Securing Distributed Workspaces

As we all know, during 2020 and 2021 most of the world worked from home in distributed workspaces. This massive shift means users will continue to access information, data and systems from outside the corporate perimeter regardless of whether the now-remote or hybrid workforce goes back to an office. This creates a tempting opportunity for an attacker, especially one for whom lateral movement is a primary goal. A different approach to cybersecurity is required beyond the typical core infrastructure and endpoint focus. It’s useful for security professionals to start thinking in terms of the edge.

SaaS Apps and Distributed Workspaces

SaaS applications are particularly dangerous in this context. The primary value of SaaS-based apps is that the software is always running the latest version and, since the provider knows their app best, they are the expert in securing it. However, many other services are running within these applications, presenting a major risk that an attacker could hijack the environment and move laterally within it.

Many CRM tools, for example (Salesforce, Hubspot, Oracle, SAP, etc.), offer a chat feature that delivers an intuitive, consumer-grade, social-media-esque feel to managing opportunities or customers. As soon as I hear the word social, I think of social engineering and how it can be used to influence action by establishing trust. A CRM chat tool couldn’t be a more straightforward social attack platform. You are communicating with people you trust about something you care about, like an opportunity that earns you a paycheck.

What does a CRM chat tool in a SaaS app have to do with my so-called ‘think edge’ perspective? The chat tool is a slick method for gaining access and then escalating to lateral movement across a network. An attacker could compromise a laptop or break into a web app; there are tons of ways to do this. Once in the CRM system, it won’t matter if a low-level worker or a high-ranking VP account is compromised—the result is the same. Here’s how it would work.

An attacker performs simple recon and then some basic social engineering. They’d go to the chat feature and see which contacts they would be able to reach and engage in communication. They would figure out whose account they’re using by looking at the victim’s CRM profile and then check LinkedIn or other social platforms to gain deeper insight. The attacker would then send a chat message with interesting-sounding work-related info and a link or attachment, recommending that others check it out.

Of course, the colleagues and connections would have no way of knowing it was an attacker and not their legitimate co-worker.

By pushing send, the attacker launches a laterally moving phishing attack across the user population. Email is never used at all, and the attack has the potential to become a business-crippling problem, fast.

Never Trust, Always Verify

To address these SaaS and edge use cases, a never trust, always verify approach using a zero-trust strategy is critical.

Consolidating identities to a single identity store is a logical start, but you can’t stop there. Applying centralized multifactor authentication (MFA) across all authentication points and combining that with behavioral analytics is a multi-layered strategy to defend against these kinds of attacks.

Knowing who is accessing apps and keeping out those who should not access them solves most of the problem. For additional security, give users only the role-based access needed to do their job in a distributed workspace by establishing least-privilege access.

Security is a fickle game, and we never know if the right person is who they say they are. It is always a good idea to monitor user activity within apps to enforce security policies. Your new enhanced strategy can take you far beyond simply securing the core and endpoint to the cutting edge of security.


Brian Krause

Brian leads CyberArk’s Strategic Partners Team. He spends his time working with IT leaders and technology partners to build identity practices, to serve the complex needs of a rapidly transforming business environment.
