As you likely know, a nonprofit association called MITRE has created a knowledge base of techniques used by cyber adversaries to gain access to organizations’ valuable data. The framework, ATT&CK (Adversarial Tactics, Techniques and Common Knowledge), classifies offensive actions used against various platforms. Rather than focusing on tools and malware the adversaries use, ATT&CK addresses how those tools interact with systems during an operation.
While the ATT&CK framework has been around since 2013, interest in it has grown of late as threats have increased and organizations better understand how critical it is to guard against cyber risks. CISOs look to MITRE ATT&CK to measure how well their IT security teams and security stack are prepared for the various attack vectors, adjusting resource deployments accordingly. If you’re not familiar with MITRE ATT&CK, we at DoControl urge you to explore the framework as part of your cybersecurity planning.
One of the techniques catalogued in the curated MITRE knowledge base is “Data from Information Repositories” – a threat avenue that DoControl can help organizations guard against. In this collection phase, the adversary gathers data of interest, then looks for ways to exfiltrate it. Sources for the collected data include drives, browsers, email and audio/video, and the data is often captured through screenshots and keystroke logging.
As MITRE ATT&CK specifies, adversaries mine these data repositories for sensitive data such as the following:
The framework says the key mitigation for the Data from Information Repositories threat is continuous monitoring to detect anomalous behavior. So far, the framework identifies two platforms on which this technique has been observed: Microsoft SharePoint and Atlassian’s Confluence. While MITRE ATT&CK describes how organizations using those applications can detect anomalous behavior with the platforms’ own tools, it also notes that, “As information repositories generally have a considerably large user base, detection of malicious use can be non-trivial.” The framework’s authors further suggest, “Additional log storage and analysis infrastructure will likely be required for more robust detection capabilities.”
At DoControl, we respectfully suggest that is a severe understatement. The potential for cyber adversaries to exploit information repositories like Google Drive, Dropbox, and GitHub, among others, is huge and growing daily. While the MITRE ATT&CK framework is helpful for calling attention to the vulnerabilities in SharePoint and Confluence, the threat extends to all SaaS applications where repositories exist for bad actors to carry out the collection phase of an attack. In fact, the danger lurks in Salesforce, Box, Slack, and any of the other widely used or highly specialized SaaS applications. Our experience tells us that the danger of the Data from Information Repositories technique is vast and not feasibly managed just by relying on the security features of individual SaaS applications.
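As an added example (not DoControl’s product or MITRE’s guidance), the Python sketch below illustrates the kind of log analysis the framework calls for: it pools constructed view events from several repositories per user and flags a user whose busiest hour reads far more distinct documents than that user’s own hourly baseline. The log format, the thresholds and the sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit events "timestamp,platform,user,action,document_id":
# alice reads a few pages per hour; bob pulls 40 distinct documents in one hour.
SAMPLE_LOG = """\
2023-05-01T09:00:00,confluence,alice,view,page-101
2023-05-01T09:20:00,confluence,alice,view,page-102
2023-05-01T10:05:00,confluence,alice,view,page-103
2023-05-01T11:10:00,gdrive,alice,view,doc-9
2023-05-01T09:00:00,sharepoint,bob,view,doc-1
2023-05-01T09:30:00,sharepoint,bob,view,doc-2
2023-05-01T10:10:00,sharepoint,bob,edit,doc-2
2023-05-01T10:10:00,sharepoint,bob,view,doc-3
""" + "".join(f"2023-05-02T02:{i:02d}:00,sharepoint,bob,view,doc-{100 + i}\n"
              for i in range(40))


def hourly_distinct_docs(log_text):
    """Map user -> {hour bucket: number of distinct documents viewed}.
    Only 'view' events count (edits of one document are not collection), and
    events from every platform are pooled per user, since collection may
    span several repositories."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _platform, user, action, doc = line.split(",")
        if action != "view":
            continue
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")
        seen[user][hour].add(doc)
    return {u: {h: len(d) for h, d in hrs.items()} for u, hrs in seen.items()}


def flag_bulk_readers(log_text, min_docs=20, ratio=5.0):
    """Return {user: peak hourly distinct-document count} for users whose
    busiest hour reads at least min_docs documents AND at least `ratio`
    times their own median hourly count (the user's baseline)."""
    flagged = {}
    for user, hours in hourly_distinct_docs(log_text).items():
        counts = sorted(hours.values())
        peak, median = counts[-1], counts[len(counts) // 2]
        if peak >= min_docs and peak >= ratio * median:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    print(flag_bulk_readers(SAMPLE_LOG))  # {'bob': 40}
```

The per-user baseline matters because a fixed threshold alone would either miss a slow collector or drown a large user base in alerts, which is exactly the difficulty MITRE warns about.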
That’s why we created DoControl – to provide organizations a comprehensive view of their SaaS applications and the risks they pose by exposing data, and to allow security teams to effectively monitor and remediate those threats. We invite you to get in touch with us to learn more about how we can help your organization guard against this threat and others.