[{"data":1,"prerenderedAt":3348},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/fixing-secops-alert-fatigue-with-browser-telemetry":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":865,"faqItemsCollection":866,"faqTitle":62,"featured":6,"hashTags":62,"meta":868,"metaTitle":228,"ogImage":62,"publishedDate":869,"relatedBlogPostsCollection":870,"slug":3324,"stem":3325,"subtitle":62,"summary":3326,"synopsis":3337,"sys":3338,"tagsCollection":3341,"__hash__":3347},"blog/blog/fixing-secops-alert-fatigue-with-browser-telemetry.json","Fixing SecOps alert fatigue with browser telemetry",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Mark Orlando","Mark","Field CTO",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/592PMwIQQFaa24k5SKBEKF/a33090d0ad95d1e3081f5d16a46ba826/image__68_.png",{"json":238,"links":749},{"nodeType":239,"data":240,"content":241},"document",{},[242,251,258,262,270,306,318,345,352,355,362,369,376,385,393,426,432,439,459,465,472,478,481,488,525,532,577,584,590,597,604,607,614,621,628,648,654,661,668,675,681,688,694,697,704,711,718],{"nodeType":243,"data":244,"content":245},"paragraph",{},[246],{"nodeType":247,"value":248,"marks":249,"data":250},"text","After more than two decades in cybersecurity, I’ve witnessed the evolution (and at times, devolution) of detection and response capabilities. I’ve sat in countless SOCs watching analysts drown in a sea of alerts, spent hours chasing false positives, and seen talented security professionals burn out from the relentless noise of low-fidelity detection systems. ",[],{},{"nodeType":243,"data":252,"content":253},{},[254],{"nodeType":247,"value":255,"marks":256,"data":257},"It’s a problem that’s reached crisis proportions, and it’s exactly why our approach to browser security represents not just a technological shift, but a philosophical one.",[],{},{"nodeType":259,"data":260,"content":261},"hr",{},[],{"nodeType":263,"data":264,"content":265},"heading-1",{},[266],{"nodeType":247,"value":267,"marks":268,"data":269},"The alert fatigue epidemic",[],{},{"nodeType":243,"data":271,"content":272},{},[273,277,283,287,293,297,302],{"nodeType":247,"value":274,"marks":275,"data":276},"Early in my career, getting ",[],{},{"nodeType":247,"value":278,"marks":279,"data":282},"any",[280],{"type":281},"italic",{},{"nodeType":247,"value":284,"marks":285,"data":286}," alert felt like a victory. We were flying blind outside of our small windows of network traffic. But as the industry matured, something troubling happened: we began equating ",[],{},{"nodeType":247,"value":288,"marks":289,"data":292},"volume",[290],{"type":291},"bold",{},{"nodeType":247,"value":294,"marks":295,"data":296}," with ",[],{},{"nodeType":247,"value":298,"marks":299,"data":301},"value",[300],{"type":291},{},{"nodeType":247,"value":303,"marks":304,"data":305},". Vendors started competing on how many alerts they could generate, how much data they could collect, and how comprehensive their “visibility” could be. ",[],{},{"nodeType":243,"data":307,"content":308},{},[309,313],{"nodeType":247,"value":310,"marks":311,"data":312},"Security teams followed suit with operational metrics that captured how many alerts they’d resolved, how many “attacks” they’d stopped, and how many tickets they’d opened and closed in a given work cycle. But as many teams have now realized, ",[],{},{"nodeType":247,"value":314,"marks":315,"data":317},"volume is a vanity metric; fidelity is what keeps you safe.",[316],{"type":291},{},{"nodeType":243,"data":319,"content":320},{},[321,325,336,340],{"nodeType":247,"value":322,"marks":323,"data":324},"In my course on ",[],{},{"nodeType":326,"data":327,"content":329},"hyperlink",{"uri":328},"https://www.sans.org/cyber-security-courses/building-leading-security-operations-centers",[330],{"nodeType":247,"value":331,"marks":332,"data":335},"Building and Leading Security Operations teams",[333],{"type":334},"underline",{},{"nodeType":247,"value":337,"marks":338,"data":339},", we discuss the importance of analytic outcomes and addressing ineffective alerts to continuously improve fidelity. My students often find it hard to believe how much time and effort it takes to audit alert quality and implement continuous improvements on a large scale. This isn’t just an operational problem — it’s an existential threat to effective security. ",[],{},{"nodeType":247,"value":341,"marks":342,"data":344},"When everything is an alert, nothing is. ",[343],{"type":291},{},{"nodeType":243,"data":346,"content":347},{},[348],{"nodeType":247,"value":349,"marks":350,"data":351},"And while we have been busy focusing on more (and occasionally, better) detections at the endpoint and network layers, attackers have shifted to infrastructure that isn’t as well-instrumented: SaaS and the browser.",[],{},{"nodeType":259,"data":353,"content":354},{},[],{"nodeType":263,"data":356,"content":357},{},[358],{"nodeType":247,"value":359,"marks":360,"data":361},"The browser: a new frontier in detection and response",[],{},{"nodeType":243,"data":363,"content":364},{},[365],{"nodeType":247,"value":366,"marks":367,"data":368},"Today, the browser is the place where most cyber attacks happen. It’s where users interact with the applications that your business runs on, handle sensitive data, and unfortunately, where they encounter sophisticated phishing campaigns, credential harvesting attacks, and malicious downloads. ",[],{},{"nodeType":243,"data":370,"content":371},{},[372],{"nodeType":247,"value":373,"marks":374,"data":375},"Yet for most security teams, the browser remains a black box, obscured from the view from the network and the endpoint. Even worse, attack models often applied to detection engineering for endpoint or network-centric threats don’t really apply; modern identity attacks skip entire phases of the attack chain, eliminating many detection opportunities along the way. The modern attack path doesn’t need to touch the endpoint or your network at all — it can happen entirely over the internet. ",[],{},{"nodeType":377,"data":378,"content":384},"embedded-entry-block",{"target":379},{"sys":380},{"id":381,"type":382,"linkType":383},"4wYYgbKmmVAZTF7niXJEGc","Link","Entry",[],{"nodeType":386,"data":387,"content":388},"heading-2",{},[389],{"nodeType":247,"value":390,"marks":391,"data":392},"Attackers are exploiting the detection gap",[],{},{"nodeType":243,"data":394,"content":395},{},[396,400,409,413,422],{"nodeType":247,"value":397,"marks":398,"data":399},"You only need to look at in-the-wild breaches such as last year’s ",[],{},{"nodeType":326,"data":401,"content":403},{"uri":402},"https://pushsecurity.com/blog/snowflake-retro/",[404],{"nodeType":247,"value":405,"marks":406,"data":408},"Snowflake",[407],{"type":334},{},{"nodeType":247,"value":410,"marks":411,"data":412}," attacks, or the recent ",[],{},{"nodeType":326,"data":414,"content":416},{"uri":415},"https://www.bleepingcomputer.com/news/security/shinyhunters-claims-15-billion-salesforce-records-stolen-in-drift-hacks/",[417],{"nodeType":247,"value":418,"marks":419,"data":421},"Salesforce",[420],{"type":334},{},{"nodeType":247,"value":423,"marks":424,"data":425}," breaches to see the impact that attackers can have by executing attacks entirely over the internet, without touching traditional network devices or user endpoints. ",[],{},{"nodeType":377,"data":427,"content":431},{"target":428},{"sys":429},{"id":430,"type":382,"linkType":383},"VfTps3SGKJDlhFcmh42d9",[],{"nodeType":243,"data":433,"content":434},{},[435],{"nodeType":247,"value":436,"marks":437,"data":438},"But even in the context of more “conventional” attacks (e.g. the classic route of compromising an endpoint, moving laterally through an environment, taking control of a domain, and deploying ransomware), most of the time, these attacks begin in the browser with identities and cloud apps rather than exploit-driven initial access — such as with the recent attacks on Marks & Spencer, Co-op, and Jaguar Land Rover. ",[],{},{"nodeType":243,"data":440,"content":441},{},[442,446,455],{"nodeType":247,"value":443,"marks":444,"data":445},"While the ",[],{},{"nodeType":326,"data":447,"content":449},{"uri":448},"https://cloud.google.com/security/resources/insights/targeted-attack-lifecycle",[450],{"nodeType":247,"value":451,"marks":452,"data":454},"attack cycle",[453],{"type":334},{},{"nodeType":247,"value":456,"marks":457,"data":458}," and similar mental models are valuable for planning in-depth detections of sophisticated, multi-stage attacks, focusing too heavily on them can lead to overlooked scenarios. These high-profile incidents have demonstrated the opportunity cost of neglecting visibility into attacks that don't perfectly align with these models. ",[],{},{"nodeType":377,"data":460,"content":464},{"target":461},{"sys":462},{"id":463,"type":382,"linkType":383},"3TsKtoWuxQMFl1xd3w1j86",[],{"nodeType":243,"data":466,"content":467},{},[468],{"nodeType":247,"value":469,"marks":470,"data":471},"Just as endpoint detection and response revolutionized host-based security by providing visibility and control directly at the point of attack, browser-based security platforms can do the same for web-borne threats. It’s an important addition to the detection and response stack that illuminates a “missing middle” in modern attack investigations, and intervenes in real time, much like traditional EDR did for the endpoint years ago.",[],{},{"nodeType":377,"data":473,"content":477},{"target":474},{"sys":475},{"id":476,"type":382,"linkType":383},"1eCXGC6U6SdzHmOH1gv24O",[],{"nodeType":259,"data":479,"content":480},{},[],{"nodeType":263,"data":482,"content":483},{},[484],{"nodeType":247,"value":485,"marks":486,"data":487},"High-fidelity detection: quality over quantity",[],{},{"nodeType":243,"data":489,"content":490},{},[491,495,503,507,512,516,521],{"nodeType":247,"value":492,"marks":493,"data":494},"Our ",[],{},{"nodeType":326,"data":496,"content":498},{"uri":497},"https://pushsecurity.com/blog/our-design-philosophy-detecting-what-matters/",[499],{"nodeType":247,"value":500,"marks":501,"data":502},"design philosophy",[],{},{"nodeType":247,"value":504,"marks":505,"data":506}," centers on a principle often overlooked in the security industry: prioritizing actionable problems for security teams. This involves differentiating between \"",[],{},{"nodeType":247,"value":508,"marks":509,"data":511},"events",[510],{"type":291},{},{"nodeType":247,"value":513,"marks":514,"data":515},"\" – environment data that may or may not be useful – and \"",[],{},{"nodeType":247,"value":517,"marks":518,"data":520},"detections",[519],{"type":291},{},{"nodeType":247,"value":522,"marks":523,"data":524},"\" – high-fidelity, actionable signals with a negligible false positive rate. We also empower our customers with the ability to intervene in real-time when there are high-confidence indicators of an attack. We focus on detecting not atomic indicators, but on attacker tooling and behaviors.",[],{},{"nodeType":243,"data":526,"content":527},{},[528],{"nodeType":247,"value":529,"marks":530,"data":531},"Compare this to traditional approaches that might generate alerts for:",[],{},{"nodeType":533,"data":534,"content":535},"unordered-list",{},[536,547,557,567],{"nodeType":537,"data":538,"content":539},"list-item",{},[540],{"nodeType":243,"data":541,"content":542},{},[543],{"nodeType":247,"value":544,"marks":545,"data":546},"Visiting domains with low reputation scores (but not necessarily malicious)",[],{},{"nodeType":537,"data":548,"content":549},{},[550],{"nodeType":243,"data":551,"content":552},{},[553],{"nodeType":247,"value":554,"marks":555,"data":556},"Downloading files that match certain heuristics (but may be legitimate)",[],{},{"nodeType":537,"data":558,"content":559},{},[560],{"nodeType":243,"data":561,"content":562},{},[563],{"nodeType":247,"value":564,"marks":565,"data":566},"Accessing new web applications (that may be approved, or tacitly allowed, shadow IT)",[],{},{"nodeType":537,"data":568,"content":569},{},[570],{"nodeType":243,"data":571,"content":572},{},[573],{"nodeType":247,"value":574,"marks":575,"data":576},"Employee usernames, passwords, and email addresses for sale on the dark web (which may no longer be valid)",[],{},{"nodeType":243,"data":578,"content":579},{},[580],{"nodeType":247,"value":581,"marks":582,"data":583},"These low-fidelity alerts create work without providing solutions. They force analysts to become investigators rather than responders, spending precious time determining whether an alert represents a genuine threat rather than focusing on mitigation and recovery. ",[],{},{"nodeType":377,"data":585,"content":589},{"target":586},{"sys":587},{"id":588,"type":382,"linkType":383},"4MydcqvHnWsziCOPUNC3YS",[],{"nodeType":243,"data":591,"content":592},{},[593],{"nodeType":247,"value":594,"marks":595,"data":596},"Poor quality detections also present an easy opportunity for security teams to commit a cardinal sin: disrupting users and business processes without a clear justification for doing so. User trust and support should always be treated as a finite resource, and every account locked, website blocked, and laptop reimaged chips away at that resource. ",[],{},{"nodeType":243,"data":598,"content":599},{},[600],{"nodeType":247,"value":601,"marks":602,"data":603},"Likewise, the more disruptive, the more likely users will look for ways around said controls. If your users are actively working against you, and feel you are preventing them from doing their jobs, they’ll always find new and unexpected ways around security blocks. ",[],{},{"nodeType":259,"data":605,"content":606},{},[],{"nodeType":263,"data":608,"content":609},{},[610],{"nodeType":247,"value":611,"marks":612,"data":613},"The SOC analyst's perspective",[],{},{"nodeType":243,"data":615,"content":616},{},[617],{"nodeType":247,"value":618,"marks":619,"data":620},"The most successful SOC analysts share a common trait: they’re extraordinarily good at quickly distinguishing signal from noise. But this skill shouldn’t be required! It’s a failure of our detection systems that we’re forcing human analysts to perform pattern matching that our technology should handle. ",[],{},{"nodeType":243,"data":622,"content":623},{},[624],{"nodeType":247,"value":625,"marks":626,"data":627},"But even for the most skilled analyst, it’s a tall order to ask your security team to also be experts in every cloud app your business relies on, making it even harder than normal to build context-driven alerts. Most of the time, the information required simply doesn't exist, with logs simply not available (generally, or at your product tier) or the work required to extract the logs and turn them into context-driven alerts hasn’t happened yet. If your team is under-resourced and drowning in low-fidelity alerts already, then realistically it might never happen. ",[],{},{"nodeType":243,"data":629,"content":630},{},[631,635,644],{"nodeType":247,"value":632,"marks":633,"data":634},"Effective browser security changes this dynamic. Instead of presenting analysts with hundreds of “suspicious web activity” alerts that require investigation, ",[],{},{"nodeType":326,"data":636,"content":638},{"uri":637},"https://pushsecurity.com/blog/detecting-and-blocking-phishing-attacks-in-the-browser/",[639],{"nodeType":247,"value":640,"marks":641,"data":643},"our platform focuses on high-reliability indicators",[642],{"type":334},{},{"nodeType":247,"value":645,"marks":646,"data":647}," like whether a phishing kit was observed running on the page, or whether the page was cloned from a legitimate site. We even detect user behaviors that could indicate a risk in the context of a phishing attack, like when a user attempts to authenticate with credentials that have been previously used on another page — either a sign of credential reuse (bad) or a phishing attack (even worse) — at which point Push can be set to block the attack in real time. ",[],{},{"nodeType":377,"data":649,"content":653},{"target":650},{"sys":651},{"id":652,"type":382,"linkType":383},"3998Iy2kp9MW0HFeqmo900",[],{"nodeType":386,"data":655,"content":656},{},[657],{"nodeType":247,"value":658,"marks":659,"data":660},"Browser security provides a new layer of protection, reducing the risk of breach",[],{},{"nodeType":243,"data":662,"content":663},{},[664],{"nodeType":247,"value":665,"marks":666,"data":667},"Attack detection has always been a cat-and-mouse game. For years, attackers have grappled with endpoint and network security vendors. And sometimes, the attackers win. The fact is that a lot of attacker innovation has gone into sandbox aware malware, breaking detection signatures, disabling security tools, and so on.    ",[],{},{"nodeType":243,"data":669,"content":670},{},[671],{"nodeType":247,"value":672,"marks":673,"data":674},"But with so many attacks now passing through the browser, defending it enables badness to be filtered out before it reaches the endpoint or network controls that attackers are looking to consciously evade. By preventing malware being delivered, or identities from being compromised, attacks otherwise crafted to evade traditional security controls can be intercepted early — making the crucial difference in whether a breach happens or not.",[],{},{"nodeType":377,"data":676,"content":680},{"target":677},{"sys":678},{"id":679,"type":382,"linkType":383},"4Bh7uOkeguNJFmJ1XUQ317",[],{"nodeType":243,"data":682,"content":683},{},[684],{"nodeType":247,"value":685,"marks":686,"data":687},"And when it comes to the cloud-centric attacks that attackers are finding so much success with today, this is in effect a net new capability. ",[],{},{"nodeType":377,"data":689,"content":693},{"target":690},{"sys":691},{"id":692,"type":382,"linkType":383},"4JdaY8I3f6Ub2Kifc9Rsj9",[],{"nodeType":259,"data":695,"content":696},{},[],{"nodeType":263,"data":698,"content":699},{},[700],{"nodeType":247,"value":701,"marks":702,"data":703},"Learn more about Push Security",[],{},{"nodeType":243,"data":705,"content":706},{},[707],{"nodeType":247,"value":708,"marks":709,"data":710},"The browser represents one of the most significant opportunities in cybersecurity today. As we continue to expand our browser-based security capabilities, we remain committed to this high-fidelity approach. We’re building features that not only detect and prevent attacks but also provide security teams with the rich telemetry they need to develop custom queries and detections.",[],{},{"nodeType":243,"data":712,"content":713},{},[714],{"nodeType":247,"value":715,"marks":716,"data":717},"Push Security’s browser-based security platform provides comprehensive detection and response capabilities against techniques like AiTM phishing, credential stuffing, ClickFixing, malicious browser extensions, and session hijacking using stolen session tokens. You can also use Push to find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more to harden your identity attack surface.",[],{},{"nodeType":243,"data":719,"content":720},{},[721,725,733,737,745],{"nodeType":247,"value":722,"marks":723,"data":724},"To learn more about Push, ",[],{},{"nodeType":326,"data":726,"content":728},{"uri":727},"https://pushsecurity.com/resources/product-brochure",[729],{"nodeType":247,"value":730,"marks":731,"data":732},"check out our latest product overview",[],{},{"nodeType":247,"value":734,"marks":735,"data":736}," or ",[],{},{"nodeType":326,"data":738,"content":740},{"uri":739},"https://pushsecurity.com/demo",[741],{"nodeType":247,"value":742,"marks":743,"data":744},"book some time with one of our team for a live demo",[],{},{"nodeType":247,"value":746,"marks":747,"data":748},".",[],{},{"entries":750},{"hyperlink":751,"inline":752,"block":753},[],[],[754,763,771,778,793,838,844,851],{"sys":755,"__typename":756,"title":757,"caption":758,"layoutMode":62,"file":759},{"id":381},"Image","Account takeover on third-party web app","Modern attack paths usually involve direct in-app compromise following account takeover, skipping several phases (and detection opportunities) in traditional “attack chain” models.",{"url":760,"width":761,"height":762},"https://images.ctfassets.net/y1cdw1ablpvd/3DOQd2fcWYdjMSVBZZvHHU/2cd487cb316aef8acd77e14a1960c391/SaaS_attack_path.png",1362,458,{"sys":764,"__typename":765,"type":766,"ctaText":767,"buttonLabel":768,"buttonColour":769,"buttonUrl":770},{"id":430},"CtaWidget","Custom","Read about \"Scattered Lapsus$ Hunters\", the cybercrime supergroup behind the biggest breaches since 2021. ","Read More","sunny orange","https://pushsecurity.com/blog/scattered-lapsus-hunters/",{"sys":772,"__typename":756,"title":773,"caption":773,"layoutMode":62,"file":774},{"id":463},"Modern attacks start in the browser, and can traverse multiple environments/domains, simultaneously. Not every attack takes the same, linear route through your environment. ",{"url":775,"width":776,"height":777},"https://images.ctfassets.net/y1cdw1ablpvd/5EFB28UzL8aSaZJ18pJKSa/cb7375e4e3ecc7bd7eb5b422fa9cdcd5/image5.png",1999,1102,{"sys":779,"__typename":780,"content":781,"name":792,"title":62},{"id":476},"InsightTextBlockComponent",{"json":782},{"nodeType":239,"data":783,"content":784},{},[785],{"nodeType":243,"data":786,"content":787},{},[788],{"nodeType":247,"value":789,"marks":790,"data":791},"To tackle attacks that are designed to evade traditional detection surfaces and take place mostly over the internet, we must integrate browser telemetry into our detection and response framework, and expand detection engineering and threat hunting processes to incorporate this new dataset. ",[],{},"Fixing SecOps alert fatigue insight box 1",{"sys":794,"__typename":780,"content":795,"name":837,"title":62},{"id":588},{"json":796},{"nodeType":239,"data":797,"content":798},{},[799],{"nodeType":243,"data":800,"content":801},{},[802,805,814,818,823,827,833],{"nodeType":247,"value":29,"marks":803,"data":804},[],{},{"nodeType":326,"data":806,"content":808},{"uri":807},"https://medium.com/starting-up-security/lessons-learned-in-detection-engineering-304aec709856",[809],{"nodeType":247,"value":810,"marks":811,"data":813},"This is what Ryan McGeehan called",[812],{"type":334},{},{"nodeType":247,"value":815,"marks":816,"data":817}," the “Law of the Lever” several years ago, and it still holds true today: The time spent creating a poor quality detection rule will likely create a significant amount of work for someone responding to the follow up alert. ",[],{},{"nodeType":247,"value":819,"marks":820,"data":822},"This doesn’t mean that only high fidelity analytics have value",[821],{"type":291},{},{"nodeType":247,"value":824,"marks":825,"data":826},"; we still need general environment telemetry to test investigative hypotheses and identify new use cases. But we can’t allocate sufficient resources to those tasks while ",[],{},{"nodeType":247,"value":828,"marks":829,"data":832},"also",[830,831],{"type":291},{"type":334},{},{"nodeType":247,"value":834,"marks":835,"data":836}," dealing with low quality alerts.",[],{},"secops article insight box 2",{"sys":839,"__typename":756,"title":840,"caption":840,"layoutMode":62,"file":841},{"id":652},"Being in the browser provides new opportunities to detect and block attacks like phishing.",{"url":842,"width":776,"height":843},"https://images.ctfassets.net/y1cdw1ablpvd/7jo4A0IFI3Z3mLqDki64zz/fb13af5af1443e71a7d113022eda2a62/image4.png",1469,{"sys":845,"__typename":756,"title":846,"caption":847,"layoutMode":62,"file":848},{"id":679},"Defending the browser reduces the risk of breach","Defending the browser reduces the risk of breach by tackling the earliest indicators of attack.",{"url":849,"width":776,"height":850},"https://images.ctfassets.net/y1cdw1ablpvd/2ryvgEISjcNDDvcPEptdzy/ce1bfaf82f09684515fa0e9ecd86f6c3/image1.png",1209,{"sys":852,"__typename":780,"content":853,"name":864,"title":62},{"id":692},{"json":854},{"nodeType":239,"data":855,"content":856},{},[857],{"nodeType":243,"data":858,"content":859},{},[860],{"nodeType":247,"value":861,"marks":862,"data":863},"The psychological impact of this shift cannot be overstated. When analysts know that every alert represents a genuine threat that was successfully mitigated, their job satisfaction increases, burnout decreases, and the overall security posture improves dramatically.",[],{},"secops article insight box 3","json",{"items":867},[],{},"2025-10-07T00:00:00.000Z",{"items":871},[872,1849,2653],{"__typename":873,"sys":874,"content":876,"title":1827,"synopsis":1828,"hashTags":62,"publishedDate":1829,"slug":1830,"tagsCollection":1831,"authorsCollection":1841},"BlogPosts",{"id":875},"2sFCww9xnI8okIxhtOaiY1",{"json":877},{"nodeType":239,"data":878,"content":879},{},[880,887,894,901,904,912,919,926,932,939,945,964,971,983,986,994,1001,1017,1024,1036,1042,1045,1053,1061,1067,1076,1096,1105,1112,1121,1140,1149,1156,1165,1197,1206,1213,1222,1240,1246,1255,1262,1271,1314,1317,1325,1334,1354,1363,1370,1379,1412,1418,1427,1434,1440,1443,1451,1460,1467,1527,1533,1536,1544,1553,1560,1566,1569,1577,1584,1591,1661,1668,1731,1738,1741,1749,1756,1763,1769,1772,1780,1787,1794,1801],{"nodeType":243,"data":881,"content":882},{},[883],{"nodeType":247,"value":884,"marks":885,"data":886},"The biggest cybersecurity story this year (so far) has been the emergence of “Scattered Lapsus$ Hunters” and their record-breaking worldwide hacking spree. ",[],{},{"nodeType":243,"data":888,"content":889},{},[890],{"nodeType":247,"value":891,"marks":892,"data":893},"Scattered Lapsus$ Hunters is part of “The Com”, the name for the broad community of English-speaking cybercriminals with international criminal connections — including with nation-state sponsored groups. They are also known to collaborate with a range of cybercrime “as-a-Service” organizations for phishing, initial access, ransomware, and more. ",[],{},{"nodeType":243,"data":895,"content":896},{},[897],{"nodeType":247,"value":898,"marks":899,"data":900},"It’s difficult to pin down exactly who the individuals are that make up this criminal collective. But what is known is their MO — making money through extortion by means of account takeover, mass data theft, and ransomware deployment. ",[],{},{"nodeType":259,"data":902,"content":903},{},[],{"nodeType":263,"data":905,"content":906},{},[907],{"nodeType":247,"value":908,"marks":909,"data":911},"How did we get here? ",[910],{"type":291},{},{"nodeType":243,"data":913,"content":914},{},[915],{"nodeType":247,"value":916,"marks":917,"data":918},"Earlier this year, the threat group known to most analysts as Scattered Spider (also tracked as 0ktapus, Octo Tempest, Scatter Swine, Muddled Libra, and UNC3944) re-emerged after a series of arrests in late 2024. ",[],{},{"nodeType":243,"data":920,"content":921},{},[922],{"nodeType":247,"value":923,"marks":924,"data":925},"This group has been active in peaks and troughs over the years, but are mainly known for high-profile ransomware attacks on Caesars and MGM Resorts in 2024. ",[],{},{"nodeType":377,"data":927,"content":931},{"target":928},{"sys":929},{"id":930,"type":382,"linkType":383},"1Vt269d7n6IGMzOrJs1FDx",[],{"nodeType":243,"data":933,"content":934},{},[935],{"nodeType":247,"value":936,"marks":937,"data":938},"Scattered Spider hit the headlines again in April 2025 with attacks on UK retailers Marks & Spencer and Co-op, which resulted in significant, prolonged disruption, and a serious downstream impact on the retail supply chain. ",[],{},{"nodeType":377,"data":940,"content":944},{"target":941},{"sys":942},{"id":943,"type":382,"linkType":383},"3kvcGV2zZZUPnM8IK04Y1O",[],{"nodeType":243,"data":946,"content":947},{},[948,952,960],{"nodeType":247,"value":949,"marks":950,"data":951},"It didn’t stop there, though. What followed was a wide-scale campaign targeting Salesforce customers, with the attackers claiming to have stolen ",[],{},{"nodeType":326,"data":953,"content":954},{"uri":415},[955],{"nodeType":247,"value":956,"marks":957,"data":959},"over 1.5 billion records from 1000+ companies",[958],{"type":334},{},{"nodeType":247,"value":961,"marks":962,"data":963}," across multiple verticals, including heavyweights like Google, Cloudflare, Workday, Adidas, FedEx, Disney, LVMH, and many more.",[],{},{"nodeType":243,"data":965,"content":966},{},[967],{"nodeType":247,"value":968,"marks":969,"data":970},"Around this time, the attackers began to refer to themselves as part of a wider collective, assuming the moniker “Scattered Lapsus$ Hunters” (a mash-up of names given by analysts and self-adopted by attackers — Scattered Spider, ShinyHunters, and Lapsus$).",[],{},{"nodeType":243,"data":972,"content":973},{},[974,978],{"nodeType":247,"value":975,"marks":976,"data":977},"The most significant breach this year to-date impacted Jaguar Land Rover. A ransomware attack resulted in months of disruption that directly impacted the UK’s GDP, with the government underwriting a $1.5B loan to alleviate the supply chain impact. ",[],{},{"nodeType":247,"value":979,"marks":980,"data":982},"In fact, this was the most economically consequential cyber attack yet recorded in a G7 economy. ",[981],{"type":291},{},{"nodeType":259,"data":984,"content":985},{},[],{"nodeType":263,"data":987,"content":988},{},[989],{"nodeType":247,"value":990,"marks":991,"data":993},"2025 wasn’t a one-off",[992],{"type":291},{},{"nodeType":243,"data":995,"content":996},{},[997],{"nodeType":247,"value":998,"marks":999,"data":1000},"The developments through 2025 have presented a stronger picture than ever before that cybercriminal operations are heavily interlinked. Groups overlap considerably, and individuals freely move between different cells. ",[],{},{"nodeType":243,"data":1002,"content":1003},{},[1004,1008,1013],{"nodeType":247,"value":1005,"marks":1006,"data":1007},"When we scratch beneath the surface, this is evident in the tactics, techniques and procedures (TTPs) used by these attackers — even stretching as far back as 2021 with the initial rise of Lapsus$. This is not an accident. ",[],{},{"nodeType":247,"value":1009,"marks":1010,"data":1012},"The TTPs used show a conscious move by attackers to move away from environments that are well-protected by traditional security tools. ",[1011],{"type":291},{},{"nodeType":247,"value":1014,"marks":1015,"data":1016},"This means avoiding targeting endpoints with malware, and not relying on software-based exploits. Instead, these attackers look to take over apps and services directly over the internet. ",[],{},{"nodeType":243,"data":1018,"content":1019},{},[1020],{"nodeType":247,"value":1021,"marks":1022,"data":1023},"Most of the time, this is as simple as logging in to a SaaS app, or an enterprise SSO account (e.g. Microsoft, Okta, or Google) and dumping the data. For attackers that want to take it further, they can abuse the sprawl of interconnected apps that make up modern business IT, seeking out specific data or exploitable functionality. Or, they can leverage internet-accessible management portals to chart a path back to your on-premise assets, giving them everything they need to pivot toward more conventional methods such as ransomware deployment. ",[],{},{"nodeType":243,"data":1025,"content":1026},{},[1027,1031],{"nodeType":247,"value":1028,"marks":1029,"data":1030},"When we look at historical breaches, the pattern is clear. ",[],{},{"nodeType":247,"value":1032,"marks":1033,"data":1035},"Not one of the attacks attributed to Scattered Lapsus$ Hunters, or its predecessors, started with an endpoint or network attack — they all began with account takeover. ",[1034],{"type":291},{},{"nodeType":377,"data":1037,"content":1041},{"target":1038},{"sys":1039},{"id":1040,"type":382,"linkType":383},"6poP5VM2ARrEvwKEG42HgK",[],{"nodeType":259,"data":1043,"content":1044},{},[],{"nodeType":263,"data":1046,"content":1047},{},[1048],{"nodeType":247,"value":1049,"marks":1050,"data":1052},"TTP breakdown: Analyzing the top “Scattered Lapsus$ Hunters” breaches since 2021",[1051],{"type":291},{},{"nodeType":386,"data":1054,"content":1055},{},[1056],{"nodeType":247,"value":1057,"marks":1058,"data":1060},"Phishing and stolen credentials",[1059],{"type":291},{},{"nodeType":377,"data":1062,"content":1066},{"target":1063},{"sys":1064},{"id":1065,"type":382,"linkType":383},"4SNOanDIdGZsvRRnMYQVSo",[],{"nodeType":243,"data":1068,"content":1069},{},[1070],{"nodeType":247,"value":1071,"marks":1072,"data":1075},"EA Games (2021)",[1073,1074],{"type":291},{"type":334},{},{"nodeType":243,"data":1077,"content":1078},{},[1079,1083,1092],{"nodeType":247,"value":1080,"marks":1081,"data":1082},"Attackers used stolen session cookies to log into EA’s Slack instance, purchased on a criminal forum. Combined with ",[],{},{"nodeType":326,"data":1084,"content":1086},{"uri":1085},"https://pushsecurity.com/blog/phishing-slack-persistence/",[1087],{"nodeType":247,"value":1088,"marks":1089,"data":1091},"social engineering via Slack",[1090],{"type":334},{},{"nodeType":247,"value":1093,"marks":1094,"data":1095},", this was used to steal 750GB of data, including video game source code. ",[],{},{"nodeType":243,"data":1097,"content":1098},{},[1099],{"nodeType":247,"value":1100,"marks":1101,"data":1104},"Nvidia (2022)",[1102,1103],{"type":291},{"type":334},{},{"nodeType":243,"data":1106,"content":1107},{},[1108],{"nodeType":247,"value":1109,"marks":1110,"data":1111},"Attackers used stolen credentials to steal 1TB of data from Nvidia’s internal shares, including a significant amount of sensitive information about the designs of Nvidia graphics cards, source code, and the usernames and passwords of more than 71,000 Nvidia employees.",[],{},{"nodeType":243,"data":1113,"content":1114},{},[1115],{"nodeType":247,"value":1116,"marks":1117,"data":1120},"Microsoft (2022)",[1118,1119],{"type":291},{"type":334},{},{"nodeType":243,"data":1122,"content":1123},{},[1124,1128,1136],{"nodeType":247,"value":1125,"marks":1126,"data":1127},"Attackers used stolen credentials combined with SIM swapping and ",[],{},{"nodeType":326,"data":1129,"content":1131},{"uri":1130},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/mfa_fatigue/description.md",[1132],{"nodeType":247,"value":1133,"marks":1134,"data":1135},"MFA fatigue",[],{},{"nodeType":247,"value":1137,"marks":1138,"data":1139}," attacks to steal Azure DevOps source code — leaked a 9GB archive of Microsoft source code – including ~90% of Bing and 45% of Cortana code. ",[],{},{"nodeType":243,"data":1141,"content":1142},{},[1143],{"nodeType":247,"value":1144,"marks":1145,"data":1148},"T-Mobile (2022)",[1146,1147],{"type":291},{"type":334},{},{"nodeType":243,"data":1150,"content":1151},{},[1152],{"nodeType":247,"value":1153,"marks":1154,"data":1155},"Attackers used stolen credentials to establish initial access, coupled with social engineering T-Mobile staff into approving the attacker’s device for VPN access. This resulted in source code being stolen from over 30,000 repositories. ",[],{},{"nodeType":243,"data":1157,"content":1158},{},[1159],{"nodeType":247,"value":1160,"marks":1161,"data":1164},"Snowflake (165 customers) (2024)",[1162,1163],{"type":291},{"type":334},{},{"nodeType":243,"data":1166,"content":1167},{},[1168,1172,1180,1184,1193],{"nodeType":247,"value":1169,"marks":1170,"data":1171},"Attackers targeted ",[],{},{"nodeType":326,"data":1173,"content":1174},{"uri":402},[1175],{"nodeType":247,"value":1176,"marks":1177,"data":1179},"165 Snowflake customers",[1178],{"type":334},{},{"nodeType":247,"value":1181,"marks":1182,"data":1183}," using stolen credentials from credential breaches dating back as far as 2020. Due to widespread MFA gaps and the presence of ",[],{},{"nodeType":326,"data":1185,"content":1187},{"uri":1186},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[1188],{"nodeType":247,"value":1189,"marks":1190,"data":1192},"ghost logins",[1191],{"type":334},{},{"nodeType":247,"value":1194,"marks":1195,"data":1196},", attackers were able to simply log in to individual customer tenants, dump the data, and use it to extort the companies. In total, 9 public victims were named following the breach, with over 1B breached customer records. ",[],{},{"nodeType":243,"data":1198,"content":1199},{},[1200],{"nodeType":247,"value":1201,"marks":1202,"data":1205},"PowerSchool (2024)",[1203,1204],{"type":291},{"type":334},{},{"nodeType":243,"data":1207,"content":1208},{},[1209],{"nodeType":247,"value":1210,"marks":1211,"data":1212},"Attackers gained access to a community-focused customer support portal, PowerSource, using compromised credentials and stole data using an \"export data manager\" customer support tool, stealing the data of 62.4 million students and 9.5 million teachers. PowerSchool paid an undisclosed ransom fee, but hackers returned later to extort schools and individuals separately anyway.",[],{},{"nodeType":243,"data":1214,"content":1215},{},[1216],{"nodeType":247,"value":1217,"marks":1218,"data":1221},"Red Hat (2025)",[1219,1220],{"type":291},{"type":334},{},{"nodeType":243,"data":1223,"content":1224},{},[1225,1229,1236],{"nodeType":247,"value":1226,"marks":1227,"data":1228},"Attackers breached Red Hat’s GitLab instance via a compromised account — the result of ",[],{},{"nodeType":326,"data":1230,"content":1231},{"uri":1186},[1232],{"nodeType":247,"value":1189,"marks":1233,"data":1235},[1234],{"type":334},{},{"nodeType":247,"value":1237,"marks":1238,"data":1239}," providing a backdoor to access an otherwise secure, SSO-connected account. Stolen data included approximately 800 Customer Engagement Reports (CERs), authentication tokens, full database URIs, and other private information in Red Hat code and CERs, which they claimed to use to gain access to downstream customer infrastructure. ",[],{},{"nodeType":377,"data":1241,"content":1245},{"target":1242},{"sys":1243},{"id":1244,"type":382,"linkType":383},"G1V7d5Dvevmr9p0YXElPX",[],{"nodeType":243,"data":1247,"content":1248},{},[1249],{"nodeType":247,"value":1250,"marks":1251,"data":1254},"Discord (2025)",[1252,1253],{"type":291},{"type":334},{},{"nodeType":243,"data":1256,"content":1257},{},[1258],{"nodeType":247,"value":1259,"marks":1260,"data":1261},"Attackers compromised a Zendesk customer support account, stealing 1.6TB of data. The hackers say this consisted of roughly 8.4 million tickets affecting 5.5 million unique users, and that about 580,000 users contained payment information.",[],{},{"nodeType":243,"data":1263,"content":1264},{},[1265],{"nodeType":247,"value":1266,"marks":1267,"data":1270},"SoundCloud, MatchGroup, Crunchbase, Betterment... (2026)",[1268,1269],{"type":291},{"type":334},{},{"nodeType":243,"data":1272,"content":1273},{},[1274,1278,1286,1290,1298,1302,1310],{"nodeType":247,"value":1275,"marks":1276,"data":1277},"Scattered Lapsus$ Hunters have already claimed several public victims in 2026, with over 60 million breached records. ",[],{},{"nodeType":326,"data":1279,"content":1281},{"uri":1280},"https://www.bleepingcomputer.com/news/security/shinyhunters-claim-to-be-behind-sso-account-data-theft-attacks/",[1282],{"nodeType":247,"value":1283,"marks":1284,"data":1285},"SoundCloud, Betterment, Crunchbase",[],{},{"nodeType":247,"value":1287,"marks":1288,"data":1289}," and ",[],{},{"nodeType":326,"data":1291,"content":1293},{"uri":1292},"https://www.bleepingcomputer.com/news/security/match-group-breach-exposes-data-from-hinge-tinder-okcupid-and-match/",[1294],{"nodeType":247,"value":1295,"marks":1296,"data":1297},"MatchGroup",[],{},{"nodeType":247,"value":1299,"marks":1300,"data":1301}," have all reported breaches this month, powered by a brand ",[],{},{"nodeType":326,"data":1303,"content":1305},{"uri":1304},"https://pushsecurity.com/blog/unpacking-the-latest-slh-campaign/",[1306],{"nodeType":247,"value":1307,"marks":1308,"data":1309},"new real-time-operated AiTM phishing kit",[],{},{"nodeType":247,"value":1311,"marks":1312,"data":1313}," targeting Okta, Entra, and Google SSO accounts. This is a developing situation, with more victims expected to be announced publicly soon.",[],{},{"nodeType":259,"data":1315,"content":1316},{},[],{"nodeType":386,"data":1318,"content":1319},{},[1320],{"nodeType":247,"value":1321,"marks":1322,"data":1324},"Vishing and help desk scams",[1323],{"type":291},{},{"nodeType":243,"data":1326,"content":1327},{},[1328],{"nodeType":247,"value":1329,"marks":1330,"data":1333},"MGM Resorts & Caesars (2023)",[1331,1332],{"type":291},{"type":334},{},{"nodeType":243,"data":1335,"content":1336},{},[1337,1341,1350],{"nodeType":247,"value":1338,"marks":1339,"data":1340},"MGM Resorts and Caesars were hit with twin breaches in 2023. Attackers socially engineered help desk personnel to take over accounts with Super Administrator privileges within MGM Resorts’ Okta tenant, which they then used to register a second, attacker-controlled IdP via ",[],{},{"nodeType":326,"data":1342,"content":1344},{"uri":1343},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/inbound_federation/description.md",[1345],{"nodeType":247,"value":1346,"marks":1347,"data":1349},"inbound federation",[1348],{"type":334},{},{"nodeType":247,"value":1351,"marks":1352,"data":1353}," — granting comprehensive access that was used to deploy ransomware. ",[],{},{"nodeType":243,"data":1355,"content":1356},{},[1357],{"nodeType":247,"value":1358,"marks":1359,"data":1362},"Transport for London (2024)",[1360,1361],{"type":291},{"type":334},{},{"nodeType":243,"data":1364,"content":1365},{},[1366],{"nodeType":247,"value":1367,"marks":1368,"data":1369},"Attackers socially engineered the Transport for London help desk to gain privileged access to the IT environment, resulting in prolonged disruption to key online services underpinning London’s public transport network, theft of 5,000 users bank details, and all 30,000 staff members having to reset their online credentials in person.",[],{},{"nodeType":243,"data":1371,"content":1372},{},[1373],{"nodeType":247,"value":1374,"marks":1375,"data":1378},"Marks & Spencer (2025)",[1376,1377],{"type":291},{"type":334},{},{"nodeType":243,"data":1380,"content":1381},{},[1382,1386,1395,1399,1408],{"nodeType":247,"value":1383,"marks":1384,"data":1385},"Attackers compromised a Microsoft Entra account belonging to a privileged user via a ",[],{},{"nodeType":326,"data":1387,"content":1389},{"uri":1388},"https://pushsecurity.com/blog/scattered-spider-defending-against-help-desk-scams/",[1390],{"nodeType":247,"value":1391,"marks":1392,"data":1394},"help desk scam",[1393],{"type":334},{},{"nodeType":247,"value":1396,"marks":1397,"data":1398},", which enabled them to steal sensitive data from cloud environments, as well as pivot to deploy ransomware via the ",[],{},{"nodeType":326,"data":1400,"content":1402},{"uri":1401},"https://cloud.google.com/blog/topics/threat-intelligence/vsphere-active-directory-integration-risks",[1403],{"nodeType":247,"value":1404,"marks":1405,"data":1407},"VMware admin console",[1406],{"type":334},{},{"nodeType":247,"value":1409,"marks":1410,"data":1411},". This enabled ransomware to be deployed at the hypervisor layer, evading host-based protections like EDR. ",[],{},{"nodeType":377,"data":1413,"content":1417},{"target":1414},{"sys":1415},{"id":1416,"type":382,"linkType":383},"7hBdHG74NaA3bQfOMpYA9o",[],{"nodeType":243,"data":1419,"content":1420},{},[1421],{"nodeType":247,"value":1422,"marks":1423,"data":1426},"Jaguar Land Rover (2025)",[1424,1425],{"type":291},{"type":334},{},{"nodeType":243,"data":1428,"content":1429},{},[1430],{"nodeType":247,"value":1431,"marks":1432,"data":1433},"Attackers compromised highly privileged admin accounts via a help desk scam, which they leveraged to access and deploy ransomware to all aspects of Jaguar’s business, from CAD and engineering software, to payments tracking, to customer car delivery, using similar techniques to the Marks & Spencer breach. ",[],{},{"nodeType":377,"data":1435,"content":1439},{"target":1436},{"sys":1437},{"id":1438,"type":382,"linkType":383},"6s1X2fo4K9EeVLBmHm4YXb",[],{"nodeType":259,"data":1441,"content":1442},{},[],{"nodeType":386,"data":1444,"content":1445},{},[1446],{"nodeType":247,"value":1447,"marks":1448,"data":1450},"Malicious OAuth integrations",[1449],{"type":291},{},{"nodeType":243,"data":1452,"content":1453},{},[1454],{"nodeType":247,"value":1455,"marks":1456,"data":1459},"Salesforce & Salesloft (1000+ customers) (2025)",[1457,1458],{"type":291},{"type":334},{},{"nodeType":243,"data":1461,"content":1462},{},[1463],{"nodeType":247,"value":1464,"marks":1465,"data":1466},"A vast campaign against Salesforce customers resulted in the compromise of 1000+ Salesforce tenants (according to the attacker) with more than 1.5 billion records stolen. This campaign can consisted of three phases:",[],{},{"nodeType":533,"data":1468,"content":1469},{},[1470,1485,1500],{"nodeType":537,"data":1471,"content":1472},{},[1473],{"nodeType":243,"data":1474,"content":1475},{},[1476,1481],{"nodeType":247,"value":1477,"marks":1478,"data":1480},"Phase 1:",[1479],{"type":291},{},{"nodeType":247,"value":1482,"marks":1483,"data":1484}," The attacker conducted a large-scale vishing campaign against Salesforce customers, calling up users and socially engineering them into connecting a malicious version of the “Data Loader” app into their tenant. This was in fact an attacker-controlled app that enabled data to be mass-exfiltrated via API. ",[],{},{"nodeType":537,"data":1486,"content":1487},{},[1488],{"nodeType":243,"data":1489,"content":1490},{},[1491,1496],{"nodeType":247,"value":1492,"marks":1493,"data":1495},"Phase 2: ",[1494],{"type":291},{},{"nodeType":247,"value":1497,"marks":1498,"data":1499},"The attacker conducted a supply-chain compromise against customers of Salesloft. Users of Salesloft’s “Drift” integration were impacted by attackers stealing access tokens from Salesloft’s AWS environment. This integration allowed the attacker to steal data from customers that had deployed Drift to connected environments — namely, Salesforce, and Google Workspace. ",[],{},{"nodeType":537,"data":1501,"content":1502},{},[1503],{"nodeType":243,"data":1504,"content":1505},{},[1506,1511,1515,1523],{"nodeType":247,"value":1507,"marks":1508,"data":1510},"Phase 3:",[1509],{"type":291},{},{"nodeType":247,"value":1512,"marks":1513,"data":1514}," The attacker then conducted a separate supply-chain compromise involving Gainsight (allegedly using OAuth tokens stolen in the Salesloft attack) which enabled them to ",[],{},{"nodeType":326,"data":1516,"content":1518},{"uri":1517},"https://www.bleepingcomputer.com/news/security/salesforce-investigates-customer-data-theft-via-gainsight-breach/",[1519],{"nodeType":247,"value":1520,"marks":1521,"data":1522},"breach a further 285 Salesforce instances",[],{},{"nodeType":247,"value":1524,"marks":1525,"data":1526}," using stolen OAuth tokens from Gainsight's integrations. ",[],{},{"nodeType":377,"data":1528,"content":1532},{"target":1529},{"sys":1530},{"id":1531,"type":382,"linkType":383},"3TwjpVKQ42SwQRhvGFbZdn",[],{"nodeType":259,"data":1534,"content":1535},{},[],{"nodeType":386,"data":1537,"content":1538},{},[1539],{"nodeType":247,"value":1540,"marks":1541,"data":1543},"Malicious browser extensions",[1542],{"type":291},{},{"nodeType":243,"data":1545,"content":1546},{},[1547],{"nodeType":247,"value":1548,"marks":1549,"data":1552},"CyberHaven (2024)",[1550,1551],{"type":291},{"type":334},{},{"nodeType":243,"data":1554,"content":1555},{},[1556],{"nodeType":247,"value":1557,"marks":1558,"data":1559},"Hackers phished a CyberHaven extension developer and uploaded a malicious version of the CyberHaven extension to the Chrome Web Store, leading to customer data breaches where installed in user browsers, impacting CyberHaven’s estimated ~400 business customers. This was part of a broader campaign that targeted 35 Chrome extensions, collectively impacting over 2.5 million users.",[],{},{"nodeType":377,"data":1561,"content":1565},{"target":1562},{"sys":1563},{"id":1564,"type":382,"linkType":383},"4ErDI0xi0Vj2Zrk8Qsb2NB",[],{"nodeType":259,"data":1567,"content":1568},{},[],{"nodeType":263,"data":1570,"content":1571},{},[1572],{"nodeType":247,"value":1573,"marks":1574,"data":1576},"The bigger picture",[1575],{"type":291},{},{"nodeType":243,"data":1578,"content":1579},{},[1580],{"nodeType":247,"value":1581,"marks":1582,"data":1583},"Scattered Lapsus$ Hunters are dominating the headlines right now, but they aren’t the only attackers using these modern techniques and consciously evading established security controls. ",[],{},{"nodeType":243,"data":1585,"content":1586},{},[1587],{"nodeType":247,"value":1588,"marks":1589,"data":1590},"Threat reports agree that attackers are steering away from traditional exploit and malware-driven breaches towards identities:",[],{},{"nodeType":533,"data":1592,"content":1593},{},[1594,1617,1639],{"nodeType":537,"data":1595,"content":1596},{},[1597],{"nodeType":243,"data":1598,"content":1599},{},[1600,1604,1613],{"nodeType":247,"value":1601,"marks":1602,"data":1603},"Identity-based attacks surged 32% in the last year, while 97% of identity attacks are password-based, driven by credential leaks and infostealer malware. (",[],{},{"nodeType":326,"data":1605,"content":1607},{"uri":1606},"https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/microsoft/msc/documents/presentations/CSR/Microsoft-Digital-Defense-Report-2025.pdf#page=1",[1608],{"nodeType":247,"value":1609,"marks":1610,"data":1612},"Microsoft",[1611],{"type":334},{},{"nodeType":247,"value":1614,"marks":1615,"data":1616},")",[],{},{"nodeType":537,"data":1618,"content":1619},{},[1620],{"nodeType":243,"data":1621,"content":1622},{},[1623,1627,1636],{"nodeType":247,"value":1624,"marks":1625,"data":1626},"79% of detections were malware-free in the last year, up from 40% in 2019. (",[],{},{"nodeType":326,"data":1628,"content":1630},{"uri":1629},"https://www.crowdstrike.com/en-gb/global-threat-report/",[1631],{"nodeType":247,"value":1632,"marks":1633,"data":1635},"CrowdStrike",[1634],{"type":334},{},{"nodeType":247,"value":1614,"marks":1637,"data":1638},[],{},{"nodeType":537,"data":1640,"content":1641},{},[1642],{"nodeType":243,"data":1643,"content":1644},{},[1645,1649,1658],{"nodeType":247,"value":1646,"marks":1647,"data":1648},"Credential abuse and phishing combined accounted for 38% of breaches, making identity the primary breach vector observed. (",[],{},{"nodeType":326,"data":1650,"content":1652},{"uri":1651},"https://www.verizon.com/business/resources/reports/dbir/",[1653],{"nodeType":247,"value":1654,"marks":1655,"data":1657},"Verizon",[1656],{"type":334},{},{"nodeType":247,"value":1614,"marks":1659,"data":1660},[],{},{"nodeType":243,"data":1662,"content":1663},{},[1664],{"nodeType":247,"value":1665,"marks":1666,"data":1667},"And other public breaches from this year alone demonstrate similar TTPs from outside of the Scattered Lapsus$ Hunters orbit:",[],{},{"nodeType":533,"data":1669,"content":1670},{},[1671,1686,1701,1716],{"nodeType":537,"data":1672,"content":1673},{},[1674],{"nodeType":243,"data":1675,"content":1676},{},[1677,1682],{"nodeType":247,"value":1678,"marks":1679,"data":1681},"Nikkei",[1680],{"type":291},{},{"nodeType":247,"value":1683,"marks":1684,"data":1685},": Japanese publishing giant Nikkei’s Slack messaging platform was compromised using stolen credentials, leaking the names, email addresses, and chat histories for 17,368 individuals registered on Slack.",[],{},{"nodeType":537,"data":1687,"content":1688},{},[1689],{"nodeType":243,"data":1690,"content":1691},{},[1692,1697],{"nodeType":247,"value":1693,"marks":1694,"data":1696},"Evertec",[1695],{"type":291},{},{"nodeType":247,"value":1698,"marks":1699,"data":1700},": Hackers tried to steal $130 million from Evertec’s Brazilian subsidiary Sinqia S.A.after gaining unauthorized access to its environment on the central bank’s real-time payment system (Pix) using stolen credentials.",[],{},{"nodeType":537,"data":1702,"content":1703},{},[1704],{"nodeType":243,"data":1705,"content":1706},{},[1707,1712],{"nodeType":247,"value":1708,"marks":1709,"data":1711},"Hy-Vee:",[1710],{"type":291},{},{"nodeType":247,"value":1713,"marks":1714,"data":1715}," Was hit with a data breach after hackers logged in with stolen credentials, exposing 53GB of sensitive data.",[],{},{"nodeType":537,"data":1717,"content":1718},{},[1719],{"nodeType":243,"data":1720,"content":1721},{},[1722,1727],{"nodeType":247,"value":1723,"marks":1724,"data":1726},"Scania: ",[1725],{"type":291},{},{"nodeType":247,"value":1728,"marks":1729,"data":1730},"Automotive giant Scania confirmed it suffered a cybersecurity incident where threat actors used compromised credentials to breach its Financial Services systems and steal insurance claim documents.",[],{},{"nodeType":243,"data":1732,"content":1733},{},[1734],{"nodeType":247,"value":1735,"marks":1736,"data":1737},"Scattered Lapsus$ Hunters may be grabbing the headlines — but this a huge movement in a vast and flexible community of attackers. And criminals around the world are learning from their success. ",[],{},{"nodeType":259,"data":1739,"content":1740},{},[],{"nodeType":263,"data":1742,"content":1743},{},[1744],{"nodeType":247,"value":1745,"marks":1746,"data":1748},"Lessons learned",[1747],{"type":291},{},{"nodeType":243,"data":1750,"content":1751},{},[1752],{"nodeType":247,"value":1753,"marks":1754,"data":1755},"The common thread with all of these attacks is that they are evading established security controls by targeting applications directly, over the internet, via account takeover.",[],{},{"nodeType":243,"data":1757,"content":1758},{},[1759],{"nodeType":247,"value":1760,"marks":1761,"data":1762},"Clearly, the success of these attacks shows the limitations of multiple control layers. Endpoint and network layer controls have no visibility of this attack surface. Identity-focused controls are being undermined by ghost logins and shadow IT. And the limitations of cloud security controls in their ability to encompass all apps, and detect and stop malicious actions in real-time (that often blend in seamlessly with normal user activity). ",[],{},{"nodeType":377,"data":1764,"content":1768},{"target":1765},{"sys":1766},{"id":1767,"type":382,"linkType":383},"4Dg3fZEGf7ShyQJ8jlNDME",[],{"nodeType":259,"data":1770,"content":1771},{},[],{"nodeType":263,"data":1773,"content":1774},{},[1775],{"nodeType":247,"value":1776,"marks":1777,"data":1779},"How Push can help",[1778],{"type":291},{},{"nodeType":243,"data":1781,"content":1782},{},[1783],{"nodeType":247,"value":1784,"marks":1785,"data":1786},"Stopping attacks that are designed to evade established controls is in our DNA — it’s the reason Push was founded. ",[],{},{"nodeType":243,"data":1788,"content":1789},{},[1790],{"nodeType":247,"value":1791,"marks":1792,"data":1793},"The browser is the gateway to to the apps and identities that attackers are now targeting, with many attacks taking place inside the user’s browser — whether that’s entering credentials onto a phishing page, approving a malicious OAuth grant, installing a risky browser extension, or insecurely accessing an app with a weak password and no MFA. ",[],{},{"nodeType":243,"data":1795,"content":1796},{},[1797],{"nodeType":247,"value":1798,"marks":1799,"data":1800},"Push’s browser-based security platform provides comprehensive detection and response capabilities against attacks like AiTM phishing, credential stuffing, malicious browser extensions, malicious OAuth grants, ClickFix, and session hijacking. You don’t need to wait until it all goes wrong either — you can use Push to proactively find and fix vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, and more to harden your attack surface.",[],{},{"nodeType":243,"data":1802,"content":1803},{},[1804,1807,1814,1817,1824],{"nodeType":247,"value":722,"marks":1805,"data":1806},[],{},{"nodeType":326,"data":1808,"content":1809},{"uri":727},[1810],{"nodeType":247,"value":730,"marks":1811,"data":1813},[1812],{"type":334},{},{"nodeType":247,"value":734,"marks":1815,"data":1816},[],{},{"nodeType":326,"data":1818,"content":1819},{"uri":739},[1820],{"nodeType":247,"value":742,"marks":1821,"data":1823},[1822],{"type":334},{},{"nodeType":247,"value":746,"marks":1825,"data":1826},[],{},"\"Scattered Lapsus$ Hunters\" — how modern attackers exploit the gaps in your security stack ","How Scattered Lapsus$ Hunters breaches demonstrate the evolution of attacker TTPs, shaping the future of cyber attacks.","2025-11-13T00:00:00.000Z","scattered-lapsus-hunters",{"items":1832},[1833,1837],{"sys":1834,"name":1836},{"id":1835},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"sys":1838,"name":1840},{"id":1839},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"items":1842},[1843],{"fullName":1844,"firstName":1845,"jobTitle":1846,"profilePicture":1847},"Dan Green","Dan","Threat Research",{"url":1848},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"__typename":873,"sys":1850,"content":1852,"title":2639,"synopsis":2640,"hashTags":62,"publishedDate":2641,"slug":2642,"tagsCollection":2643,"authorsCollection":2649},{"id":1851},"31m73YMGdCyqVmjHulBwER",{"json":1853},{"nodeType":239,"data":1854,"content":1855},{},[1856,1863,1896,1903,1909,1916,1948,1955,1961,1964,1972,1979,1986,2045,2063,2075,2082,2088,2091,2099,2115,2121,2128,2134,2141,2179,2185,2188,2196,2203,2210,2338,2344,2375,2382,2385,2393,2400,2407,2449,2477,2484,2560,2566,2569,2577,2584,2604,2607,2615,2622],{"nodeType":243,"data":1857,"content":1858},{},[1859],{"nodeType":247,"value":1860,"marks":1861,"data":1862},"Until recently, the cyber attacker methodology behind the biggest breaches of the last decade or so has been pretty consistent:",[],{},{"nodeType":533,"data":1864,"content":1865},{},[1866,1876,1886],{"nodeType":537,"data":1867,"content":1868},{},[1869],{"nodeType":243,"data":1870,"content":1871},{},[1872],{"nodeType":247,"value":1873,"marks":1874,"data":1875},"Compromise an endpoint via software exploit, or social engineering a user to run malware on their device; ",[],{},{"nodeType":537,"data":1877,"content":1878},{},[1879],{"nodeType":243,"data":1880,"content":1881},{},[1882],{"nodeType":247,"value":1883,"marks":1884,"data":1885},"Find ways to move laterally inside the network and compromise privileged identities;",[],{},{"nodeType":537,"data":1887,"content":1888},{},[1889],{"nodeType":243,"data":1890,"content":1891},{},[1892],{"nodeType":247,"value":1893,"marks":1894,"data":1895},"Repeat as needed until you can execute your desired attack — usually stealing data from file shares, deploying ransomware, or both. ",[],{},{"nodeType":243,"data":1897,"content":1898},{},[1899],{"nodeType":247,"value":1900,"marks":1901,"data":1902},"But attacks have fundamentally changed as networks have evolved. With the SaaS-ification of enterprise IT, core business systems aren’t locally deployed and centrally managed in the way they used to be. Instead, they’re logged into over the internet, via a web browser.",[],{},{"nodeType":377,"data":1904,"content":1908},{"target":1905},{"sys":1906},{"id":1907,"type":382,"linkType":383},"4h4hUYAghbZavOwjRTnBe2",[],{"nodeType":243,"data":1910,"content":1911},{},[1912],{"nodeType":247,"value":1913,"marks":1914,"data":1915},"Under the shared responsibility model, the part that’s left to the business consuming a SaaS service is mostly constrained to how they manage identities — the vehicle by which the app is accessed and used by the workforce. It’s no surprise that this has become the soft underbelly in the crosshairs of attackers. ",[],{},{"nodeType":243,"data":1917,"content":1918},{},[1919,1923,1931,1935,1944],{"nodeType":247,"value":1920,"marks":1921,"data":1922},"We’ve seen this time and again in the biggest breaches of recent years, with the highlights including the massive ",[],{},{"nodeType":326,"data":1924,"content":1925},{"uri":402},[1926],{"nodeType":247,"value":1927,"marks":1928,"data":1930},"Snowflake campaign in 2024",[1929],{"type":334},{},{"nodeType":247,"value":1932,"marks":1933,"data":1934}," and the ",[],{},{"nodeType":326,"data":1936,"content":1938},{"uri":1937},"https://pushsecurity.com/blog/key-takeaways-from-the-scattered-spider-attacks-on-insurance-firms/",[1939],{"nodeType":247,"value":1940,"marks":1941,"data":1943},"2025 crime wave attributed to Scattered Spider",[1942],{"type":334},{},{"nodeType":247,"value":1945,"marks":1946,"data":1947},".   ",[],{},{"nodeType":243,"data":1949,"content":1950},{},[1951],{"nodeType":247,"value":1952,"marks":1953,"data":1954},"These attacks are so successful because while attackers have moved with the changes to enterprise IT, security hasn’t really kept up. ",[],{},{"nodeType":377,"data":1956,"content":1960},{"target":1957},{"sys":1958},{"id":1959,"type":382,"linkType":383},"xH0ZqgKQXCRRZGYVs6xt6",[],{"nodeType":259,"data":1962,"content":1963},{},[],{"nodeType":263,"data":1965,"content":1966},{},[1967],{"nodeType":247,"value":1968,"marks":1969,"data":1971},"The browser is the new battleground — and a security blind spot",[1970],{"type":291},{},{"nodeType":243,"data":1973,"content":1974},{},[1975],{"nodeType":247,"value":1976,"marks":1977,"data":1978},"Taking over workforce identities is the first objective for attackers looking to target an organization, and the browser is the place where the attacks against users happen. This is because it’s where these digital identities are created and used — and their credentials and sessions live. This is what the attacker wants to get their hands on. ",[],{},{"nodeType":243,"data":1980,"content":1981},{},[1982],{"nodeType":247,"value":1983,"marks":1984,"data":1985},"Stolen credentials can be used as part of targeted attacks or in broader credential stuffing (cycling known username and credential pairs against various apps and platforms), while stolen session tokens can be used to log in directly to an active session, bypassing the authentication process. ",[],{},{"nodeType":243,"data":1987,"content":1988},{},[1989,1993,1998,2002,2007,2011,2016,2019,2024,2027,2032,2036,2041],{"nodeType":247,"value":1990,"marks":1991,"data":1992},"There are a few different techniques that attackers can use to get access to these identities. Attackers harvest stolen credentials from various places — ",[],{},{"nodeType":247,"value":1994,"marks":1995,"data":1997},"data breach dumps",[1996],{"type":291},{},{"nodeType":247,"value":1999,"marks":2000,"data":2001},", ",[],{},{"nodeType":247,"value":2003,"marks":2004,"data":2006},"mass",[2005],{"type":291},{},{"nodeType":247,"value":2008,"marks":2009,"data":2010}," ",[],{},{"nodeType":247,"value":2012,"marks":2013,"data":2015},"credential",[2014],{"type":291},{},{"nodeType":247,"value":2008,"marks":2017,"data":2018},[],{},{"nodeType":247,"value":2020,"marks":2021,"data":2023},"phishing campaigns,",[2022],{"type":291},{},{"nodeType":247,"value":2008,"marks":2025,"data":2026},[],{},{"nodeType":247,"value":2028,"marks":2029,"data":2031},"infostealer logs",[2030],{"type":291},{},{"nodeType":247,"value":2033,"marks":2034,"data":2035},", even ",[],{},{"nodeType":247,"value":2037,"marks":2038,"data":2040},"malicious browser extensions",[2039],{"type":291},{},{"nodeType":247,"value":2042,"marks":2043,"data":2044}," that they’ve tricked an employee into installing. In fact, the cyber crime ecosystem itself has shifted on its axis to cater to this, with hackers specifically taking on the role of harvesting credentials and establishing account access for others to exploit. ",[],{},{"nodeType":243,"data":2046,"content":2047},{},[2048,2052,2059],{"nodeType":247,"value":2049,"marks":2050,"data":2051},"The high-profile ",[],{},{"nodeType":326,"data":2053,"content":2054},{"uri":402},[2055],{"nodeType":247,"value":405,"marks":2056,"data":2058},[2057],{"type":334},{},{"nodeType":247,"value":2060,"marks":2061,"data":2062}," breaches in 2024 signalled a watershed moment in the shift to identity-driven breaches, where attackers logged into accounts across hundreds of customer tenants using stolen credentials. One of the primary sources of the stolen credentials used in the attacks were infostealer logs dating back to 2020 — breached passwords that hadn’t been rotated or mitigated with MFA. ",[],{},{"nodeType":243,"data":2064,"content":2065},{},[2066,2070],{"nodeType":247,"value":2067,"marks":2068,"data":2069},"Infostealers are notable because they’re an endpoint malware attack designed to harvest credentials and session tokens (often from the browser) to enable the attacker to then log into those services… through their own web browser. ",[],{},{"nodeType":247,"value":2071,"marks":2072,"data":2074},"So, even today’s endpoint attacks are seeing the attacker pivot back into the browser in order to get to identities — the key to the online apps and services where exploitable data and functionality now resides. ",[2073],{"type":291},{},{"nodeType":243,"data":2076,"content":2077},{},[2078],{"nodeType":247,"value":2079,"marks":2080,"data":2081},"The problem here is that this is a blind spot for the security tools we’re currently reliant upon — which don’t have the fine-grained visibility required. This is very similar to the challenge that the industry faced prior to the introduction of EDR in the 2010s — the main sources of data are looking from the outside-in, lacking the process-level visibility and context to be able to detect and stop attacks as they happen.",[],{},{"nodeType":377,"data":2083,"content":2087},{"target":2084},{"sys":2085},{"id":2086,"type":382,"linkType":383},"2qoMH6qCNJc7it7sTuKl4F",[],{"nodeType":259,"data":2089,"content":2090},{},[],{"nodeType":263,"data":2092,"content":2093},{},[2094],{"nodeType":247,"value":2095,"marks":2096,"data":2098},"Identity is the prize, browser is the platform — and phishing is the weapon of choice",[2097],{"type":291},{},{"nodeType":243,"data":2100,"content":2101},{},[2102,2106,2111],{"nodeType":247,"value":2103,"marks":2104,"data":2105},"But the technique that’s STILL driving the most impactful identity-driven breaches? ",[],{},{"nodeType":247,"value":2107,"marks":2108,"data":2110},"It’s phishing",[2109],{"type":291},{},{"nodeType":247,"value":2112,"marks":2113,"data":2114},". Phishing for credentials, sessions, OAuth consent, authorization codes. Phishing via email, instant messenger, social media, malicious Google ads… it all happens in, or leads to, the browser. ",[],{},{"nodeType":377,"data":2116,"content":2120},{"target":2117},{"sys":2118},{"id":2119,"type":382,"linkType":383},"6Gsd3G0sOibNxgVLimb2wV",[],{"nodeType":243,"data":2122,"content":2123},{},[2124],{"nodeType":247,"value":2125,"marks":2126,"data":2127},"And modern phishing attacks are more effective than ever. Today, phishing operates on an industrial scale, using an array of obfuscation and detection evasion techniques to block email and network security tools from intercepting them. Probably the most common example today is the use of bot protection (think CAPTCHA or Cloudflare Turnstile), using legitimate anti-spam features to block security tools. ",[],{},{"nodeType":377,"data":2129,"content":2133},{"target":2130},{"sys":2131},{"id":2132,"type":382,"linkType":383},"6M1My4lSKItu6Qdv4hO1RA",[],{"nodeType":243,"data":2135,"content":2136},{},[2137],{"nodeType":247,"value":2138,"marks":2139,"data":2140},"The latest generation of fully customized AitM phishing kits are dynamically obfuscating the code that loads the web page, implementing custom CAPTCHA, and using runtime anti-analysis features, making them increasingly difficult to detect. The ways in which links are delivered has also increased in sophistication, with more delivery channels (as we showed above) and the use of legitimate SaaS services for camouflage. ",[],{},{"nodeType":243,"data":2142,"content":2143},{},[2144,2148,2153,2157,2162,2166,2175],{"nodeType":247,"value":2145,"marks":2146,"data":2147},"And the latest trends indicate that attackers are responding to increasingly hardened IdP/SSO configuration by exploiting alternative phishing techniques that ",[],{},{"nodeType":247,"value":2149,"marks":2150,"data":2152},"circumvent MFA and passkeys",[2151],{"type":291},{},{"nodeType":247,"value":2154,"marks":2155,"data":2156},", most commonly by ",[],{},{"nodeType":247,"value":2158,"marks":2159,"data":2161},"downgrading to a phishable backup authentication method",[2160],{"type":291},{},{"nodeType":247,"value":2163,"marks":2164,"data":2165}," — which you can see in action below, and ",[],{},{"nodeType":326,"data":2167,"content":2169},{"uri":2168},"https://pushsecurity.com/blog/mfa-downgrade-attacks/",[2170],{"nodeType":247,"value":2171,"marks":2172,"data":2174},"read more about here",[2173],{"type":334},{},{"nodeType":247,"value":2176,"marks":2177,"data":2178},".  ",[],{},{"nodeType":377,"data":2180,"content":2184},{"target":2181},{"sys":2182},{"id":2183,"type":382,"linkType":383},"54I3YQ2gK26a8FIocQ3WYT",[],{"nodeType":259,"data":2186,"content":2187},{},[],{"nodeType":263,"data":2189,"content":2190},{},[2191],{"nodeType":247,"value":2192,"marks":2193,"data":2195},"Identities are the lowest-hanging fruit for attackers to aim for",[2194],{"type":291},{},{"nodeType":243,"data":2197,"content":2198},{},[2199],{"nodeType":247,"value":2200,"marks":2201,"data":2202},"The goal of the modern attacker, and the easiest way into your business’s digital environment, is to compromise identities. Whether you’re dealing with phishing attacks, malicious browser extensions, or infostealer malware, the objective remains the same — account takeover. ",[],{},{"nodeType":243,"data":2204,"content":2205},{},[2206],{"nodeType":247,"value":2207,"marks":2208,"data":2209},"Organizations are dealing with a vast and vulnerable attack surface consisting of:",[],{},{"nodeType":533,"data":2211,"content":2212},{},[2213,2235,2256,2278],{"nodeType":537,"data":2214,"content":2215},{},[2216],{"nodeType":243,"data":2217,"content":2218},{},[2219,2222,2231],{"nodeType":247,"value":29,"marks":2220,"data":2221},[],{},{"nodeType":326,"data":2223,"content":2225},{"uri":2224},"https://pushsecurity.com/blog/how-many-vulnerable-identities-do-you-have/",[2226],{"nodeType":247,"value":2227,"marks":2228,"data":2230},"Hundreds of applications, with thousands of accounts",[2229],{"type":334},{},{"nodeType":247,"value":2232,"marks":2233,"data":2234}," spread across the app estate.",[],{},{"nodeType":537,"data":2236,"content":2237},{},[2238],{"nodeType":243,"data":2239,"content":2240},{},[2241,2245,2253],{"nodeType":247,"value":2242,"marks":2243,"data":2244},"Accounts vulnerable to MFA-bypass phishing kits, because they are using a login method that is not phishing-resistant, or because ",[],{},{"nodeType":326,"data":2246,"content":2247},{"uri":2168},[2248],{"nodeType":247,"value":2249,"marks":2250,"data":2252},"the login method can be downgraded",[2251],{"type":334},{},{"nodeType":247,"value":746,"marks":2254,"data":2255},[],{},{"nodeType":537,"data":2257,"content":2258},{},[2259],{"nodeType":243,"data":2260,"content":2261},{},[2262,2266,2274],{"nodeType":247,"value":2263,"marks":2264,"data":2265},"Accounts with a weak, reused, or breached password and no MFA altogether (usually the result of a forgotten-about ",[],{},{"nodeType":326,"data":2267,"content":2268},{"uri":1186},[2269],{"nodeType":247,"value":2270,"marks":2271,"data":2273},"ghost login",[2272],{"type":334},{},{"nodeType":247,"value":2275,"marks":2276,"data":2277},").",[],{},{"nodeType":537,"data":2279,"content":2280},{},[2281],{"nodeType":243,"data":2282,"content":2283},{},[2284,2288,2297,2300,2309,2313,2322,2325,2334],{"nodeType":247,"value":2285,"marks":2286,"data":2287},"Bypassing the authentication process entirely to evade otherwise phishing-resistant authentication methods, by abusing features like ",[],{},{"nodeType":326,"data":2289,"content":2291},{"uri":2290},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/api_keys/description.md",[2292],{"nodeType":247,"value":2293,"marks":2294,"data":2296},"API key creation",[2295],{"type":334},{},{"nodeType":247,"value":1999,"marks":2298,"data":2299},[],{},{"nodeType":326,"data":2301,"content":2303},{"uri":2302},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/app_specific_password_phishing/description.md",[2304],{"nodeType":247,"value":2305,"marks":2306,"data":2308},"app-specific passwords",[2307],{"type":334},{},{"nodeType":247,"value":2310,"marks":2311,"data":2312},", OAuth ",[],{},{"nodeType":326,"data":2314,"content":2316},{"uri":2315},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/consent_phishing/description.md",[2317],{"nodeType":247,"value":2318,"marks":2319,"data":2321},"consent phishing",[2320],{"type":334},{},{"nodeType":247,"value":1999,"marks":2323,"data":2324},[],{},{"nodeType":326,"data":2326,"content":2328},{"uri":2327},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/cross-idp_impersonation/description.md",[2329],{"nodeType":247,"value":2330,"marks":2331,"data":2333},"cross-IdP impersonation",[2332],{"type":334},{},{"nodeType":247,"value":2335,"marks":2336,"data":2337},", and more.  ",[],{},{"nodeType":377,"data":2339,"content":2343},{"target":2340},{"sys":2341},{"id":2342,"type":382,"linkType":383},"3WFzina1t5j6bDlTlGQA0l",[],{"nodeType":243,"data":2345,"content":2346},{},[2347,2351,2360,2364,2371],{"nodeType":247,"value":2348,"marks":2349,"data":2350},"A key driver of identity vulnerability is the ",[],{},{"nodeType":326,"data":2352,"content":2354},{"uri":2353},"https://pushsecurity.com/blog/minimum-viable-identity-security/",[2355],{"nodeType":247,"value":2356,"marks":2357,"data":2359},"huge variance in the configurability of accounts per application",[2358],{"type":334},{},{"nodeType":247,"value":2361,"marks":2362,"data":2363},", with different levels of centralized visibility and security control of identities provided — for example, while one app can be locked down to only accept SSO logins via SAML and automatically remove any unused passwords, another provides no control or visibility of login method or MFA status (another big driver of the ",[],{},{"nodeType":326,"data":2365,"content":2366},{"uri":402},[2367],{"nodeType":247,"value":405,"marks":2368,"data":2370},[2369],{"type":334},{},{"nodeType":247,"value":2372,"marks":2373,"data":2374}," breaches last year). Unfortunately, as a by-product of product-led growth and something that is compounded by every new SaaS startup that hits the market, this situation doesn’t look like it’s going to change anytime soon. ",[],{},{"nodeType":243,"data":2376,"content":2377},{},[2378],{"nodeType":247,"value":2379,"marks":2380,"data":2381},"The end result is that identities are misconfigured, invisible to the security team, and routinely exploited by commodity attacker tooling. It’s no surprise that they’re the primary target for attackers today. ",[],{},{"nodeType":259,"data":2383,"content":2384},{},[],{"nodeType":263,"data":2386,"content":2387},{},[2388],{"nodeType":247,"value":2389,"marks":2390,"data":2392},"The solution: The browser as a telemetry source and control point",[2391],{"type":291},{},{"nodeType":243,"data":2394,"content":2395},{},[2396],{"nodeType":247,"value":2397,"marks":2398,"data":2399},"Because identity attacks play out in the browser, it’s the perfect place for security teams to observe, intercept, and shut down these attacks. ",[],{},{"nodeType":243,"data":2401,"content":2402},{},[2403],{"nodeType":247,"value":2404,"marks":2405,"data":2406},"The browser has a number of advantages over the different places where identity can be observed and protected, because:",[],{},{"nodeType":533,"data":2408,"content":2409},{},[2410,2420,2430],{"nodeType":537,"data":2411,"content":2412},{},[2413],{"nodeType":243,"data":2414,"content":2415},{},[2416],{"nodeType":247,"value":2417,"marks":2418,"data":2419},"You aren’t limited to the apps and identities directly connected to your IdP (a fraction of your workforce identity sprawl). ",[],{},{"nodeType":537,"data":2421,"content":2422},{},[2423],{"nodeType":243,"data":2424,"content":2425},{},[2426],{"nodeType":247,"value":2427,"marks":2428,"data":2429},"You aren’t limited to the apps that you know about and manage centrally — you can observe every login that passes through the browser.",[],{},{"nodeType":537,"data":2431,"content":2432},{},[2433],{"nodeType":243,"data":2434,"content":2435},{},[2436,2440,2445],{"nodeType":247,"value":2437,"marks":2438,"data":2439},"You can observe all the properties of a login, including the login method, MFA method, etc. You’d otherwise need API access to ",[],{},{"nodeType":247,"value":2441,"marks":2442,"data":2444},"maybe",[2443],{"type":281},{},{"nodeType":247,"value":2446,"marks":2447,"data":2448}," get this information (depending on whether an API is provided and whether this specific data can be interrogated, also not standard for many apps). ",[],{},{"nodeType":243,"data":2450,"content":2451},{},[2452,2456,2461,2465,2473],{"nodeType":247,"value":2453,"marks":2454,"data":2455},"It’s obvious with all that we’ve covered so far that fixing every identity vulnerability is an ominous task — the SaaS ecosystem itself is working against you. ",[],{},{"nodeType":247,"value":2457,"marks":2458,"data":2460},"This is why detecting and responding to identity attacks is essential. ",[2459],{"type":291},{},{"nodeType":247,"value":2462,"marks":2463,"data":2464},"Because identity compromise almost always involves phishing or social engineering a user to perform an action in their browser (with some exceptions — like the ",[],{},{"nodeType":326,"data":2466,"content":2467},{"uri":1388},[2468],{"nodeType":247,"value":2469,"marks":2470,"data":2472},"Scattered Spider-related help desk attacks",[2471],{"type":334},{},{"nodeType":247,"value":2474,"marks":2475,"data":2476}," seen recently), it’s also the perfect place to monitor for and intercept attacks. ",[],{},{"nodeType":243,"data":2478,"content":2479},{},[2480],{"nodeType":247,"value":2481,"marks":2482,"data":2483},"In the browser, you gather deep, contextualized information about page behavior and user inputs that can be used to detect and shut down risky scenarios in real time. Take the example of phishing pages. Because Push operates in the browser, it sees everything:",[],{},{"nodeType":533,"data":2485,"content":2486},{},[2487,2497,2507,2517,2540,2550],{"nodeType":537,"data":2488,"content":2489},{},[2490],{"nodeType":243,"data":2491,"content":2492},{},[2493],{"nodeType":247,"value":2494,"marks":2495,"data":2496},"The page layout.",[],{},{"nodeType":537,"data":2498,"content":2499},{},[2500],{"nodeType":243,"data":2501,"content":2502},{},[2503],{"nodeType":247,"value":2504,"marks":2505,"data":2506},"Where the user came from (through the whole redirect chain).",[],{},{"nodeType":537,"data":2508,"content":2509},{},[2510],{"nodeType":243,"data":2511,"content":2512},{},[2513],{"nodeType":247,"value":2514,"marks":2515,"data":2516},"Page interaction events — e.g. tabs opened and closed, popup windows, forms submitted, etc.",[],{},{"nodeType":537,"data":2518,"content":2519},{},[2520],{"nodeType":243,"data":2521,"content":2522},{},[2523,2527,2536],{"nodeType":247,"value":2524,"marks":2525,"data":2526},"The password they enter ",[],{},{"nodeType":326,"data":2528,"content":2530},{"uri":2529},"https://pushsecurity.com/help/10043/#how-push-securely-analyzes-passwords",[2531],{"nodeType":247,"value":2532,"marks":2533,"data":2535},"(as a salted, abbreviated hash)",[2534],{"type":334},{},{"nodeType":247,"value":2537,"marks":2538,"data":2539},", and whether a password was typed or copied, and where from.",[],{},{"nodeType":537,"data":2541,"content":2542},{},[2543],{"nodeType":243,"data":2544,"content":2545},{},[2546],{"nodeType":247,"value":2547,"marks":2548,"data":2549},"What scripts are running on the page and whether they are potentially malicious.",[],{},{"nodeType":537,"data":2551,"content":2552},{},[2553],{"nodeType":243,"data":2554,"content":2555},{},[2556],{"nodeType":247,"value":2557,"marks":2558,"data":2559},"Where credentials are being sent.",[],{},{"nodeType":377,"data":2561,"content":2565},{"target":2562},{"sys":2563},{"id":2564,"type":382,"linkType":383},"6kQejVS63FQ6Oy8nIm6UlV",[],{"nodeType":259,"data":2567,"content":2568},{},[],{"nodeType":263,"data":2570,"content":2571},{},[2572],{"nodeType":247,"value":2573,"marks":2574,"data":2576},"Conclusion",[2575],{"type":291},{},{"nodeType":243,"data":2578,"content":2579},{},[2580],{"nodeType":247,"value":2581,"marks":2582,"data":2583},"Identity attacks are the biggest unsolved problem facing security teams today and the leading cause of security breaches. At the same time, the browser presents security teams with all the tools they need to prevent, detect, and respond to identity-based attacks — proactively by finding and fixing identity vulnerabilities, and reactively by detecting and blocking attacks against users in real time. ",[],{},{"nodeType":243,"data":2585,"content":2586},{},[2587,2591,2600],{"nodeType":247,"value":2588,"marks":2589,"data":2590},"Organizations need to move past the old ways of doing identity security — relying on MFA attestations, identity management dashboards, and ",[],{},{"nodeType":326,"data":2592,"content":2594},{"uri":2593},"https://pushsecurity.com/blog/three-reasons-why-browser-is-best-for-stopping-phishing-attacks/",[2595],{"nodeType":247,"value":2596,"marks":2597,"data":2599},"legacy email and network anti-phishing tools",[2598],{"type":334},{},{"nodeType":247,"value":2601,"marks":2602,"data":2603},". And there’s no better place to stop these attacks than in the browser. ",[],{},{"nodeType":259,"data":2605,"content":2606},{},[],{"nodeType":263,"data":2608,"content":2609},{},[2610],{"nodeType":247,"value":2611,"marks":2612,"data":2614},"Find out more",[2613],{"type":291},{},{"nodeType":243,"data":2616,"content":2617},{},[2618],{"nodeType":247,"value":2619,"marks":2620,"data":2621},"Push Security’s browser-based security platform provides comprehensive detection and response capabilities against the leading cause of breaches. Push blocks identity attacks like AiTM phishing, credential stuffing, password spraying and session hijacking using stolen session tokens. You can also use Push to find and fix identity vulnerabilities across the apps that your employees use, like ghost logins, SSO coverage gaps, MFA gaps, vulnerable passwords, risky OAuth integrations, and more.",[],{},{"nodeType":243,"data":2623,"content":2624},{},[2625,2629,2636],{"nodeType":247,"value":2626,"marks":2627,"data":2628},"If you want to learn more about how Push helps you to detect and stop attacks in the browser, ",[],{},{"nodeType":326,"data":2630,"content":2631},{"uri":739},[2632],{"nodeType":247,"value":742,"marks":2633,"data":2635},[2634],{"type":334},{},{"nodeType":247,"value":746,"marks":2637,"data":2638},[],{},"How the browser became the main cyber battleground","How attacks have moved away from endpoints and internal networks to the browser — a blind spot for traditional security tools.","2025-08-15T00:00:00.000Z","how-the-browser-became-the-main-cyber-battleground",{"items":2644},[2645,2647],{"sys":2646,"name":1840},{"id":1839},{"sys":2648,"name":1836},{"id":1835},{"items":2650},[2651],{"fullName":1844,"firstName":1845,"jobTitle":1846,"profilePicture":2652},{"url":1848},{"__typename":873,"sys":2654,"content":2656,"title":3310,"synopsis":3311,"hashTags":62,"publishedDate":3312,"slug":3313,"tagsCollection":3314,"authorsCollection":3320},{"id":2655},"1qegIy4rMdm5XZXnIEoKpE",{"json":2657},{"nodeType":239,"data":2658,"content":2659},{},[2660,2667,2674,2699,2705,2712,2719,2722,2729,2749,2755,2762,2805,2812,2819,2826,2833,2840,2847,2866,2874,2877,2884,2891,2898,2905,2912,2919,2926,2974,2981,2988,2995,3015,3022,3029,3036,3043,3050,3057,3064,3082,3100,3143,3150,3157,3223,3230,3233,3240,3256,3275,3282,3288,3294,3297,3303],{"nodeType":243,"data":2661,"content":2662},{},[2663],{"nodeType":247,"value":2664,"marks":2665,"data":2666},"The field of threat detection and security monitoring has changed significantly over the last decade. Security tools and product categories have been added and replaced, specialist disciplines established, and methodologies created. ",[],{},{"nodeType":243,"data":2668,"content":2669},{},[2670],{"nodeType":247,"value":2671,"marks":2672,"data":2673},"Naturally, defenders have had to mature their approach because of the changing nature of the threat facing organizations. Attackers have always looked for new ways to target their victims, and naturally, defenders have had to adapt, forcing attackers to change things up… it’s a cat and mouse game. ",[],{},{"nodeType":243,"data":2675,"content":2676},{},[2677,2681,2690,2694],{"nodeType":247,"value":2678,"marks":2679,"data":2680},"Blue teamers have used the concept of the ",[],{},{"nodeType":326,"data":2682,"content":2684},{"uri":2683},"https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html",[2685],{"nodeType":247,"value":2686,"marks":2687,"data":2689},"Pyramid of Pain",[2688],{"type":334},{},{"nodeType":247,"value":2691,"marks":2692,"data":2693}," for over a decade. The logic is simple: ",[],{},{"nodeType":247,"value":2695,"marks":2696,"data":2698},"Focus on detecting and responding to indicators that are hard for attackers to change. ",[2697],{"type":291},{},{"nodeType":377,"data":2700,"content":2704},{"target":2701},{"sys":2702},{"id":2703,"type":382,"linkType":383},"6cG2fx3AikwptyEyXKrYCK",[],{"nodeType":243,"data":2706,"content":2707},{},[2708],{"nodeType":247,"value":2709,"marks":2710,"data":2711},"If an attacker only has to tweak a variable to get around your detection rule, like adding a space to change a hash value, it’s probably not a very good detection. It’s not going to remain effective for long and you’re always going to be one step behind the attacker – waiting for them to make their next move so you can react. This usually ends up meaning that attackers enjoy at least some success before they can be shut out again. ",[],{},{"nodeType":243,"data":2713,"content":2714},{},[2715],{"nodeType":247,"value":2716,"marks":2717,"data":2718},"The Pyramid of Pain – and the goal of implementing hard-to-bypass detections that hit attackers where it hurts – is central to our design philosophy. But before we get into how we apply this approach, and the types of controls we’ve created as a result, it’s useful to look at how IT and security have changed since the Pyramid was created more than a decade ago. ",[],{},{"nodeType":259,"data":2720,"content":2721},{},[],{"nodeType":263,"data":2723,"content":2724},{},[2725],{"nodeType":247,"value":2726,"marks":2727,"data":2728},"A new era for cyber security",[],{},{"nodeType":243,"data":2730,"content":2731},{},[2732,2736,2745],{"nodeType":247,"value":2733,"marks":2734,"data":2735},"We’ve spoken a lot about how we’re in the midst of a new era in cybersecurity, in which identity is now the outermost digital perimeter for security teams to defend. (",[],{},{"nodeType":326,"data":2737,"content":2739},{"uri":2738},"https://pushsecurity.com/resources/video/the-new-saas-cyber-kill-chain-so-con-2024/",[2740],{"nodeType":247,"value":2741,"marks":2742,"data":2744},"You’ll be familiar with this if you’ve seen any of Luke’s talks on the New SaaS Cyber Kill Chain.",[2743],{"type":334},{},{"nodeType":247,"value":2746,"marks":2747,"data":2748},") ",[],{},{"nodeType":377,"data":2750,"content":2754},{"target":2751},{"sys":2752},{"id":2753,"type":382,"linkType":383},"6nYSZAYpsbj78jKm0q75zs",[],{"nodeType":243,"data":2756,"content":2757},{},[2758],{"nodeType":247,"value":2759,"marks":2760,"data":2761},"This is primarily because modern working is no longer contained to a heavily centralized corporate network, and instead happens primarily in applications accessed over the internet via web browser.",[],{},{"nodeType":243,"data":2763,"content":2764},{},[2765,2769,2777,2781,2789,2793,2801],{"nodeType":247,"value":2766,"marks":2767,"data":2768},"In this new world, attacks don’t even have to touch the old perimeters, because all the data and functionality they could want exists on the public internet. As a result, we’re seeing more and more ",[],{},{"nodeType":326,"data":2770,"content":2772},{"uri":2771},"https://pushsecurity.com/blog/saas-attack-techniques/",[2773],{"nodeType":247,"value":2774,"marks":2775,"data":2776},"attacks targeting SaaS apps",[],{},{"nodeType":247,"value":2778,"marks":2779,"data":2780},", with the entire attack chain being concluded outside customer networks, not touching any traditional endpoints or networks. The ",[],{},{"nodeType":326,"data":2782,"content":2784},{"uri":2783},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/#id-snowflake-june-2024",[2785],{"nodeType":247,"value":2786,"marks":2787,"data":2788},"recent attacks on Snowflake customers",[],{},{"nodeType":247,"value":2790,"marks":2791,"data":2792},", hailed ",[],{},{"nodeType":326,"data":2794,"content":2796},{"uri":2795},"https://www.wired.com/story/snowflake-breach-advanced-auto-parts-lendingtree/",[2797],{"nodeType":247,"value":2798,"marks":2799,"data":2800},"one of the biggest breaches in history",[],{},{"nodeType":247,"value":2802,"marks":2803,"data":2804},", demonstrate this risk all too well. ",[],{},{"nodeType":243,"data":2806,"content":2807},{},[2808],{"nodeType":247,"value":2809,"marks":2810,"data":2811},"This creates a problem for security teams looking to detect and respond to these attacks. ",[],{},{"nodeType":386,"data":2813,"content":2814},{},[2815],{"nodeType":247,"value":2816,"marks":2817,"data":2818},"Attacks today are shorter and faster, but just as dangerous",[],{},{"nodeType":243,"data":2820,"content":2821},{},[2822],{"nodeType":247,"value":2823,"marks":2824,"data":2825},"Detecting and responding to identity attacks – phishing, credential stuffing, etc. – used to be just one possible method of initial access in quite a lengthy Kill Chain that stretched from the compromise of the user device, pivoting to internal network resources, escalating privileges, moving laterally, and finally achieving their objectives.",[],{},{"nodeType":243,"data":2827,"content":2828},{},[2829],{"nodeType":247,"value":2830,"marks":2831,"data":2832},"This meant that defenders could adopt an assumed compromise mentality and build layered detections, as well as proactively hunting for threats across these various stages and layers of the network. The more actions an attacker has to perform, the more opportunities for detection, and the higher the likelihood that they’ll be caught in the act before any real, lasting damage can be caused. ",[],{},{"nodeType":243,"data":2834,"content":2835},{},[2836],{"nodeType":247,"value":2837,"marks":2838,"data":2839},"Today, attackers have a lot of opportunities to cause significant damage for much less effort than before. For example, if the goal is to compromise an app like Snowflake and dump the data from it, the Kill Chain is way shorter than a traditional network-based attack. And all the great tools and security products you have, like EDR, don’t come into play. ",[],{},{"nodeType":243,"data":2841,"content":2842},{},[2843],{"nodeType":247,"value":2844,"marks":2845,"data":2846},"This means that the initial layer of anti-account takeover controls are much more important in this context. But, the historical detections in this space – email gateway security products, analyzing web pages for malicious content, and URL blocklisting – are either less relevant, or built upon easy to bypass detections toward the bottom of the Pyramid of Pain. ",[],{},{"nodeType":243,"data":2848,"content":2849},{},[2850,2854,2862],{"nodeType":247,"value":2851,"marks":2852,"data":2853},"As an example, ",[],{},{"nodeType":326,"data":2855,"content":2857},{"uri":2856},"https://pushsecurity.com/blog/how-aitm-phishing-kits-evade-detection/",[2858],{"nodeType":247,"value":2859,"marks":2860,"data":2861},"we recently published an article on all the ways that AitM phishing sites are evading detection",[],{},{"nodeType":247,"value":2863,"marks":2864,"data":2865},". TL;DR – there are a lot, and they seem to be quite effective. But this is partly because the majority of the detections they're trying to avoid are built on shaky ground.   ",[],{},{"nodeType":243,"data":2867,"content":2868},{},[2869],{"nodeType":247,"value":2870,"marks":2871,"data":2873},"So what? Well, it’s clear that the controls that the industry has relied on in the past to stop identity attacks are too easy to bypass, and are no longer sufficient. ",[2872],{"type":291},{},{"nodeType":259,"data":2875,"content":2876},{},[],{"nodeType":263,"data":2878,"content":2879},{},[2880],{"nodeType":247,"value":2881,"marks":2882,"data":2883},"Building effective identity threat detection controls",[],{},{"nodeType":243,"data":2885,"content":2886},{},[2887],{"nodeType":247,"value":2888,"marks":2889,"data":2890},"Now we’ve covered the problem that we set out to solve, let’s look at what we’re doing differently. ",[],{},{"nodeType":243,"data":2892,"content":2893},{},[2894],{"nodeType":247,"value":2895,"marks":2896,"data":2897},"In order to climb the Pyramid toward the apex, you need to find ways to detect increasingly generic parts of an attack technique. So you want to avoid things like what a specific malware’s code looks like, or where it connects back to. But what the malware does, or what happens when it runs, is more generic, and therefore more interesting to us.  ",[],{},{"nodeType":243,"data":2899,"content":2900},{},[2901],{"nodeType":247,"value":2902,"marks":2903,"data":2904},"The shift from static code signatures and fuzzy hashes to dynamic analysis of what code does on a live system is at the heart of why EDR killed antivirus a decade ago. It proved at-scale the value of moving detections up the pyramid.",[],{},{"nodeType":243,"data":2906,"content":2907},{},[2908],{"nodeType":247,"value":2909,"marks":2910,"data":2911},"We’re always on the lookout for ways to move our detections up the pyramid as well. It’s easiest to explain how we’ve applied this by looking at an example. ",[],{},{"nodeType":386,"data":2913,"content":2914},{},[2915],{"nodeType":247,"value":2916,"marks":2917,"data":2918},"Scenario: Detecting a web-based phishing attack",[],{},{"nodeType":243,"data":2920,"content":2921},{},[2922],{"nodeType":247,"value":2923,"marks":2924,"data":2925},"Let’s break down the stages of a web-based phishing attack as an example. For a user to be successfully phished:",[],{},{"nodeType":533,"data":2927,"content":2928},{},[2929,2944,2959],{"nodeType":537,"data":2930,"content":2931},{},[2932],{"nodeType":243,"data":2933,"content":2934},{},[2935,2940],{"nodeType":247,"value":2936,"marks":2937,"data":2939},"Stage 1:",[2938],{"type":291},{},{"nodeType":247,"value":2941,"marks":2942,"data":2943}," The victim must be lured to visit a website.",[],{},{"nodeType":537,"data":2945,"content":2946},{},[2947],{"nodeType":243,"data":2948,"content":2949},{},[2950,2955],{"nodeType":247,"value":2951,"marks":2952,"data":2954},"Stage 2:",[2953],{"type":291},{},{"nodeType":247,"value":2956,"marks":2957,"data":2958}," The website must somehow trick or convince the user that it’s legitimate and trustworthy, for example by mimicking a legitimate site.",[],{},{"nodeType":537,"data":2960,"content":2961},{},[2962],{"nodeType":243,"data":2963,"content":2964},{},[2965,2970],{"nodeType":247,"value":2966,"marks":2967,"data":2969},"Stage 3:",[2968],{"type":291},{},{"nodeType":247,"value":2971,"marks":2972,"data":2973}," The user must enter their actual credentials into that website.",[],{},{"nodeType":243,"data":2975,"content":2976},{},[2977],{"nodeType":247,"value":2978,"marks":2979,"data":2980},"So, how might you go about detecting this attack? Let’s start from the bottom of the pyramid and work our way up.",[],{},{"nodeType":386,"data":2982,"content":2983},{},[2984],{"nodeType":247,"value":2985,"marks":2986,"data":2987},"Stage 1: Determining if a URL, IP, or domain is bad",[],{},{"nodeType":243,"data":2989,"content":2990},{},[2991],{"nodeType":247,"value":2992,"marks":2993,"data":2994},"You might start by looking for the lure – historically an email. You could look for links in emails, or links in attachments in an email and then check if they are bad (which is essentially what email security products do). You could look for known-bad URLs in emails, but these change for every phishing campaign. In modern attacks, every target can receive a unique email and link. Even just using a URL shortener can bypass this. It’s equivalent to a malware hash – trivial to change, and therefore not a great thing to pin your detections on. ",[],{},{"nodeType":243,"data":2996,"content":2997},{},[2998,3002,3011],{"nodeType":247,"value":2999,"marks":3000,"data":3001},"You could look at which IP address the user connects to, but these days it’s very simple for attackers to add a new IP to their cloud-hosted server. If a domain is flagged as known-bad, the attacker only has to register a new domain, or compromise a WordPress server on an already trusted domain. Both of these things are ",[],{},{"nodeType":326,"data":3003,"content":3005},{"uri":3004},"https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/",[3006],{"nodeType":247,"value":3007,"marks":3008,"data":3010},"happening on a massive scale",[3009],{"type":334},{},{"nodeType":247,"value":3012,"marks":3013,"data":3014}," as attackers pre-plan for the fact that their domains will be burned at some point. Attackers are more than happy to spend $10-$20 per new domain in the grand scheme of the potential proceeds of crime. ",[],{},{"nodeType":243,"data":3016,"content":3017},{},[3018],{"nodeType":247,"value":3019,"marks":3020,"data":3021},"But there’s a more fundamental flaw here – for defenders to know that a URL, IP, or domain name is bad, it needs to be reported first. When are things reported? Typically after being used in an attack – so unfortunately, someone always gets hurt.  ",[],{},{"nodeType":386,"data":3023,"content":3024},{},[3025],{"nodeType":247,"value":3026,"marks":3027,"data":3028},"Stage 2: Determining if a site is legitimate",[],{},{"nodeType":243,"data":3030,"content":3031},{},[3032],{"nodeType":247,"value":3033,"marks":3034,"data":3035},"So how can we detect a phishing website, on day-zero, the first time anyone runs into it? Well we can look at the second step – does the URL resemble a real website, does the HTML code for a page look similar to a legitimate login page for a known website, is it loading the same image files? This is not trivial to detect, but with the right fuzzy matches and image analysis it can be automated.",[],{},{"nodeType":243,"data":3037,"content":3038},{},[3039],{"nodeType":247,"value":3040,"marks":3041,"data":3042},"We’ve now moved up a level on the Pyramid – we’re detecting website artifacts. If we see a legitimate looking website on an unknown domain, it’s likely to be a malicious clone.",[],{},{"nodeType":243,"data":3044,"content":3045},{},[3046],{"nodeType":247,"value":3047,"marks":3048,"data":3049},"Unfortunately, the attacker’s website doesn’t need to send each visitor to the same website. It can change dynamically based on where the visitor is coming from – or even randomly, so that not all visitors are served the phishing page. This means that tools which resolve where the links in emails go to be able to analyze them (such as email security appliances) don’t necessarily see the same site the user is actually visiting – a fact that is commonly abused by attackers to bypass detection. It’s critical that detection happens on the actual web page that the victim sees.",[],{},{"nodeType":386,"data":3051,"content":3052},{},[3053],{"nodeType":247,"value":3054,"marks":3055,"data":3056},"Stage 3: Detecting the user entering their credentials",[],{},{"nodeType":243,"data":3058,"content":3059},{},[3060],{"nodeType":247,"value":3061,"marks":3062,"data":3063},"For a phishing attack to succeed, the victim must enter their actual credentials into the webpage. If you can stop the user entering their real password, there’s no attack. There’s no getting around it. ",[],{},{"nodeType":243,"data":3065,"content":3066},{},[3067,3071,3079],{"nodeType":247,"value":3068,"marks":3069,"data":3070},"So, this is exactly what we did: Earlier this year, we released a control which ",[],{},{"nodeType":326,"data":3072,"content":3074},{"uri":3073},"https://pushsecurity.com/blog/introducing-sso-password-protection/",[3075],{"nodeType":247,"value":3076,"marks":3077,"data":3078},"stops users from entering their password belonging to a particular login page anywhere else",[],{},{"nodeType":247,"value":746,"marks":3080,"data":3081},[],{},{"nodeType":243,"data":3083,"content":3084},{},[3085,3089,3096],{"nodeType":247,"value":3086,"marks":3087,"data":3088},"Seems simple, right? By focusing on this generic action, that always has to happen, you can essentially stop your users being phished altogether. This means, it doesn’t matter ",[],{},{"nodeType":326,"data":3090,"content":3091},{"uri":2856},[3092],{"nodeType":247,"value":3093,"marks":3094,"data":3095},"what the attacker does before that point",[],{},{"nodeType":247,"value":3097,"marks":3098,"data":3099},":",[],{},{"nodeType":533,"data":3101,"content":3102},{},[3103,3113,3123,3133],{"nodeType":537,"data":3104,"content":3105},{},[3106],{"nodeType":243,"data":3107,"content":3108},{},[3109],{"nodeType":247,"value":3110,"marks":3111,"data":3112},"It doesn't matter if they run the site using Cloudflare Workers to block automatic analysis.",[],{},{"nodeType":537,"data":3114,"content":3115},{},[3116],{"nodeType":243,"data":3117,"content":3118},{},[3119],{"nodeType":247,"value":3120,"marks":3121,"data":3122},"It doesn’t matter if they hack a WordPress blog to get a reputable domain.",[],{},{"nodeType":537,"data":3124,"content":3125},{},[3126],{"nodeType":243,"data":3127,"content":3128},{},[3129],{"nodeType":247,"value":3130,"marks":3131,"data":3132},"It doesn’t matter if they use clever redirects and rotate the URLs delivered to the user.",[],{},{"nodeType":537,"data":3134,"content":3135},{},[3136],{"nodeType":243,"data":3137,"content":3138},{},[3139],{"nodeType":247,"value":3140,"marks":3141,"data":3142},"It doesn’t matter if they randomize the HTML title for the web page. ",[],{},{"nodeType":243,"data":3144,"content":3145},{},[3146],{"nodeType":247,"value":3147,"marks":3148,"data":3149},"They can’t avoid the fact that a user is required to enter their credentials on the page for the attack to succeed. ",[],{},{"nodeType":243,"data":3151,"content":3152},{},[3153],{"nodeType":247,"value":3154,"marks":3155,"data":3156},"So, when you apply the Pyramid of Pain to some of the controls we’ve shipped this year, we get a clear feel for the value, from highest to lowest:",[],{},{"nodeType":533,"data":3158,"content":3159},{},[3160,3181,3202],{"nodeType":537,"data":3161,"content":3162},{},[3163],{"nodeType":243,"data":3164,"content":3165},{},[3166,3170,3177],{"nodeType":247,"value":3167,"marks":3168,"data":3169},"User Behavior: ",[],{},{"nodeType":326,"data":3171,"content":3172},{"uri":3073},[3173],{"nodeType":247,"value":3174,"marks":3175,"data":3176},"Detecting and blocking the user behavior of entering their password into any site that the password doesn’t belong to",[],{},{"nodeType":247,"value":3178,"marks":3179,"data":3180},". ",[],{},{"nodeType":537,"data":3182,"content":3183},{},[3184],{"nodeType":243,"data":3185,"content":3186},{},[3187,3191,3199],{"nodeType":247,"value":3188,"marks":3189,"data":3190},"Tool Behavior: ",[],{},{"nodeType":326,"data":3192,"content":3194},{"uri":3193},"https://pushsecurity.com/blog/introducing-cloned-login-page-detection/",[3195],{"nodeType":247,"value":3196,"marks":3197,"data":3198},"Detecting when a login page that you access is cloned from a legitimate page.",[],{},{"nodeType":247,"value":29,"marks":3200,"data":3201},[],{},{"nodeType":537,"data":3203,"content":3204},{},[3205],{"nodeType":243,"data":3206,"content":3207},{},[3208,3212,3220],{"nodeType":247,"value":3209,"marks":3210,"data":3211},"Tool Signature: ",[],{},{"nodeType":326,"data":3213,"content":3215},{"uri":3214},"https://pushsecurity.com/blog/introducing-aitm-phishing-toolkit-detection-powered-by-the-push-browser/",[3216],{"nodeType":247,"value":3217,"marks":3218,"data":3219},"Detecting and blocking access to a page with a known phishing kit signature present on the page",[],{},{"nodeType":247,"value":3178,"marks":3221,"data":3222},[],{},{"nodeType":243,"data":3224,"content":3225},{},[3226],{"nodeType":247,"value":3227,"marks":3228,"data":3229},"Naturally, we want to continue focusing on the apex of the Pyramid – at TTPs and Tools – to ensure that the controls we build are as robust as possible, and can’t be bypassed by attackers. ",[],{},{"nodeType":259,"data":3231,"content":3232},{},[],{"nodeType":263,"data":3234,"content":3235},{},[3236],{"nodeType":247,"value":3237,"marks":3238,"data":3239},"The power of the Push browser agent",[],{},{"nodeType":243,"data":3241,"content":3242},{},[3243,3247,3252],{"nodeType":247,"value":3244,"marks":3245,"data":3246},"You might ask: ",[],{},{"nodeType":247,"value":3248,"marks":3249,"data":3251},"If it’s so simple, why hasn’t this been done yet?",[3250],{"type":291},{},{"nodeType":247,"value":3253,"marks":3254,"data":3255}," Well, before now, there was no good way of doing it! Teams simply didn’t have tools in the right place to be able to capture the level of data needed, or respond effectively (i.e. automatically, at the point of impact). ",[],{},{"nodeType":243,"data":3257,"content":3258},{},[3259,3263,3271],{"nodeType":247,"value":3260,"marks":3261,"data":3262},"This is where being in the browser comes into play. The browser is a great place to observe the behavior of a page in real time, without needing to reconstruct decrypted HTTP data post-TLS termination and try to guess what the rendered page in all its Javascript-infused glory actually does, ",[],{},{"nodeType":326,"data":3264,"content":3266},{"uri":3265},"https://pushsecurity.com/blog/the-web-proxy-is-dead-long-live-the-browser-extension/",[3267],{"nodeType":247,"value":3268,"marks":3269,"data":3270},"as we’ve blogged about previously",[],{},{"nodeType":247,"value":3272,"marks":3273,"data":3274},". As we’ve seen through the ability to not only detect but prevent phishing attacks, it’s also a great control enforcement point, as you’re able to intercept the user at the point of impact, and you sit as closely as possible to where their work typically happens – in the browser. ",[],{},{"nodeType":243,"data":3276,"content":3277},{},[3278],{"nodeType":247,"value":3279,"marks":3280,"data":3281},"To illustrate how crucial the browser is to implementing controls that sit at the apex of the Pyramid of Pain, we created a modified version designed specifically for identity attacks. ",[],{},{"nodeType":377,"data":3283,"content":3287},{"target":3284},{"sys":3285},{"id":3286,"type":382,"linkType":383},"HrK2xQak6KfjInDbeSgv8",[],{"nodeType":377,"data":3289,"content":3293},{"target":3290},{"sys":3291},{"id":3292,"type":382,"linkType":383},"7kLilJ8Y08smUI9ttM3BSO",[],{"nodeType":259,"data":3295,"content":3296},{},[],{"nodeType":263,"data":3298,"content":3299},{},[3300],{"nodeType":247,"value":2573,"marks":3301,"data":3302},[],{},{"nodeType":243,"data":3304,"content":3305},{},[3306],{"nodeType":247,"value":3307,"marks":3308,"data":3309},"Hopefully, this blog post has shone a light on why we do things the way we do here at Push. The goal of building generic detections that are difficult, painful, and costly for attackers to bypass is a key part of our design strategy, and we look forward to sharing many more controls with you that demonstrate this in the future.",[],{},"Our design philosophy: Detecting what matters","This is the first blog in a short series we’re putting together about the ‘why’ behind the ‘what’ at Push. This entry is focused on threat detection. ","2024-08-05T00:00:00.000Z","our-design-philosophy-detecting-what-matters",{"items":3315},[3316,3318],{"sys":3317,"name":1840},{"id":1839},{"sys":3319,"name":1836},{"id":1835},{"items":3321},[3322],{"fullName":1844,"firstName":1845,"jobTitle":1846,"profilePicture":3323},{"url":1848},"fixing-secops-alert-fatigue-with-browser-telemetry","blog/fixing-secops-alert-fatigue-with-browser-telemetry",{"json":3327},{"data":3328,"content":3329,"nodeType":239},{},[3330],{"data":3331,"content":3332,"nodeType":243},{},[3333],{"data":3334,"marks":3335,"value":3336,"nodeType":247},{},[],"The alert fatigue epidemic has reached crisis proportions, fueled by an expanding attack surface and telemetry gaps. But it's not all doom and gloom: the browser presents security teams with a net-new data source that is objectively better at detecting early-stage indicators of attack. Here's what you need to know. ","How browser data can improve detection fidelity and reduce alert fatigue, enabling SecOps teams to save time and detect more attacks.",{"id":3339,"publishedAt":3340},"6jYmU1ROpwI41mmzk7ioKd","2025-11-18T10:17:09.351Z",{"items":3342},[3343,3345],{"sys":3344,"name":1840},{"id":1839},{"sys":3346,"name":1836},{"id":1835},"vZQJVknCmohxsQXlczrq3Gsfe-XWy9k_CvBjBkbkP_o",1784196721054]