Ransomware Through SaaS: The New Frontier

Maor Bin, CEO & Co-Founder

It might sound dramatic to call ransomware a “scourge on business,” but the reality is that more companies are impacted every day. Some of these attacks hit the news cycle, but many don’t. As you look to protect yourself against the ever-burgeoning threat landscape, securing your Software-as-a-Service (SaaS) application stack is more important than ever.

The SaaS Ransomware Attack Vector

You love your SaaS apps. They enable your business to support collaboration and offer better customer experiences. Unfortunately, threat actors love your SaaS apps just as much.

SaaS applications transmit and store a lot of sensitive data. Whether it’s your enterprise resource planning (ERP) or customer relationship management (CRM) solution or your organization’s user directory and collaboration workspace, you’re putting a lot of sensitive information in the cloud.

And threat actors know this.

Most of the successful attacks on cloud services stem from misconfiguration, mismanagement and mistakes. Despite robust native controls, the configuration vulnerabilities are up to the company’s security team to monitor and protect. (I recount some of the top misconfiguration events where one seemingly innocuous configuration exposed the organization to massive repercussions here.)  

In this blog, I’m going to take you through a SaaS ransomware attack and discuss the 3 steps to protect yourself from being a victim.

Anatomy of an attack

When threat actors decide to target your SaaS applications, they can use more basic to the more sophisticated methods. Similar to what Kevin Mitnick in his RansomCloud video, a traditional line of a business email account attack through a SaaS application follows this pattern:

screenshot taken from Kevin Mitnick’s SaaS ransomware attack presentation

This is a specific type of attack through SaaS, however, other malicious attacks through OAuth applications can occur in an organization’s environment.

3 Steps to Mind the SaaS Security Gap

With the multitude of SaaS apps global settings compounded by the amount of users and permissions for each app, it is near impossible to run manual, continuous monitoring and security checks for each and every SaaS in use. To further complicate matters, SaaS owners often do not sit within the security team but in the departments that most utilize the SaaS. This creates a situation where the security team has no visibility or control over the organization’s SaaS estate, leaving the playing field open for infiltration.

1. Monitor for Misconfigurations

The first step to securing your SaaS ecosystem is to look for and remediate any misconfigurations that increase your risk of being the victim of a ransomware attack.

Many organizations don’t regularly review their SaaS configurations. For example, according to our 2021 SaaS Security Survey Report, while most companies are worried about their SaaS application security configurations, less than one third of companies consistently check them.

Among the types of misconfigurations, you should review regularly are:

(For more in depth information on important configurations to monitor, check out this blog.)

Another important aspect in misconfiguration monitoring is the dispersal of SaaS responsibility. One of the biggest challenges companies face when trying to secure their SaaS landscape is that the people in charge of security aren’t part of the security team.

According to our 2021 SaaS Security Survey Report, 52% of organizations delegate security setting management to the SaaS application owner. These owners sit outside the security department’s day-to-day activities, meaning that the security team may not know what’s going on.

Your security team should have a single location where everyone can collaborate and maintain governance of the entire SaaS estate. Not only for compliance purposes, but to ensure complete observability and protection for the company’s SaaS security posture.

2. Move from Visibility to Observability

Just because you can see something, doesn’t mean you’re really observing it. If you’ve ever stepped on a LEGO brick left on the floor, you know that someone saw it. However, no one observed it, meaning no one considered that painful middle-of-the-night walk to get a glass of water.

The same is true with SaaS misconfigurations.  Even with the best dashboards, seeing doesn’t equate to  deeply observing and correlating data. You need to really observe the potential security gaps in your SaaS landscape so that you can take meaningful, purposeful action.

3. Prioritize and Automate Remediation

Your team is in a race against cybercriminals, and you want to win – or at least limit the potential damage. The best way to prevent misconfigurations from leading to a ransomware attack vector is to identify and prioritize your remediation strategies.

While all misconfigurations can be a security weakness, not all are the same level of risk. Some of the highest priority remediation configurations to look to correct are:

(You can read up on other easily missed configurations in this blog.)

With the right automation, protecting yourself against these high-risk vulnerabilities doesn’t need to be burdensome.

Final Thoughts

Ransomware isn’t going anywhere. Even more stressful, cybercriminals work together and have a collective set of resources for trying to find new ways to exploit vulnerabilities.

With Adaptive Shield’s SaaS Security Posture Management (SSPM) platform, you can identify misconfigurations before they allow an attack, and automate the prioritization and remediation processes to prevent any misconfiguration issues.

About the writer

Maor Bin, CEO & Co-Founder

A former cybersecurity intelligence officer in the IDF, Maor has over 16 years in cybersecurity leadership. In his career, he led SaaS Threat Detection Research at Proofpoint and won the operational excellence award during his IDI service. Maor got his BSc in Computer Science and is CEO and co-founder of Adaptive Shield. Oh and he is a globally-ranked chess player.