Slide 1: Modern Kill Chains: Real World SaaS Attacks and Mitigation Strategies
Cory Michal, VP of Security; Brandon Levene, Principal Product Manager, Threat Detection; Ben Pruce, Lead Threat Detection Engineer
August 7, 2024

Slide 2: Agenda
- Reflect on where we are currently
- Hypothesize why we are here
- Examine what it is like to be here
- Determine if something better is possible
- Outline how we could move to a better state

Slide 3: Historical Attack Surface Change

Slide 4: Pre Cloud & SaaS Attack Surface, 2009
[Network diagram with DMZ tiers; not recoverable from the extracted text]

Slide 5: Modern Attack Surface, 2020
[Network diagram; not recoverable from the extracted text]

Slide 6: Attack Surface Observations
Legacy Attack Surface:
- Hardened network perimeters
- VPN access
- Physical access controls
- Network Access Control / Wifi
- Endpoint protection
- Internal IdP
- Internal IT systems
- Internal business systems
- Logging / Monitoring / SIEM / Flow
Modern Attack Surface:
- Rapidly dissolving perimeters
- Access from work or BYOD
- Remote access from anywhere
- Uncontrolled network upstream
- Endpoint protection
- External IdP
- External SaaS systems
- External IaaS/PaaS
- Substantially reduced visibility

Slide 7: Pre-Cloud and SaaS Mapped to ATT&CK
Tactics (top row): Reconnaissance; Initial Access; Execution; Persistence; Command and Control; Privilege Escalation; Collection; Exfiltration; Impact
Attacker steps (bottom row): Research target, scan, find users; Deliver targeted payloads; Exploit perimeter vulnerabilities; Establish persistence of foothold; Establish control of compromised hosts; Escalate privilege if possible; Iterate 35x for lateral movement; PayDay!

Slide 8: SaaS ATT&CK Tactics
Tactics (top row): Reconnaissance; Initial Access; Credential Access; Persistence; Command and Control; Privilege Escalation; Collection; Exfiltration; Impact
Attacker steps (bottom row): Research target, find users, find SaaS; Stuff, spray, SIM swap; Login to IdP; Access SaaS services and manipulate login configurations; Skip; Skip; OAuth, API keys, integration, app (often skipped!); IdP tiles, collaboration, doc, source; PayDay!

Slide 9: This is Why We Can't Have Nice Things
- Substantially expanded our attack surface
- Attack surface is now on other people's stacks
- IaaS and SaaS companies have similar problems
- Substantially reduced effective security controls
- Shortened and compressed the kill chains
- Internet remains a relatively lawless free-for-all

Slide 10: Current State of Affairs
- Phishing, social engineering, SIM swap groups: Winning
- Ransomware affiliates and RaaS platforms: Winning
- Credential spraying actors: Winning
- Infostealer actors: Winning
- APTs hacking the supply chain: Winning
- Sophisticated attackers we don't see: Probably winning
- Organizations and regular folks on the Internet: Losing

Slide 11: Telemetry Information
[Chart of monthly event volume, Apr 2023 through Jun 2024]
Raw processed data:
- 230 billion SaaS audit log events YTD
- 950 TB of events collected
- Average 1.2 billion events per day
- 24 distinct SaaS services
Signals/alerts analyzed:
- 1.9 million over the last 180 days
- 300K unique IPs
Compute: 1 HPU (Hamster Processing Unit)

Slide 12: SaaS Attacks Don't Require Most Kill Chain Activities
- Reconnaissance activities are not logged in most SaaS
- Valid credential activity and data movement are the highest observed activities: 70%
- Maintaining a foothold, while somewhat present, is in many cases not required to achieve objectives: 2%

Slides 13 and 14: SaaS Attacks Heavily Leverage Cloud Providers
[Charts; not recoverable from the extracted text]

Slide 15: Chinese-Affiliated Attacks Focused on Microsoft 365
Observed ASNs: AS4134, AS4837

Slide 16: Enriched Alerts Organized by Tactic
[Chart; not recoverable from the extracted text]

Slide 17: Threat Actors Target Valid Account and MFA Techniques
Alert labels shown: Valid Accounts; Public Leaks; Suspicious IP: Open Proxy; Threats & Actors: Nation State; Abuse Elevation Control Mechanism

Slide 18: Attacker Observations: Credential Access
Tactics: Initial Access; Credential Access
Alert labels shown: Suspicious IP: VPN; Suspicious IP: Socks; Suspicious IP: Scanners; Suspicious IP: Tor Nodes

Slide 19: Attacker Observations: Credential Access
Brute Force & MFA Exhaustion

Slide 20: Attacker Observations: Actions on Objectives
ATT&CK techniques observed: Email Collection; Data Manipulation; Modify Authentication Process; Data from Cloud Storage; Data from Information Repositories; Data Destruction; Steal Application Access Token; Valid Accounts; Impair Defenses

Slide 21: Attacker Observations: Attack Chain
Timeline of tactics and techniques for cluster 6, ASN 396982 (5/17 through 7/1, 2024, in three-day steps)
Technique names (alerts): Refresh Token Reuse Attempted; Okta High Risk Login; Mass Download Actions; Authentication Policy Modified; Direct Deposit Payment Election Modified; Inbox Email Forwarding Set or Updated; IP Address Range Modified; Mass Resource Deletion
Tactic names: Impact; Collection; Defense Evasion; Credential Access; Initial Access

Slide 22: Attacker Observations: Attack Chain
Timeline of tactics and techniques for cluster 11, ASN 396982 (4/22 through 7/06, 2024, in three-day steps)
ATT&CK techniques: Valid Accounts; Steal Application Access Token; Modify Authentication Process; Data from Information Repositories; Data from Cloud Storage; Data Destruction; Automated Exfiltration; Data Manipulation
Technique names (alerts): Mass Resource Deletion; Excessive Downloads Detected; Anomalous Search Activity; Security Policy Modified; Refresh Token Reuse Attempted; Okta High Risk Login; Mass Download Actions; Direct Deposit Payment Election Modified
Tactic names: Exfiltration; Impact; Collection; Defense Evasion; Credential Access; Initial Access

Slide 23: Attacker Observations: Attack Chain
Timeline of tactics and techniques for cluster 12, ASN 15830 (1/16 through 3/19, 2024, in three-day steps)
ATT&CK techniques: Valid Accounts; Use Alternate Authentication Material; Remote Services; Email Collection; Data from Information Repositories; Data from Cloud Storage; Brute Force; Account Manipulation; Data Destruction
Technique names (alerts): Password Spraying Attempted; User Added to High Privileged Role; Azure AD PowerShell Accessing Non Active Directory Resources; Mass Resource Deletion; Mass Download Actions; Inbox Email Forwarding Set or Updated; New Credentials Added to Application Service Principal; Multiple Login Failures Due to Conditional Access Policy
Tactic names: Persistence; Credential Access; Impact; Collection; Lateral Movement; Initial Access

Slide 24: System Identity Controls Are Lacking in Most SaaS Products
Network level:
- IP allowlist? Maybe, but likely can't be utilized
- Block Tor access? Doubtful
Device level:
- Corp device check? Doubtful
- Device attribute profile monitoring? Maybe
Authentication flow:
- SSO available? Sure, pay the SSO tax
- Restrict alternative auth methods? Doubtful
- MFA available? Yes, but likely not for service accounts

Slide 25: Observed TTPs Summary
Credential Access: Buy; Phish; Cred spray; Cred stuff; Enter the front door
Persistence: Modify authentication; Create/use alternative credentials
Impact: Stage data and push to cloud resources; Download directly; Email forwarding rules
Obfuscation methods: VPNs; Proxies; Cloud providers; Tor

Slide 26: Well, How Did We Get Here?
- Bought 150 SaaS products and 3 IaaS/PaaS
- Moved most business processes to SaaS
- Moved most data processing to IaaS/PaaS
- Moved our IdP to the cloud
- Considered security ramifications too late
- Covid accelerated remote work and SaaS
- Diluted the "Zero Trust" protection strategy

Slide 27: Embrace Your New Attack Surface

Slide 28: Key Takeaways: Strategic
Identify:
- SaaS & IaaS intake
- Know SaaS & IaaS in use
- Know the users
- Know the data
- Know the interconnects
- Know their criticality
Protect:
- Determine your trust
- Harden tenant posture
- Maintain posture state
Detect:
- Integrate into SIEM
- Integrate into XDR
- Posture change
- Config drift
- New interconnects
- Anomalous behavior
- Threat intel matches
- New SaaS/IaaS
Respond:
- Integrate into MDR
- Integrate IR process

Slide 29: Key Takeaways: Tactical. What Should We Do?
- Use phishing-resistant hardware MFA devices
- Move important SaaS behind an IdP you can trust
- Enforce hardware key + device trust with the IdP
- Avoid the use of "service accounts" when possible
- Ingest your SaaS logs and monitor them
- Enrich your logs with proxy, VPN, Tor, and ASN tagging
- Utilize UEBA capability at the SIEM
- Implement Zero Trust, for real

Slide 30: Thank You
Assess SaaS threats in your environments: https:/ (URL truncated in the extracted text) ... US HOW TO. Booth #1660
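The attack-chain slides (21 to 23) show alerts such as "Password Spraying Attempted", "Inbox Email Forwarding Set or Updated" and "Mass Download Actions" laid out as a timeline per cluster keyed on source ASN. The following is an added example, not code from the talk: a small rule-based detector over SaaS audit events that produces those alerts and rolls them up into a per-ASN timeline. The event schema, thresholds, technique-to-tactic mapping and sample events are all constructed; a real pipeline would first map each product's audit-log fields (Okta system log, Microsoft 365 unified audit log, Workday and so on) onto this shape.

```python
"""Rule-based detections over SaaS audit events, rolled up into the kind of
per-cluster attack-chain timeline shown on the talk's attack-chain slides.

Added example, not code from the talk. The event schema, the thresholds,
the technique-to-tactic mapping and the sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAINS = {"example.com"}   # constructed: the tenant's own mail domains
WINDOW_MINUTES = 10             # bucket size for the volume-based rules
SPRAY_MIN_USERS = 3             # distinct users failing from one IP per bucket
MASS_DOWNLOAD_MIN = 50          # downloads by one actor per bucket
MASS_DELETE_MIN = 20            # deletions by one actor per bucket

# Alert name -> ATT&CK tactic, following the tactic labels used on the slides.
TACTIC = {
    "Password Spraying Attempted": "Credential Access",
    "High Risk Login": "Initial Access",
    "Authentication Policy Modified": "Defense Evasion",
    "Inbox Email Forwarding Set or Updated": "Collection",
    "Mass Download Actions": "Collection",
    "Mass Resource Deletion": "Impact",
}


def bucket(ts):
    """Floor an ISO timestamp to the start of its WINDOW_MINUTES bucket."""
    t = datetime.fromisoformat(ts)
    return t.replace(minute=t.minute - t.minute % WINDOW_MINUTES, second=0, microsecond=0)


def finding(e, technique, actor=None):
    return {"ts": e["ts"], "asn": e["asn"], "ip": e["ip"], "actor": actor or e["actor"],
            "technique": technique, "tactic": TACTIC[technique]}


def detect(events):
    """One finding per detected technique occurrence, ordered by time."""
    findings = []
    spray = defaultdict(set)    # (ip, bucket) -> distinct actors with failed logins
    volume = defaultdict(int)   # (action, actor, bucket) -> event count
    first = {}                  # key -> first event under that key (carries ts/asn/ip)
    for e in sorted(events, key=lambda e: e["ts"]):
        b, a = bucket(e["ts"]), e["action"]
        if a == "login.failed":
            spray[(e["ip"], b)].add(e["actor"])
            first.setdefault((e["ip"], b), e)
        elif a == "login.success" and e.get("risk") == "HIGH":
            findings.append(finding(e, "High Risk Login"))
        elif a == "auth_policy.update":
            findings.append(finding(e, "Authentication Policy Modified"))
        elif a == "mailbox.forwarding.update":
            # Forwarding to a domain the tenant does not own is the collection pattern.
            if e.get("target", "").rsplit("@", 1)[-1] not in ORG_DOMAINS:
                findings.append(finding(e, "Inbox Email Forwarding Set or Updated"))
        elif a in ("file.download", "resource.delete"):
            volume[(a, e["actor"], b)] += 1
            first.setdefault((a, e["actor"], b), e)
    for key, actors in spray.items():
        if len(actors) >= SPRAY_MIN_USERS:
            findings.append(finding(first[key], "Password Spraying Attempted",
                                    actor=f"{len(actors)} users"))
    for key, n in volume.items():
        limit, name = ((MASS_DOWNLOAD_MIN, "Mass Download Actions") if key[0] == "file.download"
                       else (MASS_DELETE_MIN, "Mass Resource Deletion"))
        if n >= limit:
            findings.append(finding(first[key], name))
    return sorted(findings, key=lambda f: f["ts"])


def attack_chains(findings):
    """Group findings by source ASN, the clustering key used on the slides."""
    chains = defaultdict(list)
    for f in findings:
        chains[f["asn"]].append((f["ts"][:10], f["tactic"], f["technique"]))
    return dict(chains)


def burst(start, actor, ip, asn, action, n, step=5):
    """Constructed helper: n events of one action, `step` seconds apart."""
    t0 = datetime.fromisoformat(start)
    return [dict(ts=(t0 + timedelta(seconds=i * step)).isoformat(), actor=actor,
                 ip=ip, asn=asn, action=action) for i in range(n)]


# Constructed sample: a spray from a cloud-hosted IP (private-use ASN 64496),
# one high-risk success, an auth-policy change, an external forwarding rule,
# a mass download and a mass deletion; plus benign activity from a
# residential ASN that must not fire.
EVENTS = (
    [dict(ts=f"2024-05-17T08:01:{s:02d}", actor=u, ip="198.51.100.7", asn=64496, action="login.failed")
     for s, u in ((0, "alice"), (5, "bob"), (9, "carol"), (14, "dave"))]
    + [dict(ts="2024-05-17T08:02:00", actor="dave", ip="198.51.100.7", asn=64496,
            action="login.success", risk="HIGH")]
    + [dict(ts="2024-05-20T10:00:00", actor="dave", ip="198.51.100.9", asn=64496,
            action="auth_policy.update")]
    + [dict(ts="2024-05-23T11:00:00", actor="dave", ip="198.51.100.9", asn=64496,
            action="mailbox.forwarding.update", target="archive@example.net")]
    + burst("2024-05-26T12:00:00", "dave", "198.51.100.9", 64496, "file.download", 60)
    + burst("2024-06-07T09:00:00", "dave", "198.51.100.9", 64496, "resource.delete", 25)
    + [dict(ts="2024-05-18T09:00:00", actor="erin", ip="192.0.2.10", asn=64498,
            action="login.success", risk="LOW")]
    + burst("2024-05-18T09:05:00", "erin", "192.0.2.10", 64498, "file.download", 5)
)

if __name__ == "__main__":
    for asn, steps in attack_chains(detect(EVENTS)).items():
        print(f"cluster ASN {asn}")
        for day, tactic, technique in steps:
            print(f"  {day}  {tactic:<18} {technique}")
```

Run as a script, the sample produces a single cluster on ASN 64496 whose tactics read Credential Access, Initial Access, Defense Evasion, Collection, Collection, Impact, which is the compressed SaaS kill chain slide 12 describes: no reconnaissance or C2 stage is visible in the logs, and the actor goes from a valid account to data movement and destruction. The bucketing is deliberately simple; a production rule would use sliding windows and per-tenant baselines (the UEBA capability the tactical takeaways mention).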
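Slide 18 lists "Suspicious IP" alerts for VPN, SOCKS, scanner and Tor sources, and the tactical takeaways ask you to enrich SaaS logs with proxy, VPN, Tor and ASN tagging before they reach the SIEM. The following is an added example, not code from the talk, of that enrichment step. The ASN table, the anonymizer lists and the sample events are constructed (documentation prefixes and private-use ASNs); in production they come from a GeoIP/ASN database and threat-intelligence feeds refreshed on a schedule.

```python
"""Enrich SaaS audit-log source IPs with ASN, cloud-provider, VPN, proxy and
Tor tags so the SIEM can pivot on them.

Added example, not code from the talk. All tables and events below are
constructed for illustration.
"""
import ipaddress

# Constructed ASN table: (prefix, ASN, organisation). Longest matching prefix wins.
ASN_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), 64496, "EXAMPLE-CLOUD"),
    (ipaddress.ip_network("203.0.113.0/24"), 64497, "EXAMPLE-HOSTING"),
    (ipaddress.ip_network("192.0.2.0/24"), 64498, "EXAMPLE-RESIDENTIAL-ISP"),
]
CLOUD_PROVIDER_ASNS = {64496}                                   # constructed
VPN_EXIT_PREFIXES = [ipaddress.ip_network("203.0.113.0/26")]    # constructed feed
OPEN_PROXIES = {"203.0.113.200"}                                # constructed feed
TOR_EXIT_NODES = {"198.51.100.7"}                               # constructed feed
ANONYMIZER_TAGS = {"tor", "open_proxy", "vpn"}


def lookup_asn(ip):
    """Longest-prefix match of ip against ASN_TABLE; (None, 'UNKNOWN') if no row matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn, org in ASN_TABLE:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, asn, org)
    return (best[1], best[2]) if best else (None, "UNKNOWN")


def tag_ip(ip):
    """Return the enrichment fields the SIEM should carry for one source IP."""
    addr = ipaddress.ip_address(ip)
    asn, org = lookup_asn(ip)
    tags = set()
    if ip in TOR_EXIT_NODES:
        tags.add("tor")
    if ip in OPEN_PROXIES:
        tags.add("open_proxy")
    if any(addr in p for p in VPN_EXIT_PREFIXES):
        tags.add("vpn")
    if asn in CLOUD_PROVIDER_ASNS:
        tags.add("cloud_provider")
    return {"src_asn": asn, "src_org": org, "src_tags": sorted(tags),
            "src_anonymized": bool(tags & ANONYMIZER_TAGS)}


def enrich(events):
    """Attach the tag_ip fields to every event (events must carry src_ip)."""
    return [{**e, **tag_ip(e["src_ip"])} for e in events]


def anonymized_logins(events):
    """Successful logins from Tor/VPN/proxy sources: the 'Suspicious IP' alert family."""
    return [e for e in enrich(events)
            if e["action"] == "login.success" and e["src_anonymized"]]


# Constructed sample events (field names are assumptions, not any vendor's schema).
SAMPLE_EVENTS = [
    {"ts": "2024-05-17T08:02:00", "actor": "dave",  "src_ip": "198.51.100.7",   "action": "login.success"},
    {"ts": "2024-05-17T09:10:00", "actor": "erin",  "src_ip": "192.0.2.10",     "action": "login.success"},
    {"ts": "2024-05-17T09:30:00", "actor": "frank", "src_ip": "203.0.113.20",   "action": "login.success"},
    {"ts": "2024-05-17T09:45:00", "actor": "frank", "src_ip": "203.0.113.200",  "action": "login.failed"},
    {"ts": "2024-05-17T10:00:00", "actor": "grace", "src_ip": "198.51.100.50",  "action": "login.success"},
]

if __name__ == "__main__":
    for e in enrich(SAMPLE_EVENTS):
        print(e["ts"], e["actor"], e["src_ip"], f"AS{e['src_asn']}", e["src_org"], e["src_tags"])
```

Keeping `cloud_provider` as a separate tag from the anonymizer tags matters: slides 13 and 14 show attacks leaning heavily on cloud providers, but a login from a cloud ASN is also what every legitimate CI job and SaaS-to-SaaS integration looks like, so it is a pivot field for UEBA baselining rather than an alert by itself.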
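Slide 24 notes that most SaaS products cannot enforce device checks, restrict alternative auth methods, or apply MFA to service accounts, and the tactical takeaways therefore move those controls to the IdP: phishing-resistant hardware MFA plus device trust, with service accounts avoided. The following is an added example, not code from the talk and not any IdP vendor's policy format, of a sign-on decision that encodes those takeaways. The context keys and factor names are constructed stand-ins for the attributes an IdP exposes to its sign-on policy engine.

```python
"""Sign-on policy check of the kind the tactical takeaways ask the IdP to
enforce: phishing-resistant hardware MFA plus device trust, with service
accounts and anonymized sources surfaced rather than silently allowed.

Added example; context keys and factor names are constructed.
"""
from collections import Counter

PHISHING_RESISTANT = {"webauthn_hardware_key", "piv_smart_card"}  # constructed factor names
ANONYMIZER_TAGS = {"tor", "open_proxy", "vpn"}                    # from log enrichment


def evaluate_signin(ctx):
    """Return (decision, reasons) for one sign-in attempt described by ctx."""
    reasons = []
    if ctx.get("is_service_account"):
        # Service accounts rarely support MFA (slide 24); the takeaway is to avoid
        # them, so an interactive sign-in by one is denied and surfaced.
        reasons.append("service account used for interactive sign-in")
    if ctx.get("factor") not in PHISHING_RESISTANT:
        # Push, SMS, voice and TOTP all fall to real-time phishing relays.
        reasons.append(f"factor {ctx.get('factor')!r} is not phishing resistant")
    if not ctx.get("device_trusted"):
        reasons.append("device is not managed or attested")
    if ANONYMIZER_TAGS & set(ctx.get("src_tags", ())):
        reasons.append("source IP is an anonymizer")
    return ("allow" if not reasons else "deny"), reasons


def weakest_link(attempts):
    """Tally deny reasons across many attempts to see which control to fix first."""
    tally = Counter()
    for ctx in attempts:
        _, reasons = evaluate_signin(ctx)
        tally.update(reasons)
    return tally.most_common()


# Constructed sample attempts.
SAMPLE_ATTEMPTS = [
    {"user": "alice", "factor": "webauthn_hardware_key", "device_trusted": True,  "src_tags": []},
    {"user": "bob",   "factor": "push",                  "device_trusted": True,  "src_tags": []},
    {"user": "carol", "factor": "webauthn_hardware_key", "device_trusted": False, "src_tags": ["vpn"]},
    {"user": "svc-backup", "factor": None, "device_trusted": False,
     "is_service_account": True, "src_tags": ["cloud_provider"]},
]

if __name__ == "__main__":
    for ctx in SAMPLE_ATTEMPTS:
        decision, reasons = evaluate_signin(ctx)
        print(f"{ctx['user']:<11} {decision:<6} {'; '.join(reasons)}")
    print(weakest_link(SAMPLE_ATTEMPTS))
```

The point of returning every reason rather than stopping at the first is the "Maintain posture state" takeaway on slide 28: tallied over a day of sign-ins, the reasons show whether the remaining gap is unenrolled hardware keys, unmanaged devices, or service accounts still on the interactive path.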