Software as a Security nightmare: The risks of collaboration on the cloud

Justin Fier, Director of Cyber Intelligence & Analytics | Tuesday April 23, 2019

It’s no secret that collaboration is the bedrock of business. In fact, a Stanford University study demonstrated that merely priming employees to act in a collaborative fashion — without changing their environment or workflow — makes them more engaged, more persistent, more successful, and less fatigued.

To digitally optimize this biologically ingrained capacity for teamwork, businesses the world over have adopted Software as a Service (SaaS) applications that facilitate the sharing of information between multiple users. Run via centralized, cloud-hosted data centers rather than on local hardware, such applications offer financial and technical benefits to companies of all sizes, from storage savings to reliable connectivity to support speed. Yet it is their collaborative nature that has positioned SaaS software at the heart of the modern enterprise.

Source: Blissfully 2018 Q1 SaaS Trends Report

At the same time, the interactivity of cloud services renders them an attractive target for advanced cyber-criminals, who can often leverage a single user’s SaaS credentials to compromise dozens of other accounts. And while leading SaaS vendors conform to high security standards, the cyber defenses they employ nonetheless have a common weakness: human error on the customer end. By launching sophisticated attacks like those in the case studies below, today’s threat actors are increasingly gaining access to cloud services through the front door, necessitating a fundamentally different security approach that can detect when credentialed users behave — ever so slightly — out of character.

Case study 1: Sensitive file access

Among the key challenges of SaaS security is balancing the convenience of open access to information with the imperative of protecting privileged assets. Indeed, with hundreds or even thousands of employees sharing a welter of files and databases at all times, safeguarding SaaS applications against insider threat is extraordinarily difficult with traditional security tools, which use fixed rules and signatures to catch only known, external cyber-attacks. Rather, detecting when credentialed users enter parts of these applications where they don’t belong requires AI security systems that understand their typical online behavior well enough to spot subtle anomalies. And as employees’ responsibilities and privileges inevitably change, such systems must be able to adapt while ‘on the job’.

The necessity of this AI-driven approach to cyber defense recently came to light when Darktrace detected a serious threat on the network of a European bank. After stealing credentials or otherwise gaining access to a SaaS service, cyber-criminals will frequently run scripts to identify files containing keywords like “password.” Such was the case with the attackers that Darktrace thwarted, who had managed to find an Office 365 SharePoint file that stored unencrypted passwords. As they had already breached the network, the attackers could have reasonably expected to be in the clear — having already successfully bypassed any conventional security controls.

However, while these attackers would likely have exploited the cleartext passwords to escalate their privileges and further infiltrate the organization, Darktrace AI flagged the activity as anomalous for the bank’s particular network because it breached the following model: “SaaS / Unusual SaaS Sensitive File Access.” Ultimately, the AI’s nuanced and evolving understanding of what constitutes “unusual” behavior for each of the bank’s users and devices proved critical, given that the suspicious file access may well have been benign in other circumstances.

Case study 2: Social engineering attack

Perhaps the most difficult cloud-based attacks to counter are those that rely on social engineering, since they involve deceiving employees into handing over their credentials and other lucrative information voluntarily. In these cases, AI anomaly detection is the optimal security strategy, as thwarting a social engineering threat before it’s too late means protecting employees from their own mistakes.

In 2018, Darktrace detected a device on the network of a UK property development company that had attempted to connect to a rare external domain — two seconds after landing on office365.com. The domain had a suspicious name and offered HTTP connections to a form containing sensitive data transmitted in plain text, which would be vulnerable to a man-in-the-middle (MITM) attack. Further investigation indicated that an employee at the property development company had been tricked by a shortened URL in a phishing email into visiting the suspicious domain, which showed the legitimate-looking Office 365 login page below:

A screenshot of the suspicious domain. A minor spelling mistake — “someone” spelt as “sorneone” — appears in the login field of the otherwise legitimate-looking pop-up window.

Despite the user actively clicking on the URL to visit the page, Darktrace flagged the event as threatening due to the rarity of the destination domain in comparison to the company’s normal network activity. Artificial intelligence has consistently demonstrated this ability to provide a safety net for human error — flagging anomalous connections and rare domains regardless of how well they may be disguised to the unsuspecting user.

From social engineering attacks to insider threats to stolen credentials, the risks inherent to SaaS are largely user-dependent. As a consequence, any security tool up to the task of defending SaaS applications must understand how these users work, evolve, and collaborate. Indeed, it is precisely the sought-after interconnectedness and collaborative nature of SaaS platforms which makes the potential reward for attackers so great, as a single breach could allow them to compromise an entire company. Yet the efficiencies promised by SaaS need not come at the cost of security, since the latest AI cyber defenses shine a light on even the most nebulous traffic in the cloud.

If you build it, they will come: Cyber-criminals are exploiting Latin America’s new digital economy

Max Heinemeyer, Director of Threat Hunting at Darktrace | Wednesday April 17, 2019

Over the past decade, Latin America has transitioned from a majority analog region to a predominantly digital one. But as its companies and governments embrace internet technologies at a breakneck pace, cyber security concerns have frequently taken a back seat. The number of internet users in Mexico, for instance, has grown by a staggering 13.4% annually since 2006, compared to a 3.3% annual increase in the United States. At the same time, the US spent considerably more on security solutions than all of Latin America combined, a discrepancy that experts anticipate will only widen in the coming years.

This dangerous combination of burgeoning networks and relatively lax cyber defenses has, unsurprisingly, attracted the attention of sophisticated online threat actors, who are now targeting the region with attacks designed to bypass conventional security tools. During the last few months, Darktrace detected a disproportionate barrage of such attacks against its Latin American customer base, three of which are examined below. From stealthy trojans to silent PowerShell attacks to subtle cloud-based threats, cyber-criminals are constantly innovating to compromise the personal information and intellectual property of the region’s 630 million residents. Safeguarding them will require a new approach to digitization — one that leverages AI to place cyber security at the very heart of the corporate network.

Case study 1: Polymorphic banking trojan

At a Latin American financial services company, a corporate desktop was seen downloading an EXE file from a rare external hostname. Following this download, the device generated multiple failed authentications with the credential “administrator” — an English word not frequently used in Spanish-speaking countries. The device then started sending rare EXE files with numeric names internally via SMB, before a few minutes later, multiple devices began beaconing to rare destinations never seen in the network before.

In the graph below, Darktrace’s Threat Visualizer captures the EXE file download and the resulting indicators of anomalous lateral movement. Every dot in the graph represents behavior that is atypical for the company’s unique users, devices, and network, as determined by Darktrace’s cyber AI algorithms, with darker colors corresponding to higher severity risks. These anomalous behaviors include the download of suspicious EXE files, connections to rare destinations, Kerberos authentication failures, and unusual internal transfers of EXE files via SMB.

Immediately after the download, the infected device was seen communicating with destinations that had never before been accessed from the network, as represented by the “100%” IP Rareness score shown in the box at the bottom right of this graph:

A subsequent analysis of the downloaded sample revealed that it was a live copy of the polymorphic Emotet banking trojan, which we examined on this blog in January. Whereas the Emotet trojan is notoriously difficult for traditional security tools to spot, the AI-powered approach to cyber defense managed to catch the threat because it provided an understanding of the company’s normal activity, allowing it to recognize Emotet’s key behaviors as abnormal.

Case study 2: PowerShell attack from rare location

These AI cyber defenses also proved critical in the defense of a technology start-up in another Latin American country, where a desktop was seen downloading a Python script from a rare location in Malaysia. Neither the desktop in question nor any other internal devices had ever connected to the external destination before, an early indicator of cyber-threat that signature-based security tools would have missed. The script was downloaded from a rare .com domain that included apparently legitimate strings like “windows”, but which was in fact not associated with Microsoft or other legitimate organizations.

Following the download, the device initiated an HTTP connection with the external destination using PowerShell, whereupon multiple company devices started communicating with this rare destination. But while this type of disguised attack has become popular among threat actors as a result of its ability to bypass traditional detection systems, AI anomaly detection flagged it right away as being unusual for the start-up’s particular traffic patterns, as illustrated by the graph below.

Download of script file and external communications with a suspicious rare external location.

Case study 3: Compromised SaaS credentials

At an international financial services firm based in Latin America, a Microsoft Office 365 user account that regularly authenticates from known Latin American locations suddenly started exhibiting unusual activity — authenticating many times from a rare IP address in Asia-Pacific. Darktrace AI immediately flagged the event as highly unusual, since the business has few ties to the Asia-Pacific region. This early detection of anomalous credential behaviour revealed a breach in the use of the corporate SaaS service, a breach that could have escalated to compromise other Office 365 users had the firm not caught it in its nascent stage.

An anomalously high number of SaaS authentications occurred in a short time interval — from a rare location for the customer.
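The two signals this case study combines, a sign-in location that is rare for the user and an unusually high number of authentications in a short window, can be expressed as a small rarity-plus-burst detector. The following is an added example, not Darktrace's own code; the users, countries, thresholds and sign-in records are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed historical sign-ins: (user, UTC timestamp, source country).
HISTORY = [("ana@example.com", f"2019-04-0{d}T13:00:00", "BR") for d in range(1, 9)]
HISTORY += [("ana@example.com", "2019-04-09T09:00:00", "MX"),
            ("ana@example.com", "2019-04-09T17:30:00", "MX"),
            ("luis@example.com", "2019-04-09T10:00:00", "BR")]

# Constructed new activity: a six-login burst from a never-seen country, plus routine traffic
# and a small number of attempts from another rare country that should stay below the bar.
NEW = [("ana@example.com", f"2019-04-15T02:0{m}:00", "SG") for m in range(6)]
NEW += [("ana@example.com", "2019-04-15T13:00:00", "BR"),
        ("luis@example.com", "2019-04-15T14:00:00", "KR"),
        ("luis@example.com", "2019-04-15T14:01:00", "KR")]


def build_baseline(events):
    """Per-user count of sign-ins from each location over the learning period."""
    baseline = defaultdict(Counter)
    for user, _, loc in events:
        baseline[user][loc] += 1
    return baseline


def rarity(baseline, user, loc):
    """0.0 = the user's only location, 1.0 = never seen for this user (the '100%' case)."""
    total = sum(baseline[user].values())
    if total == 0:
        return 1.0
    return 1.0 - baseline[user][loc] / total


def detect_rare_bursts(baseline, events, window=timedelta(minutes=10),
                       min_auths=5, threshold=0.9):
    """Alert when >= min_auths sign-ins from a rare location fall inside one time window."""
    by_user = defaultdict(list)
    for user, ts, loc in events:
        by_user[user].append((datetime.fromisoformat(ts), loc))
    alerts = []
    for user, recs in by_user.items():
        recs.sort()
        for i, (t0, loc) in enumerate(recs):
            score = rarity(baseline, user, loc)
            if score < threshold:
                continue  # familiar location: a burst here is normal working traffic
            burst = [t for t, l in recs[i:] if l == loc and t - t0 <= window]
            if len(burst) >= min_auths:
                alerts.append((user, loc, len(burst), round(score, 2)))
                break  # one alert per user is enough for triage
    return alerts
```

With the constructed data the routine BR sign-in and the two KR attempts produce no alert; only the six-login SG burst does.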

Digitizing with diligence

In light of Latin America’s rapid digitalization and increasingly lucrative virtual assets, existing security vulnerabilities that were not significant several years — or even months — ago are now being exploited by cyber-criminals. Indeed, the high value of their potential compromises incentivizes these criminals to create malware specifically tailored to Latin American targets, which promise to cause major disruptions, inflict significant financial and intellectual property losses, and entail incalculable reputational costs.

In this climate, it is imperative that companies and governments take a step back from their digital transformation projects to make cyber defense a core aspect of their organization, rather than an afterthought. And only with AI defenses at the center of such projects can they durably shape the region’s new economy.

About the authors

Justin Fier

Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. Justin is one of the US’s leading cyber intelligence experts, and his insights have been widely reported in leading media outlets, including the Wall Street Journal, CNN, the Washington Post, and VICELAND. With over 10 years of experience in cyber defense, Justin has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Justin is also a highly skilled technical specialist, and works with Darktrace’s strategic global customers on threat analysis, defensive cyber operations, protecting IoT, and machine learning.

Max Heinemeyer

Max is a cyber security expert with over eight years’ experience in the field, specializing in network monitoring and offensive security. At Darktrace, Max works with strategic customers to help them investigate and respond to threats, as well as overseeing the cyber security analyst team in the Cambridge UK headquarters. Prior to his current role, Max led the Threat and Vulnerability Management department for Hewlett-Packard in Central Europe. He was a member of the German Chaos Computer Club, working as a white hat hacker in penetration testing and red teaming engagements. Max holds an MSc from the University of Duisburg-Essen and a BSc from the Cooperative State University Stuttgart in International Business Information Systems.