Security Posture and Detection Measures to Counter Potential Cyberwar Tactics
Author’s Note: This article is the first in a series of ongoing updates that AppOmni will provide to our customers and other organizations looking to quickly augment their SaaS security procedures. As the situation continues to develop, we will update accordingly.
In the wake of the Russian invasion of Ukraine, several AppOmni customers have asked for additional best practices and security measures they can take to help mitigate the risks of data breaches or outages of their critical SaaS applications. AppOmni has already updated its Security Insights Library to enhance our monitoring and analysis of customer SaaS environments should the scope of cyber attacks expand during the course of the conflict. Nvidia, for example, was recently reported to have been the victim of a major cyber attack, although a definitive tie to Russia has not been confirmed at this time.
AppOmni is providing an overview of our guidance given the current cybersecurity landscape, and making recommendations to implement stronger security measures for SaaS. More information is available in our technical note for customers: “AppOmni Best Practices for Third-Party Applications and Microsoft 365 Heightened Security Posture.”
Threat Landscape Assessment:
Historically, Russian cyber attacks have primarily focused on disruption and destruction methods via ransomware and malware. Additionally, probing attacks have been directed at customer contact and employee lists to enable more specific targeting and phishing attacks. AppOmni’s guidance aligns with and builds upon CISA’s “Shields Up” guidance in the U.S., as well as the UK National Cyber Security Centre’s (NCSC) heightened cyber risk guidance.
State-aligned entities and proxies have made explicit threats to initiate attacks against any party involved in cyberattacks or “war activities” against Russia. Additionally, there is a medium risk of “collateral” damage should specific tactics be executed through broadly sprayed mechanisms or widely distributed attack kits. Given the recent identification of the HermeticWiper malware and the prevalence of attack tools, organizations should implement least-privilege data and permission access to reduce the impact of spillover ransomware and data destruction attacks.
In preparation for these types of tactics, AppOmni has proactively added alerts and detection measures to further protect customers through AppOmni Insights[1]. Specifically, AppOmni Insights for Microsoft 365 and our threat detection model have already been updated to analyze environments for tactics, techniques, and procedures (TTPs) commonly employed by Russian and Belarusian threat groups such as Conti. These updates predominantly focus on mitigating the risk of phishing and ransomware attacks, which are the most commonly used methods. We will continue to add new AppOmni Insights that explicitly detect the use of new tactics, and identify weaknesses to them, as they emerge.
SaaS Hardening Recommendations Using AppOmni:
The list below provides a high-level overview of heightened security measures that we recommend all organizations implement. Customers will receive the technical note that provides more detailed guidance on configuring and monitoring these security controls using AppOmni.
AppOmni recommends implementing specific security practices and continuous monitoring in the following areas:
- Focus on critical configuration gaps that can be exploited. AppOmni Insights have been updated to highlight misconfiguration around authentication posture that could be exploited with commonly used tactics. Reviewing updated Insights and adjusting your posture can significantly reduce risk.
- Disable legacy authentication methods and protocols. Today, the majority of compromising sign-in attempts come through legacy authentication protocols. Legacy authentication does not support multi-factor authentication (MFA). Even if you have an MFA policy enabled on your directory, a bad actor can authenticate using a legacy protocol and bypass MFA. The best way to protect your environment from malicious authentication requests made by legacy protocols is to block these attempts altogether.
- Enforce higher security authentication requirements. An account is 99.9% less likely to be compromised if you use multi-factor authentication (MFA).
- Analyze and monitor Microsoft 365 conditional access rules for changes and IP block exceptions. Attackers often make modifications to conditional access rules to open access permissions further or implement exception rules. As these rules can be nested and complex, it’s important to validate rules and enable continuous monitoring.
- Perform third-party access assessments in SaaS platforms. Third-party integrations and applications can be conduits for horizontal privilege escalation to other SaaS systems and are often installed with high-level permissions. Organizations should verify that each third-party access grant or application is approved, has been reviewed, and is actively in use. To mitigate the impact of a third-party compromise, the permissions and data access granted to third parties should be reduced to only those necessary.
- Identify public and anonymous data access permissions. Organizations should enforce least privilege access. As ransomware attacks proliferate and the toolsets to execute attacks are more broadly distributed, exposed datasets could be destroyed in the process. Data access modeling and third-party app analysis can help identify exposure points to the public internet.
- Monitor for anomalous user activity. AppOmni’s threat detection system has been enhanced to detect additional anomalous user activity scenarios. Organizations should look for password spraying and excessive sign-in failures, and should monitor threat intelligence feeds for compromised accounts.
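For the “disable legacy authentication” and “monitor conditional access rules for changes and IP block exceptions” items above, here is an added example (not AppOmni’s code or part of the original article) that audits an export of Microsoft 365 Conditional Access policies in the Microsoft Graph `conditionalAccessPolicy` JSON shape: it confirms that an enforced policy blocks the legacy-auth client types, lists every exclusion that carves a hole in a policy, and diffs the export against a saved baseline so edits are caught. The sample policies are constructed; the baseline/export file handling and threshold of “all users, all apps” are assumptions.

```python
"""Audit exported Microsoft 365 Conditional Access policies (Microsoft Graph JSON shape):
legacy-auth coverage, weakening exclusions, and drift against a saved baseline."""
import hashlib
import json

LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph clientAppTypes used by legacy protocols

def blocks_legacy_auth(policy):
    """True if the policy is enforced, scoped to all users and apps, and its grant control is 'block'."""
    cond = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    return (policy.get("state") == "enabled"
            and LEGACY_CLIENTS <= set(cond.get("clientAppTypes", []))
            and "block" in grant.get("builtInControls", [])
            and "All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", []))

def policy_exceptions(policy):
    """Every exclusion (named location, user, group) that exempts something from the policy."""
    cond = policy.get("conditions", {})
    keys = (("locations", "excludeLocations"), ("users", "excludeUsers"), ("users", "excludeGroups"))
    return [f"{policy['displayName']}: {key}={item}"
            for scope, key in keys for item in cond.get(scope, {}).get(key, [])]

def fingerprint(policy):
    """Key-order-independent hash of the policy body, so any edit changes it."""
    return hashlib.sha256(json.dumps(policy, sort_keys=True).encode()).hexdigest()

def diff_policies(baseline, current):
    """Names of policies added, removed or modified since the baseline snapshot."""
    old = {p["id"]: p for p in baseline}
    new = {p["id"]: p for p in current}
    return {
        "added": [p["displayName"] for pid, p in new.items() if pid not in old],
        "removed": [p["displayName"] for pid, p in old.items() if pid not in new],
        "modified": [p["displayName"] for pid, p in new.items()
                     if pid in old and fingerprint(old[pid]) != fingerprint(p)],
    }

# Constructed sample (not real tenant data): the baseline blocks legacy auth tenant-wide;
# the current export is the same policy after someone added a named-location exclusion.
BASELINE = [{"id": "pol-1", "displayName": "Block legacy authentication", "state": "enabled",
             "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
                            "applications": {"includeApplications": ["All"]},
                            "locations": {"includeLocations": ["All"], "excludeLocations": []}},
             "grantControls": {"operator": "OR", "builtInControls": ["block"]}}]
CURRENT = json.loads(json.dumps(BASELINE))
CURRENT[0]["conditions"]["locations"]["excludeLocations"] = ["loc-office-vpn"]
```

Note that `blocks_legacy_auth` still returns True for the modified policy; the new exception only shows up in `policy_exceptions` and in the `modified` list of the diff, which is why both checks are needed.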
Customers can use AppOmni to quickly identify the critical security gaps detailed above. They can also contact AppOmni support for more information and guidance. Customers will receive more detailed guidance in a separate technical note, or they can log in to AppOmni and follow the alert instructions.
We will continue to update AppOmni Insights in real time as attacks evolve and provide follow-up information on an ongoing basis.
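For the “monitor for anomalous user activity” item above, here is an added example (not AppOmni’s detection logic or part of the original article) that runs two of the named checks over sign-in records: password spraying (one source address failing against many distinct accounts inside a sliding window) and excessive failures against a single account. The records are constructed in an Azure AD sign-in-log-like JSON shape; the field names, the use of errorCode 50126 for invalid credentials, and the window and threshold values are assumptions to tune for your tenant.

```python
"""Detect password spraying and excessive sign-in failures in Azure AD-style sign-in records.
Spray: one source IP fails against many distinct accounts inside a sliding window.
Excessive failures: one account accumulates many failures inside a sliding window."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

INVALID_CREDENTIALS = 50126  # Azure AD sign-in errorCode for a bad username or password

def parse(lines):
    """Parse JSON-lines sign-in records into (time, user, ip, failed) tuples, oldest first."""
    events = []
    for line in lines:
        r = json.loads(line)
        t = datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
        failed = r["status"]["errorCode"] != 0  # errorCode 0 is a successful sign-in
        events.append((t, r["userPrincipalName"].lower(), r["ipAddress"], failed))
    return sorted(events)

def detect(events, window=timedelta(minutes=10), spray_users=5, max_failures=10):
    """Return {(kind, key): peak count} for 'spray' (keyed by source IP) and
    'excessive_failures' (keyed by account) observed inside any sliding window."""
    by_ip = defaultdict(list)    # ip   -> [(time, user)] of failed attempts
    by_user = defaultdict(list)  # user -> [time] of failed attempts
    alerts = {}
    for t, user, ip, failed in events:
        if not failed:
            continue
        by_ip[ip].append((t, user))
        by_user[user].append(t)
        targets = {u for ts, u in by_ip[ip] if t - ts <= window}  # distinct accounts hit by this IP
        if len(targets) >= spray_users:
            alerts[("spray", ip)] = max(alerts.get(("spray", ip), 0), len(targets))
        recent = [ts for ts in by_user[user] if t - ts <= window]  # failures for this account
        if len(recent) >= max_failures:
            key = ("excessive_failures", user)
            alerts[key] = max(alerts.get(key, 0), len(recent))
    return alerts

# Constructed sample records (not real logs): 203.0.113.7 tries one password against six
# accounts over six minutes; alice fails three times from another address, then succeeds.
_BASE = datetime(2022, 3, 1, 8, 0)
def _rec(minute, user, ip, code):
    return json.dumps({"createdDateTime": (_BASE + timedelta(minutes=minute)).isoformat() + "Z",
                       "userPrincipalName": user, "ipAddress": ip, "status": {"errorCode": code}})
SAMPLE = [_rec(i, f"user{i}@example.com", "203.0.113.7", INVALID_CREDENTIALS) for i in range(6)]
SAMPLE += [_rec(m, "alice@example.com", "198.51.100.9", INVALID_CREDENTIALS) for m in (1, 2, 4)]
SAMPLE += [_rec(5, "alice@example.com", "198.51.100.9", 0)]
```

With the defaults, `detect(parse(SAMPLE))` flags only the spray from 203.0.113.7; alice’s three failures stay below the excessive-failure threshold unless it is lowered.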
[1] AppOmni Insights are a dynamic library of critical settings and threat events developed and curated by our SaaS subject matter experts (SMEs) and AO Labs, our offensive security and research team. The purpose of AppOmni Insights is to provide high-value SaaS-specific alerts to enable quick focus and prioritization of critical misconfigurations and active attack events. For example, an insight has been added for Microsoft 365 to provide quick visibility into overlapping controls such as Azure AD Security Defaults and “risky user” settings to minimize the amount of searching and hunting security teams need to perform to ensure they are protected.