Phishing, spear-phishing, brute-force login attacks and advanced persistent threats (APTs) are often step one of a data breach, and not only in on-premises environments. Many organizations process and store critical data in cloud-based SaaS applications. Software-as-a-service makes sense from a business standpoint (low-cost implementation, limited overhead and immediate scalability), but it is no less exposed to unauthorized access than on-premises software: the login page is reachable from anywhere on the internet, so a stolen or guessed password is all an attacker needs.
One of the best-known examples came to light during the 2016 U.S. presidential election, when John Podesta, former White House chief of staff and chairman of Hillary Clinton's campaign, had his personal Gmail account compromised. The group responsible, dubbed Fancy Bear, gained access through a simple phishing email that urged him to reset his password via a link to an attacker-controlled page. The result of this seemingly minor lapse: a collection of his emails, many containing sensitive information, was stolen and later published. Fancy Bear struck again in 2018, this time targeting Claire McCaskill, a U.S. Senator from Missouri. And, lest we forget, roughly one million Google Docs users were hit by a phishing campaign in 2017 that tricked them into granting a malicious app OAuth access to their accounts, without ever asking for a password.
A Worsening Problem …
According to Verizon's Data Breach Investigations Report, 93 percent of breaches that involved social engineering began with phishing or pretexting. Once attackers hold valid credentials to a SaaS application, they can use that access to escalate their privileges and move laterally, on the enterprise network or across connected cloud services, in search of critical data to steal or destroy. Alternatively, they may be on the prowl for password databases and other credential stores that let them go further.
Whatever the end game, the first play is more often than not to achieve unauthorized access through one of the following mechanisms:
- Phishing: Any attempt by attackers to trick unsuspecting users into divulging sensitive information. Phishing schemes usually start as emails that appear to come from a legitimate source. They may prompt a fake password reset (as in Podesta's case) to harvest account credentials, or redirect the user to a look-alike site that collects whatever is typed into it.
- Brute-force login: Systematically guessing passwords or pass phrases until one is accepted. Attackers automate this with password-cracking tools. Against a SaaS login page, exhaustive enumeration is rarely practical, so most attempts use a dictionary of common or previously leaked passwords, and are spread across many accounts or slowed down to stay under the provider's lockout and rate-limit thresholds.
- Advanced persistent threats: Not a single technique but a sustained campaign by a well-resourced intruder who uses custom tooling and stealthy tactics to evade conventional threat detection and remain on the network for months. That persistence lets them locate the information they need and exfiltrate it gradually, in volumes small enough not to trigger alarms.
Once inside, a seasoned cybercriminal can fairly easily collect valuable information that they can then use for extortion, sell on the dark web or leak online for notoriety or to make a political point.
If You Can’t Stop Them, Detect Them
It's not unusual for legitimate business users to access applications from multiple endpoints and networks, which compounds the problem: how do you know whether a login from a new IP address is legitimate or an indicator of compromise?
Organizations need to focus their efforts on detecting unusual patterns in account access and usage rather than pouring more money into perimeter defenses, which a stolen password simply walks through. Nor can they assume a SaaS provider will keep them abreast of suspicious login or account activity: under the shared-responsibility model the provider secures the platform, but monitoring how your accounts are used is your job.
Rather, small and midsize enterprises (SMEs) need the continuous threat detection and incident response capabilities of a fully staffed security operations center (SOC). Security engineers, with the help of a security information and event management (SIEM) solution, can aggregate the audit logs of different SaaS applications into a central console. Analysts can then baseline normal behaviour per user (usual IP ranges, locations, devices and hours) and apply rules or machine-learning models that surface the subtle deviations hidden among millions of daily events: a login from an unseen IP address, two logins too far apart to be the same traveller, a burst of failed logins followed by a success. Confirmed compromises are contained by disabling the account, revoking its sessions and tokens, and forcing a credential reset.
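To make the detection logic concrete, here is an added example (not code from the original page or from any SIEM vendor) of the kind of check an analyst would run over aggregated SaaS login events. It covers the brute-force pattern from the list above and the "new IP address" question raised here: each successful login is compared against the user's known IPs, against the distance and time since that user's previous login (impossible travel), and against the count of recent failed attempts. The JSON-lines event schema, the IP geolocation fields and the log lines themselves are constructed for the example; real audit logs differ per provider, and the location of an IP would come from a lookup rather than from the event.

```python
"""Flag suspicious SaaS logins from authentication audit-log events.

Added illustration, not any vendor's or SIEM's code. The event schema
(ts, user, ip, lat, lon, result) and the sample log are constructed.
"""
import json
import math
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample (JSON lines). Three scenarios:
#  - carol: a second login from an unseen IP a few km away, hours later (weak signal)
#  - bob:   a login from an unseen IP about 5,500 km away, 90 minutes later
#  - alice: five failed logins from an unseen, distant IP, then a success
SAMPLE_LOG = """\
{"ts":"2024-03-04T08:01:00Z","user":"alice","ip":"203.0.113.10","lat":47.61,"lon":-122.33,"result":"success"}
{"ts":"2024-03-04T09:00:00Z","user":"carol","ip":"203.0.113.10","lat":47.61,"lon":-122.33,"result":"success"}
{"ts":"2024-03-04T10:00:00Z","user":"bob","ip":"192.0.2.44","lat":51.51,"lon":-0.13,"result":"success"}
{"ts":"2024-03-04T11:30:00Z","user":"bob","ip":"192.0.2.99","lat":40.71,"lon":-74.01,"result":"success"}
{"ts":"2024-03-04T17:00:00Z","user":"carol","ip":"203.0.113.77","lat":47.65,"lon":-122.35,"result":"success"}
{"ts":"2024-03-04T20:30:00Z","user":"alice","ip":"203.0.113.10","lat":47.61,"lon":-122.33,"result":"success"}
{"ts":"2024-03-04T22:00:00Z","user":"alice","ip":"198.51.100.7","lat":55.75,"lon":37.62,"result":"failure"}
{"ts":"2024-03-04T22:00:05Z","user":"alice","ip":"198.51.100.7","lat":55.75,"lon":37.62,"result":"failure"}
{"ts":"2024-03-04T22:00:10Z","user":"alice","ip":"198.51.100.7","lat":55.75,"lon":37.62,"result":"failure"}
{"ts":"2024-03-04T22:00:15Z","user":"alice","ip":"198.51.100.7","lat":55.75,"lon":37.62,"result":"failure"}
{"ts":"2024-03-04T22:00:20Z","user":"alice","ip":"198.51.100.7","lat":55.75,"lon":37.62,"result":"failure"}
{"ts":"2024-03-04T22:00:25Z","user":"alice","ip":"198.51.100.7","lat":55.75,"lon":37.62,"result":"success"}
"""


def parse_events(text):
    """Parse JSON-lines audit log into dicts; 'ts' becomes an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(events, fail_threshold=5, window_s=600, max_speed_kmh=900):
    """Return alerts (chronological) of three kinds: bruteforce_then_success,
    new_ip, impossible_travel. Thresholds are illustrative defaults."""
    events = sorted(events, key=lambda e: e["ts"])
    known_ips = defaultdict(set)   # user -> IPs seen on accepted logins
    last_ok = {}                   # user -> most recent successful event
    fails = defaultdict(deque)     # user -> timestamps of recent failures
    alerts = []

    def note(kind, e, detail):
        alerts.append({"type": kind, "user": e["user"], "ip": e["ip"],
                       "ts": e["ts"].isoformat(), "detail": detail})

    for e in events:
        user, ts = e["user"], e["ts"]
        q = fails[user]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()            # forget failures outside the sliding window
        if e["result"] != "success":
            q.append(ts)
            continue

        # A success right after a burst of failures is the brute-force signature.
        if len(q) >= fail_threshold:
            note("bruteforce_then_success", e, f"{len(q)} failures in the last {window_s}s")
        q.clear()

        # First login for a user seeds the baseline; afterwards an unseen IP is flagged.
        suspicious_ip = bool(known_ips[user]) and e["ip"] not in known_ips[user]
        if suspicious_ip:
            note("new_ip", e, f"known IPs: {sorted(known_ips[user])}")

        prev = last_ok.get(user)
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (ts - prev["ts"]).total_seconds() / 3600
            # km > speed*hours also catches two distant logins at the same instant.
            if km > max_speed_kmh * hours:
                note("impossible_travel", e, f"{km:.0f} km in {hours:.2f} h since {prev['ip']}")

        # A flagged IP is not added to the baseline: it stays unknown until an
        # analyst accepts it, so every further login from it alerts again.
        if not suspicious_ip:
            known_ips[user].add(e["ip"])
        last_ok[user] = e
    return alerts


# A lone new-IP login is weak evidence; travel and brute-force findings weigh more.
WEIGHTS = {"new_ip": 1, "impossible_travel": 3, "bruteforce_then_success": 3}


def accounts_to_disable(alerts, min_score=3):
    """Users whose combined alert weight warrants disabling the account and revoking sessions."""
    score = defaultdict(int)
    for a in alerts:
        score[a["user"]] += WEIGHTS[a["type"]]
    return sorted(u for u, s in score.items() if s >= min_score)


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for a in found:
        print(a["ts"], a["user"], a["type"], a["detail"])
    print("disable:", accounts_to_disable(found))
```

On the sample, carol's login from an unseen but nearby address produces only a low-weight new_ip alert and no response, while bob (new IP plus impossible travel) and alice (brute-force burst, new IP and impossible travel on the same event) cross the threshold. In production the baseline of known IPs would be learned over a training window or taken from analyst-confirmed logins rather than from the first event seen, and the same scoring would feed a ticket or an automated session-revocation call.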
It's time to put an end to the vicious cycle of account compromise once and for all.