Permiso, an identity threat detection and response startup, is offering complimentary, private threat briefings with the P0 Labs team on attacks against the identity provider (IdP) control plane, a common attack vector by multiple threat groups over the last few months.
Attacks against identity providers have been responsible for breaching environments in several high-profile attacks over the last months including MGM and Caesars back in September 2023.
Identity-first security strategy
"An identity-first security strategy is paramount to defending against modern threat actors. P0 Labs is at the forefront of understanding these attacks by making identity a pillar of their research," said Jason Chan, former Head of Security at Netflix.
"Identity is as close to a silver bullet as it gets in the cloud. If you get it wrong, you face significant risks and challenges in securing your enterprise effectively."
Free briefings
The team will also offer strategies for securely configuring the identity layer of a cloud environment
The free briefings, conducted by Ian Ahl, SVP of P0 Labs and former Head of Advanced Practices at Mandiant, and his team will demonstrate what typical cloud attacks against the identity provider's control plan look like, and provide hunting tips on what to look for in an environment to develop effective detections.
The team will also offer strategies for securely configuring the identity layer of a cloud environment to better defend against common attacks against identity providers like Okta and Entra ID (formerly Azure AD).
Centralized authentication
“Threat actor groups have been very successful at bypassing identity providers. They strategically target admin-level identities and can compromise credentials and bypass MFA with ease,” said Permiso Co-founder and Co-CEO Paul Nguyen.
"The convenience of centralized authentication has proven to be a significant security risk to many organizations because they simply aren't monitoring the control plane of their identity provider."
Native security features
The P0 Labs team has been researching and responding to attacks against the IdP control plane"
"Security teams are starting to realize that the native security features of these IdPs are not nearly enough to secure their identities in the cloud."
"The P0 Labs team has been researching and responding to attacks against the IdP control plane for a while now and it's generated more than a hundred detections and signals for our product. As we have in the past, we want to share this with the broader security community."
Impersonation technique in Okta
In July of 2022, the P0 labs team discovered an impersonation technique in Okta whereby when an Okta Administrator changes their or another’s username assignment to another existing user, an unexpected impersonation event can occur that allows the impersonator to authenticate and assume the permissions of the impersonated user in the target application.
Permiso disclosed their findings to Okta and was told that this is expected behavior for the edit user assignments functionality.
Okta breach
Back in October 2023, Okta notified its users of a breach in its customer support system
Back in October 2023, Okta notified its users of a breach in its customer support system. At the time, the company reported that 1% of their 18,400 customers were impacted by the incident.
After further investigation, the company issued another statement recently claiming they had discovered that in fact, all of its customers had data stolen during the breach. Okta isn't the only identity provider that has been impacted by these attacks.
JumpCloud and Azure AD
In July of 2023, both JumpCloud and Azure AD were the targets of nation-state threat actors. North Korean state-sponsored threat groups breached JumpCloud where the attack reportedly impacted a handful of customers.
Threat actors from the Chinese government were able to access email accounts of 25 organizations including the US Department of State and Commerce when Azure AD was breached at the same time earlier in 2023.
Identity-related attacks
The continued focus on identity-related attacks is also coupled with a 160% increase in attempts
Crowdstrike has reported that 80% of breaches used compromised identities, of which 62% of interactive intrusions involve the abuse of valid accounts, with 34% of intrusions specifically involving the use of domain accounts or default accounts. The continued focus on identity-related attacks is also coupled with a 160% increase in attempts to gather secret keys and other credentials.
The report also noted a 147% increase in access broker advertisements for credentials for purchase in criminal or underground communities, demonstrating how valued these credentials are to threat actors that leverage them to complete their mission in the shortest amount of time possible.
Cloud Detection and Response Survey Report
Earlier in 2023, Permiso released their Cloud Detection and Response Survey Report, where they found that more than 80% of respondents expressed confidence that their current team and tools would be able to prevent a threat actor from being able to breach their environment.
95% of the respondents, however, expressed concern with their ability to detect a threat actor if they were able to gain access to their environment. 55% of those expressed their concern as ‘very concerned’ and ‘extremely concerned.’
