
What Security Teams Can Learn From The Rippling/Deel Lawsuit: Intent Lies in Search Logs

Earlier this week, Rippling announced that it had filed a lawsuit against one of its biggest competitors, Deel. The lawsuit alleges that Deel had placed a ‘spy’ within Rippling in order to harvest confidential sales and business strategy data from Slack channels and other applications. While this story may be great for gossip and social media, it also offers a cautionary tale for security teams monitoring their environments for threats. Rippling found that the employee in question, who worked in its payroll department, had sharply increased the number of ‘Deel’-related searches he ran in Slack, had begun accessing sales and competitive-intelligence channels, and more.
Reported in TechCrunch on Monday:
“Beginning in November 2024, [an employee referred to as] D.S. beginning [sic] previewing channels at a rate orders of magnitude greater than he had before — both in terms of the number of channels previewed, and in the number of times he previewed each of those channels.”
The lawsuit states that many of these channels contained confidential sales and business strategy discussions, with particular emphasis on Deel.
“The channels D.S. previewed during this period have no connection to his payroll operations job responsibilities,” states the complaint. “What they do relate to, however, are all aspects of Rippling’s business development, sales, and customer retention strategies—the most sensitive of the Company’s Sales and Marketing Trade Secrets and confidential business information—with a particular emphasis on a single competitor, Deel.
“Leaving no doubt about the ultimate beneficiary of the brazen espionage scheme, D.S. viewed channels related specifically to Rippling’s competitive intelligence concerning Deel over 450 times during the course of the scheme… Indeed, D.S.’s top 10 channel previews since November 2024 are all sales-related channels, completely unrelated to D.S.’s role in payroll operations.”
The lawyers allege the employee also read and downloaded related exchanges and documents in those channels, and worked on helping try to poach people from Rippling.
So what could all of this mean for security teams? Based on the P0 team’s experience responding to hundreds of breaches over the last several years, two things come to mind.
1.) Insider threats tend to look a lot like attacks carried out by advanced threat actor groups. Both invest heavily in learning about your organization by leveraging the functionality of your knowledge base, ticketing, and chat solutions.
2.) We can learn a whole lot about detecting threats (whether from malicious insiders or external threat actors) by monitoring users’ search terms, viewed documents, and exported data in critical SaaS applications.
Insider Threats Look A lot Like Attacks Carried Out By Advanced Threat Actor Groups
The P0 Labs team has conducted extensive threat research on groups like LUCR-3 (Scattered Spider) and observed the common methods with which they orchestrate attacks against environments. The pattern that emerges with these threat groups is that they target highly privileged users for compromise in identity providers like Okta or Entra ID. Once they gain access to an environment, they have access to all of the applications and services federated through that identity provider, giving them easy access to cloud service providers like AWS, GCP or Azure, SaaS applications like Salesforce, Jira or Slack, and code repositories like GitHub.
Over the course of their attack, both the advanced threat actor and the malicious insider learn as much as they can from your own SaaS applications using the native search functions of those applications. They aren’t deploying malware or doing anything overtly malicious. They are simply using the native search, view, and export features to find relevant data, review it, and take it from your environment. If you can’t detect insider threats, you probably can’t detect advanced threat actors either.
In short, insider threats such as those alleged against the Rippling employee often resemble the activity of external threat actors. Both use your own tools and applications against you to access and exfiltrate data. In the case of LUCR-3 above, and in many insider threat cases, the actor logs into an identity provider and accesses the applications they have been granted access to; in this case, Slack. The recon column in the graphic above shows where malicious insiders and advanced threat actors share common ground: they leverage the SaaS applications available to them to learn about the organization’s operations. Both leveraged Slack as a primary channel to access and exfiltrate sensitive data. Because this activity looks like ordinary use, both external attacks and insider threats often go undetected.
An identity leveraging permissions to applications granted to them isn’t anything out of the ordinary. So how can security teams better detect this nefarious behavior? It requires understanding what baseline behavior for each identity should look like in order to recognize when that identity deviates from it. In the case of threat actors like LUCR-3, MFA factor rotation, or specifically a switch/downgrade of the devices used to access the identity provider, should sound some alarm bells. In the case of the accused insider at Rippling, it was a significant spike in ‘Deel’-related search terms in Slack and access to channels that weren’t relevant to their role.
In other instances, it could be a user logging into applications they haven’t accessed in several weeks or months. It could also be those same users leveraging permissions they don’t normally use. It goes without saying that if a user hasn’t accessed a SaaS application in months, they probably don’t need access to it, and least privilege would address that. The same applies to permissions that were granted but went unused for a long period of time: if those permissions weren’t being actively used by the identity for several weeks or months, least privilege principles would dictate that the user shouldn’t have had them in the first place. In the case of the accused insider at Rippling, one may argue that someone in a payroll position doesn’t need access to competitive intelligence and sales channels that may hold sensitive information.
In both the case of modern threat actors like LUCR-3 and this recent lawsuit, the individuals simply leveraged the tools readily available to them to access and exfiltrate sensitive data.
Search Terms Show Glaring Intent in SaaS Applications
You may have seen true crime shows where a defendant is standing trial, having been accused of committing a murder. In the course of the investigation, the phone or computer of the accused is confiscated and examined for evidence. Investigators look at call logs, text messages, or emails sent by the accused to understand their behavior and activity leading up to the crime. Every so often, investigators find damning evidence not in an email or text message, but in search history, where perpetrators take to search engines to help them commit and cover up a crime. These searches include things like:
“How to dispose of a body”
“Can you be charged with murder without a body”
“How long does DNA last”
“How to clean blood from wooden floor”
These are just a few examples of how detectives and prosecutors are able to demonstrate clear intent. Could someone randomly be searching these without having committed a crime? Absolutely, but when these searches are discovered on the device of the leading suspect in the disappearance of his wife, they show clear intent of the accused.
This isn’t much different from the way users search SaaS applications like Slack. In the case of the alleged insider at Rippling, while the search terms weren’t nearly as direct or nefarious, the combination of that employee actively searching (hundreds of times) for Deel-related terms in Slack and accessing channels that were well outside the scope of their role could be an indication of malicious intent. The post by Rippling alleges that the ‘spy’ searched the term “Deel” in Rippling’s Slack instance an average of 23 times a day over a four-month period. This allowed the insider to capture Rippling’s sales pipeline on opportunities where they were competing with Deel, ‘including proposed pricing, details of sales meetings and conversations between Rippling and prospective customers evaluating a switch away from Deel, and training materials for Rippling’s sales organization on how to compete against Deel.’
Rippling went as far as to set up a honeypot to trap that ‘spy’ in an effort to prove the operation was coordinated by senior leadership at Deel.
In a September 2023 breaking threat research blog article, Permiso’s SVP of P0 Labs, Ian Ahl, details the TTPs of LUCR-3 (Scattered Spider). His article includes several references to how the threat group was observed leveraging basic search features in various SaaS applications in order to carry out their mission, and most notably how these search terms show the clear and distinct intent of the threat actor. This article has since been referenced in research by Wiz, MITRE and the SANS Institute.
LUCR-3 utilizes mostly Windows 10 systems running GUI utilities to carry out their mission in the cloud. Using the native features of SaaS applications such as search, LUCR-3 is able to navigate through an organization without raising any alarms.
Later in this article, Ian walks through specifically how threat actors use the search feature of these SaaS applications for reconnaissance.
R-SaaS
In order to carry out their goal of data theft, ransom and extortion, LUCR-3 must understand where the important data is and how to get to it. They perform these tasks much like any employee would. Searching through and viewing documents in the various SaaS applications like SharePoint, OneDrive, knowledge applications, ticketing solutions, and chat applications, allows LUCR-3 to learn about an environment using native applications without setting off alarm bells. LUCR-3 uses search terms targeted at finding credentials, learning about the software deployment environments, code signing process, and sensitive data.
Ian goes on to explain how LUCR-3 used native search features to establish persistence/maintain presence.
EP-SaaS
LUCR-3 will use all the applications available to them to further their goal. In ticketing systems, chat programs, document stores, and knowledge applications they will often perform searches looking for credentials that can be leveraged during their attack.
Finally, he shows how search features can also help the threat group complete their mission.
Complete Mission (CM)
...
While in the SaaS world, they complete their mission by searching and downloading documents and web pages via a traditional web browser.
Search terms show exactly what someone is trying to achieve and are key indicators of what someone is looking to accomplish. Permiso has monitored both insider and external threats where actors were actively searching for API keys, password documents on shared drives, and things like code signing certificates. They have observed threat actors search knowledge apps, ticket/support applications, chat services, document stores and other areas where sensitive data is stored. It’s critical to be able to baseline the normal behavior for users in order to detect when a user is behaving differently.
The same holds for off-boarding: you tend to see nefarious activity, and generally anomalous behavior, when employees are about to leave. Understanding what they are accessing and what data they may be exfiltrating, such as customer lists or roadmap information, matters because all of it deviates from their normal behavior.
As dozens of companies have unwittingly hired thousands of North Korean IT workers over the last several months, monitoring search terms in key SaaS applications, coupled with access and behavioral anomalies, will give security teams a quick view into the intentions of their workforce and the ability to uncover when an identity has been compromised or an insider poses a threat to their organization.
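The baseline-then-deviate approach described here, and in the earlier section on detecting identities that stray from their normal behavior, is illustrated by the following added example; it is not Permiso’s code or detection logic. It assumes a simplified audit-log event shape of (user, day, action, target), a hypothetical user and channel names, a constructed sample of events, and an arbitrary spike threshold (min_ratio) that a real deployment would tune.

```python
from collections import Counter, defaultdict

# Constructed events in the shape of a simplified SaaS audit log:
# (user, day, action, target). Hypothetical data, not from the lawsuit.
EVENTS = [
    ("d.s", "2024-10-03", "search", "payroll q3"),
    ("d.s", "2024-10-03", "preview_channel", "#payroll-ops"),
    ("d.s", "2024-10-10", "search", "deel"),
    ("d.s", "2024-10-17", "preview_channel", "#payroll-ops"),
    ("d.s", "2024-10-24", "search", "tax filing"),
    ("d.s", "2024-11-12", "preview_channel", "#sales-competitive"),
    ("d.s", "2024-11-12", "preview_channel", "#payroll-ops"),
] + [("d.s", "2024-11-12", "search", "deel")] * 23

def baseline(events, user, baseline_end):
    """Average searches per active day for each term, and the set of
    channels the user previewed, over days up to baseline_end (ISO dates)."""
    hits, channels, days = Counter(), set(), set()
    for u, day, action, target in events:
        if u != user or day > baseline_end:
            continue
        days.add(day)
        if action == "search":
            hits[target] += 1
        elif action == "preview_channel":
            channels.add(target)
    n = max(len(days), 1)
    return {t: c / n for t, c in hits.items()}, channels

def detect(events, user, baseline_end, min_ratio=10.0):
    """Flag post-baseline days where a term's daily search count is at
    least min_ratio times its baseline rate (a brand-new term always
    flags), and channels previewed that never appeared in the baseline."""
    rates, known = baseline(events, user, baseline_end)
    per_day, new_channels = defaultdict(Counter), set()
    for u, day, action, target in events:
        if u != user or day <= baseline_end:
            continue
        if action == "search":
            per_day[day][target] += 1
        elif action == "preview_channel" and target not in known:
            new_channels.add(target)
    alerts = []
    for day in sorted(per_day):
        for term, n in per_day[day].items():
            rate = rates.get(term, 0.0)
            if rate == 0.0 or n >= min_ratio * rate:
                alerts.append((day, term, n, round(rate, 2)))
    return alerts, sorted(new_channels)
```

Run against the sample, the single October search for “deel” sets a low baseline rate, so the 23 searches on one November day and the never-before-seen sales channel both surface, while the routine payroll channel does not.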
Whether you’re looking to monitor account takeover or insider threat, Permiso helps security teams detect suspicious and malicious activity in their environment for both human and non-human identities, wherever they live. Want to learn more? Get a demo today!