Luke Jennings from Push Security joins co-host Jared to talk all things SaaS, including SaaS attacks, vulnerabilities in SaaS products, lateral movement, managing unauthorized apps, creating Incognito, persistence in SaaS applications, and future plans for the show.
SaaS attacks pose a growing threat to organizations, with various techniques like API key theft and OAuth access abuse.
Persistence in SaaS attacks presents a complex challenge for incident response teams, requiring management of API keys and shared links.
Research and proactive detection strategies are crucial in combating SaaS attacks, as the evolving landscape demands specialized knowledge and preventive controls.
Deep dives
The Challenges of SaaS-based Attacks
In this podcast episode, Luke Jennings discusses the growing threat of SaaS-based attacks. With the increasing use of SaaS applications, organizations are at risk of compromise through various techniques, such as API key theft, OAuth access abuse, and sharing links. The lack of centralized logging and limited detection capabilities make it difficult to identify and prevent these attacks. Jennings emphasizes the need for organizations to anticipate and prepare for SaaS-based attacks, as traditional endpoint-focused defenses may not be sufficient to mitigate this evolving threat.
The Significance of Persistence in SaaS Attacks
One crucial aspect of SaaS attacks is persistence. Once an attacker gains access to a SaaS app, they can employ different techniques to maintain their presence and continue their activities. These techniques include creating API keys, establishing secondary logins for user accounts, and leveraging shared links between different SaaS apps. Unlike traditional endpoints, SaaS apps offer a multitude of persistence options, and managing persistence in this context becomes a complex challenge for incident response teams.
The Need for Research and Detection Strategies
Jennings highlights the significance of conducting research and developing detection strategies for SaaS attacks. With the evolving SaaS landscape, there is a growing need to understand the potential attack vectors and develop proactive defense measures. By focusing on detection, organizations can better anticipate and respond to SaaS-based threats. Researchers and professionals looking to specialize in SaaS attacks have a unique opportunity to delve into this field and contribute to the development of detection techniques and preventive controls.
The Impact of Luke Jennings' Creation, Incognito
Jared and Payne discuss the impact of Luke Jennings' creation, Incognito. Incognito, released in 2007, revolutionized the approach to attacking Windows endpoints by introducing access token theft. Before it existed, attackers compromised individual systems by other methods, and access tokens were largely overlooked. Incognito sparked a new perspective, bringing awareness to the prevalence and potential of token theft. Its significance endures: token theft is part of the credential shuffling seen in today's Windows attacks, and Incognito serves as a starting point for those interested in investigating, detecting, and preventing token-based attacks.
The Importance of Addressing SaaS Security
The podcast episode emphasizes the importance of addressing the security risks associated with SaaS usage. With the lack of centralized logging, limited detection capabilities, and evolving attack vectors, organizations must actively consider the vulnerabilities and potential for compromise in the SaaS landscape. By understanding the challenges posed by SaaS-based attacks and staying proactive in defense strategies, organizations can minimize the risks associated with this emerging threat.
DCP is back! New intro, new cover, new host! With Jonny stepping away from the podcast, Luke has moved into the co-host position with Jared. On this first episode, we are joined by Luke Jennings of Push Security to talk all things SaaS.