Modern Kill Chains: Real World SaaS Attacks and Mitigation Strategies
Cory Michal, VP of Security
Brandon Levene, Principal Product Manager, Threat Detection
Ben Pruce, Lead Threat Detection Engineer
August 7, 2024

Agenda
- Reflect on where we are currently
- Hypothesize why we are here
- Examine what it is like to be here
- Determine if something better is possible
- Outline how we could move to a better state

Historical Attack Surface Change

Pre Cloud & SaaS Attack Surface (2009)
[Diagram: network architecture with DMZ segments]

Modern Attack Surface (2020)
[Diagram: modern attack surface]

Attack Surface Observations

Legacy Attack Surface:
- Hardened network perimeters
- VPN access
- Physical access controls
- Network Access Control / Wifi
- Endpoint protection
- Internal IdP
- Internal IT systems
- Internal business systems
- Logging / Monitoring / SIEM / Flow

Modern Attack Surface:
- Rapidly dissolving perimeters
- Access from work or BYOD
- Remote access from anywhere
- Uncontrolled network upstream
- Endpoint protection
- External IdP
- External SaaS systems
- External IaaS / PaaS
- Substantially reduced visibility

Pre-Cloud and SaaS Mapped to ATT&CK
- Reconnaissance: Research target, scan, find users
- Initial Access: Deliver target payloads
- Execution: Exploit perimeter vulnerabilities
- Persistence: Establish persistence of foothold
- Command and Control: Establish control of compromised hosts
- Privilege Escalation: Escalate privilege if possible
- Collection / Exfiltration: Iterate 35x for lateral movement
- Impact: PayDay!

SaaS ATT&CK Tactics
- Reconnaissance: Research target, find users, find SaaS
- Initial Access: Stuff, spray, SIM swap
- Credential Access: Login to IdP
- Persistence: Access SaaS services and manipulate login configurations
- Command and Control: Skip
- Privilege Escalation: Skip
- Collection: OAuth, API keys, integration, app (often skipped!)
- Exfiltration: IdP tiles, collaboration, doc, source
- Impact: PayDay!

This is Why We Can't Have Nice Things
Substantially expanded our attack
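The SaaS kill chain on the slide above collapses most of the classic tactics into three observable steps in the IdP audit log: a stuffing/spray burst (Initial Access), a successful login from the same source (Credential Access), and a login-configuration or OAuth/API-token change by the freshly logged-in account (Persistence). The following Python is an added example of detection logic for exactly that sequence; it is not code from the presentation or its authors. The event field names, the Okta-style event type strings, and the sample events are all constructed assumptions; map the event names to whatever your IdP actually emits.

```python
"""Stage-aware detection of the SaaS kill chain in IdP audit events.

Added example, not from the presentation. Event shape (ts, event_type, actor,
src_ip, outcome, target) and event type names are assumptions modelled loosely
on Okta-style system log names; the sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# "Manipulate login configurations": MFA factor changes and sign-on policy edits.
CONFIG_CHANGE_EVENTS = {"user.mfa.factor.reset", "user.mfa.factor.enroll", "policy.signon.update"}
# "OAuth, API keys, integration, app": token-based persistence that survives a password reset.
TOKEN_PERSISTENCE_EVENTS = {"app.oauth2.consent.grant", "user.api_token.create"}


def _ev(ts, event_type, actor, src_ip, outcome="SUCCESS", target=None):
    return {"ts": datetime.fromisoformat(ts), "event_type": event_type, "actor": actor,
            "src_ip": src_ip, "outcome": outcome, "target": target}


# Constructed sample log: a spray from one IP against six users, one success,
# then the compromised account resets its MFA factor and grants an OAuth consent.
SAMPLE_EVENTS = [
    _ev("2024-08-07T09:00:01", "user.session.start", "alice@example.com", "198.51.100.7", "FAILURE"),
    _ev("2024-08-07T09:00:02", "user.session.start", "bob@example.com", "198.51.100.7", "FAILURE"),
    _ev("2024-08-07T09:00:03", "user.session.start", "carol@example.com", "198.51.100.7", "FAILURE"),
    _ev("2024-08-07T09:00:04", "user.session.start", "dave@example.com", "198.51.100.7", "FAILURE"),
    _ev("2024-08-07T09:00:05", "user.session.start", "erin@example.com", "198.51.100.7", "FAILURE"),
    _ev("2024-08-07T09:00:06", "user.session.start", "frank@example.com", "198.51.100.7", "FAILURE"),
    _ev("2024-08-07T09:00:09", "user.session.start", "alice@example.com", "198.51.100.7", "SUCCESS"),
    _ev("2024-08-07T09:04:30", "user.mfa.factor.reset", "alice@example.com", "198.51.100.7"),
    _ev("2024-08-07T09:06:10", "app.oauth2.consent.grant", "alice@example.com", "198.51.100.7",
        target="mail-sync-helper"),
    # Benign noise: a normal user mistyping a password once from an office IP.
    _ev("2024-08-07T09:10:00", "user.session.start", "grace@example.com", "203.0.113.20", "SUCCESS"),
    _ev("2024-08-07T09:12:00", "user.session.start", "grace@example.com", "203.0.113.20", "FAILURE"),
]


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Initial Access: one source IP failing logins against many distinct users
    inside a sliding window. Returns {src_ip: max distinct users targeted}."""
    failures = defaultdict(list)
    for e in events:
        if e["event_type"] == "user.session.start" and e["outcome"] == "FAILURE":
            failures[e["src_ip"]].append(e)
    hits = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):
            while evs[hi]["ts"] - evs[lo]["ts"] > window:
                lo += 1
            users = {e["actor"] for e in evs[lo:hi + 1]}
            if len(users) >= min_users:
                hits[ip] = max(len(users), hits.get(ip, 0))
    return hits


def detect_followon(events, spray_ips, window=timedelta(hours=1)):
    """Credential Access -> Persistence: a successful login from a spraying IP,
    then login-config or OAuth/API-token changes by that account within the window."""
    findings = []
    successes = [e for e in events if e["event_type"] == "user.session.start"
                 and e["outcome"] == "SUCCESS" and e["src_ip"] in spray_ips]
    for s in successes:
        findings.append({"stage": "credential_access", "actor": s["actor"],
                         "src_ip": s["src_ip"], "ts": s["ts"], "target": None})
        for e in events:
            if e["actor"] != s["actor"] or not (s["ts"] < e["ts"] <= s["ts"] + window):
                continue
            if e["event_type"] in CONFIG_CHANGE_EVENTS:
                stage = "persistence:login_config"
            elif e["event_type"] in TOKEN_PERSISTENCE_EVENTS:
                stage = "persistence:oauth_or_token"
            else:
                continue
            findings.append({"stage": stage, "actor": e["actor"], "src_ip": e["src_ip"],
                             "ts": e["ts"], "target": e["target"]})
    return findings


def analyze(events):
    """Run both detectors and chain them: only IPs that sprayed are followed."""
    spray = detect_spray(events)
    return {"spray": spray, "followon": detect_followon(events, set(spray))}


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for ip, n in result["spray"].items():
        print(f"[initial_access] spray from {ip}: {n} distinct users")
    for f in result["followon"]:
        print(f"[{f['stage']}] {f['actor']} from {f['src_ip']} at {f['ts']} target={f['target']}")
```

The chaining is the point: a single MFA reset or OAuth consent is routine, and a burst of failed logins is noisy on its own, but a consent grant minutes after a success from an IP that just sprayed six accounts is the whole slide in one alert. Grace's lone failure from a different IP never enters the spray set, so her later events are never examined.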