setting sends them to the attacker’s page.
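To make the mechanism concrete, the following is an added Python example (it is not Push Security’s code, and the tenant names, hosts and URLs are invented for illustration). It builds the SP-initiated SAML redirect a SaaS application issues when a user opens a tenant URL, shows that the redirect target comes entirely from the tenant’s SAML configuration, and runs a simple audit that flags tenants whose SSO endpoint is not the organisation’s own identity provider.

```python
"""SP-initiated SAML redirect (HTTP-Redirect binding) and a SAMLjacking audit.

Added example, not from the original article. Tenant slugs, hosts and URLs
below are constructed for illustration.
"""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed per-tenant SAML settings. A tenant's admin (not the user's
# employer) decides which IdP URL the application redirects logins to.
TENANTS = {
    # The company's own tenant, pointing at its real IdP.
    "acme-prod": {
        "entity_id": "https://saas.example.net/acme-prod",
        "idp_sso_url": "https://login.example.com/saml2/sso",
    },
    # A poisoned tenant registered by the attacker, who invited targets in
    # and then set the SSO URL to a host they control.
    "acme-partners": {
        "entity_id": "https://saas.example.net/acme-partners",
        "idp_sso_url": "https://login.example-com.attacker.test/saml2/sso",
    },
}

# Hosts the organisation actually uses for SSO (assumed allowlist).
TRUSTED_IDP_HOSTS = {"login.example.com"}


def build_authn_request(tenant: dict) -> str:
    """Minimal SAML 2.0 AuthnRequest for the tenant's configured IdP."""
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": tenant["idp_sso_url"],
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "AssertionConsumerServiceURL": tenant["entity_id"] + "/saml/acs",
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = tenant["entity_id"]
    return ET.tostring(root, encoding="unicode")


def redirect_location(tenant: dict, relay_state: str) -> str:
    """Location header the SP sends: raw DEFLATE + base64 per the
    HTTP-Redirect binding, appended to the tenant's IdP SSO URL."""
    xml = build_authn_request(tenant).encode()
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: no zlib header
    deflated = comp.compress(xml) + comp.flush()
    query = urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode(),
        "RelayState": relay_state,
    })
    sep = "&" if "?" in tenant["idp_sso_url"] else "?"
    return f"{tenant['idp_sso_url']}{sep}{query}"


def decode_saml_request(location: str) -> ET.Element:
    """Inverse of redirect_location, as the receiving IdP would decode it."""
    qs = parse_qs(urlparse(location).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return ET.fromstring(zlib.decompress(raw, -15))


def login_via_bookmark(bookmark_url: str) -> str:
    """What happens when a user opens a saved tenant URL: the SP looks up the
    tenant from the path and 302s the browser to that tenant's IdP. The user
    only ever typed or clicked the legitimate saas.example.net URL."""
    slug = urlparse(bookmark_url).path.strip("/").split("/")[0]
    return redirect_location(TENANTS[slug], relay_state=bookmark_url)


def sso_redirect_is_trusted(tenant: dict) -> bool:
    host = urlparse(tenant["idp_sso_url"]).hostname or ""
    return host in TRUSTED_IDP_HOSTS


def audit_tenants(tenants: dict) -> list[str]:
    """Slugs whose SSO configuration sends users off the trusted IdP."""
    return [slug for slug, t in tenants.items() if not sso_redirect_is_trusted(t)]


if __name__ == "__main__":
    loc = login_via_bookmark("https://saas.example.net/acme-partners/dashboard")
    print("Redirect from a legitimate bookmark goes to:", loc.split("?")[0])
    print("Tenants with an untrusted SSO endpoint:", audit_tenants(TENANTS))
```

The audit is deliberately simple: it compares the hostname of each tenant’s SSO endpoint against the organisation’s known IdP hosts. In practice that list would come from the identity provider’s own metadata, and the check would run over every tenant users have joined, including ones invited from outside, because those are the tenants an attacker can administer.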
The best defence against these attacks is visibility of the entire identity attack surface, every application, tenant and identity in use, followed by hardening of the weakest points it reveals.