The increasing sophistication of attack groups

The Okta breach is yet another indication of what we have been seeing for the past few years in the cybersecurity industry, particularly in the incident response practice, demonstrating the increased sophistication and capabilities of various attack groups. This is due to a combination of several trends we are seeing:

  • Increased potential financial gain for attackers justifies a larger investment in attacks, allowing criminal threat actors to build campaigns with substantial resources, resources that were formerly available only to state-level actors.
  • There’s continuous leakage of cyber capabilities from state-level actors to the private market, including a wealth of knowledge and skill formerly unavailable to criminal groups.
  • The line between state-level attacks and criminal threat actors is disappearing. Certain nation states encourage (or willingly ignore) criminal cyber activities as part of the new age of the Cyber Cold War, making it easier for criminal threat actors to build up a substantial force.

The state of security in cloud applications and services

Naturally, the increased sophistication of adversaries creates a huge issue as organizations increasingly use software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) to deliver applications and services. While these cloud services reduce the need for complex software and hardware management, the mesh of applications and services creates new complexities for security teams. In this asymmetrical space, where attackers need only one success and defenders need to succeed at preventing intrusions and attacks 100% of the time, it is almost impossible to prevent breaches by threat actors that have (nearly) the same resources and skills as a nation state.

The potential implications of critical identity provider SaaS breaches

Breaches to SaaS providers can have significant implications, particularly when it comes to identity providers (such as Okta and Azure Active Directory). As organizations have increased cloud adoption, the world has transitioned from the classic perimeter (that is, the physical network in the office, protected by a firewall) into an era of the identity-driven perimeter. As some often say, “identity is the new perimeter,” meaning that the main gateway to the organization is through your identity providers.

Today, most large organizations rely on Single-Sign-On (SSO) as their main security gateway, allowing users to identify themselves through a single, secure identity provider, and propagating this identity through the entire organization. This aligns with the zero-trust model, where all users are authenticated, authorized, and validated before gaining access to applications and data — and users only have access to the resources they need to perform their jobs. Zero trust depends heavily on identity and creates controlled environments in which identity truly is the new perimeter for organizations. While combining zero-trust with identity provider solutions alleviates risks associated with separate identities per resource, it creates a new risk when the single, main identity provider is breached, as we recently saw in the Okta breach.

While in this specific case the breach scope was limited, a substantial compromise of any identity provider could enable an attacker to impersonate any user in any organization using that identity provider, allowing them to gain access to almost every resource in the organization. In many cases, this would also allow attackers to impersonate administrator users, gaining full control of every customer.

It is important to note that while these identity providers offer various controls to reduce potential attacks (such as multi-factor authentication and IP risk profiling), once the vendor itself is compromised, all of these controls may potentially be circumvented.

How to protect or prepare your organization for SaaS, PaaS, and IaaS breaches

In a complex environment of software, platforms, and applications offered as services, global organizations and startups alike continuously update and change their applications and services. This brings new capabilities and innovations to market quickly — but also makes it challenging for security teams to stay on top of changes or know where to focus their attention. And although each provider does their best to release secure solutions, we cannot rely on the providers themselves to ensure security across the complex ecosystem existing in most organizations.

Complex incidents like the LAPSUS$ breaches (whose targets included Microsoft, Samsung, Nvidia, Ubisoft, Globant, and, of course, Okta) demonstrate two important things. The first one, which has been part of every good security posture for years (yet many organizations fail to sufficiently implement it) is that security requires multiple layers. Only through that approach can organizations guarantee that the breach of a single provider will not allow for full compromise of the organization.

The second important approach, which is becoming more and more apparent in the last few years, is that at the end of the day, while we strive to minimize our exposure to breaches, the complexity of today’s computing and cloud systems makes it almost impossible to avoid. Therefore, most organizations are likely to suffer breaches. It is imperative for organizations to build their cyber resilience and increase their ability to respond quickly and efficiently to breaches, so that they can bounce back with minimal impact to normal operations.

LAST UPDATED:

November 7, 2024
