In response to ongoing cybersecurity events, the National Security Agency (NSA) released a Cybersecurity Advisory “Detecting Abuse of Authentication Mechanisms.” The advisory provides guidance to National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) network administrators to detect and mitigate against malicious cyber actors who are manipulating trust in federated authentication environments to access protected data in the cloud. It builds on the guidance shared in the cybersecurity advisory regarding VMware with state-sponsored actors exploiting CVE 2020-4006 and forging credentials to access protected files, though other nation states and cyber criminals may use this tactic, technique, and procedure (TTP) as well.

This advisory specifically discusses detection and mitigation of two TTPs to forge authentications and gain access to a victim’s cloud resources. While these TTPs require the actors to already have privileged access in an on-premises environment, they are still dangerous as they can be combined with other vulnerabilities to gain initial access, then undermine trust, security, and authentication. Initial access can be established through a number of means, including known and unknown vulnerabilities, says the NSA. The recent SolarWinds Orion code compromise is one serious example of how on-premises systems can be compromised, leading to abuse of federated authentication and malicious cloud access. 

Mitigation actions include hardening and monitoring systems that run local identity and federation services, locking down tenant single sign-on (SSO) configuration in the cloud, and monitoring for indicators of compromise. 

Brendan O’Connor, CEO and Co-Founder at AppOmni, says, “Risk of 3rd party applications has always been a concern for security teams. The SolarWinds breach is an example of a 3rd party application inserting a vulnerability into an otherwise secure infrastructure. While the SolarWinds breach occurred in an on-premise environment, 3rd party apps can also create vulnerabilities in SaaS environments."

AppOmni's data shows that, on average, there are more than 42 distinct third party applications connecting into live SaaS environments within an enterprise. Approximately half of these applications were connected directly by end users, not installed by IT administrators. The typical enterprise has an average of 900 user-to-application connections. O'Connor says this represents hundreds of "authorized" third party connections to the data stored in the SaaS environment.

Of those 42 third party apps, an average of 22 have not been used in the last 6 months - yet retain the ability to access data via these connections. These inactive applications often represent a trial usage that was abandoned from a user's perspective, or applications where the business contract may have expired but the vendor access was not removed, he says, and these application connections remain authorized until that access has been revoked.

O'Connor says, "Due to the nature of these third party connections, they are frequently approved by individual users without any security oversight. While these applications may be quite useful, they are hidden pathways into an organization's most sensitive data. These cloud-to-cloud connections exist outside the firewall and cannot be detected by traditional scanning and monitoring tools. There are a variety of ways for 3rd party apps to connect to cloud services, but there are three in particular to focus on:

  • Service Account integration: Where a service is assigned a dedicated username + password to connect to the cloud service just like a human user.
  • Administrator installed applications: When an Admin connects a third party application and makes it available to groups of users (or all users) of the cloud application
  • User connected applications: When a non-Admin user grants an access token to a third party application, granting all of their privileges or a subset of their privileges to the third party. This flow uses something called OAuth. If you've ever signed in to an application with your Facebook or Google account, you are using an Oauth flow. Enterprise SaaS applications have the same functionality through OAuth.

"We've known this is a problem for quite some time. Looking back at the Apollo Breach, we saw the compromise of a 3rd party app as the stepping stone to dumping 200 million contacts from a major SaaS application. Just earlier this year, Facebook's Twitter account was compromised. It wasn't Facebook or Twitter's security that was compromised. It was a third party application that had access to the account," he adds. "When thinking of your overall attack surface, cloud applications are currently one of the biggest blind spots. This year we have seen a huge increase in cloud adoption driven by the pandemic and work from home. Existing investments in security technologies that focus on the network or the endpoint cannot help us with this challenge. It’s not that our premise tools have failed, the data has moved where they can't see it. Getting visibility into what 3rd party applications are already connected to your cloud applications should be one of the top priorities for security teams. Successful organizations will have a process for continuously scanning and monitoring their cloud applications, and having a review and approval program for 3rd party connections.”

Praveen Jain, Founder/CEO of WiteSand Systems, notes, "Organizations should implement strict access enforcement in the network to prevent bad actors from penetrating inside your perimeter.”