By Ryan Squires Posted August 19, 2019
Software-as-a-Service (SaaS) applications are more widely used than ever before, largely due to convenience and cross-platform availability. But with that increase in usage comes risk to your reputation, financial standing, and your clients’ data. If you’ve ever wondered about the ways in which bad actors are looking to take advantage of you, or leverage your platform for ill-gotten gains, keep reading.
DDoS Attacks and Your Service
One of the biggest ways that bad actors are looking to take advantage of SaaS companies is by leveraging DDoS attacks. DDoS attacks work by flooding a service with requests: so many that the service becomes unresponsive and shuts down. In order to perform an attack like this, bad actors need to send massive numbers of requests. So, they assemble botnets, or collections of compromised systems and devices. This is accomplished by setting up off-shore servers or leveraging malware-infected laptops/desktops/servers to push requests at a service.
Another way that hackers are flooding services with malicious requests is through Internet of Things (IoT) devices. As these devices become more prevalent, many have realized that they can be used to perform DDoS attacks. Part of the reason for using IoT devices is that they lack many security features, which makes them easy targets. They are also not widely monitored, which makes it easy to sustain an attack over a period of time. Let’s take a look at the potential damages that you could incur if your service goes dark.
- Financial Loss:
- About half of organizations incur losses between $1,000 and $10,000 per minute spent down as a result of a DDoS attack. Further, 53 percent suffered losses between $10,000 and $100,000 per minute offline.
- Reputational Injury:
- SaaS companies are expected to keep their services available. Because so many critical applications are hosted in the cloud now, should your service go down, you can expect to field angry emails and loss of revenue as customers pivot to something else. Word gets out to potential customers and they’ll defer to another solution that hasn’t experienced outages.
Ill-Gotten Gains and Methods: DDoS Attacks, Credential Stuffing, User Enumeration
You may wonder why anyone would want to obstruct what you’re doing—which is essentially helping people get work done. Well, some people simply want to disrupt order. Others have motives that you may likely guess and perhaps others that you may not. Let’s get into it.
- Financial Gain:
- Disrupting your service for long enough via a DDoS attack can force you to react. And with upwards of $100,000/minute lost, you may be compelled to simply settle with your attacker after they ransom your service.
- Reputational Gain:
- Taking down a SaaS company is big for some hacking organizations. It gives them clout in the hacking community, so some may be willing to do it for exposure and hacker credibility.
- You could also experience such an attack at the hands of your biggest rival. If your service goes down it makes them look good in comparison.
- Credential Discovery:
- Some attacks are made in an attempt to obtain credentials in what are called credential stuffing attacks. Bad actors will utilize username and password combinations, taken from data breaches and published on the darkweb, and run them through your login screen. If they’re granted access to your service, they can then steal any data accessible to that user on your platform. Also, these malcontents will then reuse those credentials they’ve confirmed to work on various websites and do whatever damage they can there too.
- User Enumeration:
- Different from credential stuffing, user enumeration seeks to discover which usernames are valid. Bad actors try various usernames on your login screen, and in some services, the webpage will indicate whether the user was found or not. Bad actors also attempt to do the same through the forgot-password utility, where they input usernames to find out if any are correct.
What You Can Do To Protect Yourself and Your SaaS Service
There are a lot of things that can happen in the moment, or during the attack, and it is likely you’ll be feeling a mixture of emotions from anger to confusion. That said, it is important that you’re prepared, and that you have a plan so that you’re not influenced by those emotions to act in a negative way. Here are some tips for you if and when you face a DDoS attack. This is not an exhaustive list, but it is a good place to start.
- Have a plan for if and when this happens. If your company makes the majority of their money online, then you need a proactive plan in place for if/when this happens to you. The bigger you get, the more likely it is to occur.
- Don’t panic. Many want to simply shut down their website so access can’t be granted to anyone. If you do that, the attacker wins.
- Contact a DDoS mitigation service such as Cloudflare to route your traffic through them so they can analyze it, allow the right people access to your site, and then send those requests on to you. Better yet, use a content distribution network (CDN) if you can afford it; that will limit your risk immediately.
Credential Stuffing, User Enumeration and Proactive Steps You Can Take
It is probably important to you that your clients’ data stays safe. There are some ways that you can prevent bad actors from obtaining info about your clients’ users.
- Have varied response times from your server so bad actors can’t infer from the response time if a user is valid or not.
- Utilize a generic message for when a user cannot authenticate. Do not indicate whether the username or the password was the part that failed. Additionally, no other part of the response should leak that information either, including the response URL, landing page, etc.
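To make the two tips concrete, here is an added example (not code from the original post) of a login handler and a forgot-password handler in two forms: a leaky version that tells an attacker which usernames exist, beside a hardened version that returns one generic message and performs the same amount of work whether or not the account exists, so the response time does not give the answer away either. The user store, the passwords and the helper names are constructed for this demo.

```python
import hashlib
import hmac
import os

GENERIC_FAILURE = "Invalid username or password."


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256; iteration count kept modest so the demo runs quickly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed demo user store (username -> (salt, hash)); stands in for a database.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Dummy credential so that an unknown username still costs exactly one hash.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder-not-a-real-password", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """Leaky form: distinct messages (and an early return with no hashing)
    reveal whether a username exists."""
    if username not in USERS:
        return "No such user."          # enumerable by message and by timing
    salt, stored = USERS[username]
    if _hash_password(password, salt) != stored:
        return "Wrong password."        # enumerable by message
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """Hardened form: one generic message, and the password hash runs on
    every path so the unknown-user and wrong-password cases look alike."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # compare_digest avoids a byte-by-byte short-circuit in the comparison
    matched = hmac.compare_digest(candidate, stored)
    if matched and username in USERS:
        return "OK"
    return GENERIC_FAILURE


def forgot_password(username: str) -> str:
    """Same response whether or not the account exists; the reset email,
    if any, goes out of band (sending is not shown here)."""
    if username in USERS:
        pass  # enqueue the reset email for the real account here
    return "If an account exists for that username, a reset link has been sent."
```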
With this information, you can prepare yourself to handle the different ways that malicious actors seek to damage your service or exploit it in their favor.