[{"data":1,"prerenderedAt":2185},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/5-ways-to-defeat-identity-based-attacks":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":978,"faqItemsCollection":979,"faqTitle":62,"featured":6,"hashTags":62,"meta":981,"metaTitle":982,"ogImage":983,"publishedDate":985,"relatedBlogPostsCollection":986,"slug":2155,"stem":2156,"subtitle":62,"summary":2157,"synopsis":2174,"sys":2175,"tagsCollection":2178,"__hash__":2184},"blog/blog/5-ways-to-defeat-identity-based-attacks.json","5 ways to defeat identity-based attacks",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Jacques Louw","Jacques","Co-founder / CRO",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/39m8bektV23lnCRcEq0G8h/2a08f6276a50744f1a4b499b273f6bb2/Push_Founders_at_Cahoots_October_28_2022_by_Doug_Coombe-21.jpg",{"json":238,"links":942},{"nodeType":239,"data":240,"content":241},"document",{},[242,251,259,266,273,280,287,293,300,308,315,322,339,346,353,360,367,374,381,388,397,404,411,418,425,431,440,447,454,461,468,476,483,489,496,503,528,535,568,575,591,599,606,613,620,627,680,687,693,700,707,714,722,729,736,743,777,784,819,826,833,840,847,855,862,869,876,883,890,897,904,911,930,936],{"nodeType":243,"data":244,"content":245},"heading-1",{},[246],{"nodeType":247,"value":248,"marks":249,"data":250},"text","What is in an identity?",[],{},{"nodeType":252,"data":253,"content":254},"paragraph",{},[255],{"nodeType":247,"value":256,"marks":257,"data":258},"Like real identities, digital identities are a little hard to define. Formally it’s a mapping of a human into the digital world, but more often this term is used as synonymous with a credential (e.g. a username and password, a Multi-Factor Authentication (MFA) device, or a fingerprint) - the thing you use to prove you own the identity in an authentication process. When people say an identity is breached, they typically mean the credentials have been stolen.",[],{},{"nodeType":252,"data":260,"content":261},{},[262],{"nodeType":247,"value":263,"marks":264,"data":265},"This is a useful simplification, but bear in mind that reality is a bit more complex. For example - identities are typically tied to an account on an application (you want to login to Slack, Slack knows your password), but can also trust a third party (an Identity Provider or IdP) to authenticate an identity on your behalf in what’s known as federation (“login with Google” on Slack).",[],{},{"nodeType":252,"data":267,"content":268},{},[269],{"nodeType":247,"value":270,"marks":271,"data":272},"Surprisingly, it’s very common for modern apps to allow a user to authenticate to the same account using a local credential (a username and password) and a federated identity (e.g. the “login with Google” or “login with Microsoft” buttons) interchangeably.",[],{},{"nodeType":252,"data":274,"content":275},{},[276],{"nodeType":247,"value":277,"marks":278,"data":279},"That’s how you could wind up with multiple identities tied to a single account, or multiple accounts tied to a single federated identity. This is exactly what you see for real users - and every weird in-between case to boot.",[],{},{"nodeType":243,"data":281,"content":282},{},[283],{"nodeType":247,"value":284,"marks":285,"data":286},"The “new perimeter” … from a red-teamer’s perspective",[],{},{"nodeType":252,"data":288,"content":289},{},[290],{"nodeType":247,"value":29,"marks":291,"data":292},[],{},{"nodeType":252,"data":294,"content":295},{},[296],{"nodeType":247,"value":297,"marks":298,"data":299},"To see how identities are the new thing, it helps to see how we got here.",[],{},{"nodeType":301,"data":302,"content":303},"heading-2",{},[304],{"nodeType":247,"value":305,"marks":306,"data":307},"The good old days",[],{},{"nodeType":252,"data":309,"content":310},{},[311],{"nodeType":247,"value":312,"marks":313,"data":314},"A couple of decades ago, I was just getting started as a red-teamer or penetration tester, or whatever you want to call it. The job is to do what real attackers do so clients could understand the attack techniques and better defend against them. The most stressful part of each project was the first step - getting initial access to the target - getting past their perimeter and into the (usually) soft internals.",[],{},{"nodeType":252,"data":316,"content":317},{},[318],{"nodeType":247,"value":319,"marks":320,"data":321},"A security perimeter is a boundary at which controls can be enforced. From an offensive perspective, a security perimeter is the same as an attack surface: where you can target initial attacks to gain a foothold, from which you can launch further attacks. I use perimeter and attack surface interchangeably going forward.",[],{},{"nodeType":252,"data":323,"content":324},{},[325,329,335],{"nodeType":247,"value":326,"marks":327,"data":328},"A perimeter can be physical, like a wall around a house, or virtual like the network boundary between an internal network and the internet where controls are things like firewalls. A couple of decades ago this internet network boundary was ",[],{},{"nodeType":247,"value":330,"marks":331,"data":334},"the",[332],{"type":333},"italic",{},{"nodeType":247,"value":336,"marks":337,"data":338}," perimeter. As any decent red-teamer during this era, we had a pretty well-oiled process of mapping a client’s external network, scanning it for services, and then identifying and exploiting known vulnerabilities in those services. With this foothold on a target network, we could pivot to other, more sensitive internal systems.",[],{},{"nodeType":252,"data":340,"content":341},{},[342],{"nodeType":247,"value":343,"marks":344,"data":345},"Blue teams started having success with automated vulnerability scanning and patching programs, during this time. Then red teams responded by focusing on finding new vulnerabilities, especially in custom code like web applications. I fondly remember using techniques like xp_cmdshell with SQL injection to get access to breach perimeter systems and get access to internal networks. As DMZs, SDLC, vuln scanning and a dozen other tactics became generally adopted things improved to the point where those standard red-team playbooks weren’t working anymore. ",[],{},{"nodeType":301,"data":347,"content":348},{},[349],{"nodeType":247,"value":350,"marks":351,"data":352},"The shift to targeting users and their endpoints",[],{},{"nodeType":252,"data":354,"content":355},{},[356],{"nodeType":247,"value":357,"marks":358,"data":359},"About a decade ago, attackers realized it was easier to breach the perimeter and gain access to internal networks by simply targeting users with endpoints directly connected to the internal network. At the time the main techniques were email phishing and malicious web pages delivering exploits or straight malware. We put down Burp and our other web app testing tools and started spending our time crafting phishing emails with malicious macro-laden Microsoft Office documents for that initial entrypoint.",[],{},{"nodeType":252,"data":361,"content":362},{},[363],{"nodeType":247,"value":364,"marks":365,"data":366},"Defenders were on the back foot and even back then the “train your employees to spot attacks” advice felt as totally unrealistic as it’s now proved to be. The zeitgeist suggested, \"Attackers only need to succeed once; defenders must succeed every time.\" Defenders were blind and the focus was firmly on detection. Much much better telemetry was needed, which spawned the endpoint detection and response (EDR) revolution. ",[],{},{"nodeType":252,"data":368,"content":369},{},[370],{"nodeType":247,"value":371,"marks":372,"data":373},"EDR required immediate changes to red team tactics, and together with better endpoint security defaults, automatic OS updates (that actually started working) and memory exploit protections (things like DEP and ASLR) the timelines for successful attacks were stretching a lot.",[],{},{"nodeType":301,"data":375,"content":376},{},[377],{"nodeType":247,"value":378,"marks":379,"data":380},"The modern perimeter",[],{},{"nodeType":252,"data":382,"content":383},{},[384],{"nodeType":247,"value":385,"marks":386,"data":387},"Attackers have had to change tactics yet again, due to the rising cost of attacking endpoints and the fact that data has moved off endpoints and internal networks and onto cloud systems or Software as a Service (SaaS) applications.",[],{},{"nodeType":389,"data":390,"content":396},"embedded-entry-block",{"target":391},{"sys":392},{"id":393,"type":394,"linkType":395},"79wGG37CY7aBdRrdjO5eQY","Link","Entry",[],{"nodeType":252,"data":398,"content":399},{},[400],{"nodeType":247,"value":401,"marks":402,"data":403},"Identities have always existed as a target for attackers and were a critical part of the kill chain, but they used to be protected by some other perimeter, be that a network perimeter or an endpoint perimeter. ",[],{},{"nodeType":252,"data":405,"content":406},{},[407],{"nodeType":247,"value":408,"marks":409,"data":410},"This has fundamentally changed as modern work applications are now directly exposed to the internet  - and the only thing needed to access these apps are identities. That means identities are now no longer the second or third target but the initial target, the new perimeter.",[],{},{"nodeType":243,"data":412,"content":413},{},[414],{"nodeType":247,"value":415,"marks":416,"data":417},"Securing the (identity) perimeter",[],{},{"nodeType":252,"data":419,"content":420},{},[421],{"nodeType":247,"value":422,"marks":423,"data":424},"To understand how we can protect this new perimeter, I’ll discuss the general approach to securing any perimeter, and then how this applies to the identity attack surface.",[],{},{"nodeType":389,"data":426,"content":430},{"target":427},{"sys":428},{"id":429,"type":394,"linkType":395},"c0YSk60vVULBPorLkkBPL",[],{"nodeType":301,"data":432,"content":433},{},[434],{"nodeType":247,"value":435,"marks":436,"data":439},"1. Map your perimeter",[437],{"type":438},"bold",{},{"nodeType":252,"data":441,"content":442},{},[443],{"nodeType":247,"value":444,"marks":445,"data":446},"It’s impossible to secure what you don’t know about. Whether your perimeter is made of network services, user endpoints or identities, you must know what they are before you can implement controls to protect them, and crucially, verify those controls are effective.",[],{},{"nodeType":252,"data":448,"content":449},{},[450],{"nodeType":247,"value":451,"marks":452,"data":453},"In a traditional network setting, you might ask IT to inventory public network ranges, domains you own, and internet facing servers and services to get visibility into your attack surface. This is a pretty complex task and lots of the static inventory will quickly become outdated and incomplete. That’s why many orgs will perform network discovery activities to find internet-exposed network services, using anything from basic network scans to find onsite or self-hosted services to querying APIs in cloud infrastructure platforms (like AWS or Azure).",[],{},{"nodeType":252,"data":455,"content":456},{},[457],{"nodeType":247,"value":458,"marks":459,"data":460},"There are parallels in the identity perimeter space, like querying Identity Providers (IdPs like Entra/AzureAD or Okta) for federated identities to map the attack surface. Unfortunately there is no equivalent to scanning your public network ranges for identities, since you can’t scan or query an app to find accounts on your domain (would that we could!). This problem is compounded by the fact that while IT and developers are typically the only ones that can create and expose new network services, most apps allow any employee to create a new identity by signing up to a free account outside your SSO solution.",[],{},{"nodeType":252,"data":462,"content":463},{},[464],{"nodeType":247,"value":465,"marks":466,"data":467},"Knowing your perimeter without a technical solution is going to be a very hit and miss affair. To have confidence that you understand your identity perimeter, you need an inventory solution that can discover SSO identities (the easy part), as well as identities created outside SSO, like local accounts those employees created just by signing up. To secure identities it’s not enough to know that an employee is accessing an app website, you need to know if they are logged in and what identity they are using (is the username a company email or personal gmail?) or you’ll be dealing with endless false positives.",[],{},{"nodeType":301,"data":469,"content":470},{},[471],{"nodeType":247,"value":472,"marks":473,"data":475},"2. Reduce the size of your attack surface",[474],{"type":438},{},{"nodeType":252,"data":477,"content":478},{},[479],{"nodeType":247,"value":480,"marks":481,"data":482},"Once you have an idea of what makes up your perimeter, it’s generally a good idea to make it as small as possible. If you halve the number of network services an attacker can target, that means you can spend twice as long per service to secure the ones that remain - the same goes for identities!",[],{},{"nodeType":389,"data":484,"content":488},{"target":485},{"sys":486},{"id":487,"type":394,"linkType":395},"2XZ5vADLzuEnc2aAdZrkbO",[],{"nodeType":252,"data":490,"content":491},{},[492],{"nodeType":247,"value":493,"marks":494,"data":495},"To start this process, remove unused or unnecessary targets from the perimeter. ",[],{},{"nodeType":252,"data":497,"content":498},{},[499],{"nodeType":247,"value":500,"marks":501,"data":502},"On a network perimeter that might mean:",[],{},{"nodeType":504,"data":505,"content":506},"unordered-list",{},[507,518],{"nodeType":508,"data":509,"content":510},"list-item",{},[511],{"nodeType":252,"data":512,"content":513},{},[514],{"nodeType":247,"value":515,"marks":516,"data":517},"Shutting down unused servers or",[],{},{"nodeType":508,"data":519,"content":520},{},[521],{"nodeType":252,"data":522,"content":523},{},[524],{"nodeType":247,"value":525,"marks":526,"data":527},"Firewalling services that don’t need to be exposed to the internet.",[],{},{"nodeType":252,"data":529,"content":530},{},[531],{"nodeType":247,"value":532,"marks":533,"data":534},"In the identity space, you might:",[],{},{"nodeType":504,"data":536,"content":537},{},[538,548,558],{"nodeType":508,"data":539,"content":540},{},[541],{"nodeType":252,"data":542,"content":543},{},[544],{"nodeType":247,"value":545,"marks":546,"data":547},"Make sure new accounts use existing federated identities,",[],{},{"nodeType":508,"data":549,"content":550},{},[551],{"nodeType":252,"data":552,"content":553},{},[554],{"nodeType":247,"value":555,"marks":556,"data":557},"Delete or disable unused SSO identities on your IdP, or ",[],{},{"nodeType":508,"data":559,"content":560},{},[561],{"nodeType":252,"data":562,"content":563},{},[564],{"nodeType":247,"value":565,"marks":566,"data":567},"Manually delete unnecessary user accounts on work apps.",[],{},{"nodeType":252,"data":569,"content":570},{},[571],{"nodeType":247,"value":572,"marks":573,"data":574},"Manually deleting an unmanaged local identity on an app, e.g. after an employee leaves your org, is a (very) non-trivial task. This is because you often don’t known of the accounts and don't have access to manage the account (the IT or security team aren’t admin on the app tenant where it exists). You might have access to the user’s mailbox and be able to get access to the account by going through an account recovery flow and delete the account that way - but this is very time consuming and even more difficult if the user enabled MFA (which is what you want them to do!).",[],{},{"nodeType":252,"data":576,"content":577},{},[578,582,587],{"nodeType":247,"value":579,"marks":580,"data":581},"Given the difficulty of managing these accounts, a better strategy is to ",[],{},{"nodeType":247,"value":583,"marks":584,"data":586},"make sure they never exist in the first place",[585],{"type":438},{},{"nodeType":247,"value":588,"marks":589,"data":590},". If you find you have lots of identities on an app you may decide the risk warrants IT effort and you can take over management of the app and integrate it with your IdP solution - or ask employees to use an alternative app instead. You can also use browser-based technical controls to prevent users from creating local identities in the first place.",[],{},{"nodeType":301,"data":592,"content":593},{},[594],{"nodeType":247,"value":595,"marks":596,"data":598},"3. Harden the perimeter",[597],{"type":438},{},{"nodeType":252,"data":600,"content":601},{},[602],{"nodeType":247,"value":603,"marks":604,"data":605},"Once you’ve made the perimeter as small as possible, the next step is to make it more difficult to breach that perimeter. Similar to the other objectives, but especially here, there are two sides to this. First the implementation; you have processes, configuration standards, and tools to make sure network services are updated and securely configured. Virtually no one achieves success simply through implementing good processes, you must continually verify that these processes work and that it continues to work.",[],{},{"nodeType":252,"data":607,"content":608},{},[609],{"nodeType":247,"value":610,"marks":611,"data":612},"To verify network controls are in place and working you do something like vulnerability scanning, where you check the perimeter for known vulnerabilities that an attacker could exploit and gain a foothold on your internal network. You might even have a risk profile that means you are concerned about more targeted attacks and hire pentesters or run a bug-bounty program to find weaknesses that can’t be automatically discovered. Very few organizations with an external network of any significant size perform a vulnerability scan for the first time - even a low-quality automated one - and find no serious issues. ",[],{},{"nodeType":252,"data":614,"content":615},{},[616],{"nodeType":247,"value":617,"marks":618,"data":619},"In the identity space, the status-quo is to be content with making policies and implementing and configuring an SSO system without explicit verification that it works as it should. We should be following the same level of verification processes for the identity perimeter as we do/did for the endpoint and network perimeter. ",[],{},{"nodeType":252,"data":621,"content":622},{},[623],{"nodeType":247,"value":624,"marks":625,"data":626},"In this case, the vulnerabilities we are looking for aren’t unpatched systems or zero-days. Instead, we’re looking for:",[],{},{"nodeType":504,"data":628,"content":629},{},[630,640,650,660,670],{"nodeType":508,"data":631,"content":632},{},[633],{"nodeType":252,"data":634,"content":635},{},[636],{"nodeType":247,"value":637,"marks":638,"data":639},"Accounts without MFA, ",[],{},{"nodeType":508,"data":641,"content":642},{},[643],{"nodeType":252,"data":644,"content":645},{},[646],{"nodeType":247,"value":647,"marks":648,"data":649},"Those using weak MFA methods that make them phish-able,",[],{},{"nodeType":508,"data":651,"content":652},{},[653],{"nodeType":252,"data":654,"content":655},{},[656],{"nodeType":247,"value":657,"marks":658,"data":659},"Employees re-using the same password across multiple accounts, ",[],{},{"nodeType":508,"data":661,"content":662},{},[663],{"nodeType":252,"data":664,"content":665},{},[666],{"nodeType":247,"value":667,"marks":668,"data":669},"Passwords that exist in public breach dumps,",[],{},{"nodeType":508,"data":671,"content":672},{},[673],{"nodeType":252,"data":674,"content":675},{},[676],{"nodeType":247,"value":677,"marks":678,"data":679},"Identities that should be in SSO but aren’t.",[],{},{"nodeType":252,"data":681,"content":682},{},[683],{"nodeType":247,"value":684,"marks":685,"data":686},"It’s not yet standard practice to test or verify that identity controls are in place, but if the past has taught us anything it soon will be. You'd be surprised how many times we find that the MFA policies security teams thought they had in place, actually aren't.",[],{},{"nodeType":389,"data":688,"content":692},{"target":689},{"sys":690},{"id":691,"type":394,"linkType":395},"4w5UZcf5hJ7ADuoT5W2tkC",[],{"nodeType":252,"data":694,"content":695},{},[696],{"nodeType":247,"value":697,"marks":698,"data":699},"Part of the reason for this lack of verification is due to lack of awareness. While identities used to be an internal thing that we protected with the network perimeter, online identities today are external and have slowly become the perimeter, almost without anyone noticing. While online identities are external, they are absolutely part of your attack surface and must be controlled and hardened to some extent.",[],{},{"nodeType":252,"data":701,"content":702},{},[703],{"nodeType":247,"value":704,"marks":705,"data":706},"Verifying controls is also really difficult, which is another reason we may not be making it a crucial step in the process. Customers feel that SSO solutions are security solutions and using security tools on security tools feel wrong. But it’s no different to vuln-scanning to ensure your firewalls are patched and don’t have default passwords. ",[],{},{"nodeType":252,"data":708,"content":709},{},[710],{"nodeType":247,"value":711,"marks":712,"data":713},"Verification can also be legally challenging because it’s not yet clear whether pentesters or red teamers are allowed to target online identities during assessments. Often these assets aren’t considered in scope during client assessments. This means these vulnerabilities rarely end up in pentest reports and therefore don’t enter many organization’s security or risk management processes. Since you own the identities (even on a third party identity solution or app) and are allowed to grant permission to the red team to use these identities, it seems to me that adding identities to the scope is distinct from bug hunting or vulnerability research on these apps (which is the legally challenging aspect). I would strongly recommend that you discuss including online identities with the red team as part of your next pentest.",[],{},{"nodeType":301,"data":715,"content":716},{},[717],{"nodeType":247,"value":718,"marks":719,"data":721},"4. Limit breach impact",[720],{"type":438},{},{"nodeType":252,"data":723,"content":724},{},[725],{"nodeType":247,"value":726,"marks":727,"data":728},"The unfortunate reality is that regardless of what we do to harden a perimeter, there will always be a chance that breaches occur. The goal is to reduce that risk by minimizing the attack surface and hardening identities. ",[],{},{"nodeType":252,"data":730,"content":731},{},[732],{"nodeType":247,"value":733,"marks":734,"data":735},"When an attacker does get a foothold (by compromising an identity, for instance) you need to to restrict their further actions. Risk involves both the likelihood and the impact of an event. Previously, we focused on reducing the likelihood of breaches. Now, we're also aiming to lessen the impact if they do occur.",[],{},{"nodeType":252,"data":737,"content":738},{},[739],{"nodeType":247,"value":740,"marks":741,"data":742},"In our network perimeter story, we might think of using a DMZ network to restrict network access for systems exposed to the internet. A common example of a failure to limit impact on a Windows endpoint breach is having service accounts on all endpoints with Domain Administrator permission - which effectively turns a breach of any endpoint very quickly into a breach of every endpoint.",[],{},{"nodeType":252,"data":744,"content":745},{},[746,750,761,765,773],{"nodeType":247,"value":747,"marks":748,"data":749},"In an identity context, we need to think not only of the direct effect of an identity compromise (e.g. what data can this account read), but also of further lateral movement attacks. Consider this ",[],{},{"nodeType":751,"data":752,"content":754},"hyperlink",{"uri":753},"https://pushsecurity.com/blog/oktajacking/",[755],{"nodeType":247,"value":756,"marks":757,"data":760},"Oktajacking",[758],{"type":759},"underline",{},{"nodeType":247,"value":762,"marks":763,"data":764}," case study where a breached identity with admin permissions on an otherwise low-risk app which is connected to SSO can be used to perform a ",[],{},{"nodeType":751,"data":766,"content":768},{"uri":767},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/samljacking/description.md",[769],{"nodeType":247,"value":770,"marks":771,"data":772},"SAMLjacking",[],{},{"nodeType":247,"value":774,"marks":775,"data":776}," attack that compromises SSO credentials for all other users of the same low-risk app.",[],{},{"nodeType":252,"data":778,"content":779},{},[780],{"nodeType":247,"value":781,"marks":782,"data":783},"In contrast to traditional network or endpoint breaches, identity breaches are scoped to the permissions that the compromised account has. If an identity is compromised, whatever that identity is authorized to do is the scope of the breach. For example:",[],{},{"nodeType":504,"data":785,"content":786},{},[787,797],{"nodeType":508,"data":788,"content":789},{},[790],{"nodeType":252,"data":791,"content":792},{},[793],{"nodeType":247,"value":794,"marks":795,"data":796},"If an identity with read access to a code repository was breached you might consider that all the source code (hopefully no secrets!) they had read access to was taken unless you can prove otherwise. This is often more difficult than you expect - last time I checked Github (by far the world's most popular source code repository app) logs didn’t include, for example, zipped repo downloads. ",[],{},{"nodeType":508,"data":798,"content":799},{},[800],{"nodeType":252,"data":801,"content":802},{},[803,807,815],{"nodeType":247,"value":804,"marks":805,"data":806},"If an identity with write permission was compromised, you would also need to check all commits/changes to ensure no code was backdoored. The same applies for other apps - think of an identity with write access to a wiki being used to ",[],{},{"nodeType":751,"data":808,"content":810},{"uri":809},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/link_backdooring/description.md",[811],{"nodeType":247,"value":812,"marks":813,"data":814},"drop links to phishing pages",[],{},{"nodeType":247,"value":816,"marks":817,"data":818},".",[],{},{"nodeType":252,"data":820,"content":821},{},[822],{"nodeType":247,"value":823,"marks":824,"data":825},"For primary cloud collaboration platforms with complex data types (think O365 or Google Workspace) your IT team is likely already managing policies to limit the data that a user can read. For primary cloud hosting platforms your DevOps teams are likely maintaining policies to manage privileged access to production systems. The situation is typically very different for the few dozen high risk “core apps” beyond the 2 or 3 apps that receive a lot of attention and have dedicated teams.",[],{},{"nodeType":252,"data":827,"content":828},{},[829],{"nodeType":247,"value":830,"marks":831,"data":832},"Starting to review roles and permissions across the few dozen or so high-risk apps that are not as actively managed (or more likely self-managed by the teams using them) is a good way to start addressing the residual risk. The good news here is that most modern work apps use a much simpler permission model based largely around predefined roles like Owner, Admin, or Employee or similar variations. This means less flexibility, but also makes it a lot easier to manage permissions for identities on these apps - on balance, a good trade!",[],{},{"nodeType":252,"data":834,"content":835},{},[836],{"nodeType":247,"value":837,"marks":838,"data":839},"Consider this as part of your identity and access management review process. Something that used to be scoped around Active Directory group membership, but in a modern online identity context, now must be applied across many different work apps. ",[],{},{"nodeType":252,"data":841,"content":842},{},[843],{"nodeType":247,"value":844,"marks":845,"data":846},"Unless you want to try to get access to each tenant of each app and normalize this data into a mega-spreadsheet, you need access to this data in your identity inventory. This is an especially big challenge as teams find many of the apps they care about support authentication through SSO, but not authorization.",[],{},{"nodeType":301,"data":848,"content":849},{},[850],{"nodeType":247,"value":851,"marks":852,"data":854},"5. Detect and respond to attacks",[853],{"type":438},{},{"nodeType":252,"data":856,"content":857},{},[858],{"nodeType":247,"value":859,"marks":860,"data":861},"Your last line of defense in protecting a perimeter is to monitor for attacks. It’s typically when controls and detections fail that breaches end in the news. ",[],{},{"nodeType":252,"data":863,"content":864},{},[865],{"nodeType":247,"value":866,"marks":867,"data":868},"Telemetry is the core building block of attack detection. Typically, you might ingest audit or event logs into a SIEM system. To detect attacks against identities, you’ll typically want to start with telemetry from SSO or IdP logs. These will provide some minimal coverage of many of the IT managed apps, but unfortunately attacks are more likely to happen on apps that aren’t SSO integrated, so we need a strategy to cover these as well. An identity inventory is a critical starting point to identify non-SSO apps from which you can collect event logs, as well as giving you visibility of the identities that are not covered.",[],{},{"nodeType":252,"data":870,"content":871},{},[872],{"nodeType":247,"value":873,"marks":874,"data":875},"Monitoring breaches for hosted work apps is different from other domains, largely because you are almost totally reliant on the app vendor to produce the telemetry. Unfortunately (I suspect primarily due to lack of customer demand), many apps don’t offer any centralized logging functionality at all, and those that do offer limited audit logs, or only do so on the top tier “enterprise” license plans. ",[],{},{"nodeType":252,"data":877,"content":878},{},[879],{"nodeType":247,"value":880,"marks":881,"data":882},"In the network or endpoint world, when you need more telemetry you have all the access you need to install software or hardware to generate that additional telemetry. You could put a network monitoring appliance in-line with your internet gateways or install an endpoint (EDR) agent to generate more telemetry than your router or endpoint OS will generate. You can add a proxy in front of an app for your users, but (except for a very small number of highly configurable apps) you can’t make attackers go through your proxy.",[],{},{"nodeType":252,"data":884,"content":885},{},[886],{"nodeType":247,"value":887,"marks":888,"data":889},"What you can do, however, is generate additional telemetry on what happens to your employee’s identities in the browser. This is possible through browser extensions which can be managed through the enterprise management features available for all mainstream browsers (Chrome, Edge, Firefox, Safari, Brave etc. etc.). This is incredibly powerful, and useful in directly detecting a range of identity attacks like phishing (is an employee trying to enter an SSO password into an app that isn’t the SSO login page?), but also through correlations with existing application or IdP logs that indicate account takeover (e.g. has there been a login event that wasn’t observed through the employee’s browser as well).",[],{},{"nodeType":243,"data":891,"content":892},{},[893],{"nodeType":247,"value":894,"marks":895,"data":896},"Same, but different",[],{},{"nodeType":252,"data":898,"content":899},{},[900],{"nodeType":247,"value":901,"marks":902,"data":903},"Whether we’re looking at the Verizon DBIR or just keeping up with security news, it’s clear that identity-based attacks are already responsible for a significant number of breaches. Attackers have started shifting their focus and security teams need to recognize this shift and adapt.",[],{},{"nodeType":252,"data":905,"content":906},{},[907],{"nodeType":247,"value":908,"marks":909,"data":910},"This doesn’t require that we fundamentally rethink security or anything that radical, just that we apply what we’ve learned over the last couple of decades to this new domain. There are some new technologies and protocols to understand, new tools are needed, but the fundamentals like authentication and authorization are already familiar to any security professional. ",[],{},{"nodeType":252,"data":912,"content":913},{},[914,918,926],{"nodeType":247,"value":915,"marks":916,"data":917},"If you follow what I’ve outlined here, a lot of the decisions we’ve made with building Push will make perfect sense. For example, you can’t make API integrations with apps to find identities when you don’t know about the apps or identities yet, so we needed a unique new data source. We use our own custom-built browser extension that’s force-deployed to your workforce, so we can observe employee identities as they are used in the browser. This gives us some pretty unique capabilities. If you found this interesting, follow us on ",[],{},{"nodeType":751,"data":919,"content":921},{"uri":920},"https://www.linkedin.com/company/push-security",[922],{"nodeType":247,"value":923,"marks":924,"data":925},"Linkedin",[],{},{"nodeType":247,"value":927,"marks":928,"data":929}," for more detailed blogs as we unpack this topic.",[],{},{"nodeType":389,"data":931,"content":935},{"target":932},{"sys":933},{"id":934,"type":394,"linkType":395},"H7m9DHmbE945FO193oLYP",[],{"nodeType":252,"data":937,"content":938},{},[939],{"nodeType":247,"value":29,"marks":940,"data":941},[],{},{"entries":943},{"hyperlink":944,"inline":945,"block":946},[],[],[947,955,961,967,971],{"sys":948,"__typename":949,"title":950,"caption":62,"layoutMode":62,"file":951},{"id":393},"Image","Identity Security Attack Graphic",{"url":952,"width":953,"height":954},"https://images.ctfassets.net/y1cdw1ablpvd/4x0xxIRhYLw1v8NyXfSIKG/e10b949c8d5694239dc3d9e0a0e9d7a2/IdentitySecurity101_A.png",2560,1440,{"sys":956,"__typename":949,"title":415,"caption":62,"layoutMode":62,"file":957},{"id":429},{"url":958,"width":959,"height":960},"https://images.ctfassets.net/y1cdw1ablpvd/3vdIRlCwvBIk9RVpjRXojS/8092a8c05abb75206373e55340bbd07e/IdentitySecurity101_B.png",1280,720,{"sys":962,"__typename":963,"background":964,"text":966},{"id":487},"CalloutWidget",[965],"Sea Blue","“If you halve the number of network services an attacker can target, that means you can spend twice as long per service to secure the ones that remain - the same goes for identities!”",{"sys":968,"__typename":963,"background":969,"text":970},{"id":691},[965],"It’s not yet standard practice to test or verify that identity controls are in place, but if the past has taught us anything it soon will be.",{"sys":972,"__typename":973,"type":974,"ctaText":975,"buttonLabel":976,"buttonColour":977,"buttonUrl":62},{"id":934},"CtaWidget","Demo","Push maps your identity attack surface, hardens and minimizes it, helps you reduce impact and provides a unique telemetry source to help you detect and respond to identity attacks.","Book a demo","sunny orange","json",{"items":980},[],{},"Push Security: 5 Ways to Defeat Identity-Based Attacks",{"url":984},"https://images.ctfassets.net/y1cdw1ablpvd/4fNcMVZPgTYGgMRk7Wn0pd/9195a26bf242fa006e61ba45778f248f/Identity-Based-Attacks.png","2024-02-26T00:00:00.000Z",{"items":987},[988,1806],{"__typename":989,"sys":990,"content":992,"title":1788,"synopsis":1789,"hashTags":62,"publishedDate":1790,"slug":1791,"tagsCollection":1792,"authorsCollection":1802},"BlogPosts",{"id":991},"6VZQJzQ2FNetGNMEjiuXB2",{"json":993},{"nodeType":239,"data":994,"content":995},{},[996,1003,1010,1017,1024,1031,1038,1044,1063,1070,1115,1122,1129,1174,1194,1201,1208,1215,1235,1255,1262,1295,1302,1322,1329,1336,1368,1388,1395,1401,1408,1415,1422,1429,1436,1443,1450,1457,1464,1471,1478,1485,1501,1508,1579,1586,1593,1622,1637,1644,1651,1658,1691,1711,1718,1725,1732,1739,1758,1776,1782],{"nodeType":252,"data":997,"content":998},{},[999],{"nodeType":247,"value":1000,"marks":1001,"data":1002},"Our goal at Push is simple — to stop identity attacks. Today, the vast majority of identity vulnerabilities exist in the context of SaaS apps. ",[],{},{"nodeType":252,"data":1004,"content":1005},{},[1006],{"nodeType":247,"value":1007,"marks":1008,"data":1009},"The reasons for this are clear: Security teams have reduced central oversight and control over SaaS apps than they are used to, these apps exist in large numbers per company, and the identities that are used to access these apps are... complicated, to say the least. Securing hundreds of apps, with thousands of associated identities, is therefore no mean feat. ",[],{},{"nodeType":252,"data":1011,"content":1012},{},[1013],{"nodeType":247,"value":1014,"marks":1015,"data":1016},"Securing SaaS use means building controls that are easy to use, easy to understand — and ultimately effective. Not just effective against the hand-wavy concept of “SaaS attacks,” but specific techniques — the most common techniques that are likely to cause real damage.",[],{},{"nodeType":252,"data":1018,"content":1019},{},[1020],{"nodeType":247,"value":1021,"marks":1022,"data":1023},"To talk about this, we need to have a shared understanding of what these techniques are. To get that conversation going, we’ve pulled together all the techniques we're aware of, and our research team has even added a bunch of new ones.",[],{},{"nodeType":243,"data":1025,"content":1026},{},[1027],{"nodeType":247,"value":1028,"marks":1029,"data":1030},"The SaaS attack matrix",[],{},{"nodeType":252,"data":1032,"content":1033},{},[1034],{"nodeType":247,"value":1035,"marks":1036,"data":1037},"We’ve taken inspiration from the MITRE ATT&CK framework (certainly intended as the sincerest form of flattery), but wanted to make a conscious break away from the endpoint-focused ATT&CK techniques and instead focus on techniques that are SaaS-specific. In fact, these techniques don’t touch endpoints (so they bypass EDR) or customer networks (so they bypass network detection) — so we’re calling them networkless attacks.",[],{},{"nodeType":389,"data":1039,"content":1043},{"target":1040},{"sys":1041},{"id":1042,"type":394,"linkType":395},"768Zv5gTVHyu5rbzJAzL4F",[],{"nodeType":252,"data":1045,"content":1046},{},[1047,1051,1060],{"nodeType":247,"value":1048,"marks":1049,"data":1050},"You can find more detailed descriptions of these techniques (and hopefully PRs for some we missed) on ",[],{},{"nodeType":751,"data":1052,"content":1054},{"uri":1053},"https://github.com/pushsecurity/saas-attacks",[1055],{"nodeType":247,"value":1056,"marks":1057,"data":1059},"GitHub",[1058],{"type":759},{},{"nodeType":247,"value":816,"marks":1061,"data":1062},[],{},{"nodeType":252,"data":1064,"content":1065},{},[1066],{"nodeType":247,"value":1067,"marks":1068,"data":1069},"Since we’re not targeting endpoints, let’s talk about the new targets: The accounts/identities on SaaS apps. We found it was useful to think about these identities not as standalone isolated islands — but much more like a graph; less a single web-server on the internet and more like many Windows endpoints on an Active Directory. ",[],{},{"nodeType":252,"data":1071,"content":1072},{},[1073,1077,1086,1090,1099,1103,1111],{"nodeType":247,"value":1074,"marks":1075,"data":1076},"You can leverage this access to an identity on a trusted platform to target (so laterally move or escalate privilege to) other users or identities. For example, attacks like using access to SaaS apps to ",[],{},{"nodeType":751,"data":1078,"content":1080},{"uri":1079},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/in-app_phishing/description.md",[1081],{"nodeType":247,"value":1082,"marks":1083,"data":1085},"phish other employees through comments",[1084],{"type":759},{},{"nodeType":247,"value":1087,"marks":1088,"data":1089}," and ",[],{},{"nodeType":751,"data":1091,"content":1093},{"uri":1092},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/im_user_spoofing/description.md",[1094],{"nodeType":247,"value":1095,"marks":1096,"data":1098},"spoofing users on IM platforms",[1097],{"type":759},{},{"nodeType":247,"value":1100,"marks":1101,"data":1102}," to social engineer them there — or perhaps ",[],{},{"nodeType":751,"data":1104,"content":1105},{"uri":809},[1106],{"nodeType":247,"value":1107,"marks":1108,"data":1110},"backdooring links",[1109],{"type":759},{},{"nodeType":247,"value":1112,"marks":1113,"data":1114}," in documents.",[],{},{"nodeType":252,"data":1116,"content":1117},{},[1118],{"nodeType":247,"value":1119,"marks":1120,"data":1121},"In this case, unusually, it’s not the data in these hundreds of SaaS apps that create risk, and you need to consider low-risk (from a data perspective) apps as a vector to pivot to higher-risk apps in your estate.",[],{},{"nodeType":301,"data":1123,"content":1124},{},[1125],{"nodeType":247,"value":1126,"marks":1127,"data":1128},"Initial access and poisoned tenants",[],{},{"nodeType":252,"data":1130,"content":1131},{},[1132,1136,1145,1148,1157,1161,1170],{"nodeType":247,"value":1133,"marks":1134,"data":1135},"Attacks like ",[],{},{"nodeType":751,"data":1137,"content":1139},{"uri":1138},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/credential_stuffing/description.md",[1140],{"nodeType":247,"value":1141,"marks":1142,"data":1144},"credential stuffing",[1143],{"type":759},{},{"nodeType":247,"value":1087,"marks":1146,"data":1147},[],{},{"nodeType":751,"data":1149,"content":1151},{"uri":1150},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/email_phishing/description.md",[1152],{"nodeType":247,"value":1153,"marks":1154,"data":1156},"email phishing",[1155],{"type":759},{},{"nodeType":247,"value":1158,"marks":1159,"data":1160}," that get you initial access to SaaS apps are fairly well known — because they work and are widely used. We’re also starting to see tools and attacks that suggest that ",[],{},{"nodeType":751,"data":1162,"content":1164},{"uri":1163},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/im_phishing/description.md",[1165],{"nodeType":247,"value":1166,"marks":1167,"data":1169},"phishing employees through these IM apps",[1168],{"type":759},{},{"nodeType":247,"value":1171,"marks":1172,"data":1173}," is about to go mainstream.",[],{},{"nodeType":252,"data":1175,"content":1176},{},[1177,1181,1190],{"nodeType":247,"value":1178,"marks":1179,"data":1180},"Another interesting attack is a spin on the classic waterhole attack called a ",[],{},{"nodeType":751,"data":1182,"content":1184},{"uri":1183},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/poisoned_tenants/description.md",[1185],{"nodeType":247,"value":1186,"marks":1187,"data":1189},"poisoned tenant",[1188],{"type":759},{},{"nodeType":247,"value":1191,"marks":1192,"data":1193},". Rather than attacking a customer tenant for a SaaS app, the attacker lures employees into joining an attacker-controlled tenant. ",[],{},{"nodeType":252,"data":1195,"content":1196},{},[1197],{"nodeType":247,"value":1198,"marks":1199,"data":1200},"SaaS apps allow anyone to name app tenants (a.k.a. spaces, teams, or instances) anything they like — including your company name. Attackers send invites to your employees from within the app with a customized message explaining why they should join this new tenant (or sign up to the app if they are not already a user). ",[],{},{"nodeType":252,"data":1202,"content":1203},{},[1204],{"nodeType":247,"value":1205,"marks":1206,"data":1207},"Attackers might even pay for premium licenses in the app to further entice employees to join. The attacker then waits for the employee to upload sensitive data or create integrations with other company apps containing crown jewels.",[],{},{"nodeType":301,"data":1209,"content":1210},{},[1211],{"nodeType":247,"value":1212,"marks":1213,"data":1214},"Living-off-the-(SaaS)-land to persist and avoid detection",[],{},{"nodeType":252,"data":1216,"content":1217},{},[1218,1222,1231],{"nodeType":247,"value":1219,"marks":1220,"data":1221},"In the endpoint world, a favorite technique is the use of legit OS utilities or ",[],{},{"nodeType":751,"data":1223,"content":1225},{"uri":1224},"https://lolbas-project.github.io",[1226],{"nodeType":247,"value":1227,"marks":1228,"data":1230},"LOLBaS",[1229],{"type":759},{},{"nodeType":247,"value":1232,"marks":1233,"data":1234}," (Living-Off-the-Land Binaries and Scripts), which are often signed Microsoft utilities. Perhaps the most well-known example is executing scripts through PowerShell rather than building custom malware. That isn’t as useful these days, but there was a time when PowerShell was routinely used to bypass AV, EDR, and even app allow-listing.",[],{},{"nodeType":252,"data":1236,"content":1237},{},[1238,1242,1251],{"nodeType":247,"value":1239,"marks":1240,"data":1241},"In that same living-off-the-land mindset, an attacker trying to maintain access to each SaaS app they compromise using custom OAuth integration apps might instead choose to use legit SaaS apps that specialize in workflow automation to create ",[],{},{"nodeType":751,"data":1243,"content":1245},{"uri":1244},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/shadow_workflows/description.md",[1246],{"nodeType":247,"value":1247,"marks":1248,"data":1250},"shadow workflows",[1249],{"type":759},{},{"nodeType":247,"value":1252,"marks":1253,"data":1254},". Utilizing legit SaaS apps also means they can hide in plain sight from incident responders, instead of having to rely on unverified or unpublished integrations.",[],{},{"nodeType":252,"data":1256,"content":1257},{},[1258],{"nodeType":247,"value":1259,"marks":1260,"data":1261},"Perhaps the best example here is using a well-known automation app like Zapier, which claims to have more than 5,000 integrations. These integrations are often verified, approved, and connected to a trusted vendor (Zapier). An attacker might create workflows to:",[],{},{"nodeType":504,"data":1263,"content":1264},{},[1265,1275,1285],{"nodeType":508,"data":1266,"content":1267},{},[1268],{"nodeType":252,"data":1269,"content":1270},{},[1271],{"nodeType":247,"value":1272,"marks":1273,"data":1274},"Do daily data exfiltration from a victim’s data lake.",[],{},{"nodeType":508,"data":1276,"content":1277},{},[1278],{"nodeType":252,"data":1279,"content":1280},{},[1281],{"nodeType":247,"value":1282,"marks":1283,"data":1284},"Configure a webhook that adds malicious accounts to a Github repo on demand.",[],{},{"nodeType":508,"data":1286,"content":1287},{},[1288],{"nodeType":252,"data":1289,"content":1290},{},[1291],{"nodeType":247,"value":1292,"marks":1293,"data":1294},"Automatically find and replace bank account numbers in emails to the finance team.",[],{},{"nodeType":252,"data":1296,"content":1297},{},[1298],{"nodeType":247,"value":1299,"marks":1300,"data":1301},"All appear as legitimate Zapier integrations. But, before you put in alerts specifically for Zapier, know that it’s one of dozens of apps that support these kinds of offensive workflows.",[],{},{"nodeType":252,"data":1303,"content":1304},{},[1305,1309,1318],{"nodeType":247,"value":1306,"marks":1307,"data":1308},"A sneaky attacker might go further and use an ",[],{},{"nodeType":751,"data":1310,"content":1312},{"uri":1311},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/evil_twin_integrations/description.md",[1313],{"nodeType":247,"value":1314,"marks":1315,"data":1317},"evil twin integration",[1316],{"type":759},{},{"nodeType":247,"value":1319,"marks":1320,"data":1321}," to make another instance of an existing integration — making this backdoor almost impossible to discover.",[],{},{"nodeType":301,"data":1323,"content":1324},{},[1325],{"nodeType":247,"value":1326,"marks":1327,"data":1328},"Features or vulnerabilities?",[],{},{"nodeType":252,"data":1330,"content":1331},{},[1332],{"nodeType":247,"value":1333,"marks":1334,"data":1335},"When looking for attack techniques, you’re typically going after features that have weaknesses you can abuse rather than bugs in a single app that will be patched. ",[],{},{"nodeType":252,"data":1337,"content":1338},{},[1339,1343,1352,1355,1364],{"nodeType":247,"value":1340,"marks":1341,"data":1342},"It’s pretty common for SaaS apps to skip email verification or allow multiple simultaneous authentication methods. Both of these are conscious design choices in the name of lowering the friction of account creation and reducing customer support. However, these features make techniques like ",[],{},{"nodeType":751,"data":1344,"content":1346},{"uri":1345},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/account_ambushing/description.md",[1347],{"nodeType":247,"value":1348,"marks":1349,"data":1351},"account ambushing",[1350],{"type":759},{},{"nodeType":247,"value":1087,"marks":1353,"data":1354},[],{},{"nodeType":751,"data":1356,"content":1358},{"uri":1357},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[1359],{"nodeType":247,"value":1360,"marks":1361,"data":1363},"ghost logins",[1362],{"type":759},{},{"nodeType":247,"value":1365,"marks":1366,"data":1367}," possible. If these attacks become widespread, these might come to be seen more as bugs rather than a positive feature for users.",[],{},{"nodeType":252,"data":1369,"content":1370},{},[1371,1375,1384],{"nodeType":247,"value":1372,"marks":1373,"data":1374},"In other cases, the bugs are serious enough and hard enough to patch that they’re worth noting as a technique. The recently disclosed (and perfectly named) ",[],{},{"nodeType":751,"data":1376,"content":1378},{"uri":1377},"https://www.descope.com/blog/post/noauth",[1379],{"nodeType":247,"value":1380,"marks":1381,"data":1383},"nOAuth",[1382],{"type":759},{},{"nodeType":247,"value":1385,"marks":1386,"data":1387}," bug fits this bill. ",[],{},{"nodeType":252,"data":1389,"content":1390},{},[1391],{"nodeType":247,"value":1392,"marks":1393,"data":1394},"The bug arises from a confusion between an email identity and email metadata field in Microsoft integrations and without a central fix from MS (the fix isn’t trivial), these bugs are likely to be discovered and re-occur on third-party OAuth apps for a while to come.",[],{},{"nodeType":389,"data":1396,"content":1400},{"target":1397},{"sys":1398},{"id":1399,"type":394,"linkType":395},"6iKFd9Qys2SSuNqKVQB7ka",[],{"nodeType":243,"data":1402,"content":1403},{},[1404],{"nodeType":247,"value":1405,"marks":1406,"data":1407},"The SaaS market is driving these offensive techniques",[],{},{"nodeType":252,"data":1409,"content":1410},{},[1411],{"nodeType":247,"value":1412,"marks":1413,"data":1414},"SaaS apps are basically web apps that are run in the cloud and accessed from endpoints, so then WebApp, endpoint, and cloud security should cover all of SaaS, right? ",[],{},{"nodeType":252,"data":1416,"content":1417},{},[1418],{"nodeType":247,"value":1419,"marks":1420,"data":1421},"That was our assumption when we started, but what we found instead was that SaaS marketing practices are driving a lot of pretty interesting techniques that you don’t run into in standalone web apps.",[],{},{"nodeType":301,"data":1423,"content":1424},{},[1425],{"nodeType":247,"value":1426,"marks":1427,"data":1428},"Modern SaaS is easy to adopt, easy to use, low friction, low cost, low overhead",[],{},{"nodeType":252,"data":1430,"content":1431},{},[1432],{"nodeType":247,"value":1433,"marks":1434,"data":1435},"Making apps easy to sign up for and low effort to support means you need to make some interesting choices when it comes to designing account creation and recovery flows. ",[],{},{"nodeType":252,"data":1437,"content":1438},{},[1439],{"nodeType":247,"value":1440,"marks":1441,"data":1442},"Many apps allow users to sign into apps using multiple methods, easily invite collaborators (internal and external) and avoid any additional friction during the signup process. ",[],{},{"nodeType":252,"data":1444,"content":1445},{},[1446],{"nodeType":247,"value":1447,"marks":1448,"data":1449},"For example, many apps avoid verifying new account email addresses. This is not laziness, these are conscious design choices — not driven by security clearly, but not accidents.",[],{},{"nodeType":301,"data":1451,"content":1452},{},[1453],{"nodeType":247,"value":1454,"marks":1455,"data":1456},"Modern SaaS is highly integrated",[],{},{"nodeType":252,"data":1458,"content":1459},{},[1460],{"nodeType":247,"value":1461,"marks":1462,"data":1463},"Most SaaS apps are trying to build app marketplaces or perform well in other apps' marketplaces (often both), and it’s rare these days to find apps that don’t integrate with other apps. ",[],{},{"nodeType":252,"data":1465,"content":1466},{},[1467],{"nodeType":247,"value":1468,"marks":1469,"data":1470},"OAuth has become the de facto standard protocol for doing this, and most users have become quite used to approving OAuth2.0 consent flows. These integrations have opened up lots of incredibly useful doors for attackers to persist access and move laterally across SaaS apps that few incident response teams have run into yet. These tokens don’t expire when you reset passwords, aren’t protected by MFA, and actions they performed are rarely logged. ",[],{},{"nodeType":252,"data":1472,"content":1473},{},[1474],{"nodeType":247,"value":1475,"marks":1476,"data":1477},"These are not bugs or oversights but rather a consequence of how these APIs are intended to be used (by machines, not human adversaries).",[],{},{"nodeType":243,"data":1479,"content":1480},{},[1481],{"nodeType":247,"value":1482,"marks":1483,"data":1484},"Problems with observing SaaS attacks ",[],{},{"nodeType":252,"data":1486,"content":1487},{},[1488,1492,1497],{"nodeType":247,"value":1489,"marks":1490,"data":1491},"This research begs one question above others: ",[],{},{"nodeType":247,"value":1493,"marks":1494,"data":1496},"“Are we seeing these attacks in the wild?",[1495],{"type":333},{},{"nodeType":247,"value":1498,"marks":1499,"data":1500},"” ",[],{},{"nodeType":301,"data":1502,"content":1503},{},[1504],{"nodeType":247,"value":1505,"marks":1506,"data":1507},"Yes, definitely",[],{},{"nodeType":252,"data":1509,"content":1510},{},[1511,1515,1524,1527,1536,1540,1549,1553,1562,1566,1575],{"nodeType":247,"value":1512,"marks":1513,"data":1514},"For some of the better-known techniques, like credential stuffing and email phishing, the answer is an easy yes. Stats from ",[],{},{"nodeType":751,"data":1516,"content":1518},{"uri":1517},"https://www.microsoft.com/en-us/security/blog/2023/05/04/how-microsoft-can-help-you-go-passwordless-this-world-password-day/",[1519],{"nodeType":247,"value":1520,"marks":1521,"data":1523},"Microsoft (1,287 password attacks every second)",[1522],{"type":759},{},{"nodeType":247,"value":1087,"marks":1525,"data":1526},[],{},{"nodeType":751,"data":1528,"content":1530},{"uri":1529},"https://auth0.com/blog/top-insights-from-our-2022-state-of-secure-identity-report/",[1531],{"nodeType":247,"value":1532,"marks":1533,"data":1535},"Auth0 (a third of their traffic is credential stuffing)",[1534],{"type":759},{},{"nodeType":247,"value":1537,"marks":1538,"data":1539}," speaks volumes. Other sources like the ",[],{},{"nodeType":751,"data":1541,"content":1543},{"uri":1542},"https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2022/cyber-security-breaches-survey-2022",[1544],{"nodeType":247,"value":1545,"marks":1546,"data":1548},"NCSC's Cyber Security Breaches Survey 2022",[1547],{"type":759},{},{"nodeType":247,"value":1550,"marks":1551,"data":1552}," and the ",[],{},{"nodeType":751,"data":1554,"content":1556},{"uri":1555},"https://www.verizon.com/business/resources/reports/dbir/",[1557],{"nodeType":247,"value":1558,"marks":1559,"data":1561},"Verizon 2023 Data Breach Investigations Report",[1560],{"type":759},{},{"nodeType":247,"value":1563,"marks":1564,"data":1565}," suggest that phishing is also a major cause of SaaS breaches. Anecdotal reports from colleagues in the Incident Response field suggest that malicious mail forwarding rules are seen a lot, something which is supported by the ",[],{},{"nodeType":751,"data":1567,"content":1569},{"uri":1568},"https://expel.com/expel-quarterly-threat-report/",[1570],{"nodeType":247,"value":1571,"marks":1572,"data":1574},"Expel Quarterly Threat Report for Q1 2023",[1573],{"type":759},{},{"nodeType":247,"value":1576,"marks":1577,"data":1578}," (see page 6).",[],{},{"nodeType":252,"data":1580,"content":1581},{},[1582],{"nodeType":247,"value":1583,"marks":1584,"data":1585},"The takeaway is that the current focus for defenders should be to ensure users have good phishing-resistant account security in place — make sure you have basics like strong unique passwords and MFA in place across your entire SaaS estate.",[],{},{"nodeType":301,"data":1587,"content":1588},{},[1589],{"nodeType":247,"value":1590,"marks":1591,"data":1592},"For newer OAuth attacks, it’s a lot less clear …",[],{},{"nodeType":252,"data":1594,"content":1595},{},[1596,1600,1605,1609,1618],{"nodeType":247,"value":1597,"marks":1598,"data":1599},"Other techniques like consent phishing have been discussed in some breach disclosures like the ",[],{},{"nodeType":247,"value":1601,"marks":1602,"data":1604},"2020 SANS breach",[1603],{"type":759},{},{"nodeType":247,"value":1606,"marks":1607,"data":1608},". These OAuth techniques also pop up in the news (for example, the ",[],{},{"nodeType":751,"data":1610,"content":1612},{"uri":1611},"https://www.bleepingcomputer.com/news/security/github-how-stolen-oauth-tokens-helped-breach-dozens-of-orgs/",[1613],{"nodeType":247,"value":1614,"marks":1615,"data":1617},"2022 Github/Heroku/Travis-CI breach",[1616],{"type":759},{},{"nodeType":247,"value":1619,"marks":1620,"data":1621}," where GitHub accounts were breached using stolen Heroku and Travis-CI OAuth tokens). ",[],{},{"nodeType":252,"data":1623,"content":1624},{},[1625,1629,1634],{"nodeType":247,"value":1626,"marks":1627,"data":1628},"That said, none of these techniques come up as frequently as their usefulness would suggest. This means one of two things: ",[],{},{"nodeType":247,"value":1630,"marks":1631,"data":1633},"Either attackers aren’t yet using them widely, or they are and we aren’t detecting them",[1632],{"type":333},{},{"nodeType":247,"value":816,"marks":1635,"data":1636},[],{},{"nodeType":252,"data":1638,"content":1639},{},[1640],{"nodeType":247,"value":1641,"marks":1642,"data":1643},"There is certainly a case to be made that attackers simply don’t need these newer techniques yet. Many organizations don’t have a way of discovering SaaS use in their organization yet, never mind breached accounts, so new persistence techniques might be a bit more than necessary at the moment.",[],{},{"nodeType":301,"data":1645,"content":1646},{},[1647],{"nodeType":247,"value":1648,"marks":1649,"data":1650},"But would we know if it was happening?",[],{},{"nodeType":252,"data":1652,"content":1653},{},[1654],{"nodeType":247,"value":1655,"marks":1656,"data":1657},"On the other hand, there is certainly the possibility that these attacks are increasingly used, but are simply not being discovered. A strong argument in favor of this view is the difficulty in investigating these attacks. Very few SaaS apps provide enough logging capability to discover these attacks as a customer. This is true even for the biggest, most mature apps like Office 365 and Google Workspace unless you are on top license tiers. This is doubly true for attacks that use OAuth, with many apps providing no insight or details into actions made using OAuth-authenticated APIs. ",[],{},{"nodeType":252,"data":1659,"content":1660},{},[1661,1665,1674,1678,1687],{"nodeType":247,"value":1662,"marks":1663,"data":1664},"This suggests only the SaaS providers for these apps are really in a position to discover and investigate them. This does ring true when you consider that ",[],{},{"nodeType":751,"data":1666,"content":1668},{"uri":1667},"https://blog.heroku.com/april-2022-incident-review",[1669],{"nodeType":247,"value":1670,"marks":1671,"data":1673},"Heroku",[1672],{"type":759},{},{"nodeType":247,"value":1675,"marks":1676,"data":1677}," relied heavily on Github during the investigation (and in one case even the detection of) their 2022 breaches, and the same seems true for a similar breach affecting ",[],{},{"nodeType":751,"data":1679,"content":1681},{"uri":1680},"https://circleci.com/blog/jan-4-2023-incident-report/",[1682],{"nodeType":247,"value":1683,"marks":1684,"data":1686},"CircleCI",[1685],{"type":759},{},{"nodeType":247,"value":1688,"marks":1689,"data":1690}," later that year. Github and CircleCI’s customers prompted the investigation after seeing strange behavior, but Github had access to the logs to investigate. It’s difficult to imagine that most or even many SaaS vendors have the resources or inclination to run these investigations effectively as GitHub appears to have.",[],{},{"nodeType":252,"data":1692,"content":1693},{},[1694,1698,1708],{"nodeType":247,"value":1695,"marks":1696,"data":1697},"So, are these attacks happening in the real world? My best guess is it’s a little bit of column A and a little bit of column B — there are likely not so many of these attacks happening yet, and when they do, I suspect the vast majority go undetected. ",[],{},{"nodeType":751,"data":1699,"content":1701},{"uri":1700},"https://www.youtube.com/watch?v=j95kNwZw8YY",[1702],{"nodeType":247,"value":1703,"marks":1704,"data":1707},"But that’s just like my opinion, man.",[1705,1706],{"type":759},{"type":333},{},{"nodeType":247,"value":29,"marks":1709,"data":1710},[],{},{"nodeType":252,"data":1712,"content":1713},{},[1714],{"nodeType":247,"value":1715,"marks":1716,"data":1717},"This is part of the reason we think enabling red teamers to try these techniques in anger is useful — this is the time-proven way to understand these risks.",[],{},{"nodeType":243,"data":1719,"content":1720},{},[1721],{"nodeType":247,"value":1722,"marks":1723,"data":1724},"What’s next?",[],{},{"nodeType":252,"data":1726,"content":1727},{},[1728],{"nodeType":247,"value":1729,"marks":1730,"data":1731},"We’ve barely scratched the surface, but perhaps there is enough here to get the discussion going. From past experience, discussion may not be enough, and it’s likely that live offensive work like penetration tests or more likely red team exercises will be required to make the risks of using these techniques real for the wider security community. ",[],{},{"nodeType":252,"data":1733,"content":1734},{},[1735],{"nodeType":247,"value":1736,"marks":1737,"data":1738},"After all, seeing is believing. We think some more practical examples and tools to help red  teamers use these techniques on engagements will help drive awareness forward, so we’ll be looking to build out this content.",[],{},{"nodeType":252,"data":1740,"content":1741},{},[1742,1746,1755],{"nodeType":247,"value":1743,"marks":1744,"data":1745},"We’ve started with pure networkless attacks that don’t touch customer networks or endpoints, but there are many useful techniques to connect the old endpoint world to the SaaS world. Consider stealing OAuth tokens from a thick client on an endpoint, or using a ",[],{},{"nodeType":751,"data":1747,"content":1749},{"uri":1748},"https://github.blog/2023-07-18-security-alert-social-engineering-campaign-targets-technology-industry-employees/",[1750],{"nodeType":247,"value":1751,"marks":1752,"data":1754},"backdoored GitHub repo to get code execution on endpoints",[1753],{"type":759},{},{"nodeType":247,"value":816,"marks":1756,"data":1757},[],{},{"nodeType":252,"data":1759,"content":1760},{},[1761,1765,1772],{"nodeType":247,"value":1762,"marks":1763,"data":1764},"Help us all better understand how widespread these attacks are by sharing some war stories. We’d love some comments, discussions, or PRs on ",[],{},{"nodeType":751,"data":1766,"content":1767},{"uri":1053},[1768],{"nodeType":247,"value":1056,"marks":1769,"data":1771},[1770],{"type":759},{},{"nodeType":247,"value":1773,"marks":1774,"data":1775},"!",[],{},{"nodeType":389,"data":1777,"content":1781},{"target":1778},{"sys":1779},{"id":1780,"type":394,"linkType":395},"2y0INxqAi594O7rCAVKhTI",[],{"nodeType":252,"data":1783,"content":1784},{},[1785],{"nodeType":247,"value":29,"marks":1786,"data":1787},[],{},"Let’s talk about SaaS attack techniques","Offensive security drives defensive security. We're sharing a collection of SaaS attack techniques to help defenders understand the threats they face.","2023-07-27T00:00:00.000Z","saas-attack-techniques",{"items":1793},[1794,1798],{"sys":1795,"name":1797},{"id":1796},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1799,"name":1801},{"id":1800},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1803},[1804],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":1805},{"url":236},{"__typename":989,"sys":1807,"content":1809,"title":2134,"synopsis":1823,"hashTags":62,"publishedDate":2135,"slug":2136,"tagsCollection":2137,"authorsCollection":2147},{"id":1808},"3m48a0kFoN8gh0IZQBup5U",{"json":1810},{"nodeType":239,"data":1811,"content":1812},{},[1813,1819,1827,1839,1846,1853,1896,1902,1909,1916,1923,1930,1955,1962,1969,2041,2048,2055,2062,2068,2075,2082,2088,2095,2102,2108,2115],{"nodeType":389,"data":1814,"content":1818},{"target":1815},{"sys":1816},{"id":1817,"type":394,"linkType":395},"3OXZccsHUbm5vXq1Ouv9H8",[],{"nodeType":252,"data":1820,"content":1821},{},[1822],{"nodeType":247,"value":1823,"marks":1824,"data":1826},"Don’t leave it up to your employees to figure out how to use cloud apps securely. Guide them directly in their browsers when they access their apps.",[1825],{"type":438},{},{"nodeType":252,"data":1828,"content":1829},{},[1830,1834],{"nodeType":247,"value":1831,"marks":1832,"data":1833},"That’s the concept behind our latest feature, in-browser app banners. They allow you to",[],{},{"nodeType":247,"value":1835,"marks":1836,"data":1838}," create custom messages that guide employees to follow your security policies on the apps they use for work.",[1837],{"type":438},{},{"nodeType":252,"data":1840,"content":1841},{},[1842],{"nodeType":247,"value":1843,"marks":1844,"data":1845},"For example, at the top of this page you can see an app banner that tells employees using ChatGPT not to put company or customer data into the app, and provides a link to the company’s GenAI policy:",[],{},{"nodeType":252,"data":1847,"content":1848},{},[1849],{"nodeType":247,"value":1850,"marks":1851,"data":1852},"The banners are fully customizable, so you can enter whatever text you like. Here are a few ideas to get you started:",[],{},{"nodeType":504,"data":1854,"content":1855},{},[1856,1866,1876,1886],{"nodeType":508,"data":1857,"content":1858},{},[1859],{"nodeType":252,"data":1860,"content":1861},{},[1862],{"nodeType":247,"value":1863,"marks":1864,"data":1865},"Encourage employees to use an approved app over a new, unsupported alternative.",[],{},{"nodeType":508,"data":1867,"content":1868},{},[1869],{"nodeType":252,"data":1870,"content":1871},{},[1872],{"nodeType":247,"value":1873,"marks":1874,"data":1875},"Remind employees not to enter sensitive information into ChatGPT or other GenAI tools.",[],{},{"nodeType":508,"data":1877,"content":1878},{},[1879],{"nodeType":252,"data":1880,"content":1881},{},[1882],{"nodeType":247,"value":1883,"marks":1884,"data":1885},"Tell employees not to use an app until it can be reviewed by the security team.",[],{},{"nodeType":508,"data":1887,"content":1888},{},[1889],{"nodeType":252,"data":1890,"content":1891},{},[1892],{"nodeType":247,"value":1893,"marks":1894,"data":1895},"Ask employees to use their federated identity on apps supporting SSO.",[],{},{"nodeType":389,"data":1897,"content":1901},{"target":1898},{"sys":1899},{"id":1900,"type":394,"linkType":395},"6XuJbfjhrr9JDKY6fcD5hZ",[],{"nodeType":243,"data":1903,"content":1904},{},[1905],{"nodeType":247,"value":1906,"marks":1907,"data":1908},"Why did we build it?",[],{},{"nodeType":252,"data":1910,"content":1911},{},[1912],{"nodeType":247,"value":1913,"marks":1914,"data":1915},"We co-created this feature with our customers. They wanted a more flexible and nuanced way of managing the risks associated with using SaaS apps than just allowlisting or blocklisting apps. ",[],{},{"nodeType":252,"data":1917,"content":1918},{},[1919],{"nodeType":247,"value":1920,"marks":1921,"data":1922},"That means guiding employees to use apps more safely rather than just blocking new tools by default.",[],{},{"nodeType":252,"data":1924,"content":1925},{},[1926],{"nodeType":247,"value":1927,"marks":1928,"data":1929},"Now don’t get us wrong — there’s a time and a place for blocking. But for most organizations, there are more scenarios when it's better to help employees do something safely. ",[],{},{"nodeType":252,"data":1931,"content":1932},{},[1933,1937,1942,1946,1951],{"nodeType":247,"value":1934,"marks":1935,"data":1936},"That’s the reason why we ",[],{},{"nodeType":247,"value":1938,"marks":1939,"data":1941},"wanted",[1940],{"type":333},{},{"nodeType":247,"value":1943,"marks":1944,"data":1945}," to build the feature. The reason we were ",[],{},{"nodeType":247,"value":1947,"marks":1948,"data":1950},"able",[1949],{"type":333},{},{"nodeType":247,"value":1952,"marks":1953,"data":1954}," to build it is because Push’s superpower is a browser extension that detects signups and logins to supported and unsupported apps, and then helps you manage and secure accounts and identities on all of them. ",[],{},{"nodeType":252,"data":1956,"content":1957},{},[1958],{"nodeType":247,"value":1959,"marks":1960,"data":1961},"The Push browser extension gets you the closest to the user, providing the ideal platform for security teams to guide employees at exactly the right time and place — when they’re accessing an app in their browser.",[],{},{"nodeType":243,"data":1963,"content":1964},{},[1965],{"nodeType":247,"value":1966,"marks":1967,"data":1968},"How does it work?",[],{},{"nodeType":1970,"data":1971,"content":1972},"ordered-list",{},[1973,1983,1993,2012,2031],{"nodeType":508,"data":1974,"content":1975},{},[1976],{"nodeType":252,"data":1977,"content":1978},{},[1979],{"nodeType":247,"value":1980,"marks":1981,"data":1982},"You can configure an app banner in less than 1 minute. Here are the 4 steps, or just scroll down to the demos below to see for yourself. ",[],{},{"nodeType":508,"data":1984,"content":1985},{},[1986],{"nodeType":252,"data":1987,"content":1988},{},[1989],{"nodeType":247,"value":1990,"marks":1991,"data":1992},"Find an app in your app inventory on the Push platform.",[],{},{"nodeType":508,"data":1994,"content":1995},{},[1996],{"nodeType":252,"data":1997,"content":1998},{},[1999,2003,2008],{"nodeType":247,"value":2000,"marks":2001,"data":2002},"Hit ",[],{},{"nodeType":247,"value":2004,"marks":2005,"data":2007},"Configure on the app details slideout",[2006],{"type":438},{},{"nodeType":247,"value":2009,"marks":2010,"data":2011},", and then add your custom banner message. ",[],{},{"nodeType":508,"data":2013,"content":2014},{},[2015],{"nodeType":252,"data":2016,"content":2017},{},[2018,2022,2027],{"nodeType":247,"value":2019,"marks":2020,"data":2021},"Use the ",[],{},{"nodeType":247,"value":2023,"marks":2024,"data":2026},"Preview",[2025],{"type":438},{},{"nodeType":247,"value":2028,"marks":2029,"data":2030}," button to see what it will look like. ",[],{},{"nodeType":508,"data":2032,"content":2033},{},[2034],{"nodeType":252,"data":2035,"content":2036},{},[2037],{"nodeType":247,"value":2038,"marks":2039,"data":2040},"Then once you're happy, save it to enable it on the signup and login pages for that app. Now your banner will appear every time an employee accesses the app using a browser with the Push browser extension on it. ",[],{},{"nodeType":243,"data":2042,"content":2043},{},[2044],{"nodeType":247,"value":2045,"marks":2046,"data":2047},"Use case inspo",[],{},{"nodeType":301,"data":2049,"content":2050},{},[2051],{"nodeType":247,"value":2052,"marks":2053,"data":2054},"Help employees use ChatGPT and GenAI apps safely",[],{},{"nodeType":252,"data":2056,"content":2057},{},[2058],{"nodeType":247,"value":2059,"marks":2060,"data":2061},"Lots of security teams we speak to are happy for their employees to use GenAI apps like ChatGPT, as long as no sensitive data goes into them. Here we create a banner telling employees not to share sensitive information and to read the GenAI policy to understand how to use apps like this securely.",[],{},{"nodeType":389,"data":2063,"content":2067},{"target":2064},{"sys":2065},{"id":2066,"type":394,"linkType":395},"N6E38qUzEe8fNvpoJwBXH",[],{"nodeType":301,"data":2069,"content":2070},{},[2071],{"nodeType":247,"value":2072,"marks":2073,"data":2074},"Guide your employees toward approved apps and prevent SaaS sprawl",[],{},{"nodeType":252,"data":2076,"content":2077},{},[2078],{"nodeType":247,"value":2079,"marks":2080,"data":2081},"You’ll probably prefer that your employees use approved and supported apps, and not to self-adopt new duplicate apps that contribute to SaaS sprawl. Here we use a banner to tell employees to use an approved file-sharing app.",[],{},{"nodeType":389,"data":2083,"content":2087},{"target":2084},{"sys":2085},{"id":2086,"type":394,"linkType":395},"2VhggiMOWCu9ZXqh4U7pZ9",[],{"nodeType":301,"data":2089,"content":2090},{},[2091],{"nodeType":247,"value":2092,"marks":2093,"data":2094},"Encourage employees to use their federated identities instead of creating shadow identities",[],{},{"nodeType":252,"data":2096,"content":2097},{},[2098],{"nodeType":247,"value":2099,"marks":2100,"data":2101},"If you’ve invested in an SSO solution like Okta, you probably want to get as many of your apps and accounts behind it as possible. This banner tells employees to access the app using their Okta federated identity rather than using or creating a local account. ",[],{},{"nodeType":389,"data":2103,"content":2107},{"target":2104},{"sys":2105},{"id":2106,"type":394,"linkType":395},"6cJcIJ8GpsioU6JQs3afxy",[],{"nodeType":243,"data":2109,"content":2110},{},[2111],{"nodeType":247,"value":2112,"marks":2113,"data":2114},"Find out more",[],{},{"nodeType":252,"data":2116,"content":2117},{},[2118,2122,2130],{"nodeType":247,"value":2119,"marks":2120,"data":2121},"To see Push in action, ",[],{},{"nodeType":751,"data":2123,"content":2125},{"uri":2124},"https://pushsecurity.com/demo/",[2126],{"nodeType":247,"value":2127,"marks":2128,"data":2129},"book a demo",[],{},{"nodeType":247,"value":2131,"marks":2132,"data":2133},". We’ll be happy to show you this feature along with how we discover all the apps your employees are using and how we detect vulnerable identities. ",[],{},"Introducing in-browser app banners: Set guardrails for cloud apps","2024-02-06T00:00:00.000Z","introducing-in-browser-app-banners-set-guardrails-for-cloud-apps",{"items":2138},[2139,2143],{"sys":2140,"name":2142},{"id":2141},"3pjES4THCIfSAwhGdNwBcy","Browser security",{"sys":2144,"name":2146},{"id":2145},"5jk0kqjSdSK2L0YiistQjY","Release notes",{"items":2148},[2149],{"fullName":2150,"firstName":2151,"jobTitle":2152,"profilePicture":2153},"Alex Henshall","Alex","Product Team",{"url":2154},"https://images.ctfassets.net/y1cdw1ablpvd/2rz3Pre3b1MexPIQ4hzPUe/0ef8a092b7e7df00fbce3f7d1ccb96d1/Alex_Henshall.jpeg","5-ways-to-defeat-identity-based-attacks","blog/5-ways-to-defeat-identity-based-attacks",{"json":2158},{"data":2159,"content":2160,"nodeType":239},{},[2161,2168],{"data":2162,"content":2163,"nodeType":252},{},[2164],{"data":2165,"marks":2166,"value":2167,"nodeType":247},{},[],"In today's digital world, identities are the new frontier for attackers seeking to breach organizational perimeters. As the attack surface evolves, so too must our strategies for defending against threats. Below are five key tactics to bolster your defenses and thwart identity-based attacks.",{"data":2169,"content":2170,"nodeType":252},{},[2171],{"data":2172,"marks":2173,"value":29,"nodeType":247},{},[],"In this blog post we will cover what identities are, how we secure perimeters in general, and and how this maps to the identity space.\n",{"id":2176,"publishedAt":2177},"6rflXTFCRMvmM8JU8ZPSCt","2026-01-30T09:27:40.111Z",{"items":2179},[2180,2182],{"sys":2181,"name":2142},{"id":2141},{"sys":2183,"name":1801},{"id":1800},"4AeraWLHv7cZN9Q1uB-1ZgTXL3DeB-ks7cYNAsNpH3Y",1784196720487]