Abnormal Knowledge Bases: Using AppBase to Prevent Third-Party Application Attacks
Remember when Apple’s trademark “there’s an app for that” was simply a quippy phrase to push the utility of having a smartphone?
Well, 12 years removed from Apple registering that trademark, the ubiquity of applications has taken on a new meaning in the corporate world, and in the world of cybercriminals.
Businesses use, on average, 323 SaaS applications, and to the delight of threat actors, IT teams typically only manage and have visibility into 27% of those apps.
One area of the business that is especially susceptible to application overload is an organization’s cloud email platform. With dozens of plug-ins and third-party app integrations for everything from calendars to creative suites, even organizations with the most granular app policies may be met with a visit from the shadow IT fairy. And that could spell trouble.
In fact, vulnerabilities in third-party software accounted for 13% of all breaches in 2022, costing victimized organizations $4.55M on average.
If you’re wondering how these app attacks typically present themselves, there are a couple of ways: either a threat actor flat-out steals API keys and then installs malicious applications with read/write access, or an internal user is tricked by a threat actor into installing what appears to be a legitimate application.
Both of these attacks can and do bypass traditional inbound email security tools as they often include no payload, come from a legitimate sender, or simply do not have an email component at all. The key to stopping these breaches is visibility and the ability to quickly address suspicious app installs and permission changes across the email platform.
How Abnormal Demystifies Your Application Landscape
Abnormal Security addresses this problem head-on in two interconnected ways: AppBase and the Security Posture Management Add-On. The latter is fed by the data within the former, as AppBase provides a running catalog of every app installed in your cloud email platform and the permissions for those apps.
This data is then correlated against the other Knowledge Bases, in particular PeopleBase and TenantBase, to build detailed, dynamic genomes connecting user behavior, app activity, and tenant activity. Security teams can quickly determine when a risky pattern may be emerging, especially when an unknown app with outsized permissions has been discovered.
Security Posture Management complements and extends AppBase by surfacing changes to apps and their associated permissions as they occur. Organizations can discover which apps their users have installed and, critically, when suspicious events occur, such as an app going from calendar-only access to suddenly being able to read and write email.
Cover Your Apps With AppBase
Let’s take a closer look at the breadth of capabilities within AppBase. As noted, AppBase centralizes app install and usage data, permissions, and other key metadata to help security teams understand how many apps are integrated into their cloud email platform, what those apps can do, and how heavily those apps are used.
Specifically, AppBase provides a running list that includes:
App Name
Access Level (Low or High levels of privilege)
Permissions (calendar and mailbox read/write access)
App Type
Tenant housing this integration
Registered user count
Platform
Analysis (insights such as privileged users having access)
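As an added illustration that is not Abnormal's code, the following models an AppBase-style inventory with the fields listed above (name, access level, permissions, tenant, users, analysis) and diffs two snapshots to surface the escalation described earlier, an app moving from calendar-only access to mailbox read/write. All app names, users, tenant names and permission strings are constructed; they are not real Microsoft Graph scope names.

```python
# Added example (not Abnormal's code): minimal AppBase-style inventory plus a
# snapshot diff that flags new installs and calendar-only -> mailbox escalations.
from dataclasses import dataclass, field

# Constructed permission vocabulary (not real Microsoft Graph scope names).
MAILBOX_RW = {"mail.read", "mail.readwrite", "mail.send"}
HIGH_PRIVILEGE = MAILBOX_RW | {"directory.readwrite"}

@dataclass
class AppRecord:
    name: str
    app_id: str
    tenant: str
    permissions: set
    registered_users: set = field(default_factory=set)
    privileged_users: set = field(default_factory=set)

    def access_level(self) -> str:
        # "Low" or "High", mirroring the Access Level column in the inventory.
        return "High" if self.permissions & HIGH_PRIVILEGE else "Low"

def analyze(app: AppRecord) -> list:
    """Insights for the Analysis column, e.g. privileged users on a High-access app."""
    insights = []
    if app.permissions & MAILBOX_RW:
        insights.append("app can read/write mailboxes")
    if app.access_level() == "High" and app.privileged_users:
        insights.append("privileged users: " + ", ".join(sorted(app.privileged_users)))
    return insights

def permission_changes(before: dict, after: dict) -> list:
    """Diff two snapshots keyed by app_id: report new installs and mailbox escalations."""
    findings = []
    for app_id, app in after.items():
        prev = before.get(app_id)
        if prev is None:
            findings.append({"app": app.name, "event": "new_install", "level": app.access_level()})
            continue
        added = app.permissions - prev.permissions
        # Escalation: mailbox rights appear where there were none before.
        if added & MAILBOX_RW and not prev.permissions & MAILBOX_RW:
            findings.append({"app": app.name, "event": "escalation", "added": sorted(added)})
    return findings

# Constructed snapshots: "Spoof Force" starts calendar-only, later gains mailbox write;
# "Quick Sync" is a brand-new install that already holds a mail-sending permission.
SNAPSHOT_T0 = {"app-1": AppRecord("Spoof Force", "app-1", "primary-tenant", {"calendars.read"}, {"renee.west"})}
SNAPSHOT_T1 = {
    "app-1": AppRecord("Spoof Force", "app-1", "primary-tenant",
                       {"calendars.read", "mail.readwrite"}, {"renee.west"}, {"renee.west"}),
    "app-2": AppRecord("Quick Sync", "app-2", "primary-tenant", {"mail.send"}, {"j.doe"}),
}
```

Running permission_changes(SNAPSHOT_T0, SNAPSHOT_T1) yields one escalation finding for Spoof Force and one High-level new-install finding for Quick Sync, the two events an analyst would want surfaced first.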
If an Abnormal user drills down into an application in the inventory list, they are met with a running timeline for that application alongside additional details, including the publisher, an app description, and integration dates. In the example below, we can see the permissions granted for the fictional application, Spoof Force:
From this app profile, a security analyst investigating a threat can click the App ID to be taken directly to the application in Azure. The analyst can also click the names of users or tenants in the activity timeline to be taken to PeopleBase or TenantBase, continuing their investigation with the activity contained in those Knowledge Bases.
If security teams were previously unaware of Spoof Force or felt Renee West was a risky user, it is crucial to know that this application not only exists in the organization’s email environment, but is integrated into the primary mail tenant, is accessed by privileged users, and has full permissions to access calendars and mailboxes. AppBase puts this information at the fingertips of security teams so they can remediate risks faster.
How AppBase Helps Solve the SaaS Problem
Again, if your organization is like most, you have hundreds of SaaS apps. Many of those apps are directly integrated with your cloud email security platform. Do you know what they are? Do you know what they can access? Do you know who accesses them? AppBase, along with the other Abnormal Knowledge Bases and Security Posture Management, helps to answer these questions so you can shine a light on the shadowy world of malicious app attacks.
Want to learn more about AppBase? Schedule a demo today.