Attackers are increasingly making use of “networkless” attack techniques targeting cloud apps and identities. Here’s how attackers can (and are) compromising organizations – without ever needing to touch the endpoint or conventional networked systems and services.
Before getting into the details of the attack techniques being used, let’s discuss why these attacks are becoming more prevalent.
The SaaS revolution and product-led growth have had a huge impact on the structure of company networks, and where core business systems and data reside.
Most organizations today are using tens to hundreds of SaaS applications across business functions. Some are entirely SaaS-native, with no traditional network to speak of, but most have adopted a hybrid model with a mixture of on-premise, cloud, and SaaS services forming the backbone of business applications being used.
The bulk of SaaS adoption is user-driven, as opposed to centrally managed by IT, as bottom-up adoption is inherent to product-led growth. The latest data from Push Security indicates that only 1 in 5 SaaS apps have been sanctioned by the business. The majority is simply unknown and, therefore, has not been reviewed at all.
Cloud and SaaS apps are designed to be interconnected, functioning like the closed networks of internal business applications you might have used in the past. The vehicle for this interconnectedness is identity.
The most basic form of identity is a user account created for services you sign up to with a username/email and password. To reduce the risk of account takeover and complexity of managing an ever-increasing number of accounts, organizations are using the services of identity providers (IdPs) to centralize access to apps within a single platform and identity, using protocols like single sign on (SSO) and OAuth to manage authentication and authorization respectively.
The particular make-up of an identity can vary a lot. Depending on the app, it’s possible to have multiple authentication mechanisms for the same account – for example, via SAML, social logins (OIDC), and username and password. Whilst SAML requires that admins set it up in advance for a given app tenant, users can sign up for an app using OIDC simply by using the “sign in with Google” feature.
In effect this creates multiple identities tied to a single account, which can introduce a lot of confusion and complexity – for example, just because an IdP admin deletes that account, doesn’t mean the app/account can’t then be accessed by using one of the other login methods that’s been created. This can make it hard to know what apps are in use, and what identities exist in the organization.
So, in practice, it’s possible to end up with a combination of the following:
It can get pretty complicated – with most organizations having 100+ apps in their inventory, resulting in thousands of sprawled identities.
Then, depending on the OAuth scopes approved for a given app, permissions and workflows in one app can impact other apps where approval is granted for them to talk to one another.
Identity is the glue that holds this ecosystem together. However, the controls that exist to secure identity have serious limitations. Companies often think that all their apps and identities have MFA rolled out or all apps are behind SSO. But the reality is that only 1/3 of apps actually support SSO (and many of these only at the premium tier, with a hefty price increase). Further, around 60% of unique identities (i.e., not using SSO) do not have MFA registered.
So in reality, there are significant gaps in the security controls protecting cloud identities, while identities and cloud apps are becoming more prevalent.
Attackers are taking note of this. According to Verizon’s 2024 DBIR, 74% of all breaches involved the human element, targeting compromised user accounts via human error, privilege misuse, use of compromised credentials, or social engineering.
While this is nothing new (some description of identity/phishing attacks have been the top attack vector since at least 2013), Crowdstrike’s latest global threat report goes further, noting that 75% of attacks to gain access were malware-free, and that “cloud-conscious” attacks (deliberate rather than opportunistic targeting of cloud services to compromise specific functionality) increased 110%. Microsoft also notes around 4,000 password attacks per second specifically targeting cloud identities, while there are suggestions from Google employees that attacks looking to steal session cookies (and therefore bypass MFA) happen at roughly the same order of magnitude as password-based attacks.
Looking beyond the numbers, evidence from breaches in the public eye tells the same story. Threat groups like APT29/Cozy Bear/The Dukes and Scattered Spider/0ktapus show how attackers are actively targeting IdP services, SaaS apps, and SSO/OAuth to carry out high-profile attacks against companies like Microsoft and Okta.
If you want to read more about this, you can check out this blog post tracking identity attacks seen in the wild.
Cloud apps and identities are the new land of opportunity for attackers. Because of the shift to cloud services, they offer the same value as a traditional attack designed to breach a network perimeter via the endpoint. In many ways, identity itself is the new attack surface. Contrary to other security boundaries like the network or endpoint, it also presents much less of an obstacle in terms of the controls that currently exist to defend this new perimeter.
Identity-based attacks used to be localized to the endpoint or adjacent “identity systems” like Active Directory. The goal for the attacker was to breach this perimeter and move within the organization. Now, identity is much more dispersed – the gateway to an ecosystem of interconnected cloud apps and services, all accessed over the internet. This has significantly shifted the magnitude of the challenge facing security teams. After all, it’s much harder to stop credential-stuffing attacks against 100 SaaS apps than the single centralized external VPN/webmail endpoint of yesteryear.
It seems pretty clear that cloud identities are the new digital perimeter. This isn’t the future, it’s now. The only piece that is still to be determined is what offensive techniques and tradecraft will emerge, and what the industry response will be in order to stop them.
Last year, Push Security released a matrix of SaaS attack techniques on GitHub (inspired by the more endpoint-focused MITRE ATT&CK Framework) that demonstrates how attackers can target a business without touching traditional surfaces such as the network or endpoints.
When chained together, these techniques enable an attacker to complete an end-to-end attack in the cloud.
Push has also released a number of blog posts covering how these techniques can be used – the most popular techniques are summarized below:
But there’s nothing quite like seeing them in action to understand just how impactful these techniques can be. So check out the clip below from Luke Jennings, VP of R&D at Push. In this video, he covers:
After seeing what’s possible, it’s important to ask – could you detect and respond to this attack scenario?
Most organizations have a security gap when it comes to identity-based attacks. This is in large part because the controls around identity security are typically focused on securing central identity systems (think Active Directory/Entra ID) as opposed to the larger identity infrastructure as it relates to cloud apps and services.
Equally, the controls that organizations have invested in are largely bypassed by these attacks. EDR tools used to secure underlying operating systems have minimal presence here because these apps are accessed in the browser – increasingly touted as the new operating system. As discussed here, securing the identity is absolutely vital to protecting services in the cloud. And a significant portion of the attack chain – for example, phishing attempts in general, including AiTM and BitB techniques designed to bypass MFA, or password sharing across apps and services, are simply not covered by endpoint security tools, IdP logs, or SaaS logs from individual apps and services.
These types of attacks are a real challenge for many organizations right now because they fall through the cracks of existing security tools and services.
If you want to find out more about identity attacks in the cloud and how to stop them, check out Push Security – you can try out their browser-based agent for free!