The increasing sophistication of attack groups

The Okta breach is yet another indication of what we have been seeing for the past few years in the cybersecurity industry, particularly in the incident response practice, demonstrating the increased sophistication and capabilities of various attack groups. This is due to a combination of several trends we are seeing:

  • Increased potential financial gain for attackers justifies a larger investment in attacks, allowing criminal threat actors to build campaigns with substantial resources that were formerly available only to state-level actors.
  • There’s continuous leakage of cyber capabilities from state-level actors to the private market, including a wealth of knowledge and skill formerly unavailable to criminal groups.
  • The line between state-level attacks and criminal threat actors is disappearing. Certain nation states encourage (or willingly ignore) criminal cyber activities as part of the new age of the Cyber Cold War, making it easier for criminal threat actors to build up a substantial force.

The state of security in cloud applications and services

Naturally, the increased sophistication of adversaries creates a huge issue as organizations increasingly use software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) to deliver applications and services. While these cloud services reduce the need for complex software and hardware management, the mesh of applications and services creates new complexities for security teams. In this asymmetrical space, where attackers need only one success and defenders need to succeed at preventing intrusions and attacks 100% of the time, it is almost impossible to prevent breaches by threat actors that have (nearly) the same resources and skills as a nation state.

The potential implications of critical identity provider SaaS breaches

Breaches to SaaS providers can have significant implications, particularly when it comes to identity providers (such as Okta and Azure Active Directory). As organizations have increased cloud adoption, the world has transitioned from the classic perimeter (that is, the physical network in the office, protected by a firewall) into an era of the identity-driven perimeter. As some often say, “identity is the new perimeter,” meaning that the main gateway to the organization is through your identity providers.

Today, most large organizations rely on Single-Sign-On (SSO) as their main security gateway, allowing users to identify themselves through a single, secure identity provider, and propagating this identity through the entire organization. This aligns with the zero-trust model, where all users are authenticated, authorized, and validated before gaining access to applications and data — and users only have access to the resources they need to perform their jobs. Zero trust depends heavily on identity and creates controlled environments in which identity truly is the new perimeter for organizations. While combining zero-trust with identity provider solutions alleviates risks associated with separate identities per resource, it creates a new risk when the single, main identity provider is breached, as we recently saw in the Okta breach.

While in this specific case the breach scope was limited, a substantial compromise of any identity provider could enable an attacker to impersonate any user in any organization using that identity provider, allowing them to gain access to almost every resource in the organization. In many cases, this would also allow attackers to impersonate administrator users, gaining full control over every customer organization.

It is important to note that while these identity providers offer various controls to reduce potential attacks (such as multi-factor authentication and IP risk profiling), once the vendor itself is compromised, all of these controls may potentially be circumvented.

How to protect or prepare your organization for SaaS, PaaS, and IaaS breaches

In a complex environment of software, platforms, and applications offered as services, global organizations and startups alike continuously update and change their applications and services. This brings new capabilities and innovations to market quickly — but also makes it challenging for security teams to stay on top of changes or know where to focus their attention. And although each provider does their best to release secure solutions, we cannot rely on the providers themselves to ensure security across the complex ecosystem existing in most organizations.

Complex incidents like the LAPSUS$ breaches (whose targets included Microsoft, Samsung, Nvidia, Ubisoft, Globant, and, of course, Okta) demonstrate two important things. The first one, which has been part of every good security posture for years (yet many organizations fail to sufficiently implement it) is that security requires multiple layers. Only through that approach can organizations guarantee that the breach of a single provider will not allow for full compromise of the organization.
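The two points above (a compromised identity provider can mint assertions for any user, including administrators, and only controls the relying party enforces on its own can survive that) are easier to see in code. The following is an added illustration, not Mitiga's code nor any identity provider's: a hypothetical IdP signs tokens with a constructed key (HMAC stands in for the real asymmetric signature), and a relying party is shown first trusting the IdP alone and then adding layers it owns itself: a short token lifetime, an admin-only network range, and a ledger of hardware-key step-ups the relying party verified directly rather than through the IdP. The key, networks, user names and session IDs are all constructed sample values.

```python
import base64
import hashlib
import hmac
import ipaddress
import json

# Constructed stand-in for the IdP's signing key. HMAC stands in for the IdP's
# asymmetric signature; the point is that whoever holds this key can mint tokens.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, now: int, key: bytes = IDP_SIGNING_KEY) -> str:
    """Hypothetical IdP: sign a claim set. Anyone holding `key` can do this."""
    body = _b64(json.dumps({**claims, "iat": now}, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_token(token: str, key: bytes = IDP_SIGNING_KEY):
    """Return the claims if the IdP signature checks out, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return json.loads(_unb64(body))


# --- Layer 1 only: the relying party trusts whatever the IdP signs. ---
def authorize_single_layer(token: str, action: str) -> bool:
    claims = verify_token(token)
    if claims is None:
        return False
    if action == "admin":
        return "admin" in claims.get("roles", [])
    return True


# --- Layered: checks the relying party owns, which a compromised IdP cannot satisfy. ---
MAX_TOKEN_AGE = 300          # seconds; replayed or pre-minted tokens go stale
STEP_UP_VALIDITY = 900       # seconds an RP-verified hardware-key step-up stays valid
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]   # constructed corporate range
# Step-ups the relying party verified itself (hardware key, not via the IdP):
# (subject, session id) -> (timestamp, source ip). Populated with constructed data in scenario().
STEP_UP_LEDGER: dict = {}


def record_step_up(sub: str, sid: str, now: int, source_ip: str) -> None:
    STEP_UP_LEDGER[(sub, sid)] = (now, source_ip)


def authorize_layered(token: str, action: str, source_ip: str, now: int):
    """Return (allowed, reasons). Each reason is something a detection pipeline would alert on."""
    reasons = []
    claims = verify_token(token)
    if claims is None:
        return False, ["bad_signature"]
    if now - claims.get("iat", 0) > MAX_TOKEN_AGE:
        reasons.append("stale_token")
    if action == "admin":
        if "admin" not in claims.get("roles", []):
            reasons.append("missing_admin_role")
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in ADMIN_NETWORKS):
            reasons.append("admin_from_unexpected_network")
        entry = STEP_UP_LEDGER.get((claims.get("sub"), claims.get("sid")))
        if entry is None:
            reasons.append("no_rp_verified_step_up")
        elif now - entry[0] > STEP_UP_VALIDITY or entry[1] != source_ip:
            reasons.append("step_up_expired_or_ip_mismatch")
    return (not reasons), reasons


def scenario():
    """Legitimate admin session vs. an admin token minted with the compromised IdP key."""
    now = 1_700_000_000
    legit = issue_token({"sub": "alice", "sid": "s-1", "roles": ["admin"]}, now - 60)
    record_step_up("alice", "s-1", now - 30, "10.20.5.7")
    # A party holding the IdP key can sign an admin token for alice, but the relying
    # party never verified a step-up for this session and the source is off-network.
    forged = issue_token({"sub": "alice", "sid": "s-evil", "roles": ["admin"]}, now - 10)
    return {
        "legit_single": authorize_single_layer(legit, "admin"),
        "forged_single": authorize_single_layer(forged, "admin"),
        "legit_layered": authorize_layered(legit, "admin", "10.20.5.7", now),
        "forged_layered": authorize_layered(forged, "admin", "198.51.100.9", now),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

Running `scenario()` shows the asymmetry the text describes: the single-layer relying party accepts both tokens, because the IdP signature is its only control, while the layered one still admits the genuine session and rejects the forged one, reporting the reasons (`admin_from_unexpected_network`, `no_rp_verified_step_up`) that an incident response team would want surfaced as alerts. The design choice is that the step-up ledger and network policy live with the relying party, so compromising the identity provider alone is not sufficient for full administrative control.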

The second important approach, which is becoming more and more apparent in the last few years, is that at the end of the day, while we strive to minimize our exposure to breaches, the complexity of today’s computing and cloud systems makes it almost impossible to avoid. Therefore, most organizations are likely to suffer breaches. It is imperative for organizations to build their cyber resilience and increase their ability to respond quickly and efficiently to breaches, so that they can bounce back with minimal impact to normal operations.

Last updated: November 7, 2024
