Stolen Credentials Have Turned SaaS Apps Into Attackers’ Playgrounds


August 8, 2024 at 11:00AM

AppOmni analyzed 230 billion SaaS audit log events and found that most SaaS security incidents are simple smash-and-grab incursions: attackers log in with legitimate, stolen credentials, take what they can, and leave. Little of the MITRE ATT&CK kill chain is exercised in the process. AppOmni recommends a fully implemented zero trust policy with effective MFA for SaaS apps to prevent attacker success.

Key takeaways from the analysis:

1. AppOmni's analysis of SaaS audit log events shows that attackers who gain access to SaaS apps act quickly: they log in with legitimate credentials and exfiltrate data within a short time frame, a smash-and-grab pattern.

2. Most of the MITRE ATT&CK kill chain never comes into play in typical SaaS incidents. Attackers exploit the application's default behaviors rather than establishing persistence or performing traditional lateral movement.

3. Attackers gain entry with legitimate credentials obtained from sources such as infostealers or phishing providers, and credential stuffing and password spraying against SaaS apps are prevalent.

4. A significant share of attacks against Microsoft 365 originate from two large Chinese autonomous systems, AS 4134 (China Net) and AS 4837 (China Unicom), reflecting a notable volume of login attempts against US organizations from those networks.

5. While smash and grab is the most common threat activity, there are also more specialized clusters, including financially motivated attacks and intrusions that perform reconnaissance and pivot into customer networks.

6. Preventing attacker success comes down to a comprehensive zero trust policy backed by effective multi-factor authentication (MFA) for SaaS apps. Many companies claim to have zero trust in place but have not implemented it effectively.
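The three log-visible patterns above (a single source failing logins against many accounts, a valid login followed by a burst of downloads, and logins from the two autonomous systems the report names) can be expressed as simple detections over SaaS audit events. The following is an added example and not AppOmni's code or tooling; the event schema, field names, thresholds, the sample log lines and the IP-to-ASN map are all constructed for the demonstration.

```python
# Added example, not from the original page: toy detections over constructed
# SaaS audit-log events for password spraying / credential stuffing,
# "smash and grab" bulk export after a valid login, and logins from watched ASNs.
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events (not real telemetry); one JSON object per line.
# Field names are an assumption about what a SaaS audit log would carry.
SAMPLE_LOG = """
{"ts": "2024-08-01T09:00:00Z", "event": "login", "result": "fail", "user": "alice@example.com", "src_ip": "203.0.113.10"}
{"ts": "2024-08-01T09:00:05Z", "event": "login", "result": "fail", "user": "bob@example.com", "src_ip": "203.0.113.10"}
{"ts": "2024-08-01T09:00:11Z", "event": "login", "result": "fail", "user": "carol@example.com", "src_ip": "203.0.113.10"}
{"ts": "2024-08-01T09:00:18Z", "event": "login", "result": "fail", "user": "dave@example.com", "src_ip": "203.0.113.10"}
{"ts": "2024-08-01T09:00:25Z", "event": "login", "result": "fail", "user": "erin@example.com", "src_ip": "203.0.113.10"}
{"ts": "2024-08-01T09:00:31Z", "event": "login", "result": "success", "user": "frank@example.com", "src_ip": "203.0.113.10"}
{"ts": "2024-08-01T09:01:00Z", "event": "file_download", "user": "frank@example.com", "src_ip": "203.0.113.10", "object": "Q3-forecast.xlsx"}
{"ts": "2024-08-01T09:01:20Z", "event": "file_download", "user": "frank@example.com", "src_ip": "203.0.113.10", "object": "customers.csv"}
{"ts": "2024-08-01T09:01:45Z", "event": "file_download", "user": "frank@example.com", "src_ip": "203.0.113.10", "object": "payroll.xlsx"}
{"ts": "2024-08-01T09:02:10Z", "event": "file_download", "user": "frank@example.com", "src_ip": "203.0.113.10", "object": "board-deck.pptx"}
{"ts": "2024-08-01T09:02:40Z", "event": "export", "user": "frank@example.com", "src_ip": "203.0.113.10", "object": "contacts-report"}
{"ts": "2024-08-01T09:03:05Z", "event": "file_download", "user": "frank@example.com", "src_ip": "203.0.113.10", "object": "contracts.zip"}
{"ts": "2024-08-01T10:15:00Z", "event": "login", "result": "fail", "user": "alice@example.com", "src_ip": "198.51.100.7"}
{"ts": "2024-08-01T10:16:00Z", "event": "login", "result": "success", "user": "alice@example.com", "src_ip": "198.51.100.7"}
{"ts": "2024-08-01T11:00:00Z", "event": "login", "result": "success", "user": "grace@example.com", "src_ip": "192.0.2.44"}
"""

# Constructed IP -> ASN map standing in for a real ASN lookup. The addresses
# are RFC 5737 documentation ranges; the ASN assignment is invented for the demo.
ASN_OF = {"192.0.2.44": 4134}
WATCHED_ASNS = {4134, 4837}  # the two autonomous systems the report calls out


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_attacks(events, window=timedelta(minutes=5), min_accounts=5):
    """One source IP failing logins against many distinct accounts inside a short
    window: the shape both password spraying and credential stuffing leave in logs.
    Returns {src_ip: max distinct accounts failed within any one window}."""
    fails = defaultdict(list)
    for ev in events:
        if ev["event"] == "login" and ev["result"] == "fail":
            fails[ev["src_ip"]].append(ev)
    hits = {}
    for ip, evs in fails.items():
        best = 0
        for i, start in enumerate(evs):  # evs are already time-ordered
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(users))
        if best >= min_accounts:
            hits[ip] = best
    return hits


def detect_smash_and_grab(events, window=timedelta(minutes=10), min_exports=5):
    """A successful login followed quickly by a burst of download/export events
    from the same account. Returns {user: number of exports in the window}."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    hits = {}
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["event"] == "login" and ev["result"] == "success":
                n = sum(1 for e in evs[i + 1:]
                        if e["event"] in ("file_download", "export")
                        and e["ts"] - ev["ts"] <= window)
                if n >= min_exports:
                    hits[user] = max(hits.get(user, 0), n)
    return hits


def flag_watched_asn_logins(events, asn_of=ASN_OF, watched=WATCHED_ASNS):
    """Successful logins whose source address resolves to a watched ASN."""
    return [(ev["user"], ev["src_ip"], asn_of[ev["src_ip"]])
            for ev in events
            if ev["event"] == "login" and ev["result"] == "success"
            and asn_of.get(ev["src_ip"]) in watched]


def run_all(text=SAMPLE_LOG):
    events = parse_events(text)
    return {
        "credential_attacks": detect_credential_attacks(events),
        "smash_and_grab": detect_smash_and_grab(events),
        "watched_asn_logins": flag_watched_asn_logins(events),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, result)
```

On the constructed sample, the spray detector fires on 203.0.113.10 (five accounts failed within 25 seconds) but not on 198.51.100.7, where one user mistypes a password and then succeeds, which is ordinary behaviour. The smash-and-grab detector fires on frank, whose valid login is followed by six exports in under three minutes; that is the activity a kill-chain-oriented detection built around persistence or lateral movement would miss entirely. Thresholds and windows here are illustrative and should be tuned against a tenant's baseline.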

Overall, the analysis emphasizes the need for proactive measures against threat actors' prevalent use of legitimate credentials, and the inadequacy of traditional security controls in mitigating such attacks.
