The Decider tool is designed to make the ATT&CK framework more accessible and usable for security analysts of every level, with an intuitive interface and simplified language.

The US Cybersecurity and Infrastructure Security Agency (CISA) has launched Decider, a free tool to help the cybersecurity community more easily map threat actor behavior to the MITRE ATT&CK framework.

Created in partnership with the US Homeland Security Systems Engineering and Development Institute (HSSEDI) and MITRE, Decider is a Web application that organizations can download and host within their own infrastructure, thus making it available to a range of users via the cloud. It's meant to simplify the often onerous process of using the framework accurately and effectively, as well as open up its use to analysts at every level in a given cybersecurity organization.

**ATT&CK: A Complex Framework**

ATT&CK is designed to help security analysts determine what attackers are trying to achieve and how far along they are in the process (i.e., are they establishing initial access? Moving laterally? Exfiltrating data?) It does this via a set of known cyberattack techniques and sub-techniques determined and refreshed periodically by MITRE, that analysts can map on top of what they might be seeing in their own environments.

The goal is to anticipate the bad guys' next moves and shut down attacks as quickly as possible. The framework can also be incorporated into a variety of security tools, and it provides a standard language for communicating with peers and stakeholders during incident response and forensic investigations.

That's all well and good, but the problem is that the framework is notoriously complex, often requiring a high level of training and expertise to select the correct mappings, for instance. It also continually expands, including beyond enterprise attacks to incorporate threats to industrial control systems (ICS) and the mobile landscape, adding to the complexity. In all, it's a sprawling data set to navigate — and cyber defenders often end up in the weeds when trying to use it.

"There are a lot of techniques and sub-techniques that are available and that can get very involved and very technical, and oftentimes analysts are overwhelmed, or it slows them down quite a bit, because they don't necessarily know if the sub-technique they're picking is the right one," James Stanley, section chief at CISA, says, noting that complaints about mis-mappings using the tool are common.

"When you go to the website, there's a lot of information in front of you and it gets daunting quickly. The Decider tool really just brings it into more plain language for an analyst to use, regardless of their level of expertise," he says. "We wanted to give our stakeholders more guidance on how to use the framework, and make it available to, say, junior analysts who could benefit from using it in real time during middle-of-the-night incident response, for instance."

    

Decider uses a series of questions to guide analysts through the framework. Source: MITRE Corp.

On a broader level, proselytizers at CISA and MITRE believe that a wider use of ATT&CK — as encouraged by Decider — will lead to better, more actionable threat intelligence — and better cyber-defense outcomes.

"At CISA, we really want to put the emphasis on using threat intelligence to be proactive in your defense and not reactive," Stanley says. "For a very long time, the industry's go-to for that has been to share indicators of compromise (IOCs), which have very broad, very limited context." 

In contrast, ATT&CK tips the playing field to the defense's advantage, he says, because it's granular and gives organizations a way to understand the specific threat actor playbooks that are relevant to their specific environments.

"Threat actors should know that their playbooks are essentially useless once we highlight what they do and how they do it and incorporate it into the framework," he explains. "Organizations that can use it have a much stronger security posture as opposed to just kind of blindly blocking IP addresses or hashes, like the industry is so used to doing. Decider gets us closer to that."

**Simplifying ATT&CK for Analyst Accessibility**

Decider makes ATT&CK mapping more accessible by walking users through a series of guided questions about adversary activity, with the goal of identifying the correct tactics, techniques, or sub-techniques in the framework to fit the incident in an intuitive way. From there, those results can "inform a range of important activities such as sharing the findings, discovering mitigations, and detecting further techniques," according to CISA's March 1 announcement of the new tool.

    

Decider uses simplified language and definitions for techniques and sub-techniques. Source: MITRE Corp.

  
In addition to the prepopulated guiding questions, Decider uses simplified language that would be accessible to any security analyst, an intuitive search and filter function for uncovering relevant techniques, and a "shopping cart" functionality that lets users export results to commonly used formats. Additionally, organizations can tailor and tune it to their own individual environments, including flagging common mis-mappings.

The hope is for ATT&CK to eventually become a foundational, background tool for cybersecurity organizations, according to John Wunder, department manager, CTI, and Adversary Emulation at MITRE, rather than the unwieldy, if useful, instrument that it has been.

"One thing that I would really love to see as ATT&CK moves more into the background is just a part of the day-to-day operations of cybersecurity and individual analysts just having to pay less attention to it," he says. "It's just something that should form the foundation of what we do and thinking about understanding adversary behaviors, and not something that you have to spend a lot of time thinking through each time you're doing an incident response. Decider is a big step forward to that."

The tool also helps ATT&CK's syntax to become the de facto common nomenclature across tools and security platforms, and for sharing threat intelligence.

"Once you see ATT&CK used across more and more of the ecosystem, and everyone using a common language, then the users of ATT&CK start to see more and more benefit from aligning things to the framework and using it to more effectively correlate tools and so on," Wunder says. "Hopefully through things like Decider that make it easier to use, we'll start to see more and more of that."

CISA, MITRE Look to Take ATT&CK Framework Out of the Weeds

The new White House plan outlines proposed minimum security requirements in critical infrastructure — and for shifting liability for software products to vendors.

The Biden-Harris administration today announced a sweeping new National Cybersecurity Strategy that, among other things, seeks to establish meaningful liability for software products and services and sets mandatory minimum cybersecurity requirements in the critical infrastructure sector.

When fully implemented, the strategy will also strengthen the ability of both federal and private sector entities to disrupt and dismantle threat actor operations and require all entities that handle data on individuals to pay closer attention to how they protect that data.

One key objective of the strategy is for federal regulators to look for opportunities to incentivize all stakeholders to adopt better security practices via tax structures and other mechanisms.

**Rebalancing the Responsibility for Cybersecurity**

"\[The strategy\] takes on the systemic challenge that too much of the responsibility for cybersecurity has fallen on individual users and small users," President Biden wrote in the introduction to his new plan. "By working in partnership with industry, civil society, and State, local, Tribal, and territorial governments, we will rebalance the responsibility for cybersecurity to be more effective and equitable."

Biden's strategy seeks to build collaboration and momentum around five specific areas: critical infrastructure protection, disruption of threat actor operations and infrastructure, promoting better security among software vendors and organizations handling individual data, investments in more resilient technologies, and international cooperation on cybersecurity.

Of these, the proposed initiatives around critical infrastructure security and shifting liability to software vendors and data processors could have the most significant impact.

The critical infrastructure component of Biden's strategy includes a proposal to expand minimum cybersecurity requirements for all operators of critical infrastructure. The regulations will be based on existing cybersecurity standards and guidance such as the National Institute of Standards and Technology's (NIST) Framework for Improving Critical Infrastructure Cybersecurity and the Cybersecurity and Infrastructure Security Agency's (CISA) Cybersecurity Performance Goals.

**A Focus on Secure by Design**

The requirements will be performance based, adaptable to changing requirements, and focus on driving adoption of secure-by-design principles.

"While voluntary approaches to critical infrastructure security have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes," the strategy document said. Regulation can also level the playing field in sectors where operators are in a competition with others to underspend on security because there really is no incentive to implement better security. The strategy provides critical infrastructure operators that might not have the financial and technical resources to meet the new requirements, with potentially new avenues for securing those resources.

Joshua Corman, former CISA chief strategist and current vice president of cyber safety at Claroty, says the Biden administration's choice to make critical infrastructure security a priority is an important one.

"The nation has seen successful cyber disruptions in critical infrastructure that have significantly impacted numerous lifeline functions, including access to water, food, fuel, and patient care, to name just a few," Corman says. "These are vital systems that are increasingly suffering disruptions, and many of the owners and operators of this critical infrastructure are what I call 'target rich, cyber poor.'"

These are often among the most attractive targets for threat actors but have the least number of resources to protect themselves, he notes.

Robert DuPree, manager of government affairs at Telos, views congressional support as key to Biden's plans to bolster critical infrastructure cybersecurity.

"The push to impose mandatory cybersecurity requirements on additional critical infrastructure sectors will need congressional authorization in some cases, which in the current political environment is a longshot at best," he said in a statement. "The Republican House majority is philosophically opposed to new government mandates and is not likely to give the Biden Administration such authority."

**Holding Vendors Accountable for Software Security**

In what is likely to a controversial move, Biden's new national cybersecurity strategy also puts emphasis on holding software vendors more directly responsible for the security of their technologies. The plan specifically shifts liability for insecure software and services to the vendors and away from the end users who bear the consequences of insecure software.

As part of the effort, Biden's administration will work with Congress to try and pass legislation that would prevent software manufacturers and publishers with market power to simply disclaim away liability by contract. The strategy provides a safe harbor for organizations with demonstrably secure practices for software development and maintenance.

"Too many vendors ignore best practices for secure development, ship products with insecure default configurations, or known vulnerabilities," and with insecure third-party components, the strategy document said.

In addition to shifting liability to software vendors, the new strategy also calls for minimum security requirements for all organizations handling individual data especially geolocation and health data.

Support in Congress for efforts to shift liability to software vendors has manifested in fits and starts for over a decade, says Brian Fox, CTO and co-founder of Sonatype. "In 2013, H.R.5793 — Cyber Supply Chain Management and Transparency Act known as the Royce Bill started the conversation around introducing software bills of material (SBOM)," he says.

Ultimately that proposal didn't move forward, but the requirement for all software suppliers to the federal government to produce SBOMs on demand ended up being incorporated in a May 2021 Executive Order from President Biden, he says. "More recently, we've seen the Securing Open Source Software Act of 2022 working its way through committees. It seems clear that Congress is looking for a way to move the industry forward, and the strategy lays out specific new elements to be considered."

**Carrot and Stick**

As part of the effort to guide better security behavior, the federal government will use its enormous purchasing clout to get software and service suppliers to contractually adhere to minimum security requirements. It will use grants and other mechanisms — such as rate-making processes and tax structures — to get organizations to invest more in cybersecurity.

Karen Walsh, cybersecurity compliance expert at Allegro Solutions, says if the plan works as intended it could shift corporate mindsets from a "security means penalties" to a "security means attaining rewards" mentality.

"In many ways, this is similar to how the government already offers incentives for clean energy initiatives," Walsh says.

**Fighting Back**

One major focus of the new strategy is on strengthening federal and private sector capabilities to disrupt threat actor operations and infrastructure. The plans include developing a whole-of-government disruption capability, more coordinated takedowns of criminal infrastructure and resources, and making it harder for threat actors to use US infrastructure for cyber-threat operations.

"Dismantling threat actors is unlikely to take place on a broad scale," says Allie Mellen, a senior analyst at Forrester. "It's similar to the idea of 'hack back' — hypothetically great, but difficult to execute on."

Mellen considers the proposed expansion of regulations on critical infrastructure providers as by far the most significant component of the new strategy.

"Not only does it look to establish a set of minimum cybersecurity requirements, but it also begins to link technology providers such as infrastructure-as-a-service (IaaS) companies to these requirements, broadening its reach," she says.

Claroty's Corman says some of the proposals in the new strategy will likely trigger some hard conversations. But it is high time to have them, he notes.

"The more controversial topics, such as software liability, are admittedly going to be tougher to achieve," Corman notes. But the effort is crucial, he says.

"There is a significant gap between the current state and the desired state for critical infrastructure cyber-resilience — we need bold thinking and bold action in order to narrow that gap."

Biden's Cybersecurity Strategy Calls for Software Liability, Tighter Critical Infrastructure Security

Sold for around $5,000 in hacking forums, the BlackLotus UEFI bootkit is capable of targeting even updated systems, researchers find.

BlackLotus UEFI bootkits are deployed to take over the boot process of operating systems: bypassing security measures and deploying their malicious payloads.

Now, researchers with ESET are raising the alarm that even completely updated Windows 11 systems with UEFI Secure Boot enabled are vulnerable to BlackLotus attacks. Worryingly, the new bootkit, first discovered in October 2022, is readily available for as little as $5,000 on hacking forums.

"It was just a matter of time before someone would take advantage of these failures and create a UEFI bootkit capable of operating on systems with UEFI Secure Boot enabled," ESET explained in the report. "As we suggested last year in our RSA presentation, all of this makes the move to the ESP more feasible for attackers and a possible way forward for UEFI threats — the existence of BlackLotus confirms this."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

BlackLotus Bookit Found Targeting Windows 11

The same "sophisticated" threat actor has pummeled the domain host on an ongoing basis since 2020, making off with customer logins, source code, and more. Here's what to do.

For years, the domain registrar and Web hosting company GoDaddy has experienced a cyber barrage of extraordinary scale, it has confirmed — affecting both the company and its many individual and enterprise clients.

As described in its 10K filing for 2022, released Feb. 16, the company has been breached once every year since 2020 by the same set of cyberattackers, with the latest occurring just last December. It's worth also mentioning that the company has been the subject of earlier cyber incursions as well. The consequences to GoDaddy are one thing, but, more notably, the breaches have led to data compromises for more than 1 million of the company's users.

That may well be the key to why the bad guys keep coming back. Because of the nature of its business, GoDaddy is a connecting link to millions of businesses around the world. As Brad Hong, customer success lead at Horizon3ai puts it: "This is the equivalent of your landlord's office being left unlocked, giving a bad actor access to the keys to your house."

**GoDaddy's Three-Headed Breach**

While the world was coming to grips with COVID-19, thousands of GoDaddy customers had a second problem on their hands. In March 2020, the company discovered that an attacker had compromised the login details for a small number of their employees, as well as 28,000 of their hosting customers.

It was a harbinger of worse things to come.

In November 2021, a threat actor got their hands on a password that allowed them access to Managed WordPress, GoDaddy's hosting platform for building and managing WordPress sites. This case touched 1.2 million Managed WordPress customers.

There was yet more. In a statement published alongside its 10K, GoDaddy shared details of yet a third compromise.

"In early December 2022, we started receiving a small number of customer complaints about their websites being intermittently redirected," the company said. It turned out that an attacker had breached and planted malware on the company's hosting servers for cPanel, a control panel program for Web hosts. This malware intermittently redirected users from the websites they intended to visit, to malicious sites.

In their statement, the company claimed to "have evidence, and law enforcement has confirmed, that this incident was carried out by a sophisticated and organized group targeting hosting services like GoDaddy. According to information we have received, their apparent goal is to infect websites and servers with malware for phishing campaigns, malware distribution, and other malicious activities."

**The Supply Chain Problem With Hosting Services**

According to Domain Name Stat, GoDaddy is far and away the largest domain name registrar on the Internet, capturing more than 12% market share with its nearly 80 million registered domains. Scale, alone, would make it an attractive target for cyberattacks, but being a hosting service makes this a whole other animal.

"GoDaddy and other Web hosting sites are prime targets for adversaries looking to conduct supply chain attacks," says Allie Roblee, intelligence analyst at Resilience. A company may take care to implement strong security practices and software, shunting phishing attacks, and patching up software bugs, yet still be vulnerable through a trusted provider like their Web hosting service. "Breaching large service providers like GoDaddy allows adversaries to compromise organizations and individuals they may have been unable to get into directly."

Of course, once attackers get in through the side entrance, they can do anything from stealing credentials to dropping malware, redirecting users to malicious sites, planting backdoors for later use, and much more. But "the implications for these compromises go even beyond that of security," Hong warns.

Consider an innocent person who intends to visit a business's website, but instead ends up redirected to a malicious site. Would that person ever risk visiting that business' website again? This, Hong points out, "hurts the reputation and operations of thousands, if not millions, of legitimate businesses."

Beyond that, there's a broader cost. "Weak security at this vendor level additionally allows attackers to force multiply their ability to carry out whatever objective they wish to," he explains. Such compromises "not only provide them with rich PII and private key data intelligence, but also an extensive network of websites and servers to do their bidding — similar to an IoT botnet, but instead of multiplying traffic, it multiplies the chances of successfully carrying out attacks which rely on humans as a weakness."

**What GoDaddy Customers Can Do**

If it didn't end that first or second time, how likely is it that the campaign against GoDaddy is over now? "It's possible," Roblee warns, "that the attackers still have access to GoDaddy's infrastructure or have the capability to find vulnerabilities in the stolen source code they can exploit to regain access."

For that reason, she says, "customers should audit any recently changed or uploaded files on their website to ensure that malware has not been installed. Additionally, I would recommend checking historical DNS records to see if any of their domains had been temporarily redirected."

Hong's advice is even simpler. "Affected businesses should change everything!" including all potentially affected login credentials, "and especially deprecating and creating fresh SSL private keys if using them."

Preventative measures will be more necessary going forward than ever before. As GoDaddy assessed in their 10K, the risk of attack "is likely to increase as we expand the number of cloud-based products we offer and operate in more countries."

GoDaddy declined to comment for this article beyond its published statement when contacted by Dark Reading.

What GoDaddy's Years-Long Breach Means for Millions of Clients

Access-as-a-service took off in underground markets with more than 775 million credentials for sale and thousands of ads for access-as-a-service.

The cybercrime economy centered around access to compromised systems, services, and networks has grown dramatically in the past year — with a sixfold increase in the number of credentials stolen via malware and offered for sale.

With cyberattackers using information-stealing malware to gather credentials, the expansion of access-as-a-service offerings has blossomed in the criminal underground with thousands of advertisements offering would-be cybercriminals access to compromised systems, according to findings in Recorded Future's newly published annual report.

In addition, the collection of data, use of stolen accounts, and phishing are among the top 10 most-discussed tactics in cybercriminals forums, according to the report.

The analysis of the most popular topics from underground forums demonstrates that stolen credentials and the sale of initial access continue to dominate cybercriminal markets, says David Carver, a senior manager at Recorded Future's Insikt research group.

"Credentials are a massive business because they continue to be successful and profitable for criminals," he says. "So as long as there continues to be fairly easy ways to monetize credentials at scale, which has been true for criminal markets for a long time, I don't see the drive for that type of theft changing."

    

Stolen credentials logged by info-stealing malware grew significantly in 2022. Source: Recorded Future

A decade ago, cybercriminals focused on stealing valuable data or on compromising specific companies that not only could be exploited but would also pay the attacker to leave them alone. Yet with the popularity of ransomware and the ability to use cryptocurrencies as a method of payment, attackers have been able to monetize nearly any breach of an organization. Thus, selling stolen credentials and opportunistic access has become the go-to product of the underground economy.

**MFA Fail**

Deploying stolen credentials has become more difficult for cybercriminals thanks to multifactor authentication (MFA), but attackers have countered with bypass techniques for many types of MFA, so credential theft has continues to be a standard post-breach tactic and access-as-a-service continues to thrive, Recorded Future's Carver explains.

"Until either our concept or our fundamental methods around identity change, there's not going to be a change in the criminal market, or at least not in the way that we're seeing right now," he says.

In 2021, the attackers focused on finding valuable systems and encrypting them with ransomware, with data encrypted for impact (T1486) and system information discovery (T1082) topping the list of trending tactics, techniques, and procedures uncovered by Recorded Future. In 2022, cybercriminals shifted their focus to the collection of data from local aystems (T1005) and the use of valid accounts (T1078) for access, according to the "2022 Annual Report."

The trend shows that access has become increasingly important, as cybercriminals have more options than just ransomware to monetize compromised systems, leading to information-stealing functionality becoming popular, the firm said. Ransomware payments decreased by nearly 60% in 2022 compared with 2021, according to Recorded Future's data.

"Credential sales remain popular on dark web marketplaces, typically for use in account takeover and credential stuffing attacks," the report stated. "The tactic has grown in sophistication with the rise of information-stealing malware and the proliferation of the malware-as-a-service model."

Recorded Future would not discuss the specifics of where its credential numbers came from, but its researchers believe that they have captured evidence of at least half of total campaigns from major info stealers.

"This is as close to 'bare metal' as you can get in terms of what is being exfiltrated and exposed as part of multiple different info-stealer malware campaigns," Carver says. "So to some extent, we're getting these directly as a result of understanding what data that malware is pulling in."

**Not Just Usernames and Passwords**

An attacker's focus on collecting credentials following a compromise has evolved as more information about the user has become necessary to bypass some security controls. Now, attackers are likely to collect session tokens from the browser cache, geographical information, browser version information, and other data in addition to usernames and passwords, Carver says.

"When we think about credential theft, what we actually need to be thinking about is the kind of complete browser fingerprint that some of these info sealers are looking for," he says.

Companies should assume that threat actors have employees' basic credentials, and that multifactor authentication could be bypassed, Carver said. They also need to ensure they can detect anomalous account behavior.

"The absolute first thing that \[companies should\] look at is identity and access management, making sure that across the complete scope of identities or platforms, or users that have access to anything internal, that there is a really robust and well understood security program," he says. "To me, that's table stakes right now for a more secure program, given the rise of info stealers."

Sale of Stolen Credentials and Initial Access Dominate Dark Web Markets

Overcoming the obstacles of this security principle can mitigate the damages of an attack.

When I was forming the idea for the company that would become Veza, my co-founders and I interviewed dozens of chief information security officers (CISOs) and chief information officers (CIOs). No matter the size and maturity of their modern tech-savvy companies, we heard one theme over and over: They could not see who had access to their company's most sensitive data. Every one of them subscribed to the principle of least privilege, but none of them could say how close their company came to achieving it.

"Least privilege" is defined by NIST's Computer Security Resource Center as "the principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function." That sounds simple, but things have changed. Data is now spread across multiple clouds, hundreds of SaaS apps, and systems old and new. As a result, all modern companies accumulate "access debt" — unnecessary permissions that were either too broad in the first place or no longer necessary after a job change or termination.

A KPMG study found that 62% of US respondents experienced a breach or cyber incident in 2021 alone. If any employee falls prey to phishing, but they only have access to non-sensitive information, there may be no economic impact at all. Least privilege mitigates the damage of an attack.

There are three obstacles to achieving least privilege: visibility, scale, and metrics.

**Visibility Is the Foundation**

It's hard to manage something you can't see, and access permissions are spread across countless systems in the enterprise. Many are managed locally within the unique access controls of a system (e.g., Salesforce admin permissions). Even when companies implement an identity provider, such as Okta, Ping, or ForgeRock, this only shows the tip of the iceberg. It cannot show all the permissions that sit below the waterline, including local accounts and service accounts.

    

Source: Veza

This is especially relevant today, with so many companies conducting layoffs. When terminating employees, employers revoke access to the network and SSO (single sign-on), but this does not propagate all the way to the myriad systems in which the employee had entitlements. This becomes unseen access debt.

For companies where legal compliance mandates periodic access reviews, visibility is manual, tedious, and vulnerable to omissions. Employees are dispatched to investigate individual systems by hand. Making sense of these reports (often, screenshots) might be possible for a small company, but not for one with a modern data environment.

**Scale**

Any company might have thousands of identities for employees, plus thousands more for non-humans, like service accounts and bots. There can be hundreds of "systems," including cloud services, SaaS apps, custom apps, and data systems such as SQL Server and Snowflake. Each offers tens or hundreds of possible permissions on any number of granular data resources. Since there is an access decision to make for every possible combination of these, it's easy to imagine the challenge of checking a million decisions.

To make the best of a bad situation, companies take a shortcut and assign identities to roles and groups. This addresses the scale problem but worsens the visibility problem. The security team might be able to see who belongs to a group, and they know the label on that group, but labels don't tell the whole story. The team can't see access at the level of tables or columns. When identity access management (IAM) teams are receiving a never-ending stream of access requests, it's tempting to rubber stamp approvals for the closest-fit group, even if that group confers broader access than necessary.

Companies can't overcome the scale challenge without automation. One solution is time-limited access. For example, if an employee was given access to a group but doesn't use 90% of the permissions for 60 days, it's probably a good idea to trim that access.

**Metrics**

If you can't measure it, you can't manage it, and nobody today has the tools to quantify how much "privilege" has been granted.

CISOs and their security teams need a dashboard to manage least privilege. Just as Salesforce gave sales teams the object model and dashboards to manage revenue, new companies are creating the same foundation for managing access.

How will teams quantify their access? Will it be called "privilege points"? Total permission score? A 2017 paper coined a metric for database exposure called "breach risk magnitude." Whatever we call it, the rise of this metric will be a watershed moment in identity-first security. Even if the metric is an imperfect one, it will shift a company's mindset toward managing least privilege like a business process.

**Going Forward**

The landscape has changed, and it has become practically impossible to achieve least privilege using manual methods. Fixing this will require new technologies, processes, and mindsets. The CISOs and CIOs I work with believe least privilege is possible, and they're making prudent investments to move beyond the bare minimum of quarterly access reviews. It won't be long before manual reviews are a thing of the past, and automation tames the complexity of modern access control.

Everybody Wants Least Privilege, So Why Isn't Anyone Achieving It?

A new report from Adaptive Shield looks at the how volume of applications being connected to the SaaS stack and the risk they represent to company data.

The software-as-a-service (SaaS) app footprint is expanding nonstop at every organization across the globe. Employees are granting third-party apps access to the company's core SaaS apps, like Microsoft 365 (M365) and Google Workspace, causing security risks. Meanwhile, security teams and organizations are unable to track the number of connected apps or quantify the level of risk these apps are causing.

The recently released report from Adaptive Shield, "2023 SaaS-to-SaaS Access Report: Uncovering the Risks & Realities of Third-Party Connected Apps," found an average of 4,371 connected apps in a typical 10,000 SaaS-user organization that are connected to both M365 and Google Workspace. Furthermore, over 89% of third-party apps connected to Google Workspace and 67% of apps connecting to M365 represent a high or medium risk to a company's SaaS data. Disturbingly, many of these apps are granted high-risk permissions that allow them to delete or share confidential and proprietary corporate data.

Providing insights into the unknown SaaS abyss, Adaptive Shield has aggregated anonymized customer data from hundreds of tenants to provide security teams with a realistic view of the ubiquity of third-party apps and explain today's SaaS-to-SaaS realities and risks in depth.

**Understanding the Issue**

Here's a scenario a typical employee could be facing: Google Docs lacks a native mail merge feature. Users who need this feature can find an app that does this. Mailmeteor, for example, can provide this functionality — and requires the employee to grant permissions enabling it to delete Google spreadsheets and send emails on behalf of the user.

Mail Merge, a different app, requests permission to see, edit, create, and delete all Google Docs documents, all Google Sheets spreadsheets, all Google Slides presentations, and any other Google Drive file. Mail Merge also requests permissions to manage drafts and send email, change settings and filters in Gmail, and run when users are not present.

In this scenario, Mail Merge is a more high-risk app for the employee to install. If a threat actor gained control of their Mail Merge application, they could easily delete, download, or encrypt entire Google Drives containing critical corporate data.

**Volume of Third-Party Connected Applications**

The sheer volume of third-party apps makes third-party connected apps nearly unmanageable. As companies grow, the number of apps increases in proportion to that growth.

These are the numbers of M365 connected apps on average by company size:

*   <5,000 users: 522 connected apps
*   5,000-10,000 users: 1,253 connected
*   10,000-20,000 users: 3,508 connected apps

Furthermore, apps connected to Google Workspace are significantly higher than M365. As shown in the chart below, these are the numbers of Google Workspace connected apps on average by company size:

*   <5,000 users: 1,309 connected apps
*   5,000-10,000 users: 4,216 connected apps
*   10,000-20,000 users: 13,913 connected apps

Based on these shocking stats, this means that, on average, a company with 1,000 users should expect to see over 600 apps connected to Google and 200 apps connected to M365.

    

Figure 1: Average number of apps integrated with Google Workspace by users.

A cursory glance at this data might lead one to think that the M365 environment has less cause for concern due to fewer connected applications. However, that is not the case.

While there are more third-party applications typically connected to the Google Workplace, when running the numbers, the amount of oversight and control needed by the security team working with Microsoft and Google to secure the connected apps are on a similar scale.

**Risky Permission and Scopes**

Every third-party app requests specific permissions when connecting to a SaaS app. The report categorizes these permissions as low, medium, and high risk, based on the types of permissions being requested by the application.

The "2023 SaaS-to-SaaS Access Report" details how 39% of apps connected to M365 are considered high risk, and another 28% are medium risk. Only 11% of apps connected to Google Workspace are high risk, but an overwhelming 78% are medium risk and require access to sensitive permissions.  

    

Figure 2. Risk level for apps connected to M365 and Google Workspace

Many applications with high permission scopes are able to read, update, create, and delete content. Apps are often granted full access to mailboxes, and can send emails as the user.

    

Figure 3: Top 3 high-risk permissions requested by apps connected to M365 and Google Workspace.

These permissions pose a significant risk to the company, as apps can be taken over by threat actors, who can steal, sell, encrypt, or publish the data that they find.

**Staying on Top of SaaS-to-SaaS Access**

The scope of SaaS-to-SaaS access makes it impossible to manage manually. Organizations trying to control this attack surface and protect data from the risks imposed by third-party apps require an automated tool.

SSPMs automate third-party app monitoring, providing visibility into each app connected to your SaaS stack and the permissions granted to each application.

Download the full report to read all the insights and findings.

**About the Author**  

    

A former cybersecurity intelligence officer in the IDF, Maor Bin has over 16 years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint and won the operational excellence award during his IDI service. Maor got his BSc in Computer Science and is CEO and co-founder of Adaptive Shield.

New Report: Inside the High Risk of Third-Party SaaS Apps

Researchers exploited issues in the authentication protocol to force an open redirection from the popular hotel reservations site when users used Facebook to log in to accounts.

Flaws in the authorization system of the Booking.com website could have allowed attackers to take over user accounts and gain full visibility into their personal or payment-card data, as well as log in to accounts on the website's sister platform, Kayak.com, researchers have found.

Researchers from Salt Security discovered the issues in the platform's implementation of OAuth, an open authorization standard designed to allow cross-application access delegation for different sites to share login credentials, according to a blog post published today. Though it was not specifically designed for this purpose, the protocol has become a standard for allowing websites to read data from Facebook profiles, or log in to a site using Google credentials, for example. Most people are familiar with the "Log in with Facebook"-type options for some online accounts that allow users to sign in without creating a new set of login credentials.

"A security breach \[via\] OAuth can lead to identity theft, financial fraud, and access to all sorts of personal information including credit card numbers, private messages, health records, and more," Yaniv Balmas, vice president of research at Salt Security, wrote in the post.

Specifically, researchers discovered an open redirection vulnerability in Booking.com and achieved log in success by accessing the site through the "log in with Facebook" option. They ultimately exploited three security issues and chained them together to gain full account takeover, according to the post.

"Once logged in, the attacker could have performed any action on behalf of the compromised users and gain full visibility into the account, including all of a user's personal information," Balmas wrote.

The issue could have caused a serious data breach for customers of the widely used hotel reservations website, which is part of the Booking Holdings Fortune 500 company and has more than 500 million visitors per month, he said. The site also allows users to rent cars and book taxis.

"An attacker could potentially make unauthorized requests on behalf of a victim, cancel existing reservations, or access sensitive personal information such as booking history, personal preferences, and future reservations," Balmas wrote in the post.

Salt Security disclosed the issues to Booking.com, which researchers lauded for responding quickly to address and completely mitigate them. Moreover, there had been no evidence of compromise to the Booking.com platform before the issues were resolved, Booking.com said in a statement provided by Salt Security.

"On receipt of the report from Salt Security, our teams immediately investigated the findings and established that there had been no compromise to the Booking.com platform, and the vulnerability was swiftly resolved," the company said. "We take the protection of customer data extremely seriously."

**How OAuth Works**

To understand how researchers compromised Booking.com's OAuth implementation, it's important to understand how the standard in a site operates and how the Booking.com's interpretation of it was flawed.

OAuth comes into play when a user logs in to a website and clicks on the "Log in with Facebook" option that many sites use to allow cross-platform authentication. The site will then open a new window to Facebook and, if it's the user's first time visiting the site, ask for permission to share details with the site. If not, Facebook automatically authenticates the user to the site.

Once the user clicks on a button to, for example, "Continue as Jane," Facebook generates a secret token that is private for the website and associated with the user's Facebook profile. Facebook then uses the token to direct the user to the website, which uses the token to communicate directly with Facebook to get the user's email address. Facebook then approves the address and its association with the user, which the site uses to log in the user successfully.

All of this communication between Facebook and the sites involves various redirections to different URLs, which is where the researchers were able to exploit the implementation of OAuth to steal the token or code of the victim, they said. Bad implementations are not uncommon; indeed, in a breach last May, attackers used OAuth tokens stolen from Salesforce subsidiary Heroku to gain access sensitive customer account data.

**Finding Means for Exploit**

Knowing this token is where the attacker opportunity lies, the researchers investigated the security of the standard's implementation by causing "unexpected behaviors of the flow" by changing various parameters to see how this would allow them to launch a successful attack, Balmas said. What they found were ways to manipulate the URL redirects that occur in the communication between the two sites to redirect users to URLs controlled by the researchers, thus creating an open redirection bug in Booking.com.

"We created a link that takes over any account on Booking.com that uses Facebook," Balmas wrote. "The link itself points to a legitimate Facebook.com or Booking.com domain, which makes it difficult to detect (manually or automatically)."

This method also allowed for account takeover on Kayak.com and affected users signing into Booking.com from Google, the researchers said.

**Wider Cyber-Risk of Poor OAuth Implementations**

While researchers only divulged how they used OAuth to compromise Booking.com in the report, they discovered other sites with risk from improperly applying the authentication protocol, Balmas tells Dark Reading.

"We have observed several other instances of OAuth flaws on popular websites and Web services," he says. "The implications of each issue vary and depends on the bug itself. In our cases, we are talking about full account takeovers across them all. And there are surely many more that are yet to be discovered."

OAuth provides an easy solution to bypass the user login process for site owners, reducing friction for which is a "long and frustrating" problem, Balmas says. However, though it seems simple, implementing the technology successfully and securely is actually very complicated in terms of proper technical implementation, and a single small wrong move can have a huge security impact, he says.

"To put it in other words — it is very easy to put a working social login functionality on a website, but it is very hard to do it correctly," Balmas tells Dark Reading.

Overall, Balmas advises site owners to treat OAuth "as a sensitive part of your service and either build the internal deep knowledge of the field, undergo continuous security testing and reviews to validate your assumptions, or, of course, both." 

He adds, "This is general advice that is relevant for any sensitive path/technology that is part of one's service."

Booking.com's OAuth Implementation Allows Full Account Takeover

It's 10 p.m. Do you know what your children are playing? In the age of remote work, hackers are actively targeting kids, with implications for enterprises.

Video games are a part of nearly every kid's life, and distributed work is increasingly a part of every adult's. According to experts, it's a recipe for small-time gaming scams to turn into larger-scale business compromises.

Hackers will leverage anything popular or good in this world, and video games are no exception. As described in a March 1 blog post from Kaspersky, financially motivated attackers are targeting children, in particular, with open-faced scams aimed at stealing in-game items, account credentials, and bank details.

The story doesn't necessarily end there, though. Even a primitive phishing attack against a kid playing Fortnite could, theoretically, turn into a wider attack not just against the parent but also the parent's workplace.

An attack that targets a business, through an employee or through an employee's child, may seem like a step too much work when phishing and business email compromise are so much simpler. But, to state the obvious: Children are easy marks, and nearly all of them play video games. That, combined with the proliferation of remote work and bring-your-own-device (BYOD) policies, makes this vector a long-tailed but fruitful one for attackers.

**How Games Get Hacked**

Last year, researchers for Avanan uncovered a surge of Trojans hidden in cheat codes for the ultrapopular online game Roblox. "The file would be downloaded by the child," explains Jeremy Fuchs, cybersecurity researcher/analyst at Avanan, "and then, most likely, mistakenly uploaded to a corporate OneDrive folder. This file installs library files (DLL) into the Windows system folder. The malicious code can be perpetually referenced by Windows and remains running."

This is just one of many forms that gaming scams can take. For example, "we've seen multiple cases in which a BYOD device was compromised via a gaming-related phishing site, which led to the compromise of the connected corporate network," says Jordan LaRose, practice director for infrastructure security at NCC Group. "Another gaming-related vector we've seen in the wild are direct exploits through users playing games. This is most common on mobile devices but can affect desktop gaming as well. Attackers will either embed an exploit directly in an attractive mobile game that users download and thereby compromise their mobile device, or target a user playing a game with a remote code execution (RCE) vulnerability to compromise the computer running it."

Mere weeks ago, such a vulnerability was being exploited in the mega-hit Grand Theft Auto V.

The potential damage caused by such a compromise is clear. "Trojans like this can break applications, corrupt or remove data, and send information to the hacker," Fuchs says.

What's less obvious but more worrisome is how this damage could extend beyond the device or even the home in question.

**How Gaming Hacks Spread to Businesses**

Fuchs puts it bluntly: "The perimeter no longer exists."

"We can access work documents on home computers and vice versa," he says, "but it also relates to game usage."

Young children, especially, often play games from their parents' PCs and mobile phones or, if nothing else, their home Wi-Fi. Parents then take their PCs and phones to work, or work remotely from their home network.

Fuchs theorizes that kids "could be playing on their parents' computer and accidentally upload it. This is an easy way for compromises and malicious files to easily infect your corporate cloud." But in most cases, a child need not go that far — attackers can make the jump from home to office on their own.

"In the era of BYOD and remote working," LaRose explains, "attackers often just need to compromise a user's personal computer to get a foothold on a corporate network. Once an attacker has a foothold on a personal device, they can often steal a VPN session or browser session, or simply find a user's corporate credentials stored in their computer."

**How Businesses Can Stop the Spread**

In their blog post, Kaspersky researchers recommended that gamers practice diligent cyber hygiene: strong passwords, two-factor authentication, antivirus, and the like. They also highlighted the utility of virtual bank cards that only fill to meet the exact amount of a particular purchase.

"By entering the numbers from your bank card," Kaspersky explained, "you risk losing all the funds you have there. And remember that a bundle of licensed games selling for a song is a reason to be wary."

LaRose stresses that "gaming is not innately any more insecure an activity than normal Web browsing." Still, because gaming can be _just as_ insecure, "businesses should do everything they can to separate a user's presence in the corporate environment and the personal one."

He recommends implementing endpoint/extended detection and response (EDR/XDR) and a security operations center (SOC) that can help respond in case of a breach.

The most important defenses of all, though, are the policies and procedures businesses that implement to address remote work and BYOD.

"If BYOD is absolutely necessary for a business to function," LaRose says, "they should limit the policy to mobile phones only and ensure they use a strong mobile device management (MDM) solution that separates work and personal data on the phone. This is an imperfect solution with some workarounds for attackers but will at the very least serve as a deterrent and give the business more visibility into any potential exposures."

Hackers Target Young Gamers: How Your Child Can Cause Business Compromise

There's never enough time or staff to scan code repositories. To avoid dependency confusion attacks, use automated CI/CD tools to make fixes in hard-to-manage software dependencies.

Software dependencies, or a piece of software that an application requires to function, are notoriously difficult to manage and constitute a major software supply chain risk. If you're not aware of what's in your software supply chain, an upstream vulnerability in one of your dependencies can be fatal.

A simple React-based Web application can have upward of 1,700 transitive NodeJS "npm" dependencies, and after a few months "npm audit" will reveal that a relatively large number of those dependencies have security vulnerabilities. The case is similar for Python, Rust, and every other programming language with a package manager.

I like to think of dependencies as decaying fruit in the unrefrigerated section of the code grocer, _especially_ npm packages, which are often written by unpaid developers who have little motivation to put in more than the bare minimum of effort. They're often written for personal use and they're open sourced by chance, not by choice. They're not written to last.

    

NodeJS dependencies, highly vulnerable, live in production! I took this from an actual, production React-Native application found on GitHub.

Recently (as of the writing of this article), PyTorch, one of the top two most popular machine learning libraries for Python, was compromised for five days via its dependency "torchitron." The attacker was able to collect system information and steal 1,000 files from each affected user's home directory. In 2021, Log4j was famously compromised and because it was bundled into basically every Web-facing Java project, DevSecOps teams were under a lot of pressure to identify where exactly they were vulnerable.

    

Too many dependencies to reliably keep track of, even if most are "mostly" secure.

Even 20 _intentional_ dependencies are too many for a development team to continually audit, much less 2,000 _transitive ones_.

**What's Been Done So Far?**

Not all hope is lost. For _known_ (reported and accepted) vulnerabilities, tools exist, such as pip-audit, which scans a developer's Python working environment for vulnerabilities. Npm-audit does the same for nodeJS packages. Similar tools exist for every major programming language and, in fact, Google recently released OSV-Scanner, which attempts to be a Swiss Army knife for software dependency vulnerabilities. Whether developers are encouraged (or forced) to run these audits regularly is beyond the scope of this analysis, as is whether they actually take action to _remediate_ these known vulnerabilities.

However, luckily for all of us, automated CI/CD tools like Dependabot exist to make these fixes as painless as possible. These tools will continually scan your code repositories for out-of-date packages and automatically submit a pull request (PR) to fix them. Searching for "dependabot\[bot\]" or "renovate\[bot\]" on GitHub and filtering to active PRs yields millions of results! However, 3 million dependency fixes versus hundreds of millions of active PRs at any given time is an impossible quantification to attempt to make outside of an in-depth analysis.

**State of the Art Isn't Quite Good Enough**

You need to keep in mind that these auditing tools do nothing to protect developers against zero-day exploits or N-days that were reported but have yet to be officially accepted. In the case of the PyTorch vulnerability previously mentioned, none of the auditing tools would have caught this _class_ of dependency vulnerability, because there was no traditional "software vulnerability" being exploited. These "dependency confusion" attacks take advantage of the fact that package managers look to their "default" repository before checking other repositories that dependencies may select for _their_ dependencies. In the case of PyTorch, the "torchitron" dependency was self-hosted by the PyTorch Foundation. When the attacker uploaded their version to PyPI, it took precedence over the official version.

How long will this continue? Forever. If there is value in exploiting these vulnerabilities, attackers will continue to take advantage of them. Luckily, in the case of PyTorch, "only" data exfiltration took place. Future victims might not be so lucky, however. A sophisticated attacker only needs one successful attempt at access to remain persistent in a victim's system (and network).

**What Does This Mean for Me?**

Did you install your packages from the command line? If so, did you type them in properly? Now that you've installed your dependencies "correctly," did you verify that the code for each dependency does exactly what you think it does? Did you verify that each dependency was installed from the expected package repository? Did you ….

Probably not, and that's OK! It's inhumane to expect developers to do this for every single dependency. The best bet for software developers, software companies, and even individual tinkerers is to have some form of runtime protection/detection. Luckily for us all, there are detection and response tools that have relatively recently been created which are now part of a healthy and competitive ecosystem! Many of them, like Falco, Sysdig Open Source, and Osquery, even have free and open source components. Most even come with a default set of rules/protections.

Source

DARKReading