Attackers Find Your Session Cookies Irresistible
Cookies are one of the most important web technologies around, even though they are almost as old as the web browser itself. They sometimes have a bad reputation, but there’s no denying that cookies do make our lives a lot easier. They store information that allows us to stay logged in to a site and enjoy a productive experience instead of continually having to re-authenticate and redo the same actions.
However, cookies also represent an opportunity for attackers, who can steal them to conduct a range of illicit activities. For your organization’s SaaS applications, this can lead to the theft or misuse of sensitive data, unauthorized transactions, and much more.
In this case we’re talking about session cookies. Short-lived session cookies, such as those generated by banking sites, are not particularly useful to attackers. Longer-duration cookies are, however, since they are used for “active” sessions that can persist for many hours or days.
It’s important to note that session cookies are used to authenticate a user’s identity, meaning they are issued after MFA has been completed. So, when an attacker can “pass the cookie”, that is, present it in a new web session, they can impersonate the legitimate user without ever being challenged for a second factor.
An Ongoing Threat
Session cookies can be stolen in a variety of ways, such as tapping into unsecured Wi-Fi networks, cross-site scripting attacks, phishing, trojans and other malware, and man-in-the-middle attacks.
For a real-world example, consider the Raccoon Stealer malware, which is just one of many malware families designed to steal cookies. The hacking group Lapsus$ reportedly used Raccoon Stealer to gain unauthorized access to the systems of video game company Electronic Arts using a stolen session cookie. They created a clone account of an existing EA employee and ultimately absconded with hundreds of GBs of data, including game source code.
In fact, cookie theft is quite common, with an estimated 22 billion cookie records stolen in 2022.
But the focus of this post is not how SaaS session cookies are stolen, or even how to prevent it. Instead, we are looking through a zero-trust lens. So, let’s assume that session cookies have already been stolen: what do you do to mitigate this threat?
Defending SaaS Applications
SaaS applications are critical to doing business today, with the average organization using 130 of them. A stolen session cookie for a SaaS application gives the attacker access to the same information and permissions as the legitimate user. This could include sales transactions and internal files. In the case of a hijacked web mail session, the attacker could read all the user’s emails, send emails that prompt others to take specific actions which benefit the attacker, and more.
Fortunately, it’s possible – and quite simple – to defend against the hazards of stolen session cookies with Harmony SASE SaaS Protection.
Harmony SASE assigns a unique, static IP address to your organization, and only traffic coming from that address is allowed to reach your SaaS applications. Everything else is denied by default.
Even if an attacker has obtained active session cookies, which, again, bypass the MFA mechanism, their traffic would simply be blocked by the SaaS server because it does not originate from your organization’s address.
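As an added illustration (not code from this post or from Harmony SASE), here is the deny-by-default shape of that control on the SaaS side: the source-IP gate is evaluated before the cookie is even looked up, so a replayed cookie from outside the organization’s address is rejected, and a suspect user can have every session revoked at once. The allowlisted address, session tokens and user names are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder: the static egress address the SASE gateway
# presents to the SaaS application on behalf of the organization.
ORG_EGRESS_ALLOWLIST = [ipaddress.ip_network("203.0.113.10/32")]

# Constructed session store: cookie value -> user. A real service would
# hold random, server-side tokens; these values are for illustration only.
SESSIONS = {
    "sess-7f3a": "alice@example.com",
    "sess-91c2": "alice@example.com",  # same user, second device
    "sess-0be4": "bob@example.com",
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    user: Optional[str] = None


def source_allowed(client_ip: str) -> bool:
    """True only when the request originates inside the organization allowlist."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ORG_EGRESS_ALLOWLIST)


def authorize(cookie: Optional[str], client_ip: str) -> Decision:
    """Deny by default. The IP check runs first, so a stolen cookie replayed
    from an attacker's own network never reaches session validation."""
    if not source_allowed(client_ip):
        return Decision(False, "source IP not in organization allowlist")
    user = SESSIONS.get(cookie or "")
    if user is None:
        return Decision(False, "no valid session cookie")
    return Decision(True, "ok", user)


def revoke_user(user: str) -> int:
    """Log a user out of every device by deleting all of their sessions.
    Returns how many sessions were invalidated."""
    stale = [c for c, u in SESSIONS.items() if u == user]
    for c in stale:
        del SESSIONS[c]
    return len(stale)
```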
Protection Beyond the Session Cookie
Harmony SASE gives you the visibility and control you need to mitigate SaaS security risks.
The easy availability of SaaS means convenient access for your team members, wherever they’re located, but it also gives attackers ample opportunity to probe for security gaps. With 55% of security executives reporting a recent SaaS security incident, it’s clear that the attacks aren’t going away.
In addition to a unique IP address, Harmony SASE also lets you align users’ access and permissions with their roles and responsibilities. This keeps everybody “in their lane” and prevents unauthorized access to applications and data.
Harmony SASE also provides real-time visibility and easy reporting of the users and devices that connect to your SaaS apps. If you ever have reason to suspect unauthorized activity, a user and all their devices can be logged out with the click of a button. This is also handy when an employee leaves, as their access to all SaaS apps can be instantly turned off.
Visit our Harmony SASE page to learn more about protecting your SaaS applications.