Push Security

💡 Introducing a SaaS attack matrix of networkless SaaS attack techniques - This is how attackers can own a company without touching the endpoint or the network - These networkless attacks bypass EDR and network detection We hope this helps defenders better understand the threats they face. 💬 #Pentesters #Redteams We’d love to some comments or contributions for things you've tried on GitHub! Links in 🧵 #security #infosec #SaaSsecurity #supplychainsecurity

If you're securing (or attacking) SaaS software, check out Push Security's SaaS attack matrix. It's one of the best resources I've come across for securing SaaS tools, whether you're bringing them into your organization or building them yourself. The list is a common list of attacks you can do directly on SaaS software, including malicious ecosystem integrations, open guest invites, and session cookie theft. These things tend to be shared across SaaS tools regardless of what they do. Of course, each tool will have unique features, but this is the core of what you should look at first. You can use SSPM tools to help automate some of the remediation, but I recommend manually assessing your most critical applications against this list.  https://lnkd.in/gPcrmsFB

Ghost Logins are an attack technique falling under access, persistence and defense evasion on the SaaS Attacks Matrix. They most frequently appear when an organisation brings an existing SaaS application behind an SSO identity solution. However, what is often missed is this doesn't actually stop anyone going to the SaaS application directly, using legacy or single factor credentials - avoiding the identity solution entirely. Attackers love Ghost Logins as they allow basic credential attacks with usernames and passwords, followed by more sophisticated persistence techniques (eg configuring alternative authentication methods). Finding Ghost Logins is one thing, remediating them is another - but Browser Telemetry (streaming of user authentication methods) is a great place to start generating high-fidelity data. So level-up like Pacman, and read more about dealing with Ghost Logins here (link to Push Security blog) https://lnkd.in/eYbgAxmd

Heading to the Windy City for #BlueTeamCon this weekend! You can find us: 👨🔬 In the Lab on Saturday between 10 AM and Noon, where Joe Stanulis //O will let you get your hands on the product 👾 At the booth Saturday & Sunday, where Mike Spitz and I will be hanging out, giving demos, and sneaking peeks of our Fantasy Football scores DM if you want to schedule a time to meet!

Nearly every call I’ve had in the last month has been speaking with people who are seeing a dramatic spike in advanced phishing attacks targeting their users, specifically AiTM. Customers are telling me that by the time their existing tooling alerts them to AiTM attacks or session token theft, it’s too late. I have to hand it to our product team and what seems like a crystal ball they must have. Earlier this year, our SaaS attacks research guided them to build these first of their kind controls. Our extension blocks these attacks in real time. Last year they had effectively predicted an incident like what happened to Snowflake customers by mapping out all identities in the cloud and reporting back vulnerabilities on them. If only they could give me the lottery numbers next. 🤑

I've seen some wild takes about the Yubikey vulnerability, where an attacker with extended physical access, tens of thousands of dollars of specialist equipment, and a background in cryptography might be able to clone them. While it's interesting research, the contrast between that and the real-world issues the security community is facing could not be more vast. One example - constantly - we’re helping our clients deal with scenarios where the same password used for SSO accounts is being reused for literally everything the employee logs into. Buying clothes, jewelry, donuts, and playing the McDonalds monopoly game – all are deserving of the same key used to access the crown jewels. 🫠 Imagine it: the same password that a fund manager uses to manage billions of pensions is also used to order FroYo. Or the same password a hospital admin uses to access patient PII is also used to log into Netflix. And if it’s breached anywhere, there’s a good chance that any semi-competent attacker will find the other, much more valuable places it’s used.   So while I'm all for a little bit of Hollywood hacking with lasers now and again, I do think it's good to have a little perspective on where the real risks lie for most of us.

Excited to see that Push Security has been included organically as one of the key vendors in the latest Gartner Emerging Tech report for SaaS Ecosystem security. It’s a very positive sign for our industry that SaaS/identity is now being formally recognised as a critical part of a modern company’s attack surface. Raising awareness of the threat of SaaS attacks is really important, and something that we need to come together as a community to tackle. That’s why we launched the SaaS attack matrix, a free-to-all GitHub repo of attack techniques, just over a year ago. Since then, we’ve had some amazing feedback and contributions from OffSec pros, and it’s really encouraging to see more organisations adding their SaaS surface into the scope of their security assessments. As the repo just hit 1000 stars, I’m sharing an ungated copy of our SaaS attacks report as a great intro to SaaS attacks and how to use the GitHub repo effectively. There are a number of helpful links to other relevant content like demos of attacker tooling, specific SaaS matrix techniques, and deep-dive technical blogs (courtesy of Luke Jennings). So whether you’re a red teamer just starting to look into SaaS, or you’re responsible for coordinating your company’s security testing, the SaaS matrix is a really useful resource for you to draw on. You can find the repo here: https://lnkd.in/e6m-n4_i

Ready to meet the REAL cookie monster? No, not Luke Jennings – we’re talking about infostealers, of course! Attackers are increasingly using infostealers to compromise MFA-protected services by stealing session cookies and hijacking live sessions. Join us on September 12th where Luke will be demonstrating: ⚠️ Running infostealers to steal and exfil browser data. ⚠️ Importing stolen cookies into an attacker-controlled browser.  ⚠️ Bypassing controls and policies preventing session hijacking.  ⚠️ Compromising downstream SaaS apps that are usually locked behind SSO. Don’t miss out – register for the webinar here: https://lnkd.in/eEu_p3ui

The recent Snowflake attacks were a great ad for infostealers. It’s quite alarming that 80% of the credentials that facilitated one of the largest breaches in history were just sitting around on the internet.  So, Luke Jennings from Push Security is back with another technical deep dive into hacker tools and techniques. This time, he’s rolling up his sleeves to demonstrate: ⚠️ How attackers use infostealers to steal sessions and compromise MFA-protected services like M365. ⚠️ How attackers use residential VPNs to bypass conditional access policies. ⚠️ How downstream SaaS app sessions can be stolen to avoid the need to access highly protected IdPs like Microsoft and Okta. Don’t miss out – register for the webinar here: https://lnkd.in/eEu_p3ui