
students: those are the apps that business users are building themselves, and we're going to see just how far we can take it to really get where we want to be.

A quick note about myself. I lead an OWASP group dedicated to low code/no code, that's the Top 10 for low code/no code apps; if you're interested, check it out, we have over 200 people that are part of this group already. I started a company called Zenity, which is focused on this area; we've been around for something like two years, and I've actually been focused on security for low code for about four years now. I started off at Microsoft, where I was part of a team that created a bunch of new products around Defender for X: Defender for APIs, Defender for IoT and others. I also write about this, so if you're interested in this topic there's a bunch more than I'm going to show today; reach out or shoot me an email.

A quick disclaimer: even though this talk is given from an attacker's perspective, low code is awesome. As we'll see in a moment, low code is really putting power in the hands of business users, who are of course the people best placed to move the business forward, and we're going to see what those people are actually able to create. But it's important to do it in a secure way, and that's why we're giving this talk.

So here's what we're going to do, a quick outline. We're going to start by making sure we're all on the same page on what low code/no code is, just to understand it. Then attacks that were observed in the wild. We'll start off with living-off-the-land attacks: you'll find that low code apps have compute, they run on somebody else's cloud, and they're really difficult to monitor, which makes them the perfect thing for living-off-the-land attacks. We'll also see persistence mechanisms, and we're going to follow an APT group that actually used Power Automate specifically as a persistence mechanism. Then we're going to see predictable misconfigurations; think open S3 buckets and how long we've tried to solve that problem. We're going to see this pop up again here. And of course we'll wrap up with how you can protect your organization when you go home, plus a few tools you can play around with to get a feeling for it.

So let's start with low code. The number one slide of this presentation, the most important thing you're going to see today, is the next slide. Here it is. This is a chart representing a single Fortune 500 organization and the number of applications built by their business users using low code/no code. Of course this is anonymized; we are seeing this across multiple organizations and the numbers vary, but when you talk about business users building applications, or what people are calling citizen development, this is taking off in a way that's really unprecedented compared to what we know from professional application development. I mean, how many applications are built in your org every year? A hundred? A thousand if you're huge? You won't find five thousand or ten thousand applications built by professional developers. That means everything that relies on manual operations won't work: security reviews won't work, threat modeling won't work, vulnerability management won't work if you need to take a look at all of these different applications. We need a new approach here, and that's why this is important. You're also seeing that this chart goes up very rapidly, and this is just with the proliferation of these tools across the enterprise, with more and more business users becoming aware of them. Of course not all of these applications are huge; many of them are very small, you can call them micro-apps, but they still have identity, they still touch data, they can still do operations, so they still pose a risk.

All right, so this is essentially trying to capture why low code exists. This is a perennial problem: we will never have enough IT resources to target everything the business needs, and things get lost in translation. When somebody from the business needs something done, they need to convince somebody so they can actually go ahead and build it, and things don't work properly. If this idea of enabling business users sounds familiar, like it's not a new thing, well, it's not a new thing; it's been around forever. Think about Excel, for example, that's the perfect low code tool. Everybody's using Excel. Across my career I've learned a lot of things, but Excel has always been there. Think about just how many jobs are fully focused on Excel, are empowered by Excel. What low code is trying to do is basically bring you the next generation of Excel. And when you look at that, one thing that's obvious is that the risks associated with these technologies enabling business users have also been with us forever: Excel had macros, and macros are of course a problem until today. So this is part of a trend of IT decentralization, giving more power to the business, to the people that actually move the business forward.

So what are people building? Let's try to understand what types of things these applications can be. They can actually be whatever people want them to be. A lot of them are if-this-then-that automations: for example, every time you get an email you do something; every time a file arrives on SharePoint you send it off to your private Google Drive. These are the number one scenario. On top of that you'll find integrations, so one system can talk to another. You'll find business applications that facilitate a specific workflow; for example, at Microsoft the marketing team built an application that is used to coordinate product launches, so everything around product launches is built into this app built by the marketing team. You can find full products that have been built with low code by professional development teams. And of course mobile apps, there's a lot of them.

Now, one thing you could have in the back of your mind right now that would let you try to escape this talk unharmed is to think that this doesn't apply to you or to your organization. I'm sorry to be the one to say this, but you don't have a choice. If you're using any of the top enterprise SaaS platforms today, low code is being pushed in; you don't get a choice, nobody asks you. If you have Salesforce, if you have ServiceNow, if you have Microsoft, then in order to make those platforms more useful to your business users, the automation, integration and application capabilities are being pushed into those platforms, and you get some of them with the basic license. That means that in most organizations it's already there. I've actually never seen an organization without it. We do this engagement a lot, where we partner with someone, look at their environment and try to see what's already there, and they say "well, nobody's doing citizen development here, we're a bank" or something like that, "nobody will ever let business users build their own things". Reality is different. So I really encourage you to think of this as something that will happen. It's very similar in nature to the way we had to handle mobile, or bring your own device, where for some time we thought it might not reach the enterprise, we would never allow bring your own device in this org; well, today everybody's doing it, because there's no other way. So it's really important for us to understand that this is already something business users have the capability to use. By the way, this is a good thing, not a bad thing; it's allowing business users to actually produce more value for your organizations.

A quick recap. Low code is available in every major organization, as we just saw. Because these platforms are the platforms that hold your business data (think Office, Microsoft 365, Salesforce), by definition it has access to business data and is able to do business operations. It also powers business processes, because business users are building it to facilitate their operations. It runs as SaaS, and we all know that makes it challenging to monitor and control. And as most of us know, the things business users are building are pretty underrated by IT and security teams; we're used to thinking about them as toys, as something people use for their own personal use. That's really not the reality today. One of the largest things that happened in the last couple of months, with the introduction of things like ChatGPT into low code, is that business apps have become even easier to build. Today, instead of writing a prompt that gives you an answer, you can write a prompt that builds an app. This is actually available in Microsoft 365 today, and so the number of apps only gets bigger.

All right, so we've gone through the introduction. (Is this better? All right, I'm going to lean in.) Okay, so we went through the intro, but one thing I want to make sure is that we have an intuitive understanding of what these applications are, and I also want to make sure you're convinced that everybody can build these applications. So let me show you an example, and hopefully this will work.

You'll probably see something in a moment, but while this is working let me show what I'm actually building here. We're using Slack in my company, and there's this annoying thing about Slack: if somebody mentions you on a public channel, they expect you to answer pretty quickly, which is kind of annoying. But I've noticed that if you have this small icon next to your name that says you're on a call, they won't nudge you. So here's the automation: every time I get mentioned on Slack, I'm going to change my status as if I'm on a call so people won't bother me, and five minutes later I'm going to change the status back to free so nobody will be suspicious. This is the small automation I'm building, and while I'm building it you can see I'm dragging and dropping, I'm choosing; I had to choose a specific Slack account to use. This demo is actually showing you Zapier, so it's able to go to the Slack API. Think about the complexity of this application: it needs to subscribe to a webhook, it needs to reach out to the API afterwards, and that five-minute wait period means there's some sort of state, it needs to wait. And you can see that while I'm building this there's nothing sophisticated here; on the builder side this takes me about two minutes. I want you to notice a couple of things. One is that at no point while building this application do I need to provide access to Slack. So how does this work? How does Zapier connect to my Slack account? We'll see that in a moment. The other thing is, think about the SDLC and compare it to what you're seeing on screen: there's no SDLC here. I'm just building something, and once I click save it will be deployed to production. By the way, some platforms also auto-save, so any change you make is automatically pushed. If you think about this for a critical process, think about all the things you lose by not having an SDLC: there's no review, there's no security gates, forget about shift left. Okay, so you just saw I got this little icon there; I'm publishing this app, that's it, it's operational, and now I'm demoing that it works. Again, this was just a couple of minutes, but you understand just how powerful this application is.

The number one thing that's important to us is the identity. Actually, before I created this application I went through a very small process called creating a connection. So what is a connection? A connection is basically an OAuth consent flow, for Slack in this case, and you can see the regular OAuth consent flow asking me for specific permissions. I can choose from a bunch of applications; these platforms come built in with hundreds of different connectors. Once I go through the OAuth consent flow I get this object created, which is called the connection. What's important about this connection is that it has this little share button. This is weird: it's OAuth, I went through an OAuth flow, I granted consent for Zapier to act on my behalf, and then I can share that consent, that active connection, with other users. How does it work? On one side we have Zapier, or Power Automate, or any other automation platform; this is not picking on a specific vendor, the entire industry is doing the same thing, and I'll tell you in a moment why. On the other side you have REST APIs; by the way, this can also be your on-prem, your cloud, anything. How does it work? Essentially what they're doing is taking the refresh tokens out of the OAuth consent flow and then allowing you to share those refresh tokens with other users. Think about what this means: this completely breaks the permission model, completely breaks the OAuth model, because this is user impersonation by design. The application is impersonating the user, and you are impersonating the user when you share those connections with other users. By storing these refresh tokens and then reusing them, you are able to bypass anything; again, it's your own identity impersonating the user. But also think about the productivity benefit: no more asking for permissions. You can build whatever app you'd like with your own permissions; as long as you can do it as a user, you can build an app that automates it. This is very different from your experience as a professional developer: as a developer you need to ask for permission, you have an application, it has a service account or something like that. Not here. I mean, you can do it, but in many cases you don't.

Now, because you've seen the chart with so many applications, and it's so easy to create those applications, you get a whole bunch of applications. These are just examples from templates provided by the different vendors. The important thing about this is the logos next to the names of these applications. Why are the logos important? Because that means there's an active connection to each one of these systems. So when you have lots of different applications, behind each application there is a trail of connections: connections that can be shared, connections that can be overused. When you look at each one of these platforms, what you'll typically find is some notion of a default environment, somewhere everybody can go into the platform, create applications, automations and connections, and share them with others. This sharing is one click away. In some platforms, in some cases, it can be shared with the entire org by default, and when I say the entire org I mean everybody, for example everybody in your Azure AD tenant, so that includes guests, by the way, or contractors and vendors. So when you go into one of those platforms, they are basically providing you credential sharing as a service, which bypasses the entire security mechanism. Think about the SOC trying to figure out the difference between an application using your refresh token and yourself; it's very difficult.

Now of course, once we have that, you can see the first attack here, which is just privilege escalation. This is basic. The end result is that when I have a single account in your org, and again this can be a guest account as well, and I go to each one of those platforms, there's a bunch of connections waiting for me to pick up and use. You'll find FTP connections, connections to people's Outlook and Teams, connections to people's cloud environments, Azure and AWS and GCP. So this is a lot. Beyond just getting those connections and being able to escalate your privileges, you can also use those connections to actually get what you want. For example, here's ransomware built with no code. What you're seeing here is that I click a button and then I'm iterating over a SharePoint site; for each file in that SharePoint site I'm going to encrypt that file using a handy encrypt function provided by the platform, because there are valid business use cases to encrypt files, and then I'm going to simply overwrite the file with the encrypted version. So once again, using no code tools. Think about all the protections you have in your org targeting ransomware; they won't really find this. We'll see in a moment how this goes well beyond that.

Here's another example. In almost every organization I've worked with I've seen this example in some form or another. We've tried to block business users, or users in general, from using their own personal accounts in a work context; we're all guilty of that as well, everybody wants their calendar events in their personal Gmail. There are solutions for that: you can use DLP, you can do something on the email server, a bunch of things. But what if the business user creates an app that on one side connects to the corporate email, and on the other side, with a separate connection, connects to their own Gmail account, and simply copies the content? The content is being copied on the SaaS vendor's cloud, so no network security appliance will help you there, no monitoring will help you there. The only thing you can do is look at the platform itself, because it's the only one that's aware this application even exists. What you're seeing here is an example of email exfiltration. Again, this is very common, but we've seen this with other things as well: syncing up a corporate drive with a personal drive. We've seen cases where people, by mistake, build an application that other business users start to use, it's useful, and it uses for example an Excel spreadsheet as a database. But where is that Excel spreadsheet stored? Because as easily as you can plug in your corporate account, you can plug in your personal account, and that's it, and the application is
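The two platform-level problems described above, connections shared tenant-wide or with guests, and flows that pair a corporate connection with a personal-account one, are what a defender would want to triage first. As an added example (not from the talk or any vendor's tooling), here is a small Python script that does that over a constructed connection/flow inventory; the export format, the `contoso.com` corporate domain and the connector names are assumptions, since real platforms expose this data through their own admin APIs.

```python
# Added triage example (not from the talk): the inventory below is a constructed,
# hypothetical export; real platforms expose this data through their own admin APIs.
from dataclasses import dataclass, field

CORP_DOMAINS = {"contoso.com"}   # assumption: the org's own domains; anything else is "personal"
# Connector types whose shared connections give the most leverage if another user picks them up.
HIGH_VALUE = {"azure", "aws", "gcp", "ftp", "sharepoint", "office365", "teams"}

@dataclass
class Connection:
    id: str
    connector: str           # e.g. "office365", "gmail", "azure"
    account: str             # the identity whose refresh token the connection holds
    shared_with: list = field(default_factory=list)  # "tenant", "group:<name>" or a UPN

@dataclass
class Flow:
    name: str
    connections: list        # ids of the connections the flow uses

def is_exposed(principal: str) -> bool:
    # "tenant" means everyone (guests included); Azure AD guest UPNs carry the "#EXT#" marker.
    return principal == "tenant" or "#EXT#" in principal.upper()

def domain(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].lower()

def connection_findings(conns):
    """(connection id, reason) pairs for connections another user could pick up."""
    findings = []
    for c in conns:
        exposed = [p for p in c.shared_with if is_exposed(p)]
        if exposed:
            findings.append((c.id, "reachable by tenant/guest principals: " + ", ".join(exposed)))
        if c.shared_with and c.connector in HIGH_VALUE:
            findings.append((c.id, f"high-value {c.connector} connection is shared"))
    return findings

def exfil_findings(flows, conns):
    """Flows that bridge a corporate-account connection to a personal-account one."""
    by_id = {c.id: c for c in conns}
    findings = []
    for f in flows:
        used = [by_id[i] for i in f.connections]
        corp = [c for c in used if domain(c.account) in CORP_DOMAINS]
        personal = [c for c in used if domain(c.account) not in CORP_DOMAINS]
        if corp and personal:
            findings.append((f.name, f"{corp[0].connector} -> {personal[0].connector} via {personal[0].account}"))
    return findings

# Constructed sample inventory (not real data).
CONNECTIONS = [
    Connection("c1", "office365", "alice@contoso.com"),
    Connection("c2", "gmail", "alice.private@gmail.com"),
    Connection("c3", "azure", "bob@contoso.com", shared_with=["tenant"]),
    Connection("c4", "ftp", "carol@contoso.com", shared_with=["dave_fabrikam.com#EXT#@contoso.onmicrosoft.com"]),
    Connection("c5", "sharepoint", "erin@contoso.com", shared_with=["group:finance"]),
]
FLOWS = [Flow("Copy inbox to Gmail", ["c1", "c2"]), Flow("Finance report", ["c5"])]
```

On the sample inventory, `connection_findings(CONNECTIONS)` reports the tenant-wide Azure connection, the FTP connection shared with a guest, and the shared SharePoint connection, while `exfil_findings(FLOWS, CONNECTIONS)` reports only the Office 365-to-Gmail flow.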