[{"data":1,"prerenderedAt":4114},["ShallowReactive",2],{"application-flags":3,"navbar":7,"always-visible-banner":36,"navbar-about-highlight":108,"navbar-resource-highlight":182,"blog/the-saas-attack-matrix-one-year-on":226},[4],{"name":5,"enabled":6},"maintenanceMode",false,[8],{"createdDate":9,"id":10,"name":11,"modelId":12,"published":13,"query":14,"data":15,"variations":20,"lastUpdated":21,"firstPublished":22,"testRatio":23,"createdBy":24,"lastUpdatedBy":25,"folders":26,"meta":27,"rev":35},1742208588866,"1c7a4e423bf54ac1a328bb4063459ef2","Banner","1c6207a5f24948ab82d4a0b17f251193","published",[],{"type":16,"url":17,"text":18,"link":19},"web-banner","https://pushsecurity.com/resources/browser-attacks-report","Get our latest report analyzing browser attack techniques in 2026",{},{},1774258294825,1742208637545,1,"CydmZnOWU1XuAaLhEDCoYNM4Z8W2","jKjF9r5jcvXU8tzZEfFQm31Iyvr2",[],{"kind":28,"lastPreviewUrl":29,"breakpoints":30,"hasAutosaves":34},"data","",{"xsmall":31,"small":32,"medium":33},320,640,768,true,"ga0kpxjhh76",{"createdDate":37,"id":38,"name":39,"modelId":40,"published":13,"stageModifiedSincePublish":6,"query":41,"data":42,"variations":97,"lastUpdated":98,"firstPublished":99,"testRatio":23,"createdBy":100,"lastUpdatedBy":101,"folders":102,"meta":103,"rev":107},1774965361051,"fd266d0172cc47429be7ad10f48c99ad","always visible banner","0678d178ec8b41efb8a23c09dba7874d",[],{"ctaText":43,"text":44,"url":29,"blocks":45,"state":93},"ewrererw","testrfesssssssssss",[46,73,81],{"@type":47,"@version":48,"id":49,"component":50,"responsiveStyles":63},"@builder.io/sdk:Element",2,"builder-ca12c06a52de41d7b8743da53118cd38",{"name":51,"tag":51,"options":52,"isRSC":62},"TopBannerContent",{"text":53,"ctaText":54,"url":55,"mainText":56,"cta":59},"New Webinar Series: Join John Hammond, Troy Hunt, and Matt Johansen for the State of Browser Attacks","Save Your Spot","https://pushsecurity.com/webinar/state-of-browser-security",{"content":57,"fontSize":58},"\u003Cp>Meet Push's browser security experts at BlackHat 2026.\u003C/p>","text-base",{"content":60,"fontSize":58,"url":61},"\u003Cp>Book a meeting →\u003C/p>","https://pushsecurity.com/events/blackhat-2026-meeting",null,{"large":64},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69,"marginTop":70,"marginBottom":70,"fontSize":71,"fontWeight":72},"flex","column","relative","0","border-box",".56rem","1.125rem","700",{"@type":47,"@version":48,"id":74,"component":75,"responsiveStyles":79},"builder-a2e1f4b9f30b464bb814d7f5de5b0aa7",{"name":76,"options":77,"isRSC":62},"Custom Code",{"code":78,"scriptsClientOnly":6},"\u003Cstyle>\n  .top-banner.bg-web-orange{background:rgb(114, 79, 255);}\n\u003C/style>\n",{"large":80},{"display":65,"flexDirection":66,"position":67,"flexShrink":68,"boxSizing":69},{"id":82,"@type":47,"tagName":83,"properties":84,"responsiveStyles":88},"builder-pixel-o503s4fpvk","img",{"src":85,"aria-hidden":86,"alt":29,"role":87,"width":68,"height":68},"https://cdn.builder.io/api/v1/pixel?apiKey=f3a1111ff5be48cdbb123cd9f5795a05","true","presentation",{"large":89},{"height":68,"width":68,"display":90,"opacity":68,"overflow":91,"pointerEvents":92},"block","hidden","none",{"deviceSize":94,"location":95},"large",{"path":29,"query":96},{},{},1783541846936,1774968080803,"ST0tXQM8slWpFrmioqKHmENB2qe2","kYgMv6WsbvfmlOUYqR2SFwGzw6e2",[],{"kind":104,"lastPreviewUrl":105,"hasLinks":6,"breakpoints":106,"hasErrors":6,"hasAutosaves":6},"component","https://pushsecurity.com/?builder.space=f3a1111ff5be48cdbb123cd9f5795a05&builder.user.permissions=read%2Ccreate%2Cpublish%2CeditDesigns%2CeditLayouts%2CeditLayers%2CeditContentPriority%2CeditFolders%2CcreateProjects%2CsendPullRequests&builder.user.role.name=Designer&builder.user.role.id=creator&builder.cachebust=true&builder.preview=always-visible-banner&builder.noCache=true&builder.allowTextEdit=true&__builder_editing__=true&builder.overrides.always-visible-banner=fd266d0172cc47429be7ad10f48c99ad&builder.overrides.fd266d0172cc47429be7ad10f48c99ad=fd266d0172cc47429be7ad10f48c99ad&builder.options.locale=Default",{"xsmall":31,"small":32,"medium":33},"kyujw1aptq",[109,145],{"createdDate":110,"id":111,"name":112,"modelId":113,"published":13,"stageModifiedSincePublish":6,"query":114,"data":115,"variations":138,"lastUpdated":139,"firstPublished":140,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":141,"meta":142,"rev":144},1776247359804,"9136a8f18b3b4a6ba29b8653a99372b1","testimonial-inductive-automation","20d9eaa352304613b3d1a794b400703d",[],{"link":116,"type":117,"testimonialLink":118,"testimonial":119},{},"testimonial","/customer-stories/inductive-automation",{"@type":120,"id":121,"model":117,"value":122},"@builder.io/core:Reference","f028f2b685bb47cd8bf9e82a26dd5a79",{"query":123,"folders":124,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":128,"variations":132,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":135,"rev":137},[],[],1735823466309,"We found Push to be more accurate when compared to competitors and the browser agent offered features that others couldn’t match.","42035571a56940ac98bff4544aa79aa5",{"author":129,"jobTitle":130,"quote":126,"image":131},"Jason Waits","\u003Cp>CISO at Inductive Automation\u003C/p>","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2Ff04c0c0689ce4a89ac0f0708d78c0a07",{},1735910703862,1735823501152,{"kind":28,"lastPreviewUrl":29,"breakpoints":136,"hasAutosaves":34},{"small":32,"medium":33},"e8bsg4qrgtu",{},1776247404986,1776247404973,[],{"breakpoints":143,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},"g9lqcuxphw7",{"createdDate":146,"id":147,"name":148,"modelId":113,"published":13,"meta":149,"stageModifiedSincePublish":6,"query":151,"data":152,"variations":178,"lastUpdated":179,"firstPublished":180,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":181,"rev":144},1776255761419,"05a9322735fc427db12e2740e4302300","Report: 2026 Browser Attack Techniques",{"breakpoints":150,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":153,"link":172,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":155},"192acbb1f9ca4cac918c0ec435a8bae3",{"query":156,"folders":157,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":160,"variations":166,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":169,"rev":171},[],[],1728981467463,"Push does for identity what CrowdStrike did for the endpoint",{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},"https://cdn.builder.io/o/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F8b30e8ca50064058bbaef0f3c6164575%2Fcompressed?apiKey=f3a1111ff5be48cdbb123cd9f5795a05&token=8b30e8ca50064058bbaef0f3c6164575&alt=media&optimized=true","\u003Cp>Deputy CISO at Microsoft\u003C/p>\u003Cp>Former LinkedIn, Slack, Palantir\u003C/p>","Geoff Belknap","Push does for identity what CrowdStrike did for the endpoint.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F748f0ad0a5064a00a13f4721fcc8dea1",{},1742902158597,1728981782923,{"kind":28,"lastPreviewUrl":29,"breakpoints":170,"hasAutosaves":34},{"small":32,"medium":33},"ulhc0im1hfo",{"text":173,"url":174},"Download now","/resources/browser-attacks-report","resource","Learn about the latest techniques being used in the wild.","https://cdn.builder.io/api/v1/image/assets%2Ff3a1111ff5be48cdbb123cd9f5795a05%2F7b4a5ebf81d64e8c9d7fc35f6c96c4a9",{},1776255810913,1776255810900,[],[183,205],{"createdDate":184,"id":185,"name":148,"modelId":186,"published":13,"meta":187,"stageModifiedSincePublish":6,"query":189,"data":190,"variations":200,"lastUpdated":201,"firstPublished":202,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":203,"rev":204},1776256900280,"1f429607996e4e5fae8fe3f9b9610e55","4829faa81e7c4ee8bd2d000e160e8d3c",{"breakpoints":188,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},[],{"testimonial":191,"link":199,"type":175,"title":148,"description":176,"image":177},{"@type":120,"id":154,"model":117,"value":192},{"query":193,"folders":194,"createdDate":158,"id":154,"name":159,"modelId":127,"published":13,"data":195,"variations":196,"lastUpdated":167,"firstPublished":168,"testRatio":23,"createdBy":100,"lastUpdatedBy":24,"meta":197,"rev":171},[],[],{"video":161,"jobTitle":162,"author":163,"qoute":29,"quote":164,"image":165},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":198,"hasAutosaves":34},{"small":32,"medium":33},{"text":173,"url":174},{},1776256937553,1776256937540,[],"xggsv10v1q9",{"createdDate":206,"id":207,"name":208,"modelId":186,"published":13,"stageModifiedSincePublish":6,"query":209,"data":210,"variations":220,"lastUpdated":221,"firstPublished":222,"testRatio":23,"createdBy":24,"lastUpdatedBy":24,"folders":223,"meta":224,"rev":204},1776256949234,"ce043785b71b4ece98eac811ecf4ba10","inductive-automation",[],{"link":211,"type":117,"testimonial":212,"testimonialLink":118},{},{"@type":120,"id":121,"model":117,"value":213},{"query":214,"folders":215,"createdDate":125,"id":121,"name":126,"modelId":127,"published":13,"data":216,"variations":217,"lastUpdated":133,"firstPublished":134,"testRatio":23,"createdBy":100,"lastUpdatedBy":100,"meta":218,"rev":137},[],[],{"author":129,"jobTitle":130,"quote":126,"image":131},{},{"kind":28,"lastPreviewUrl":29,"breakpoints":219,"hasAutosaves":34},{"small":32,"medium":33},{},1776256974140,1776256974130,[],{"breakpoints":225,"kind":28,"lastPreviewUrl":29,"hasAutosaves":6},{"xsmall":31,"small":32,"medium":33},{"id":227,"title":228,"authorsCollection":229,"content":237,"extension":1347,"faqItemsCollection":1348,"faqTitle":62,"featured":6,"hashTags":62,"meta":1350,"metaTitle":1351,"ogImage":62,"publishedDate":1352,"relatedBlogPostsCollection":1353,"slug":4090,"stem":4091,"subtitle":62,"summary":4092,"synopsis":4103,"sys":4104,"tagsCollection":4107,"__hash__":4113},"blog/blog/the-saas-attack-matrix-one-year-on.json","The SaaS attack matrix: A year in review",{"items":230},[231],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":235},"Dan Green","Dan","Threat Research",{"url":236},"https://images.ctfassets.net/y1cdw1ablpvd/7jik1VhFgA3kgzXBXTm2Vw/fcd8c171da644903d0827eafcfbcaad0/Dan_Headshot_2025.png",{"json":238,"links":1335},{"data":239,"content":240,"nodeType":1334},{},[241,265,272,279,286,293,297,305,400,407,415,422,439,459,466,469,476,483,490,507,531,538,545,578,611,618,636,643,650,657,665,672,705,712,729,762,769,788,795,802,820,827,834,837,844,851,858,861,868,875,882,901,1038,1045,1048,1055,1062,1166,1173,1180,1183,1190,1197,1250,1257,1264,1267,1274,1281,1300,1319,1328],{"data":242,"content":243,"nodeType":264},{},[244,249,260],{"data":245,"marks":246,"value":247,"nodeType":248},{},[],"When we created the ","text",{"data":250,"content":252,"nodeType":259},{"uri":251},"https://github.com/pushsecurity/saas-attacks",[253],{"data":254,"marks":255,"value":258,"nodeType":248},{},[256],{"type":257},"underline","SaaS attack matrix","hyperlink",{"data":261,"marks":262,"value":263,"nodeType":248},{},[],", we made a conscious break away from the endpoint-focused techniques captured in industry resources like the MITRE ATT&CK Framework. ","paragraph",{"data":266,"content":267,"nodeType":264},{},[268],{"data":269,"marks":270,"value":271,"nodeType":248},{},[],"At the time, we were anticipating a shift that was yet to fully materialize. But, a lot can change (and has changed) in the space of a year. We’ve seen the impact of SaaS account takeover attacks laid bare. Snowflake, billed one of the biggest breaches in history, is a telling example that we’ll no doubt look back on as a watershed moment. ",{"data":273,"content":274,"nodeType":264},{},[275],{"data":276,"marks":277,"value":278,"nodeType":248},{},[],"It isn’t an exaggeration or marketing fluff to say that identity attacks are the #1 threat facing organizations today. SaaS apps, and the identities that are used to access them, are clearly the weakest link – and therefore the lowest-hanging fruit for attackers to reach for. ",{"data":280,"content":281,"nodeType":264},{},[282],{"data":283,"marks":284,"value":285,"nodeType":248},{},[],"This makes resources like the SaaS attack matrix more relevant than ever – both for red teams seeking to emulate the latest offensive techniques, and blue teams trying to defend against them. Understanding these techniques is essential for building effective defenses, and identifying where new platforms and controls are required to do so. ",{"data":287,"content":288,"nodeType":264},{},[289],{"data":290,"marks":291,"value":292,"nodeType":248},{},[],"Let’s take a look at what we’ve learned so far.",{"data":294,"content":295,"nodeType":296},{},[],"hr",{"data":298,"content":299,"nodeType":304},{},[300],{"data":301,"marks":302,"value":303,"nodeType":248},{},[],"Hot right now: Initial access techniques","heading-1",{"data":306,"content":307,"nodeType":264},{},[308,312,321,325,334,337,346,349,358,362,371,375,384,388,396],{"data":309,"marks":310,"value":311,"nodeType":248},{},[],"The majority of techniques we've seen rise to prominence in 2023/4 sit predominantly in the initial access phase. Since the matrix first launched, we’ve added more techniques to initial access than any other category, including ",{"data":313,"content":315,"nodeType":259},{"uri":314},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/ghost_logins/description.md",[316],{"data":317,"marks":318,"value":320,"nodeType":248},{},[319],{"type":257},"ghost logins",{"data":322,"marks":323,"value":324,"nodeType":248},{},[],", ",{"data":326,"content":328,"nodeType":259},{"uri":327},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/aitm_phishing/description.md",[329],{"data":330,"marks":331,"value":333,"nodeType":248},{},[332],{"type":257},"AitM phishing",{"data":335,"marks":336,"value":324,"nodeType":248},{},[],{"data":338,"content":340,"nodeType":259},{"uri":339},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/session_cookie_theft/description.md",[341],{"data":342,"marks":343,"value":345,"nodeType":248},{},[344],{"type":257},"session cookie theft",{"data":347,"marks":348,"value":324,"nodeType":248},{},[],{"data":350,"content":352,"nodeType":259},{"uri":351},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/mfa_downgrade/description.md",[353],{"data":354,"marks":355,"value":357,"nodeType":248},{},[356],{"type":257},"MFA downgrade attacks",{"data":359,"marks":360,"value":361,"nodeType":248},{},[],", and ",{"data":363,"content":365,"nodeType":259},{"uri":364},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/guest_access_abuse/description.md",[366],{"data":367,"marks":368,"value":370,"nodeType":248},{},[369],{"type":257},"guest access abuse,",{"data":372,"marks":373,"value":374,"nodeType":248},{},[]," all of which are methods of account takeover – complementing the classics like ",{"data":376,"content":378,"nodeType":259},{"uri":377},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/credential_stuffing/description.md",[379],{"data":380,"marks":381,"value":383,"nodeType":248},{},[382],{"type":257},"credential stuffing",{"data":385,"marks":386,"value":387,"nodeType":248},{},[]," and ",{"data":389,"content":391,"nodeType":259},{"uri":390},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/email_phishing/description.md",[392],{"data":393,"marks":394,"value":395,"nodeType":248},{},[],"email phishing",{"data":397,"marks":398,"value":399,"nodeType":248},{},[],".",{"data":401,"content":402,"nodeType":264},{},[403],{"data":404,"marks":405,"value":406,"nodeType":248},{},[],"We’ll spend a bit of time delving into these techniques in the next section, but let’s first consider what this tells us about SaaS attacks. ",{"data":408,"content":409,"nodeType":414},{},[410],{"data":411,"marks":412,"value":413,"nodeType":248},{},[],"Identity attacks are the leading cause of SaaS breaches","heading-2",{"data":416,"content":417,"nodeType":264},{},[418],{"data":419,"marks":420,"value":421,"nodeType":248},{},[],"The initial identity attack designed to achieve account takeover is the most important part of the SaaS attack chain. The fact that attackers are focused on finding new ways of compromising identities illustrates the value, but also the fragility of the identity controls that most organizations are relying on (which may also be one of the reasons attackers are fixated on it). Whether we’re talking about anti-phishing protections, conditional access policies, or MFA – attackers are continually finding new ways of getting around them.",{"data":423,"content":424,"nodeType":264},{},[425,429,435],{"data":426,"marks":427,"value":428,"nodeType":248},{},[],"And, if all an attacker really needs to do to cause harm is log into an app and abuse its legitimate features and functions, there really is no margin for error – you need to successfully stop the initial identity attack ",{"data":430,"marks":431,"value":434,"nodeType":248},{},[432],{"type":433},"bold","every time",{"data":436,"marks":437,"value":438,"nodeType":248},{},[],". ",{"data":440,"content":441,"nodeType":264},{},[442,446,455],{"data":443,"marks":444,"value":445,"nodeType":248},{},[],"You can’t rely on your endpoint and network controls to catch them later like you used to. Equally, it’s unlikely that your CASB or DLP solution can stop a legitimate app using legitimate features like ",{"data":447,"content":449,"nodeType":259},{"uri":448},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/shadow_workflows/description.md",[450],{"data":451,"marks":452,"value":454,"nodeType":248},{},[453],{"type":257},"API-based workflows",{"data":456,"marks":457,"value":458,"nodeType":248},{},[]," from sending data to attacker-controlled infrastructure. ",{"data":460,"content":461,"nodeType":264},{},[462],{"data":463,"marks":464,"value":465,"nodeType":248},{},[],"It’s a classic case of attackers only needing to win once. And right now, it’s a numbers game that they’re winning enough to keep them coming back for more. ",{"data":467,"content":468,"nodeType":296},{},[],{"data":470,"content":471,"nodeType":304},{},[472],{"data":473,"marks":474,"value":475,"nodeType":248},{},[],"Most wanted: Techniques gaining notoriety in the wild",{"data":477,"content":478,"nodeType":264},{},[479],{"data":480,"marks":481,"value":482,"nodeType":248},{},[],"Let’s take a closer look at some of the techniques we’ve seen rise to prominence in 2023/4. ",{"data":484,"content":485,"nodeType":414},{},[486],{"data":487,"marks":488,"value":489,"nodeType":248},{},[],"Ghost logins",{"data":491,"content":492,"nodeType":264},{},[493,496,503],{"data":494,"marks":495,"value":29,"nodeType":248},{},[],{"data":497,"content":498,"nodeType":259},{"uri":314},[499],{"data":500,"marks":501,"value":489,"nodeType":248},{},[502],{"type":257},{"data":504,"marks":505,"value":506,"nodeType":248},{},[]," is a technique that exploits the fact that SaaS user accounts often enable multiple simultaneous logins using different sign-in methods. ",{"data":508,"content":509,"nodeType":264},{},[510,514,519,522,527],{"data":511,"marks":512,"value":513,"nodeType":248},{},[],"Ghost logins can be used for both the ",{"data":515,"marks":516,"value":518,"nodeType":248},{},[517],{"type":433},"initial access",{"data":520,"marks":521,"value":387,"nodeType":248},{},[],{"data":523,"marks":524,"value":526,"nodeType":248},{},[525],{"type":433},"persistence",{"data":528,"marks":529,"value":530,"nodeType":248},{},[]," stages of a cyber attack, doubling up as a defense evasion technique because of low login method visibility.",{"data":532,"content":533,"nodeType":264},{},[534],{"data":535,"marks":536,"value":537,"nodeType":248},{},[],"For initial access, the technique exploits the fact that local and SSO logins can exist simultaneously. Given that many apps are self-adopted by users, it’s likely that many users will default to a local username and password login at this stage. If the app is later adopted companywide and brought into SSO, the original local login will continue to exist unless explicitly disabled or deleted. ",{"data":539,"content":540,"nodeType":264},{},[541],{"data":542,"marks":543,"value":544,"nodeType":248},{},[],"Because MFA is applied at the app and IdP level independently, it is possible to end up with an SSO login that requires MFA (via the IdP login), but a local login that does not. This creates an easy target identity for attackers to look for. When combined with other identity vulnerabilities such as weak, breached, and/or reused passwords, attackers can easily automate ghost login discovery and exploitation at scale.  ",{"data":546,"content":547,"nodeType":264},{},[548,552,561,565,574],{"data":549,"marks":550,"value":551,"nodeType":248},{},[],"We saw the impact of ghost logins for initial access with ",{"data":553,"content":555,"nodeType":259},{"uri":554},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/#id-snowflake-june-2024",[556],{"data":557,"marks":558,"value":560,"nodeType":248},{},[559],{"type":257},"the recent ShinyHunters campaign against Snowflake customers",{"data":562,"marks":563,"value":564,"nodeType":248},{},[],". Because Snowflake accounts did not require mandatory MFA for accounts, or give admins the ability to enforce MFA by default, attackers were able to find and exploit a large number of Snowflake accounts using breached credentials from historical data breach dumps. Much of the industry response focused on ensuring SSO and MFA were deployed, but ",{"data":566,"content":568,"nodeType":259},{"uri":567},"https://pushsecurity.com/resources/video/demonstrating-ghost-logins-in-snowflake-and-how-to-remediate-them/",[569],{"data":570,"marks":571,"value":573,"nodeType":248},{},[572],{"type":257},"the practicalities of gathering data and manually unsetting local passwords in Snowflake",{"data":575,"marks":576,"value":577,"nodeType":248},{},[]," meant that ghost logins were easy to overlook by organizations responding to the attacks.   ",{"data":579,"content":580,"nodeType":264},{},[581,585,594,598,607],{"data":582,"marks":583,"value":584,"nodeType":248},{},[],"Ghost logins can also be created after an attacker has established access to an app. For example, if a social login is used to access an account, an adversary may be able to configure a separate username/password login, or even (though much less commonly) connect a second social account that the adversary controls. If the account has sufficient privileges, it may also be possible to ",{"data":586,"content":588,"nodeType":259},{"uri":587},"https://pushsecurity.com/blog/samljacking-a-poisoned-tenant/",[589],{"data":590,"marks":591,"value":593,"nodeType":248},{},[592],{"type":257},"set up or change the SAML login settings to inject a malicious URL",{"data":595,"marks":596,"value":597,"nodeType":248},{},[]," (for example to an attacker controlled tenant) or simply ",{"data":599,"content":601,"nodeType":259},{"uri":600},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/api_keys/description.md",[602],{"data":603,"marks":604,"value":606,"nodeType":248},{},[605],{"type":257},"configure API access",{"data":608,"marks":609,"value":610,"nodeType":248},{},[]," to forgo the need to log in entirely. ",{"data":612,"content":613,"nodeType":414},{},[614],{"data":615,"marks":616,"value":617,"nodeType":248},{},[],"AitM phishing ",{"data":619,"content":620,"nodeType":264},{},[621,624,632],{"data":622,"marks":623,"value":29,"nodeType":248},{},[],{"data":625,"content":626,"nodeType":259},{"uri":327},[627],{"data":628,"marks":629,"value":631,"nodeType":248},{},[630],{"type":257},"Adversary-in-the-Middle (AitM) phishing",{"data":633,"marks":634,"value":635,"nodeType":248},{},[]," is a newer variant of phishing that uses dedicated tooling to act as a web proxy between the victim and a legitimate login portal for an application the victim has access to, principally to make it easier to defeat MFA protection (with the victim responding to the MFA request as part of the attack).",{"data":637,"content":638,"nodeType":264},{},[639],{"data":640,"marks":641,"value":642,"nodeType":248},{},[],"As it’s a proxy to the real application, the page will appear exactly as the user expects, because they are logging into the legitimate site – just taking a detour via the attacker’s device. For example, if accessing their webmail, the user will see all their real emails; if accessing their cloud file store then all their real files will be present, etc. ",{"data":644,"content":645,"nodeType":264},{},[646],{"data":647,"marks":648,"value":649,"nodeType":248},{},[],"This gives AitM an increased sense of authenticity and makes the compromise less obvious to the user. Because the attacker is sitting in the middle of this connection, they are able to observe all interactions and take control of the authenticated session. ",{"data":651,"content":652,"nodeType":264},{},[653],{"data":654,"marks":655,"value":656,"nodeType":248},{},[],"Alongside AitM phishing is Browser-in-the-Middle (BitM), really a form of sub-technique. Rather than act as a reverse web proxy, this technique tricks a target into directly controlling the attacker’s own browser remotely using desktop screen sharing and control approaches (such as VNC and RDP). ",{"data":658,"content":659,"nodeType":264},{},[660],{"data":661,"marks":662,"value":664,"nodeType":248},{},[663],{"type":433},"This is the virtual equivalent of an attacker handing their laptop to their victim, asking them to login to Okta for them, and then taking their laptop back afterwards.",{"data":666,"content":667,"nodeType":264},{},[668],{"data":669,"marks":670,"value":671,"nodeType":248},{},[],"A growing majority of modern phishing attacks typically leverage AitM or BitM tooling – they are now the standard choice for threat actors, offering the ability to bypass MFA without any real tradeoff. ",{"data":673,"content":674,"nodeType":264},{},[675,679,688,692,701],{"data":676,"marks":677,"value":678,"nodeType":248},{},[],"For more information you can ",{"data":680,"content":682,"nodeType":259},{"uri":681},"https://pushsecurity.com/blog/phishing-2-0-how-phishing-toolkits-are-evolving-with-aitm/",[683],{"data":684,"marks":685,"value":687,"nodeType":248},{},[686],{"type":257},"read our recent blog post",{"data":689,"marks":690,"value":691,"nodeType":248},{},[]," or ",{"data":693,"content":695,"nodeType":259},{"uri":694},"https://pushsecurity.com/resources/video/phishing-detecting-evilginx-evilnovnc-muraena-and-modlishka/",[696],{"data":697,"marks":698,"value":700,"nodeType":248},{},[699],{"type":257},"watch our on-demand webinar on Phishing 2.0 to see AitM and BitM tools like Evilginx and EvilnoVNC in action",{"data":702,"marks":703,"value":704,"nodeType":248},{},[],". ",{"data":706,"content":707,"nodeType":414},{},[708],{"data":709,"marks":710,"value":711,"nodeType":248},{},[],"Credential stuffing",{"data":713,"content":714,"nodeType":264},{},[715,718,725],{"data":716,"marks":717,"value":29,"nodeType":248},{},[],{"data":719,"content":720,"nodeType":259},{"uri":377},[721],{"data":722,"marks":723,"value":711,"nodeType":248},{},[724],{"type":257},{"data":726,"marks":727,"value":728,"nodeType":248},{},[]," attacks continue to pose a risk to organizations. Despite the fact that MFA has now become an expected control, accounts without MFA continue to be hacked as a result of using weak, reused, and/or previously breached credentials. ",{"data":730,"content":731,"nodeType":264},{},[732,736,745,749,758],{"data":733,"marks":734,"value":735,"nodeType":248},{},[],"Credential stuffing is being fed by an increase in the number of ",{"data":737,"content":739,"nodeType":259},{"uri":738},"https://pushsecurity.com/blog/what-the-rise-of-infostealers-says-about-identity-attacks/?utm_source=ebook&utm_medium=organic",[740],{"data":741,"marks":742,"value":744,"nodeType":248},{},[743],{"type":257},"infostealer",{"data":746,"marks":747,"value":748,"nodeType":248},{},[]," attacks designed to harvest credentials to be sold on criminal marketplaces. Infostealers have been boosted by the success of the Snowflake attacks (",{"data":750,"content":752,"nodeType":259},{"uri":751},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/#id-snowflake-june-2024?utm_source=ebook&utm_medium=organic",[753],{"data":754,"marks":755,"value":757,"nodeType":248},{},[756],{"type":257},"where 80% of the credentials used to access accounts could be traced back to infostealer infections dating back to 2020",{"data":759,"marks":760,"value":761,"nodeType":248},{},[],"). ",{"data":763,"content":764,"nodeType":414},{},[765],{"data":766,"marks":767,"value":768,"nodeType":248},{},[],"Session cookie theft",{"data":770,"content":771,"nodeType":264},{},[772,776,784],{"data":773,"marks":774,"value":775,"nodeType":248},{},[],"Attackers are increasingly ",{"data":777,"content":778,"nodeType":259},{"uri":339},[779],{"data":780,"marks":781,"value":783,"nodeType":248},{},[782],{"type":257},"targeting session cookies",{"data":785,"marks":786,"value":787,"nodeType":248},{},[]," to be able to hijack live user sessions as a means of getting around MFA. Although session cookies are predominantly stolen via infostealers, techniques like AitM and BitM phishing described above are also methods of stealing session cookies and hijacking sessions.",{"data":789,"content":790,"nodeType":264},{},[791],{"data":792,"marks":793,"value":794,"nodeType":248},{},[],"While the majority of infostealer data dumps result in credential stuffing attacks rather than session hijacking, as the infostealer marketplace continues to heat up, it’s likely that more instances of session cookie theft will be the cause of breaches going forward. ",{"data":796,"content":797,"nodeType":414},{},[798],{"data":799,"marks":800,"value":801,"nodeType":248},{},[],"MFA downgrade",{"data":803,"content":804,"nodeType":264},{},[805,809,816],{"data":806,"marks":807,"value":808,"nodeType":248},{},[],"While many organizations are waking up to the fact that it’s not enough to have any old MFA method, it’s still often overlooked that you need to actually remove or disable the phishable methods. Otherwise, in many cases they remain valid, opening affected identities up to ",{"data":810,"content":811,"nodeType":259},{"uri":351},[812],{"data":813,"marks":814,"value":801,"nodeType":248},{},[815],{"type":257},{"data":817,"marks":818,"value":819,"nodeType":248},{},[]," attacks. ",{"data":821,"content":822,"nodeType":264},{},[823],{"data":824,"marks":825,"value":826,"nodeType":248},{},[],"Just because a user has a phishing-resistant factor setup (such as passkeys) and may use them by default, it does not mean they are necessarily enforced. Often, services support the use of multiple authentication options, particularly for second factors. In particular, passkeys are device-bound and so enforcing their use prevents logins from other devices and can cause recovery issues in a lost/broken device scenario. Therefore, it’s common for the default case to be that passkey authentication is optional, rather than required.",{"data":828,"content":829,"nodeType":264},{},[830],{"data":831,"marks":832,"value":833,"nodeType":248},{},[],"When used in combination with AitM phishing tools, it’s possible for attackers to modify requests/responses so as to prevent the ability of passkeys to be selected as a login option and prompting the user to use vulnerable factors, such as passwords, TOTPs and push notifications instead. Since the server-side supports other authentication options, if the user continues and enters one of these alternative factors then their authenticated session will be compromised – despite the fact they usually use phishing-resistant MFA methods like passkeys or similar.",{"data":835,"content":836,"nodeType":296},{},[],{"data":838,"content":839,"nodeType":304},{},[840],{"data":841,"marks":842,"value":843,"nodeType":248},{},[],"Use case inspo: How red teamers are using the SaaS attack matrix",{"data":845,"content":846,"nodeType":264},{},[847],{"data":848,"marks":849,"value":850,"nodeType":248},{},[],"The techniques that advanced red teams are using to (ethically) hack into their clients are always a good indicator of what direction hackers in the real world are headed.  ",{"data":852,"content":853,"nodeType":264},{},[854],{"data":855,"marks":856,"value":857,"nodeType":248},{},[],"We spoke to a few of the best red teams around to see how they are using the matrix: Let’s see what they had to say. ",{"data":859,"content":860,"nodeType":296},{},[],{"data":862,"content":863,"nodeType":414},{},[864],{"data":865,"marks":866,"value":867,"nodeType":248},{},[],"Rob Maslen | Managing Principal Consultant | MDSec",{"data":869,"content":870,"nodeType":264},{},[871],{"data":872,"marks":873,"value":874,"nodeType":248},{},[],"“We use the matrix throughout our engagements: When scoping and proposing projects to clients, during testing to assist our consultants in successfully utilizing novel SaaS-attack techniques, and for reporting to provide a common language across the vendors that they work with. ",{"data":876,"content":877,"nodeType":264},{},[878],{"data":879,"marks":880,"value":881,"nodeType":248},{},[],"It’s been most useful to us when performing engagements on more modern Zero Trust Environments where macOS is predominantly the Operating System of choice. The objectives tend to be either access to critical applications that reside within the cloud and require the compromise of SaaS credentials, or to gain privileged access to a SaaS application. Whilst resources like the MITRE ATT&CK Framework can help to describe the techniques that have been used against a more traditional environment, the SaaS Matrix aids with performing and describing attacks against a more modern infrastructure.  ",{"data":883,"content":884,"nodeType":264},{},[885,889,897],{"data":886,"marks":887,"value":888,"nodeType":248},{},[],"The technique we’ve seen most success with, across both traditional Active Directory attacks and more modern Zero Trust Environments, is ",{"data":890,"content":891,"nodeType":259},{"uri":339},[892],{"data":893,"marks":894,"value":896,"nodeType":248},{},[895],{"type":257},"Session Cookie Theft",{"data":898,"marks":899,"value":900,"nodeType":248},{},[],". The protection of browser cookies (for inexplicable reasons) has had less engineering attention than it should have, opening up opportunities for lateral movement using session cookies, credentials, or API keys recovered from a host becomes a key technique. In our experience defensive tooling has yet to catch up with this threat. ",{"data":902,"content":903,"nodeType":264},{},[904,908,917,920,929,932,941,944,953,956,965,968,976,979,987,990,999,1002,1010,1014,1023,1026,1035],{"data":905,"marks":906,"value":907,"nodeType":248},{},[],"We’ve also seen success with various techniques across Kill Chain stages, including ",{"data":909,"content":911,"nodeType":259},{"uri":910},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/subdomain_tenant_discovery/description.md",[912],{"data":913,"marks":914,"value":916,"nodeType":248},{},[915],{"type":257},"Subdomain tenant discovery",{"data":918,"marks":919,"value":324,"nodeType":248},{},[],{"data":921,"content":923,"nodeType":259},{"uri":922},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/dns_reconnaissance/description.md",[924],{"data":925,"marks":926,"value":928,"nodeType":248},{},[927],{"type":257},"DNS reconnaissance",{"data":930,"marks":931,"value":324,"nodeType":248},{},[],{"data":933,"content":935,"nodeType":259},{"uri":934},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/username_enumeration/description.md",[936],{"data":937,"marks":938,"value":940,"nodeType":248},{},[939],{"type":257},"username enumeration",{"data":942,"marks":943,"value":324,"nodeType":248},{},[],{"data":945,"content":947,"nodeType":259},{"uri":946},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/consent_phishing/description.md",[948],{"data":949,"marks":950,"value":952,"nodeType":248},{},[951],{"type":257},"consent phishing",{"data":954,"marks":955,"value":324,"nodeType":248},{},[],{"data":957,"content":959,"nodeType":259},{"uri":958},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/device_code_phishing/description.md",[960],{"data":961,"marks":962,"value":964,"nodeType":248},{},[963],{"type":257},"device code phishing",{"data":966,"marks":967,"value":324,"nodeType":248},{},[],{"data":969,"content":970,"nodeType":259},{"uri":364},[971],{"data":972,"marks":973,"value":975,"nodeType":248},{},[974],{"type":257},"guest access abuse",{"data":977,"marks":978,"value":324,"nodeType":248},{},[],{"data":980,"content":981,"nodeType":259},{"uri":448},[982],{"data":983,"marks":984,"value":986,"nodeType":248},{},[985],{"type":257},"shadow workflows",{"data":988,"marks":989,"value":324,"nodeType":248},{},[],{"data":991,"content":993,"nodeType":259},{"uri":992},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/oauth_tokens/description.md",[994],{"data":995,"marks":996,"value":998,"nodeType":248},{},[997],{"type":257},"OAuth tokens",{"data":1000,"marks":1001,"value":324,"nodeType":248},{},[],{"data":1003,"content":1004,"nodeType":259},{"uri":600},[1005],{"data":1006,"marks":1007,"value":1009,"nodeType":248},{},[1008],{"type":257},"API keys",{"data":1011,"marks":1012,"value":1013,"nodeType":248},{},[]," (as long as you ensure the target isn't notified – make sure you delete the notification of creation email!), ",{"data":1015,"content":1017,"nodeType":259},{"uri":1016},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/api_secret_theft/description.md",[1018],{"data":1019,"marks":1020,"value":1022,"nodeType":248},{},[1021],{"type":257},"API secret theft",{"data":1024,"marks":1025,"value":361,"nodeType":248},{},[],{"data":1027,"content":1029,"nodeType":259},{"uri":1028},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/link_backdooring/description.md",[1030],{"data":1031,"marks":1032,"value":1034,"nodeType":248},{},[1033],{"type":257},"link backdooring",{"data":1036,"marks":1037,"value":704,"nodeType":248},{},[],{"data":1039,"content":1040,"nodeType":264},{},[1041],{"data":1042,"marks":1043,"value":1044,"nodeType":248},{},[],"Embracing the modern Zero Trust architecture with its greater SaaS usage does not come without security risks, and while it does invalidate a large number of the attacks that can be performed within an AD environment, the SaaS attack matrix is a great way of illustrating how these attacks work, as well as helping red and blue teams respectively to simulate and defend against them.\" ",{"data":1046,"content":1047,"nodeType":296},{},[],{"data":1049,"content":1050,"nodeType":414},{},[1051],{"data":1052,"marks":1053,"value":1054,"nodeType":248},{},[],"Tom Ellson | Head of Offensive Security | Stripe OLT",{"data":1056,"content":1057,"nodeType":264},{},[1058],{"data":1059,"marks":1060,"value":1061,"nodeType":248},{},[],"“We've used the SaaS attack matrix across several cloud-native engagements, for both initial access and lateral movement. My go-to techniques so far have been:",{"data":1063,"content":1064,"nodeType":1165},{},[1065,1094,1116,1138],{"data":1066,"content":1067,"nodeType":1093},{},[1068],{"data":1069,"content":1070,"nodeType":264},{},[1071,1074,1084,1089],{"data":1072,"marks":1073,"value":29,"nodeType":248},{},[],{"data":1075,"content":1077,"nodeType":259},{"uri":1076},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/im_phishing/description.md",[1078],{"data":1079,"marks":1080,"value":1083,"nodeType":248},{},[1081,1082],{"type":257},{"type":433},"IM phishing:",{"data":1085,"marks":1086,"value":1088,"nodeType":248},{},[1087],{"type":433}," ",{"data":1090,"marks":1091,"value":1092,"nodeType":248},{},[],"Phishing via Microsoft Teams in particular has been highly successful, especially when paired with a number of abusable “features” (working as intended, clearly). ","list-item",{"data":1095,"content":1096,"nodeType":1093},{},[1097],{"data":1098,"content":1099,"nodeType":264},{},[1100,1103,1112],{"data":1101,"marks":1102,"value":29,"nodeType":248},{},[],{"data":1104,"content":1105,"nodeType":259},{"uri":958},[1106],{"data":1107,"marks":1108,"value":1111,"nodeType":248},{},[1109,1110],{"type":257},{"type":433},"Device code phishing:",{"data":1113,"marks":1114,"value":1115,"nodeType":248},{},[]," We use this for both initial access and persistence. It’s a great way of getting around MFA by tricking the victim into following the device approval process for our device, but using their device. ",{"data":1117,"content":1118,"nodeType":1093},{},[1119],{"data":1120,"content":1121,"nodeType":264},{},[1122,1125,1134],{"data":1123,"marks":1124,"value":29,"nodeType":248},{},[],{"data":1126,"content":1127,"nodeType":259},{"uri":327},[1128],{"data":1129,"marks":1130,"value":1133,"nodeType":248},{},[1131,1132],{"type":257},{"type":433},"AitM phishing:",{"data":1135,"marks":1136,"value":1137,"nodeType":248},{},[]," This is now a staple for credential harvesting. Better security controls force us to abuse other avenues to bypass conditional access policies, such as extraction of the PRT token from the end user device, thus granting us claimed access, which can be achieved using AitM and BitM techniques.",{"data":1139,"content":1140,"nodeType":1093},{},[1141],{"data":1142,"content":1143,"nodeType":264},{},[1144,1147,1157,1161],{"data":1145,"marks":1146,"value":29,"nodeType":248},{},[],{"data":1148,"content":1150,"nodeType":259},{"uri":1149},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/oauth_token_enumeration/description.md",[1151],{"data":1152,"marks":1153,"value":1156,"nodeType":248},{},[1154,1155],{"type":257},{"type":433},"OAuth token enumeration:",{"data":1158,"marks":1159,"value":1088,"nodeType":248},{},[1160],{"type":433},{"data":1162,"marks":1163,"value":1164,"nodeType":248},{},[],"Once an account has been compromised, the Myapps portal is commonly used to validate the accessible applications and further target downstream apps to access data and functionality. ","unordered-list",{"data":1167,"content":1168,"nodeType":264},{},[1169],{"data":1170,"marks":1171,"value":1172,"nodeType":248},{},[],"We’re usually targeting M365 environments but have still found these attack techniques to be highly effective. In some cases, we’ve leveraged other SaaS applications such as abusing in-app phishing via GitHub to compromise development pipelines. The matrix is particularly useful as a playbook of further attacks once initial access has been established. Even just the awareness of how to pivot from SaaS to SaaS (and sometimes back to Microsoft or Google) is really eye-opening for red teams, and adds a new dimension to the security testing that our clients are used to experiencing. ",{"data":1174,"content":1175,"nodeType":264},{},[1176],{"data":1177,"marks":1178,"value":1179,"nodeType":248},{},[],"Because of the success of using these methods, we’ve now incorporated the SaaS attack matrix techniques into our purple teaming methodology to ensure that our clients can build awareness of their detection visibility gaps when it comes to identity attacks, and are routinely benchmarked against them.”  ",{"data":1181,"content":1182,"nodeType":296},{},[],{"data":1184,"content":1185,"nodeType":414},{},[1186],{"data":1187,"marks":1188,"value":1189,"nodeType":248},{},[],"Max Corbridge | Head of Adversarial Simulation | JUMPSEC",{"data":1191,"content":1192,"nodeType":264},{},[1193],{"data":1194,"marks":1195,"value":1196,"nodeType":248},{},[],"“I’ve been a big fan of the matrix from day one. We use it for two main purposes – as a catalog of TTPs to apply during threat modeling exercises with cloud-native clients, and as a guide for how to apply novel TTPs to different apps and situations. The wiki descriptions, video demonstrations and references help enormously with this. ",{"data":1198,"content":1199,"nodeType":264},{},[1200,1204,1212,1215,1222,1225,1234,1237,1246],{"data":1201,"marks":1202,"value":1203,"nodeType":248},{},[],"We’ve mostly relied on ",{"data":1205,"content":1206,"nodeType":259},{"uri":1076},[1207],{"data":1208,"marks":1209,"value":1211,"nodeType":248},{},[1210],{"type":257},"IM phishing",{"data":1213,"marks":1214,"value":324,"nodeType":248},{},[],{"data":1216,"content":1217,"nodeType":259},{"uri":327},[1218],{"data":1219,"marks":1220,"value":333,"nodeType":248},{},[1221],{"type":257},{"data":1223,"marks":1224,"value":324,"nodeType":248},{},[],{"data":1226,"content":1228,"nodeType":259},{"uri":1227},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/abuse_existing_oauth_integrations/description.md",[1229],{"data":1230,"marks":1231,"value":1233,"nodeType":248},{},[1232],{"type":257},"abusing OAuth integrations",{"data":1235,"marks":1236,"value":361,"nodeType":248},{},[],{"data":1238,"content":1240,"nodeType":259},{"uri":1239},"https://github.com/pushsecurity/saas-attacks/blob/main/techniques/samljacking/description.md",[1241],{"data":1242,"marks":1243,"value":1245,"nodeType":248},{},[1244],{"type":257},"SAMLjacking",{"data":1247,"marks":1248,"value":1249,"nodeType":248},{},[],". In one recent engagement, we were able to compromise a cloud identity with limited permissions in the target Azure environment. We were able to enumerate additional OAuth integrations to laterally move to a third-party IT Service Management SaaS application, which presented a much easier target to elevate privileges. We actually ended up finding a number of 0-days in the application, which we then used as a trusted platform to launch a covert spear-phishing campaign against specific high-privilege users, communicating back-and-forth as though we were a genuine support team, and hiding risky changes to cover our tracks. Ultimately we were able to pivot back into the target Azure estate, but now with administrative privileges. ",{"data":1251,"content":1252,"nodeType":264},{},[1253],{"data":1254,"marks":1255,"value":1256,"nodeType":248},{},[],"This really shows how third-party identities and apps are often the soft underbelly for a lot of otherwise pretty secure orgs that we work with, and we’re enjoying the challenge of finding new ways of getting to the crown jewels. ",{"data":1258,"content":1259,"nodeType":264},{},[1260],{"data":1261,"marks":1262,"value":1263,"nodeType":248},{},[],"In my eyes the world of cloud and SaaS-native attack techniques is under-researched for how increasingly relevant it is becoming. Many of the older TTPs and tradecraft are no longer relevant in a cloud-native world, and even when the techniques are consistent with the ways we used to target networks and endpoints, the context and how it actually works is completely different. So, resources like the SaaS attack matrix will continue to be needed for both offensive and defensive security practitioners going forwards”.",{"data":1265,"content":1266,"nodeType":296},{},[],{"data":1268,"content":1269,"nodeType":304},{},[1270],{"data":1271,"marks":1272,"value":1273,"nodeType":248},{},[],"Get involved!",{"data":1275,"content":1276,"nodeType":264},{},[1277],{"data":1278,"marks":1279,"value":1280,"nodeType":248},{},[],"Hopefully you're now feeling inspired to get involved and start applying the SaaS attack matrix yourself. And if you’ve been using the matrix and want to share your experience with us, we’d love to hear from you. ",{"data":1282,"content":1283,"nodeType":264},{},[1284,1288,1296],{"data":1285,"marks":1286,"value":1287,"nodeType":248},{},[],"We hope to see your comments, discussions, or PRs on ",{"data":1289,"content":1290,"nodeType":259},{"uri":251},[1291],{"data":1292,"marks":1293,"value":1295,"nodeType":248},{},[1294],{"type":257},"GitHub",{"data":1297,"marks":1298,"value":1299,"nodeType":248},{},[],"!",{"data":1301,"content":1302,"nodeType":264},{},[1303,1307,1316],{"data":1304,"marks":1305,"value":1306,"nodeType":248},{},[],"If this has piqued your interest, we’ve just released a 2024 edition of our SaaS attacks report: ",{"data":1308,"content":1310,"nodeType":259},{"uri":1309},"https://pushsecurity.com/resources/book/saas-attacks-report/",[1311],{"data":1312,"marks":1313,"value":1315,"nodeType":248},{},[1314],{"type":257},"get your copy here",{"data":1317,"marks":1318,"value":704,"nodeType":248},{},[],{"data":1320,"content":1326,"nodeType":1327},{"target":1321},{"sys":1322},{"id":1323,"type":1324,"linkType":1325},"J11G6XCdDAYu0GQbKGCnm","Link","Entry",[],"embedded-entry-block",{"data":1329,"content":1330,"nodeType":264},{},[1331],{"data":1332,"marks":1333,"value":29,"nodeType":248},{},[],"document",{"entries":1336},{"hyperlink":1337,"inline":1338,"block":1339},[],[],[1340],{"sys":1341,"__typename":1342,"type":1343,"ctaText":1344,"buttonLabel":1345,"buttonColour":1346,"buttonUrl":1309},{"id":1323},"CtaWidget","Custom","Check out the SaaS Attacks Report to learn about how identity attacks are the leading cause of SaaS breaches in 2024","Download the report","sunny orange","json",{"items":1349},[],{},"Reflecting on a year of SaaS identity attacks","2024-08-27T00:00:00.000Z",{"items":1354},[1355,2612,3278],{"__typename":1356,"sys":1357,"content":1359,"title":2590,"synopsis":2591,"hashTags":62,"publishedDate":2592,"slug":2593,"tagsCollection":2594,"authorsCollection":2604},"BlogPosts",{"id":1358},"489LTCEVau7lh88tLgSPX5",{"json":1360},{"nodeType":1334,"data":1361,"content":1362},{},[1363,1370,1390,1397,1403,1410,1443,1449,1455,1462,1469,1475,1482,1502,1509,1516,1522,1529,1536,1584,1603,1610,1617,1624,1630,1637,1644,1651,1658,1665,1672,1684,1690,1697,1716,1735,1742,1749,1769,1776,1794,1801,1852,1859,1877,1884,1890,1907,1926,1933,1952,1959,1965,1972,1991,1998,2005,2011,2018,2025,2032,2039,2045,2052,2059,2066,2073,2079,2086,2093,2105,2121,2128,2135,2203,2210,2217,2224,2231,2238,2245,2252,2259,2278,2285,2291,2298,2304,2311,2318,2325,2331,2338,2345,2352,2385,2392,2399,2406,2413,2420,2427,2434,2441,2489,2495,2502,2546,2552,2559,2578,2584],{"nodeType":264,"data":1364,"content":1365},{},[1366],{"nodeType":248,"value":1367,"marks":1368,"data":1369},"The last time “hacking” topped the attacker actions chart in a Verizon DBIR, Gamestop was being saved by Redditors, ChatGPT didn’t exist, and Will Smith was welcome at the Oscars. ",[],{},{"nodeType":264,"data":1371,"content":1372},{},[1373,1377,1386],{"nodeType":248,"value":1374,"marks":1375,"data":1376},"That’s right, it was back in the ",[],{},{"nodeType":259,"data":1378,"content":1380},{"uri":1379},"https://www.verizon.com/business/resources/reports/dbir/2021/masters-guide/",[1381],{"nodeType":248,"value":1382,"marks":1383,"data":1385},"2021 DBIR",[1384],{"type":257},{},{"nodeType":248,"value":1387,"marks":1388,"data":1389}," that good old-fashioned hacking was the thing hackers did the most. ",[],{},{"nodeType":264,"data":1391,"content":1392},{},[1393],{"nodeType":248,"value":1394,"marks":1395,"data":1396},"In every report since, stolen credentials have been the most common “select way-in” (weird term, I know). In this year’s DBIR, stolen credentials accounted for roughly half of the breaches recorded. ",[],{},{"nodeType":1327,"data":1398,"content":1402},{"target":1399},{"sys":1400},{"id":1401,"type":1324,"linkType":1325},"16WQ5Siz92HZKCjDsxWBdr",[],{"nodeType":264,"data":1404,"content":1405},{},[1406],{"nodeType":248,"value":1407,"marks":1408,"data":1409},"These stats, along with others like CrowdStrike’s widely cited “80% of attacks involve identity and compromised credentials,” continue to prove that “hackers don’t hack in, they log in.” ",[],{},{"nodeType":264,"data":1411,"content":1412},{},[1413,1417,1426,1430,1439],{"nodeType":248,"value":1414,"marks":1415,"data":1416},"In the last year, more stories behind those statistics have started to emerge with a series of high profile “no-hack” identity attacks hitting the headlines – the most recent being the ",[],{},{"nodeType":259,"data":1418,"content":1420},{"uri":1419},"https://pushsecurity.com/resources/video/snowflake-the-tip-of-the-iceberg/",[1421],{"nodeType":248,"value":1422,"marks":1423,"data":1425},"Snowflake incident",[1424],{"type":257},{},{"nodeType":248,"value":1427,"marks":1428,"data":1429},". You can read more about that breach and others in our repository of ",[],{},{"nodeType":259,"data":1431,"content":1433},{"uri":1432},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/",[1434],{"nodeType":248,"value":1435,"marks":1436,"data":1438},"identity attacks in the wild",[1437],{"type":257},{},{"nodeType":248,"value":1440,"marks":1441,"data":1442}," where we take a deep dive into the techniques attackers have been using. ",[],{},{"nodeType":1327,"data":1444,"content":1448},{"target":1445},{"sys":1446},{"id":1447,"type":1324,"linkType":1325},"6QY3hnMLMJvnk6zYHYa6pf",[],{"nodeType":1327,"data":1450,"content":1454},{"target":1451},{"sys":1452},{"id":1453,"type":1324,"linkType":1325},"7oAUuhbwgEH5XnDZrm5Zk9",[],{"nodeType":264,"data":1456,"content":1457},{},[1458],{"nodeType":248,"value":1459,"marks":1460,"data":1461},"Why should they go to the effort of targeting hardened and well-monitored attack surfaces like networks and endpoints with 0-day exploits or EDR-evading malware, when they can instead simply take a set of stolen credentials and fire them at popular business apps to see which pop open?",[],{},{"nodeType":264,"data":1463,"content":1464},{},[1465],{"nodeType":248,"value":1466,"marks":1467,"data":1468},"Taking over an account is the equivalent of compromising an endpoint or getting a foothold on a web-facing server. From this point, an attacker can move laterally, escalate their privileges, and achieve their objective of deploying ransomware, stealing data or disrupting business-critical systems. ",[],{},{"nodeType":1327,"data":1470,"content":1474},{"target":1471},{"sys":1472},{"id":1473,"type":1324,"linkType":1325},"3vdbE3kqFxvhE145q2CwOy",[],{"nodeType":264,"data":1476,"content":1477},{},[1478],{"nodeType":248,"value":1479,"marks":1480,"data":1481},"The data shows that account takeover, whether it’s using stolen credentials or session tokens, is now the route of least resistance for attackers, and the #1 attack vector for security teams to defend against.",[],{},{"nodeType":264,"data":1483,"content":1484},{},[1485,1489,1498],{"nodeType":248,"value":1486,"marks":1487,"data":1488},"I’m sure you already use a number of tools to secure your workforce identities – MFA, SSO, EDR, etc., and all of them have an important role to play. That said, they also have limitations that attackers are exploiting. We’ve laid out some of the ",[],{},{"nodeType":259,"data":1490,"content":1492},{"uri":1491},"https://pushsecurity.com/blog/5-reasons-why-push-security-shouldnt-exist/",[1493],{"nodeType":248,"value":1494,"marks":1495,"data":1497},"typical misconceptions that can undermine an identity security strategy",[1496],{"type":257},{},{"nodeType":248,"value":1499,"marks":1500,"data":1501}," so you can avoid the common pitfalls and achieve defense in depth.",[],{},{"nodeType":304,"data":1503,"content":1504},{},[1505],{"nodeType":248,"value":1506,"marks":1507,"data":1508},"Push vs. account takeover techniques",[],{},{"nodeType":264,"data":1510,"content":1511},{},[1512],{"nodeType":248,"value":1513,"marks":1514,"data":1515},"In this article, we’re going to show you how to use Push to bolster your identity security strategy and prevent account takeover. More specifically, we’ll cover how Push prevents, detects, and blocks some of the common attack techniques seen in this account takeover attack chain:",[],{},{"nodeType":1327,"data":1517,"content":1521},{"target":1518},{"sys":1519},{"id":1520,"type":1324,"linkType":1325},"1FPMzCU0mBgpg1GMSz1sJH",[],{"nodeType":264,"data":1523,"content":1524},{},[1525],{"nodeType":248,"value":1526,"marks":1527,"data":1528},"Push uses browser data collected by our browser agent to either detect the attack techniques directly, or identify the vulnerabilities being exploited. Upon making a detection, the browser agent enforces a relevant security control to either block the attack or prevent the user from introducing a vulnerability.",[],{},{"nodeType":264,"data":1530,"content":1531},{},[1532],{"nodeType":248,"value":1533,"marks":1534,"data":1535},"If you’re wondering why we’ve opted to build our tool in the browser, the short answer is that being in the browser gives us:",[],{},{"nodeType":1165,"data":1537,"content":1538},{},[1539,1554,1569],{"nodeType":1093,"data":1540,"content":1541},{},[1542],{"nodeType":264,"data":1543,"content":1544},{},[1545,1550],{"nodeType":248,"value":1546,"marks":1547,"data":1549},"The broadest visibility",[1548],{"type":433},{},{"nodeType":248,"value":1551,"marks":1552,"data":1553}," across all workforce identities, including unmanaged identities outside your IdP.",[],{},{"nodeType":1093,"data":1555,"content":1556},{},[1557],{"nodeType":264,"data":1558,"content":1559},{},[1560,1565],{"nodeType":248,"value":1561,"marks":1562,"data":1564},"The best telemetry",[1563],{"type":433},{},{"nodeType":248,"value":1566,"marks":1567,"data":1568}," for detecting identity attack TTPs and tools.",[],{},{"nodeType":1093,"data":1570,"content":1571},{},[1572],{"nodeType":264,"data":1573,"content":1574},{},[1575,1580],{"nodeType":248,"value":1576,"marks":1577,"data":1579},"The perfect enforcement point",[1578],{"type":433},{},{"nodeType":248,"value":1581,"marks":1582,"data":1583}," for stopping attacker actions or risky employee actions in real time. ",[],{},{"nodeType":264,"data":1585,"content":1586},{},[1587,1591,1600],{"nodeType":248,"value":1588,"marks":1589,"data":1590},"If you want a more detailed technical explanation, you can read this article by Dan on ",[],{},{"nodeType":259,"data":1592,"content":1594},{"uri":1593},"https://pushsecurity.com/blog/the-web-proxy-is-dead-long-live-the-browser-extension/",[1595],{"nodeType":248,"value":1596,"marks":1597,"data":1599},"why browser data is a better source of telemetry for detecting identity attacks than network, IdP and app logs",[1598],{"type":257},{},{"nodeType":248,"value":399,"marks":1601,"data":1602},[],{},{"nodeType":264,"data":1604,"content":1605},{},[1606],{"nodeType":248,"value":1607,"marks":1608,"data":1609},"Now we’ve cleared that up, let's look at some account takeover techniques.",[],{},{"nodeType":304,"data":1611,"content":1612},{},[1613],{"nodeType":248,"value":1614,"marks":1615,"data":1616},"Part 1: Phishing (including AitM and BitM toolkits)",[],{},{"nodeType":264,"data":1618,"content":1619},{},[1620],{"nodeType":248,"value":1621,"marks":1622,"data":1623},"Phishing has been around since forever and there’s a mature category of solutions that are designed to detect and prevent it. But despite solutions like security awareness training, phishing domain detection services and email filtering tools, phishing is still one of the top breach vectors. ",[],{},{"nodeType":1327,"data":1625,"content":1629},{"target":1626},{"sys":1627},{"id":1628,"type":1324,"linkType":1325},"4urh9lIuo0ePgVIJZNtP2B",[],{"nodeType":264,"data":1631,"content":1632},{},[1633],{"nodeType":248,"value":1634,"marks":1635,"data":1636},"We’ve all been conditioned to think about phishing as something that happens over email, but it’s actually the browser where most of the action happens, regardless of the initial delivery channel. Push’s position in the browser gives you the ideal vantage point for detecting and stopping phishing attacks.",[],{},{"nodeType":264,"data":1638,"content":1639},{},[1640],{"nodeType":248,"value":1641,"marks":1642,"data":1643},"The Push browser agent performs both passive observation and active interrogation in order to detect employees having their passwords harvested or visiting cloned app login pages or pages using AitM/BitM toolkits. Phishing attacks are detected in real time so Push blocks them before your employees can enter their credentials.",[],{},{"nodeType":414,"data":1645,"content":1646},{},[1647],{"nodeType":248,"value":1648,"marks":1649,"data":1650},"Detecting phishing through user behavior",[],{},{"nodeType":264,"data":1652,"content":1653},{},[1654],{"nodeType":248,"value":1655,"marks":1656,"data":1657},"Rather than trying to detect phishing websites and domains that constantly change, Push detects and blocks phishing attempts based on observing user behavior in the browser.",[],{},{"nodeType":264,"data":1659,"content":1660},{},[1661],{"nodeType":248,"value":1662,"marks":1663,"data":1664},"Push does this by observing all logins and generating a fingerprint (or technically a k-anonymized salted partial hash) of the user’s password. This fingerprint is then stored locally to allow Push to perform comparisons.",[],{},{"nodeType":264,"data":1666,"content":1667},{},[1668],{"nodeType":248,"value":1669,"marks":1670,"data":1671},"To detect potential phishing attacks, the browser agent compares the observed password fingerprint to known fingerprints for passwords that already exist in local storage.",[],{},{"nodeType":264,"data":1673,"content":1674},{},[1675,1680],{"nodeType":248,"value":1676,"marks":1677,"data":1679},"This means that it works even if that employee was the first person to get phished using a new attacker site: ",[1678],{"type":433},{},{"nodeType":248,"value":1681,"marks":1682,"data":1683},"Push still detects it and blocks it before your employee can submit their credentials. It also works regardless of the delivery vector used to get the phishing link to the intended victim.",[],{},{"nodeType":1327,"data":1685,"content":1689},{"target":1686},{"sys":1687},{"id":1688,"type":1324,"linkType":1325},"2V2My5IpdVUwh4QugqInUw",[],{"nodeType":264,"data":1691,"content":1692},{},[1693],{"nodeType":248,"value":1694,"marks":1695,"data":1696},"Once you’ve discovered a malicious site, you can use Push’s companion feature, URL blocking, to add the domain to a blocklist and prevent your other end-users from even visiting the site.",[],{},{"nodeType":264,"data":1698,"content":1699},{},[1700,1704,1712],{"nodeType":248,"value":1701,"marks":1702,"data":1703},"You can programmatically manage URL blocking as part of responding to an attempted phishing incident by using the ",[],{},{"nodeType":259,"data":1705,"content":1707},{"uri":1706},"https://pushsecurity.redoc.ly/rest-v1/",[1708],{"nodeType":248,"value":1709,"marks":1710,"data":1711},"Push REST API",[],{},{"nodeType":248,"value":1713,"marks":1714,"data":1715}," to automatically add URLs to the blocklist or to sync with other threat intelligence sources of known-bad sites.",[],{},{"nodeType":264,"data":1717,"content":1718},{},[1719,1723,1732],{"nodeType":248,"value":1720,"marks":1721,"data":1722},"You can find out more about this control in this ",[],{},{"nodeType":259,"data":1724,"content":1726},{"uri":1725},"https://pushsecurity.com/blog/introducing-sso-password-protection/",[1727],{"nodeType":248,"value":1728,"marks":1729,"data":1731},"deep-dive article",[1730],{"type":257},{},{"nodeType":248,"value":704,"marks":1733,"data":1734},[],{},{"nodeType":414,"data":1736,"content":1737},{},[1738],{"nodeType":248,"value":1739,"marks":1740,"data":1741},"Detecting cloned login pages",[],{},{"nodeType":264,"data":1743,"content":1744},{},[1745],{"nodeType":248,"value":1746,"marks":1747,"data":1748},"It’s now very easy for attackers to create cloned login pages that appear to be legitimate, tricking users into providing their credentials. ",[],{},{"nodeType":264,"data":1750,"content":1751},{},[1752,1756,1765],{"nodeType":248,"value":1753,"marks":1754,"data":1755},"There’s a number of phishing kits that allow the attacker to simply copy the HTML code from a legitimate website and duplicate it on the malicious site, creating a virtually identical interface that tricks users into entering their credentials. A final sprinkle of typosquatting techniques completes the illusion of legitimacy. The Federal Communications Commission (FCC) ",[],{},{"nodeType":259,"data":1757,"content":1759},{"uri":1758},"https://www.nextgov.com/cybersecurity/2024/03/fcc-staff-targeted-phishing-attack-cloned-agency-login-site/394609/",[1760],{"nodeType":248,"value":1761,"marks":1762,"data":1764},"was a recent target",[1763],{"type":257},{},{"nodeType":248,"value":1766,"marks":1767,"data":1768}," of this kind of attack. ",[],{},{"nodeType":264,"data":1770,"content":1771},{},[1772],{"nodeType":248,"value":1773,"marks":1774,"data":1775},"Push’s cloned app detection feature detects fraudulent login pages by inspecting the resources and structure of pages users log into and fingerprinting them so they can be used to detect when that action occurs on the wrong domain. ",[],{},{"nodeType":264,"data":1777,"content":1778},{},[1779,1783,1791],{"nodeType":248,"value":1780,"marks":1781,"data":1782},"You can ",[],{},{"nodeType":259,"data":1784,"content":1786},{"uri":1785},"https://pushsecurity.com/blog/introducing-cloned-login-page-detection/",[1787],{"nodeType":248,"value":1788,"marks":1789,"data":1790},"read more about this feature here",[],{},{"nodeType":248,"value":399,"marks":1792,"data":1793},[],{},{"nodeType":414,"data":1795,"content":1796},{},[1797],{"nodeType":248,"value":1798,"marks":1799,"data":1800},"Detecting AitM and BitM toolkits",[],{},{"nodeType":264,"data":1802,"content":1803},{},[1804,1808,1816,1819,1827,1830,1838,1841,1849],{"nodeType":248,"value":1805,"marks":1806,"data":1807},"Adversary-in-the-Middle (AitM) phishing is a technique that uses dedicated tooling to act as a proxy between the target and a legitimate login portal for an application, principally to bypass MFA. As it’s a proxy to the real application, the page will appear exactly as the user expects, making this technique difficult to spot. Popular AitM toolkits include ",[],{},{"nodeType":259,"data":1809,"content":1811},{"uri":1810},"https://github.com/drk1wi/Modlishka",[1812],{"nodeType":248,"value":1813,"marks":1814,"data":1815},"Modlishka",[],{},{"nodeType":248,"value":324,"marks":1817,"data":1818},[],{},{"nodeType":259,"data":1820,"content":1822},{"uri":1821},"https://github.com/muraenateam/muraena",[1823],{"nodeType":248,"value":1824,"marks":1825,"data":1826},"Muraena",[],{},{"nodeType":248,"value":324,"marks":1828,"data":1829},[],{},{"nodeType":259,"data":1831,"content":1833},{"uri":1832},"https://github.com/kgretzky/evilginx2",[1834],{"nodeType":248,"value":1835,"marks":1836,"data":1837},"Evilginx",[],{},{"nodeType":248,"value":387,"marks":1839,"data":1840},[],{},{"nodeType":259,"data":1842,"content":1844},{"uri":1843},"https://www.bleepingcomputer.com/news/security/evilproxy-uses-indeedcom-open-redirect-for-microsoft-365-phishing/",[1845],{"nodeType":248,"value":1846,"marks":1847,"data":1848},"Evilproxy",[],{},{"nodeType":248,"value":704,"marks":1850,"data":1851},[],{},{"nodeType":264,"data":1853,"content":1854},{},[1855],{"nodeType":248,"value":1856,"marks":1857,"data":1858},"Browser-in-the-Middle (BitM) toolkits are different to AitM toolkits because they don’t act as a reverse proxy. Instead, they trick their victim into directly controlling the attacker’s own browser using remote desktop screen sharing and control approaches — think of this like VNC or RDP but using the browser as a client. This is the virtual equivalent of an attacker handing their laptop to their victim, asking them to log in to an app for them, and then taking their laptop back afterwards.",[],{},{"nodeType":264,"data":1860,"content":1861},{},[1862,1866,1874],{"nodeType":248,"value":1863,"marks":1864,"data":1865},"We’ve conducted a lot of research into AitM and BitM toolkits recently. If you want to learn more about how they work and see a demo of them in action, ",[],{},{"nodeType":259,"data":1867,"content":1868},{"uri":694},[1869],{"nodeType":248,"value":1870,"marks":1871,"data":1873},"head over here",[1872],{"type":257},{},{"nodeType":248,"value":704,"marks":1875,"data":1876},[],{},{"nodeType":264,"data":1878,"content":1879},{},[1880],{"nodeType":248,"value":1881,"marks":1882,"data":1883},"Push gives you a preconfigured set of detections for AitM and BitM toolkits, informed by our threat detection team’s research into their behavior. This phishing tool detection feature will automatically prevent users from accessing a site that’s running one of these malicious tools, and display a custom warning message to your end-users.",[],{},{"nodeType":1327,"data":1885,"content":1889},{"target":1886},{"sys":1887},{"id":1888,"type":1324,"linkType":1325},"4ixcEsEW4EyqckOTmP5Pbb",[],{"nodeType":264,"data":1891,"content":1892},{},[1893,1897,1903],{"nodeType":248,"value":1894,"marks":1895,"data":1896},"Administrators can also consume phishing tool detection events via the ",[],{},{"nodeType":259,"data":1898,"content":1899},{"uri":1706},[1900],{"nodeType":248,"value":1709,"marks":1901,"data":1902},[],{},{"nodeType":248,"value":1904,"marks":1905,"data":1906}," into their SIEM or use Push’s webhooks to alert when a warn or block event has occurred.",[],{},{"nodeType":264,"data":1908,"content":1909},{},[1910,1914,1923],{"nodeType":248,"value":1911,"marks":1912,"data":1913},"You can read a full write-up of this feature if you want to ",[],{},{"nodeType":259,"data":1915,"content":1917},{"uri":1916},"https://pushsecurity.com/blog/introducing-aitm-phishing-toolkit-detection-powered-by-the-push-browser/",[1918],{"nodeType":248,"value":1919,"marks":1920,"data":1922},"learn more",[1921],{"type":257},{},{"nodeType":248,"value":704,"marks":1924,"data":1925},[],{},{"nodeType":304,"data":1927,"content":1928},{},[1929],{"nodeType":248,"value":1930,"marks":1931,"data":1932},"Part 2: Infostealer malware",[],{},{"nodeType":264,"data":1934,"content":1935},{},[1936,1940,1948],{"nodeType":248,"value":1937,"marks":1938,"data":1939},"The recent ",[],{},{"nodeType":259,"data":1941,"content":1942},{"uri":554},[1943],{"nodeType":248,"value":1944,"marks":1945,"data":1947},"Snowflake breach",[1946],{"type":257},{},{"nodeType":248,"value":1949,"marks":1950,"data":1951}," highlighted how infostealer malware is becoming a serious issue for security teams. As well as being able to steal credentials for account takeover, infostealers can also be used to steal session tokens which then allow the attacker to assume an already authorized session without needing to bypass MFA.   ",[],{},{"nodeType":264,"data":1953,"content":1954},{},[1955],{"nodeType":248,"value":1956,"marks":1957,"data":1958},"Nearly half of the malware detected last year by Sophos targeted victims’ data specifically, and the majority of that malware was classified as infostealers. ",[],{},{"nodeType":1327,"data":1960,"content":1964},{"target":1961},{"sys":1962},{"id":1963,"type":1324,"linkType":1325},"66B5MBFIhbmky7VuLGbuM3",[],{"nodeType":264,"data":1966,"content":1967},{},[1968],{"nodeType":248,"value":1969,"marks":1970,"data":1971},"Infostealers are primarily being used by Initial Access Brokers to harvest credentials and session tokens that they then sell to other threat actors intent on executing more penetrating attacks (e.g. ransomware).  ",[],{},{"nodeType":264,"data":1973,"content":1974},{},[1975,1979,1988],{"nodeType":248,"value":1976,"marks":1977,"data":1978},"EDR is seen as the go-to solution for defending against infostealer malware. However, attackers are always looking for ways to get around security controls by obfuscating malicious behavior and evading signature-based checks. For example, ",[],{},{"nodeType":259,"data":1980,"content":1982},{"uri":1981},"https://thehackernews.com/2024/07/microsoft-defender-flaw-exploited-to.html",[1983],{"nodeType":248,"value":1984,"marks":1985,"data":1987},"a flaw in Microsoft Defender SmartScreen was recently exploited to deliver infostealer malware",[1986],{"type":257},{},{"nodeType":248,"value":399,"marks":1989,"data":1990},[],{},{"nodeType":264,"data":1992,"content":1993},{},[1994],{"nodeType":248,"value":1995,"marks":1996,"data":1997},"Getting total coverage across your endpoint estate is notoriously difficult, if not totally unrealistic. Unless the malware is stopped on execution, then data will inevitably be stolen, and will continue to be taken until stopped (or it self-terminates). And once an attacker has stolen employee credentials or sessions, the credential stuffing and session hijacking attacks that come next won’t touch the endpoint. ",[],{},{"nodeType":264,"data":1999,"content":2000},{},[2001],{"nodeType":248,"value":2002,"marks":2003,"data":2004},"For those reasons, you can’t rely on EDR as a single line of defense against infostealers. Push gives you those extra layers of defense to stop account takeover attempts that use stolen credentials and sessions.",[],{},{"nodeType":1327,"data":2006,"content":2010},{"target":2007},{"sys":2008},{"id":2009,"type":1324,"linkType":1325},"4YB6DLIE5TvaAsAAUoJd5v",[],{"nodeType":414,"data":2012,"content":2013},{},[2014],{"nodeType":248,"value":2015,"marks":2016,"data":2017},"Detecting stolen sessions ",[],{},{"nodeType":264,"data":2019,"content":2020},{},[2021],{"nodeType":248,"value":2022,"marks":2023,"data":2024},"Push uses its browser agent to inject a unique marker into the user agent string of sessions that occur in browsers enrolled in Push. You then add the list of domains where you wish to inject the marker into sessions, such as an identity provider like Okta or Microsoft. ",[],{},{"nodeType":264,"data":2026,"content":2027},{},[2028],{"nodeType":248,"value":2029,"marks":2030,"data":2031},"By analyzing logs from the IdP, you can identify activity from the same session that both has the Push marker and that lacks the marker. This can only ever happen when a session is extracted from a browser and maliciously imported into a different browser.",[],{},{"nodeType":264,"data":2033,"content":2034},{},[2035],{"nodeType":248,"value":2036,"marks":2037,"data":2038},"This is a high-fidelity signal that a stolen session token is being used by an attacker. It’s certainly a lot cleaner than relying on IP-based or geolocation-based signals, which result in frequent false positives.",[],{},{"nodeType":1327,"data":2040,"content":2044},{"target":2041},{"sys":2042},{"id":2043,"type":1324,"linkType":1325},"1XNNkaoW64t3PPvC54KGXF",[],{"nodeType":414,"data":2046,"content":2047},{},[2048],{"nodeType":248,"value":2049,"marks":2050,"data":2051},"Detecting stolen credentials being sold on the dark web",[],{},{"nodeType":264,"data":2053,"content":2054},{},[2055],{"nodeType":248,"value":2056,"marks":2057,"data":2058},"Push integrates stolen credential threat intelligence and alerts you when your employees’ credentials are being sold on the dark web. ",[],{},{"nodeType":264,"data":2060,"content":2061},{},[2062],{"nodeType":248,"value":2063,"marks":2064,"data":2065},"Commercial TI feeds of stolen credentials have been available for some time. But what we’ve found is that the false-positive rate is incredibly high and the vast majority of credentials are no longer in use.",[],{},{"nodeType":264,"data":2067,"content":2068},{},[2069],{"nodeType":248,"value":2070,"marks":2071,"data":2072},"Push validates that leaked credentials match those that are currently being used by your employees to authenticate on any apps they are using in the browser. That means that any alerts or automated actions generated by Push are actionable true positives, cutting out a huge amount of noise and saving your security team time. ",[],{},{"nodeType":1327,"data":2074,"content":2078},{"target":2075},{"sys":2076},{"id":2077,"type":1324,"linkType":1325},"3RnPM0ioGWi3CFMLkxQanO",[],{"nodeType":304,"data":2080,"content":2081},{},[2082],{"nodeType":248,"value":2083,"marks":2084,"data":2085},"Part 3: Credential stuffing",[],{},{"nodeType":264,"data":2087,"content":2088},{},[2089],{"nodeType":248,"value":2090,"marks":2091,"data":2092},"The previous sections looked at how Push detects and stops common techniques used for stealing and acquiring credentials. We’re now going to cover how Push stops stolen credentials from being used to access and take over employee accounts. ",[],{},{"nodeType":264,"data":2094,"content":2095},{},[2096,2101],{"nodeType":248,"value":2097,"marks":2098,"data":2100},"Credential stuffing ",[2099],{"type":433},{},{"nodeType":248,"value":2102,"marks":2103,"data":2104},"is when attackers use tools that automate the process of taking a list of stolen passwords and retargeting those credentials against different apps.",[],{},{"nodeType":264,"data":2106,"content":2107},{},[2108,2112,2117],{"nodeType":248,"value":2109,"marks":2110,"data":2111},"Closely related to credential stuffing is ",[],{},{"nodeType":248,"value":2113,"marks":2114,"data":2116},"password spraying",[2115],{"type":433},{},{"nodeType":248,"value":2118,"marks":2119,"data":2120},". Instead of using stolen credentials, an attacker uses a list of commonly used usernames and passwords to attempt to compromise accounts. ",[],{},{"nodeType":264,"data":2122,"content":2123},{},[2124],{"nodeType":248,"value":2125,"marks":2126,"data":2127},"Both credential stuffing and password spraying are high-volume, automated attacks, and they are an unrelenting problem for most businesses. Microsoft observes 4,000 of them every second and nearly half of all login requests Auth0 receive each day are attempts at credential stuffing. ",[],{},{"nodeType":264,"data":2129,"content":2130},{},[2131],{"nodeType":248,"value":2132,"marks":2133,"data":2134},"The true scale of the problem is hard to grasp, as neither app vendors nor users have effective means of monitoring for unauthorized access. Typically these breaches are only detected when:",[],{},{"nodeType":1165,"data":2136,"content":2137},{},[2138,2158,2180],{"nodeType":1093,"data":2139,"content":2140},{},[2141],{"nodeType":264,"data":2142,"content":2143},{},[2144,2148,2155],{"nodeType":248,"value":2145,"marks":2146,"data":2147},"The attacker leaks the data they’ve stolen, like in the ",[],{},{"nodeType":259,"data":2149,"content":2150},{"uri":554},[2151],{"nodeType":248,"value":1944,"marks":2152,"data":2154},[2153],{"type":257},{},{"nodeType":248,"value":704,"marks":2156,"data":2157},[],{},{"nodeType":1093,"data":2159,"content":2160},{},[2161],{"nodeType":264,"data":2162,"content":2163},{},[2164,2168,2177],{"nodeType":248,"value":2165,"marks":2166,"data":2167},"The attacker deploys ransomware that results in business disruption, like that suffered by ",[],{},{"nodeType":259,"data":2169,"content":2171},{"uri":2170},"https://pushsecurity.com/blog/identity-attacks-in-the-wild/#id-mgm-resorts-september-2023",[2172],{"nodeType":248,"value":2173,"marks":2174,"data":2176},"MGM resorts",[2175],{"type":257},{},{"nodeType":248,"value":399,"marks":2178,"data":2179},[],{},{"nodeType":1093,"data":2181,"content":2182},{},[2183],{"nodeType":264,"data":2184,"content":2185},{},[2186,2190,2199],{"nodeType":248,"value":2187,"marks":2188,"data":2189},"The attackers use a compromised account to do something deliberately in the public eye. For example, when the SEC’s X (formerly Twitter) account was compromised and ",[],{},{"nodeType":259,"data":2191,"content":2193},{"uri":2192},"https://incyber.org/en/article/fake-sec-tweet-triggers-bitcoin-surge/#:~:text=The%20fake%20headline%20convinced%20a,an%20unauthorized%20tweet%20was%20posted.",[2194],{"nodeType":248,"value":2195,"marks":2196,"data":2198},"sent out a message announcing the approval of Bitcoin ETF",[2197],{"type":257},{},{"nodeType":248,"value":2200,"marks":2201,"data":2202},".  ",[],{},{"nodeType":264,"data":2204,"content":2205},{},[2206],{"nodeType":248,"value":2207,"marks":2208,"data":2209},"Push gives you a number of controls to combat attacks using stolen and guessed passwords, both to prevent them from occurring, and detect them when they do.",[],{},{"nodeType":414,"data":2211,"content":2212},{},[2213],{"nodeType":248,"value":2214,"marks":2215,"data":2216},"Prevent employees using credentials that have already been stolen and leaked",[],{},{"nodeType":264,"data":2218,"content":2219},{},[2220],{"nodeType":248,"value":2221,"marks":2222,"data":2223},"First, let's stop your employees from using any credentials that have already been stolen and are available to attackers for use in a credential-stuffing attack. ",[],{},{"nodeType":264,"data":2225,"content":2226},{},[2227],{"nodeType":248,"value":2228,"marks":2229,"data":2230},"Push monitors stolen credential threat intelligence and compares it to the credentials employees are currently using to access their apps. ",[],{},{"nodeType":264,"data":2232,"content":2233},{},[2234],{"nodeType":248,"value":2235,"marks":2236,"data":2237},"You might be wondering, “Does that mean Push sees all our employees’ passwords!?” No. Rather, we use a fingerprint of each password and it's checked locally in the users’ browser and never leaves it. ",[],{},{"nodeType":264,"data":2239,"content":2240},{},[2241],{"nodeType":248,"value":2242,"marks":2243,"data":2244},"When we get a match – a stolen password that could successfully be used in a credential-stuffing attack – Push alerts you.",[],{},{"nodeType":414,"data":2246,"content":2247},{},[2248],{"nodeType":248,"value":2249,"marks":2250,"data":2251},"Enforce MFA on all employee accounts",[],{},{"nodeType":264,"data":2253,"content":2254},{},[2255],{"nodeType":248,"value":2256,"marks":2257,"data":2258},"Next step is to secure the accounts most vulnerable to a credential stuffing attack – those that only use a password for single-factor authentication. ",[],{},{"nodeType":264,"data":2260,"content":2261},{},[2262,2266,2275],{"nodeType":248,"value":2263,"marks":2264,"data":2265},"If you’re using SSO to access apps, then it’s easy to overlook instances where local accounts (e.g. username and password logins) are missing MFA – particularly if you’re relying on an IdP solution to audit and enforce MFA. ",[],{},{"nodeType":259,"data":2267,"content":2269},{"uri":2268},"https://pushsecurity.com/blog/ghost-logins-when-forgotten-identities-come-back-to-haunt-you/",[2270],{"nodeType":248,"value":2271,"marks":2272,"data":2274},"You can read more about this problem in our blog post on ghost logins",[2273],{"type":257},{},{"nodeType":248,"value":704,"marks":2276,"data":2277},[],{},{"nodeType":264,"data":2279,"content":2280},{},[2281],{"nodeType":248,"value":2282,"marks":2283,"data":2284},"Push observes every login made by your employees (both inside and outside SSO) and inspects the authentication protocols used. Accounts that are missing MFA are identified and presented to you in the Push platform.",[],{},{"nodeType":1327,"data":2286,"content":2290},{"target":2287},{"sys":2288},{"id":2289,"type":1324,"linkType":1325},"4t1PHxzadoTBjtJua6dzuJ",[],{"nodeType":264,"data":2292,"content":2293},{},[2294],{"nodeType":248,"value":2295,"marks":2296,"data":2297},"You can then use Push to enforce MFA on employee accounts, or present them with in-browser guidance requesting that they enable it themselves.  ",[],{},{"nodeType":1327,"data":2299,"content":2303},{"target":2300},{"sys":2301},{"id":2302,"type":1324,"linkType":1325},"3JSTEJGtLT0hfwnkpLRP4K",[],{"nodeType":414,"data":2305,"content":2306},{},[2307],{"nodeType":248,"value":2308,"marks":2309,"data":2310},"Prevent multiple accounts being compromised by credential stuffing due to password reuse",[],{},{"nodeType":264,"data":2312,"content":2313},{},[2314],{"nodeType":248,"value":2315,"marks":2316,"data":2317},"The credential stuffing tools that attackers use will target a long list of popular business apps. If a password is reused across multiple apps and is breached, the blast radius is naturally increased – the attacker will be able to hijack multiple accounts, across numerous business applications.",[],{},{"nodeType":264,"data":2319,"content":2320},{},[2321],{"nodeType":248,"value":2322,"marks":2323,"data":2324},"Push detects when employees are trying to use the same password across multiple apps. When this happens, you can request that they change their password.",[],{},{"nodeType":1327,"data":2326,"content":2330},{"target":2327},{"sys":2328},{"id":2329,"type":1324,"linkType":1325},"7ARHp2JPiHeKRYHwa2jwIZ",[],{"nodeType":414,"data":2332,"content":2333},{},[2334],{"nodeType":248,"value":2335,"marks":2336,"data":2337},"Prevent password spraying breaches",[],{},{"nodeType":264,"data":2339,"content":2340},{},[2341],{"nodeType":248,"value":2342,"marks":2343,"data":2344},"To stop your employees’ accounts from being breached by password spraying attacks, Push checks every password to see if it is easily guessable for attackers.",[],{},{"nodeType":264,"data":2346,"content":2347},{},[2348],{"nodeType":248,"value":2349,"marks":2350,"data":2351},"To determine if a password is easily guessable, the Push browser agent automatically checks the password against:",[],{},{"nodeType":1165,"data":2353,"content":2354},{},[2355,2365,2375],{"nodeType":1093,"data":2356,"content":2357},{},[2358],{"nodeType":264,"data":2359,"content":2360},{},[2361],{"nodeType":248,"value":2362,"marks":2363,"data":2364},"A list of top 10,000 weak base passwords.",[],{},{"nodeType":1093,"data":2366,"content":2367},{},[2368],{"nodeType":264,"data":2369,"content":2370},{},[2371],{"nodeType":248,"value":2372,"marks":2373,"data":2374},"Number and special character variations on these weak base passwords, for example: Password1! or January2022.",[],{},{"nodeType":1093,"data":2376,"content":2377},{},[2378],{"nodeType":264,"data":2379,"content":2380},{},[2381],{"nodeType":248,"value":2382,"marks":2383,"data":2384},"Variations on these weak base passwords that replace letters with numerals (1337), for example: P455w0rd.",[],{},{"nodeType":264,"data":2386,"content":2387},{},[2388],{"nodeType":248,"value":2389,"marks":2390,"data":2391},"You can also add your own custom word list that employees and attackers will predictably try and use. Push will then stop those words being used as part of passwords.",[],{},{"nodeType":414,"data":2393,"content":2394},{},[2395],{"nodeType":248,"value":2396,"marks":2397,"data":2398},"Detect unauthorized sessions  ",[],{},{"nodeType":264,"data":2400,"content":2401},{},[2402],{"nodeType":248,"value":2403,"marks":2404,"data":2405},"Once you have enabled all the Push controls that prevent employees from creating and using accounts that can be easily compromised by credential stuffing and password spraying attacks, the next line of defense is to detect when accounts are taken over.",[],{},{"nodeType":264,"data":2407,"content":2408},{},[2409],{"nodeType":248,"value":2410,"marks":2411,"data":2412},"Push uses its browser agent to inject a unique marker into the user agent string of sessions that occur in browsers enrolled in Push. You then add the list of domains that you want to have injected with the session marker. ",[],{},{"nodeType":264,"data":2414,"content":2415},{},[2416],{"nodeType":248,"value":2417,"marks":2418,"data":2419},"By analyzing logs from the IdP, you can identify activity from the same session that both has the Push marker and that lacks the marker. This indicates that the session is not being used by the legitimate user (your employees) in their usual work browser, and could be an attacker using their account. ",[],{},{"nodeType":414,"data":2421,"content":2422},{},[2423],{"nodeType":248,"value":2424,"marks":2425,"data":2426},"Reduce your identity attack surface",[],{},{"nodeType":264,"data":2428,"content":2429},{},[2430],{"nodeType":248,"value":2431,"marks":2432,"data":2433},"Finally, you’ll likely want to reduce your attack surface that can be targeted by credential stuffing. In other words, reduce the number of username and password accounts your employees have. ",[],{},{"nodeType":264,"data":2435,"content":2436},{},[2437],{"nodeType":248,"value":2438,"marks":2439,"data":2440},"There are a few ways that Push can help you do this.",[],{},{"nodeType":1165,"data":2442,"content":2443},{},[2444,2459,2474],{"nodeType":1093,"data":2445,"content":2446},{},[2447],{"nodeType":264,"data":2448,"content":2449},{},[2450,2455],{"nodeType":248,"value":2451,"marks":2452,"data":2454},"Block access to unapproved apps",[2453],{"type":433},{},{"nodeType":248,"value":2456,"marks":2457,"data":2458},". Using Push, you can create a block list of apps that you don’t want your users to create accounts and identities on.",[],{},{"nodeType":1093,"data":2460,"content":2461},{},[2462],{"nodeType":264,"data":2463,"content":2464},{},[2465,2470],{"nodeType":248,"value":2466,"marks":2467,"data":2469},"Use app banners to stop users from creating local accounts",[2468],{"type":433},{},{"nodeType":248,"value":2471,"marks":2472,"data":2473},". When an employee goes to sign up to an app, Push will present an app banner that tells them to use their SSO identity and not to create a username and password account.",[],{},{"nodeType":1093,"data":2475,"content":2476},{},[2477],{"nodeType":264,"data":2478,"content":2479},{},[2480,2485],{"nodeType":248,"value":2481,"marks":2482,"data":2484},"Get existing accounts and apps behind SSO",[2483],{"type":433},{},{"nodeType":248,"value":2486,"marks":2487,"data":2488},". Push shows you how your employees are logging in to every account on every app, including whether they’re using SAML or OIDC SSO. Armed with this data, you can get your employees to use your preferred SSO solution on the apps where it’s already available, and look into whether other popular apps being used in the business offer SSO.",[],{},{"nodeType":1327,"data":2490,"content":2494},{"target":2491},{"sys":2492},{"id":2493,"type":1324,"linkType":1325},"3y8L55hbcQaRYPCdYYb3xA",[],{"nodeType":304,"data":2496,"content":2497},{},[2498],{"nodeType":248,"value":2499,"marks":2500,"data":2501},"Stop account takeover at the push of a button",[],{},{"nodeType":264,"data":2503,"content":2504},{},[2505,2509,2517,2521,2526,2529,2534,2538,2542],{"nodeType":248,"value":2506,"marks":2507,"data":2508},"We’ve described a lot of controls in this article. The good news is that they’re all pre-configured on the the ",[],{},{"nodeType":259,"data":2510,"content":2512},{"uri":2511},"https://pushsecurity.com/help/audience/administrators/docs/manage-security-controls/#start",[2513],{"nodeType":248,"value":2514,"marks":2515,"data":2516},"Controls",[],{},{"nodeType":248,"value":2518,"marks":2519,"data":2520}," page in the Push platform. When you get started with Push, you can simply turn on all the controls you want, and decide whether you want them to work in ",[],{},{"nodeType":248,"value":2522,"marks":2523,"data":2525},"monitor",[2524],{"type":433},{},{"nodeType":248,"value":324,"marks":2527,"data":2528},[],{},{"nodeType":248,"value":2530,"marks":2531,"data":2533},"warn",[2532],{"type":433},{},{"nodeType":248,"value":2535,"marks":2536,"data":2537}," mode or ",[],{},{"nodeType":248,"value":90,"marks":2539,"data":2541},[2540],{"type":433},{},{"nodeType":248,"value":2543,"marks":2544,"data":2545}," mode.    ",[],{},{"nodeType":1327,"data":2547,"content":2551},{"target":2548},{"sys":2549},{"id":2550,"type":1324,"linkType":1325},"6FCuO78yQMNZvkcbcALmis",[],{"nodeType":414,"data":2553,"content":2554},{},[2555],{"nodeType":248,"value":2556,"marks":2557,"data":2558},"See it for yourself",[],{},{"nodeType":264,"data":2560,"content":2561},{},[2562,2566,2574],{"nodeType":248,"value":2563,"marks":2564,"data":2565},"To learn more, ",[],{},{"nodeType":259,"data":2567,"content":2569},{"uri":2568},"https://pushsecurity.com/demo/",[2570],{"nodeType":248,"value":2571,"marks":2572,"data":2573},"book a demo",[],{},{"nodeType":248,"value":2575,"marks":2576,"data":2577},". We’ll be happy to show you these features, along with how we discover all the apps your employees are using, even the ones not behind SSO.",[],{},{"nodeType":1327,"data":2579,"content":2583},{"target":2580},{"sys":2581},{"id":2582,"type":1324,"linkType":1325},"4IRtR9zicpB7lXdz2RvIlK",[],{"nodeType":264,"data":2585,"content":2586},{},[2587],{"nodeType":248,"value":29,"marks":2588,"data":2589},[],{},"Hackers don’t hack in, they log in: How to prevent account takeover with Push","How Push stops attackers from using identity attack tools and techniques to compromise your employee user accounts. ","2024-08-19T00:00:00.000Z","how-to-prevent-account-takeover-with-push",{"items":2595},[2596,2600],{"sys":2597,"name":2599},{"id":2598},"4ksQNCFeBf8H4QIORqpRLw","Detection & response",{"sys":2601,"name":2603},{"id":2602},"6A5RXS31ZQx3PwryGb1IMy","Browser-based attacks",{"items":2605},[2606],{"fullName":2607,"firstName":2608,"jobTitle":2609,"profilePicture":2610},"Alex Henshall","Alex","Product Team",{"url":2611},"https://images.ctfassets.net/y1cdw1ablpvd/2rz3Pre3b1MexPIQ4hzPUe/0ef8a092b7e7df00fbce3f7d1ccb96d1/Alex_Henshall.jpeg",{"__typename":1356,"sys":2613,"content":2615,"title":3264,"synopsis":3265,"hashTags":62,"publishedDate":3266,"slug":3267,"tagsCollection":3268,"authorsCollection":3274},{"id":2614},"1qegIy4rMdm5XZXnIEoKpE",{"json":2616},{"nodeType":1334,"data":2617,"content":2618},{},[2619,2626,2633,2658,2664,2671,2678,2681,2688,2708,2714,2721,2763,2770,2777,2784,2791,2798,2805,2824,2832,2835,2842,2849,2856,2863,2870,2877,2884,2932,2939,2946,2953,2973,2980,2987,2994,3001,3008,3015,3022,3039,3057,3100,3107,3114,3177,3184,3187,3194,3210,3228,3235,3241,3247,3250,3257],{"nodeType":264,"data":2620,"content":2621},{},[2622],{"nodeType":248,"value":2623,"marks":2624,"data":2625},"The field of threat detection and security monitoring has changed significantly over the last decade. Security tools and product categories have been added and replaced, specialist disciplines established, and methodologies created. ",[],{},{"nodeType":264,"data":2627,"content":2628},{},[2629],{"nodeType":248,"value":2630,"marks":2631,"data":2632},"Naturally, defenders have had to mature their approach because of the changing nature of the threat facing organizations. Attackers have always looked for new ways to target their victims, and naturally, defenders have had to adapt, forcing attackers to change things up… it’s a cat and mouse game. ",[],{},{"nodeType":264,"data":2634,"content":2635},{},[2636,2640,2649,2653],{"nodeType":248,"value":2637,"marks":2638,"data":2639},"Blue teamers have used the concept of the ",[],{},{"nodeType":259,"data":2641,"content":2643},{"uri":2642},"https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html",[2644],{"nodeType":248,"value":2645,"marks":2646,"data":2648},"Pyramid of Pain",[2647],{"type":257},{},{"nodeType":248,"value":2650,"marks":2651,"data":2652}," for over a decade. The logic is simple: ",[],{},{"nodeType":248,"value":2654,"marks":2655,"data":2657},"Focus on detecting and responding to indicators that are hard for attackers to change. ",[2656],{"type":433},{},{"nodeType":1327,"data":2659,"content":2663},{"target":2660},{"sys":2661},{"id":2662,"type":1324,"linkType":1325},"6cG2fx3AikwptyEyXKrYCK",[],{"nodeType":264,"data":2665,"content":2666},{},[2667],{"nodeType":248,"value":2668,"marks":2669,"data":2670},"If an attacker only has to tweak a variable to get around your detection rule, like adding a space to change a hash value, it’s probably not a very good detection. It’s not going to remain effective for long and you’re always going to be one step behind the attacker – waiting for them to make their next move so you can react. This usually ends up meaning that attackers enjoy at least some success before they can be shut out again. ",[],{},{"nodeType":264,"data":2672,"content":2673},{},[2674],{"nodeType":248,"value":2675,"marks":2676,"data":2677},"The Pyramid of Pain – and the goal of implementing hard-to-bypass detections that hit attackers where it hurts – is central to our design philosophy. But before we get into how we apply this approach, and the types of controls we’ve created as a result, it’s useful to look at how IT and security have changed since the Pyramid was created more than a decade ago. ",[],{},{"nodeType":296,"data":2679,"content":2680},{},[],{"nodeType":304,"data":2682,"content":2683},{},[2684],{"nodeType":248,"value":2685,"marks":2686,"data":2687},"A new era for cyber security",[],{},{"nodeType":264,"data":2689,"content":2690},{},[2691,2695,2704],{"nodeType":248,"value":2692,"marks":2693,"data":2694},"We’ve spoken a lot about how we’re in the midst of a new era in cybersecurity, in which identity is now the outermost digital perimeter for security teams to defend. (",[],{},{"nodeType":259,"data":2696,"content":2698},{"uri":2697},"https://pushsecurity.com/resources/video/the-new-saas-cyber-kill-chain-so-con-2024/",[2699],{"nodeType":248,"value":2700,"marks":2701,"data":2703},"You’ll be familiar with this if you’ve seen any of Luke’s talks on the New SaaS Cyber Kill Chain.",[2702],{"type":257},{},{"nodeType":248,"value":2705,"marks":2706,"data":2707},") ",[],{},{"nodeType":1327,"data":2709,"content":2713},{"target":2710},{"sys":2711},{"id":2712,"type":1324,"linkType":1325},"6nYSZAYpsbj78jKm0q75zs",[],{"nodeType":264,"data":2715,"content":2716},{},[2717],{"nodeType":248,"value":2718,"marks":2719,"data":2720},"This is primarily because modern working is no longer contained to a heavily centralized corporate network, and instead happens primarily in applications accessed over the internet via web browser.",[],{},{"nodeType":264,"data":2722,"content":2723},{},[2724,2728,2736,2740,2747,2751,2759],{"nodeType":248,"value":2725,"marks":2726,"data":2727},"In this new world, attacks don’t even have to touch the old perimeters, because all the data and functionality they could want exists on the public internet. As a result, we’re seeing more and more ",[],{},{"nodeType":259,"data":2729,"content":2731},{"uri":2730},"https://pushsecurity.com/blog/saas-attack-techniques/",[2732],{"nodeType":248,"value":2733,"marks":2734,"data":2735},"attacks targeting SaaS apps",[],{},{"nodeType":248,"value":2737,"marks":2738,"data":2739},", with the entire attack chain being concluded outside customer networks, not touching any traditional endpoints or networks. The ",[],{},{"nodeType":259,"data":2741,"content":2742},{"uri":554},[2743],{"nodeType":248,"value":2744,"marks":2745,"data":2746},"recent attacks on Snowflake customers",[],{},{"nodeType":248,"value":2748,"marks":2749,"data":2750},", hailed ",[],{},{"nodeType":259,"data":2752,"content":2754},{"uri":2753},"https://www.wired.com/story/snowflake-breach-advanced-auto-parts-lendingtree/",[2755],{"nodeType":248,"value":2756,"marks":2757,"data":2758},"one of the biggest breaches in history",[],{},{"nodeType":248,"value":2760,"marks":2761,"data":2762},", demonstrate this risk all too well. ",[],{},{"nodeType":264,"data":2764,"content":2765},{},[2766],{"nodeType":248,"value":2767,"marks":2768,"data":2769},"This creates a problem for security teams looking to detect and respond to these attacks. ",[],{},{"nodeType":414,"data":2771,"content":2772},{},[2773],{"nodeType":248,"value":2774,"marks":2775,"data":2776},"Attacks today are shorter and faster, but just as dangerous",[],{},{"nodeType":264,"data":2778,"content":2779},{},[2780],{"nodeType":248,"value":2781,"marks":2782,"data":2783},"Detecting and responding to identity attacks – phishing, credential stuffing, etc. – used to be just one possible method of initial access in quite a lengthy Kill Chain that stretched from the compromise of the user device, pivoting to internal network resources, escalating privileges, moving laterally, and finally achieving their objectives.",[],{},{"nodeType":264,"data":2785,"content":2786},{},[2787],{"nodeType":248,"value":2788,"marks":2789,"data":2790},"This meant that defenders could adopt an assumed compromise mentality and build layered detections, as well as proactively hunting for threats across these various stages and layers of the network. The more actions an attacker has to perform, the more opportunities for detection, and the higher the likelihood that they’ll be caught in the act before any real, lasting damage can be caused. ",[],{},{"nodeType":264,"data":2792,"content":2793},{},[2794],{"nodeType":248,"value":2795,"marks":2796,"data":2797},"Today, attackers have a lot of opportunities to cause significant damage for much less effort than before. For example, if the goal is to compromise an app like Snowflake and dump the data from it, the Kill Chain is way shorter than a traditional network-based attack. And all the great tools and security products you have, like EDR, don’t come into play. ",[],{},{"nodeType":264,"data":2799,"content":2800},{},[2801],{"nodeType":248,"value":2802,"marks":2803,"data":2804},"This means that the initial layer of anti-account takeover controls are much more important in this context. But, the historical detections in this space – email gateway security products, analyzing web pages for malicious content, and URL blocklisting – are either less relevant, or built upon easy to bypass detections toward the bottom of the Pyramid of Pain. ",[],{},{"nodeType":264,"data":2806,"content":2807},{},[2808,2812,2820],{"nodeType":248,"value":2809,"marks":2810,"data":2811},"As an example, ",[],{},{"nodeType":259,"data":2813,"content":2815},{"uri":2814},"https://pushsecurity.com/blog/how-aitm-phishing-kits-evade-detection/",[2816],{"nodeType":248,"value":2817,"marks":2818,"data":2819},"we recently published an article on all the ways that AitM phishing sites are evading detection",[],{},{"nodeType":248,"value":2821,"marks":2822,"data":2823},". TL;DR – there are a lot, and they seem to be quite effective. But this is partly because the majority of the detections they're trying to avoid are built on shaky ground.   ",[],{},{"nodeType":264,"data":2825,"content":2826},{},[2827],{"nodeType":248,"value":2828,"marks":2829,"data":2831},"So what? Well, it’s clear that the controls that the industry has relied on in the past to stop identity attacks are too easy to bypass, and are no longer sufficient. ",[2830],{"type":433},{},{"nodeType":296,"data":2833,"content":2834},{},[],{"nodeType":304,"data":2836,"content":2837},{},[2838],{"nodeType":248,"value":2839,"marks":2840,"data":2841},"Building effective identity threat detection controls",[],{},{"nodeType":264,"data":2843,"content":2844},{},[2845],{"nodeType":248,"value":2846,"marks":2847,"data":2848},"Now we’ve covered the problem that we set out to solve, let’s look at what we’re doing differently. ",[],{},{"nodeType":264,"data":2850,"content":2851},{},[2852],{"nodeType":248,"value":2853,"marks":2854,"data":2855},"In order to climb the Pyramid toward the apex, you need to find ways to detect increasingly generic parts of an attack technique. So you want to avoid things like what a specific malware’s code looks like, or where it connects back to. But what the malware does, or what happens when it runs, is more generic, and therefore more interesting to us.  ",[],{},{"nodeType":264,"data":2857,"content":2858},{},[2859],{"nodeType":248,"value":2860,"marks":2861,"data":2862},"The shift from static code signatures and fuzzy hashes to dynamic analysis of what code does on a live system is at the heart of why EDR killed antivirus a decade ago. It proved at-scale the value of moving detections up the pyramid.",[],{},{"nodeType":264,"data":2864,"content":2865},{},[2866],{"nodeType":248,"value":2867,"marks":2868,"data":2869},"We’re always on the lookout for ways to move our detections up the pyramid as well. It’s easiest to explain how we’ve applied this by looking at an example. ",[],{},{"nodeType":414,"data":2871,"content":2872},{},[2873],{"nodeType":248,"value":2874,"marks":2875,"data":2876},"Scenario: Detecting a web-based phishing attack",[],{},{"nodeType":264,"data":2878,"content":2879},{},[2880],{"nodeType":248,"value":2881,"marks":2882,"data":2883},"Let’s break down the stages of a web-based phishing attack as an example. For a user to be successfully phished:",[],{},{"nodeType":1165,"data":2885,"content":2886},{},[2887,2902,2917],{"nodeType":1093,"data":2888,"content":2889},{},[2890],{"nodeType":264,"data":2891,"content":2892},{},[2893,2898],{"nodeType":248,"value":2894,"marks":2895,"data":2897},"Stage 1:",[2896],{"type":433},{},{"nodeType":248,"value":2899,"marks":2900,"data":2901}," The victim must be lured to visit a website.",[],{},{"nodeType":1093,"data":2903,"content":2904},{},[2905],{"nodeType":264,"data":2906,"content":2907},{},[2908,2913],{"nodeType":248,"value":2909,"marks":2910,"data":2912},"Stage 2:",[2911],{"type":433},{},{"nodeType":248,"value":2914,"marks":2915,"data":2916}," The website must somehow trick or convince the user that it’s legitimate and trustworthy, for example by mimicking a legitimate site.",[],{},{"nodeType":1093,"data":2918,"content":2919},{},[2920],{"nodeType":264,"data":2921,"content":2922},{},[2923,2928],{"nodeType":248,"value":2924,"marks":2925,"data":2927},"Stage 3:",[2926],{"type":433},{},{"nodeType":248,"value":2929,"marks":2930,"data":2931}," The user must enter their actual credentials into that website.",[],{},{"nodeType":264,"data":2933,"content":2934},{},[2935],{"nodeType":248,"value":2936,"marks":2937,"data":2938},"So, how might you go about detecting this attack? Let’s start from the bottom of the pyramid and work our way up.",[],{},{"nodeType":414,"data":2940,"content":2941},{},[2942],{"nodeType":248,"value":2943,"marks":2944,"data":2945},"Stage 1: Determining if a URL, IP, or domain is bad",[],{},{"nodeType":264,"data":2947,"content":2948},{},[2949],{"nodeType":248,"value":2950,"marks":2951,"data":2952},"You might start by looking for the lure – historically an email. You could look for links in emails, or links in attachments in an email and then check if they are bad (which is essentially what email security products do). You could look for known-bad URLs in emails, but these change for every phishing campaign. In modern attacks, every target can receive a unique email and link. Even just using a URL shortener can bypass this. It’s equivalent to a malware hash – trivial to change, and therefore not a great thing to pin your detections on. ",[],{},{"nodeType":264,"data":2954,"content":2955},{},[2956,2960,2969],{"nodeType":248,"value":2957,"marks":2958,"data":2959},"You could look at which IP address the user connects to, but these days it’s very simple for attackers to add a new IP to their cloud-hosted server. If a domain is flagged as known-bad, the attacker only has to register a new domain, or compromise a WordPress server on an already trusted domain. Both of these things are ",[],{},{"nodeType":259,"data":2961,"content":2963},{"uri":2962},"https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/",[2964],{"nodeType":248,"value":2965,"marks":2966,"data":2968},"happening on a massive scale",[2967],{"type":257},{},{"nodeType":248,"value":2970,"marks":2971,"data":2972}," as attackers pre-plan for the fact that their domains will be burned at some point. Attackers are more than happy to spend $10-$20 per new domain in the grand scheme of the potential proceeds of crime. ",[],{},{"nodeType":264,"data":2974,"content":2975},{},[2976],{"nodeType":248,"value":2977,"marks":2978,"data":2979},"But there’s a more fundamental flaw here – for defenders to know that a URL, IP, or domain name is bad, it needs to be reported first. When are things reported? Typically after being used in an attack – so unfortunately, someone always gets hurt.  ",[],{},{"nodeType":414,"data":2981,"content":2982},{},[2983],{"nodeType":248,"value":2984,"marks":2985,"data":2986},"Stage 2: Determining if a site is legitimate",[],{},{"nodeType":264,"data":2988,"content":2989},{},[2990],{"nodeType":248,"value":2991,"marks":2992,"data":2993},"So how can we detect a phishing website, on day-zero, the first time anyone runs into it? Well we can look at the second step – does the URL resemble a real website, does the HTML code for a page look similar to a legitimate login page for a known website, is it loading the same image files? This is not trivial to detect, but with the right fuzzy matches and image analysis it can be automated.",[],{},{"nodeType":264,"data":2995,"content":2996},{},[2997],{"nodeType":248,"value":2998,"marks":2999,"data":3000},"We’ve now moved up a level on the Pyramid – we’re detecting website artifacts. If we see a legitimate looking website on an unknown domain, it’s likely to be a malicious clone.",[],{},{"nodeType":264,"data":3002,"content":3003},{},[3004],{"nodeType":248,"value":3005,"marks":3006,"data":3007},"Unfortunately, the attacker’s website doesn’t need to send each visitor to the same website. It can change dynamically based on where the visitor is coming from – or even randomly, so that not all visitors are served the phishing page. This means that tools which resolve where the links in emails go to be able to analyze them (such as email security appliances) don’t necessarily see the same site the user is actually visiting – a fact that is commonly abused by attackers to bypass detection. It’s critical that detection happens on the actual web page that the victim sees.",[],{},{"nodeType":414,"data":3009,"content":3010},{},[3011],{"nodeType":248,"value":3012,"marks":3013,"data":3014},"Stage 3: Detecting the user entering their credentials",[],{},{"nodeType":264,"data":3016,"content":3017},{},[3018],{"nodeType":248,"value":3019,"marks":3020,"data":3021},"For a phishing attack to succeed, the victim must enter their actual credentials into the webpage. If you can stop the user entering their real password, there’s no attack. There’s no getting around it. ",[],{},{"nodeType":264,"data":3023,"content":3024},{},[3025,3029,3036],{"nodeType":248,"value":3026,"marks":3027,"data":3028},"So, this is exactly what we did: Earlier this year, we released a control which ",[],{},{"nodeType":259,"data":3030,"content":3031},{"uri":1725},[3032],{"nodeType":248,"value":3033,"marks":3034,"data":3035},"stops users from entering their password belonging to a particular login page anywhere else",[],{},{"nodeType":248,"value":399,"marks":3037,"data":3038},[],{},{"nodeType":264,"data":3040,"content":3041},{},[3042,3046,3053],{"nodeType":248,"value":3043,"marks":3044,"data":3045},"Seems simple, right? By focusing on this generic action, that always has to happen, you can essentially stop your users being phished altogether. This means, it doesn’t matter ",[],{},{"nodeType":259,"data":3047,"content":3048},{"uri":2814},[3049],{"nodeType":248,"value":3050,"marks":3051,"data":3052},"what the attacker does before that point",[],{},{"nodeType":248,"value":3054,"marks":3055,"data":3056},":",[],{},{"nodeType":1165,"data":3058,"content":3059},{},[3060,3070,3080,3090],{"nodeType":1093,"data":3061,"content":3062},{},[3063],{"nodeType":264,"data":3064,"content":3065},{},[3066],{"nodeType":248,"value":3067,"marks":3068,"data":3069},"It doesn't matter if they run the site using Cloudflare Workers to block automatic analysis.",[],{},{"nodeType":1093,"data":3071,"content":3072},{},[3073],{"nodeType":264,"data":3074,"content":3075},{},[3076],{"nodeType":248,"value":3077,"marks":3078,"data":3079},"It doesn’t matter if they hack a WordPress blog to get a reputable domain.",[],{},{"nodeType":1093,"data":3081,"content":3082},{},[3083],{"nodeType":264,"data":3084,"content":3085},{},[3086],{"nodeType":248,"value":3087,"marks":3088,"data":3089},"It doesn’t matter if they use clever redirects and rotate the URLs delivered to the user.",[],{},{"nodeType":1093,"data":3091,"content":3092},{},[3093],{"nodeType":264,"data":3094,"content":3095},{},[3096],{"nodeType":248,"value":3097,"marks":3098,"data":3099},"It doesn’t matter if they randomize the HTML title for the web page. ",[],{},{"nodeType":264,"data":3101,"content":3102},{},[3103],{"nodeType":248,"value":3104,"marks":3105,"data":3106},"They can’t avoid the fact that a user is required to enter their credentials on the page for the attack to succeed. ",[],{},{"nodeType":264,"data":3108,"content":3109},{},[3110],{"nodeType":248,"value":3111,"marks":3112,"data":3113},"So, when you apply the Pyramid of Pain to some of the controls we’ve shipped this year, we get a clear feel for the value, from highest to lowest:",[],{},{"nodeType":1165,"data":3115,"content":3116},{},[3117,3137,3157],{"nodeType":1093,"data":3118,"content":3119},{},[3120],{"nodeType":264,"data":3121,"content":3122},{},[3123,3127,3134],{"nodeType":248,"value":3124,"marks":3125,"data":3126},"User Behavior: ",[],{},{"nodeType":259,"data":3128,"content":3129},{"uri":1725},[3130],{"nodeType":248,"value":3131,"marks":3132,"data":3133},"Detecting and blocking the user behavior of entering their password into any site that the password doesn’t belong to",[],{},{"nodeType":248,"value":704,"marks":3135,"data":3136},[],{},{"nodeType":1093,"data":3138,"content":3139},{},[3140],{"nodeType":264,"data":3141,"content":3142},{},[3143,3147,3154],{"nodeType":248,"value":3144,"marks":3145,"data":3146},"Tool Behavior: ",[],{},{"nodeType":259,"data":3148,"content":3149},{"uri":1785},[3150],{"nodeType":248,"value":3151,"marks":3152,"data":3153},"Detecting when a login page that you access is cloned from a legitimate page.",[],{},{"nodeType":248,"value":29,"marks":3155,"data":3156},[],{},{"nodeType":1093,"data":3158,"content":3159},{},[3160],{"nodeType":264,"data":3161,"content":3162},{},[3163,3167,3174],{"nodeType":248,"value":3164,"marks":3165,"data":3166},"Tool Signature: ",[],{},{"nodeType":259,"data":3168,"content":3169},{"uri":1916},[3170],{"nodeType":248,"value":3171,"marks":3172,"data":3173},"Detecting and blocking access to a page with a known phishing kit signature present on the page",[],{},{"nodeType":248,"value":704,"marks":3175,"data":3176},[],{},{"nodeType":264,"data":3178,"content":3179},{},[3180],{"nodeType":248,"value":3181,"marks":3182,"data":3183},"Naturally, we want to continue focusing on the apex of the Pyramid – at TTPs and Tools – to ensure that the controls we build are as robust as possible, and can’t be bypassed by attackers. ",[],{},{"nodeType":296,"data":3185,"content":3186},{},[],{"nodeType":304,"data":3188,"content":3189},{},[3190],{"nodeType":248,"value":3191,"marks":3192,"data":3193},"The power of the Push browser agent",[],{},{"nodeType":264,"data":3195,"content":3196},{},[3197,3201,3206],{"nodeType":248,"value":3198,"marks":3199,"data":3200},"You might ask: ",[],{},{"nodeType":248,"value":3202,"marks":3203,"data":3205},"If it’s so simple, why hasn’t this been done yet?",[3204],{"type":433},{},{"nodeType":248,"value":3207,"marks":3208,"data":3209}," Well, before now, there was no good way of doing it! Teams simply didn’t have tools in the right place to be able to capture the level of data needed, or respond effectively (i.e. automatically, at the point of impact). ",[],{},{"nodeType":264,"data":3211,"content":3212},{},[3213,3217,3224],{"nodeType":248,"value":3214,"marks":3215,"data":3216},"This is where being in the browser comes into play. The browser is a great place to observe the behavior of a page in real time, without needing to reconstruct decrypted HTTP data post-TLS termination and try to guess what the rendered page in all its Javascript-infused glory actually does, ",[],{},{"nodeType":259,"data":3218,"content":3219},{"uri":1593},[3220],{"nodeType":248,"value":3221,"marks":3222,"data":3223},"as we’ve blogged about previously",[],{},{"nodeType":248,"value":3225,"marks":3226,"data":3227},". As we’ve seen through the ability to not only detect but prevent phishing attacks, it’s also a great control enforcement point, as you’re able to intercept the user at the point of impact, and you sit as closely as possible to where their work typically happens – in the browser. ",[],{},{"nodeType":264,"data":3229,"content":3230},{},[3231],{"nodeType":248,"value":3232,"marks":3233,"data":3234},"To illustrate how crucial the browser is to implementing controls that sit at the apex of the Pyramid of Pain, we created a modified version designed specifically for identity attacks. ",[],{},{"nodeType":1327,"data":3236,"content":3240},{"target":3237},{"sys":3238},{"id":3239,"type":1324,"linkType":1325},"HrK2xQak6KfjInDbeSgv8",[],{"nodeType":1327,"data":3242,"content":3246},{"target":3243},{"sys":3244},{"id":3245,"type":1324,"linkType":1325},"7kLilJ8Y08smUI9ttM3BSO",[],{"nodeType":296,"data":3248,"content":3249},{},[],{"nodeType":304,"data":3251,"content":3252},{},[3253],{"nodeType":248,"value":3254,"marks":3255,"data":3256},"Conclusion",[],{},{"nodeType":264,"data":3258,"content":3259},{},[3260],{"nodeType":248,"value":3261,"marks":3262,"data":3263},"Hopefully, this blog post has shone a light on why we do things the way we do here at Push. The goal of building generic detections that are difficult, painful, and costly for attackers to bypass is a key part of our design strategy, and we look forward to sharing many more controls with you that demonstrate this in the future.",[],{},"Our design philosophy: Detecting what matters","This is the first blog in a short series we’re putting together about the ‘why’ behind the ‘what’ at Push. This entry is focused on threat detection. ","2024-08-05T00:00:00.000Z","our-design-philosophy-detecting-what-matters",{"items":3269},[3270,3272],{"sys":3271,"name":2599},{"id":2598},{"sys":3273,"name":2603},{"id":2602},{"items":3275},[3276],{"fullName":232,"firstName":233,"jobTitle":234,"profilePicture":3277},{"url":236},{"__typename":1356,"sys":3279,"content":3281,"title":4071,"synopsis":4072,"hashTags":62,"publishedDate":4073,"slug":4074,"tagsCollection":4075,"authorsCollection":4083},{"id":3280},"20FcoPvHu7zXkTQyv9MmK0",{"json":3282},{"nodeType":1334,"data":3283,"content":3284},{},[3285,3291,3298,3350,3357,3364,3379,3386,3393,3476,3483,3489,3496,3503,3518,3525,3532,3555,3579,3585,3605,3612,3619,3650,3657,3664,3670,3688,3695,3702,3709,3716,3722,3740,3747,3754,3761,3768,3774,3793,3800,3807,3813,3832,3839,3846,3853,3901,3908,3979,3994,4000,4007,4014,4021,4028,4046,4053],{"nodeType":1327,"data":3286,"content":3290},{"target":3287},{"sys":3288},{"id":3289,"type":1324,"linkType":1325},"7rud2H1hcTAOhxh9zHzxP6",[],{"nodeType":264,"data":3292,"content":3293},{},[3294],{"nodeType":248,"value":3295,"marks":3296,"data":3297},"If someone asked you where you work, you probably wouldn’t answer, “My browser.” But that would be the truth.",[],{},{"nodeType":264,"data":3299,"content":3300},{},[3301,3305,3313,3316,3324,3327,3335,3338,3346],{"nodeType":248,"value":3302,"marks":3303,"data":3304},"(Threat actors already know where you work, of course, and they’ve been capitalizing on the massive shift to cloud-based workforces. Just look at any of the ",[],{},{"nodeType":259,"data":3306,"content":3308},{"uri":3307},"https://www.crowdstrike.com/global-threat-report/",[3309],{"nodeType":248,"value":3310,"marks":3311,"data":3312},"latest",[],{},{"nodeType":248,"value":1088,"marks":3314,"data":3315},[],{},{"nodeType":259,"data":3317,"content":3319},{"uri":3318},"https://redcanary.com/threat-detection-report/techniques/cloud-accounts/",[3320],{"nodeType":248,"value":3321,"marks":3322,"data":3323},"threat",[],{},{"nodeType":248,"value":1088,"marks":3325,"data":3326},[],{},{"nodeType":259,"data":3328,"content":3330},{"uri":3329},"https://www.verizon.com/business/resources/reports/dbir/",[3331],{"nodeType":248,"value":3332,"marks":3333,"data":3334},"research",[],{},{"nodeType":248,"value":1088,"marks":3336,"data":3337},[],{},{"nodeType":259,"data":3339,"content":3341},{"uri":3340},"https://www.lab539.com/blog/6-months-tracking-aitm-campaigns",[3342],{"nodeType":248,"value":3343,"marks":3344,"data":3345},"reports",[],{},{"nodeType":248,"value":3347,"marks":3348,"data":3349}," on identity-based attacks to see how good a job they’ve been doing.)",[],{},{"nodeType":264,"data":3351,"content":3352},{},[3353],{"nodeType":248,"value":3354,"marks":3355,"data":3356},"To get visibility of your infrastructure in order to build a strong detection and response program, the equation used to look something like:",[],{},{"nodeType":264,"data":3358,"content":3359},{},[3360],{"nodeType":248,"value":3361,"marks":3362,"data":3363},"Network traffic + Logs + Endpoints = Profit!",[],{},{"nodeType":264,"data":3365,"content":3366},{},[3367,3371,3376],{"nodeType":248,"value":3368,"marks":3369,"data":3370},"But now there’s a missing piece, as identity infrastructure sprawls across IdPs, core apps, shadow SaaS and third-party integrations: ",[],{},{"nodeType":248,"value":3372,"marks":3373,"data":3375},"Browser telemetry",[3374],{"type":433},{},{"nodeType":248,"value":399,"marks":3377,"data":3378},[],{},{"nodeType":264,"data":3380,"content":3381},{},[3382],{"nodeType":248,"value":3383,"marks":3384,"data":3385},"As a browser agent, Push is uniquely positioned to provide telemetry you can’t easily get anywhere else. We believe that this missing piece is the key to stopping identity attacks by providing the context both for first-class detections and security controls, as well as key correlations for events you observe in traditional log sources.",[],{},{"nodeType":264,"data":3387,"content":3388},{},[3389],{"nodeType":248,"value":3390,"marks":3391,"data":3392},"Now we have a better way to bring Push’s data to life to solve meaningful security challenges:",[],{},{"nodeType":1165,"data":3394,"content":3395},{},[3396,3426],{"nodeType":1093,"data":3397,"content":3398},{},[3399],{"nodeType":264,"data":3400,"content":3401},{},[3402,3407,3411,3422],{"nodeType":248,"value":3403,"marks":3404,"data":3406},"Plug-and-play security controls",[3405],{"type":433},{},{"nodeType":248,"value":3408,"marks":3409,"data":3410},", accessible from the new ",[],{},{"nodeType":3412,"data":3413,"content":3417},"entry-hyperlink",{"target":3414},{"sys":3415},{"id":3416,"type":1324,"linkType":1325},"BtDLgVZRWQ3Ov4WgDQX1W",[3418],{"nodeType":248,"value":2514,"marks":3419,"data":3421},[3420],{"type":433},{},{"nodeType":248,"value":3423,"marks":3424,"data":3425}," page in the Push platform",[],{},{"nodeType":1093,"data":3427,"content":3428},{},[3429],{"nodeType":264,"data":3430,"content":3431},{},[3432,3437,3441,3448,3451,3459,3463,3472],{"nodeType":248,"value":3433,"marks":3434,"data":3436},"Choose-your-own-adventure tooling",[3435],{"type":433},{},{"nodeType":248,"value":3438,"marks":3439,"data":3440},", including a ",[],{},{"nodeType":259,"data":3442,"content":3443},{"uri":1706},[3444],{"nodeType":248,"value":3445,"marks":3446,"data":3447},"REST API",[],{},{"nodeType":248,"value":324,"marks":3449,"data":3450},[],{},{"nodeType":259,"data":3452,"content":3454},{"uri":3453},"https://pushsecurity.redoc.ly/webhooks-v1/",[3455],{"nodeType":248,"value":3456,"marks":3457,"data":3458},"webhooks",[],{},{"nodeType":248,"value":3460,"marks":3461,"data":3462},", and a new ",[],{},{"nodeType":259,"data":3464,"content":3466},{"uri":3465},"/help/audience/administrators/docs/connect-to-siem-or-soar/#using-the-events-page",[3467],{"nodeType":248,"value":3468,"marks":3469,"data":3471},"Events",[3470],{"type":433},{},{"nodeType":248,"value":3473,"marks":3474,"data":3475}," page to help you visualize and build custom detections and automations.",[],{},{"nodeType":264,"data":3477,"content":3478},{},[3479],{"nodeType":248,"value":3480,"marks":3481,"data":3482},"Let’s take a closer look.",[],{},{"nodeType":1327,"data":3484,"content":3488},{"target":3485},{"sys":3486},{"id":3487,"type":1324,"linkType":1325},"6iKFd9Qys2SSuNqKVQB7ka",[],{"nodeType":304,"data":3490,"content":3491},{},[3492],{"nodeType":248,"value":3493,"marks":3494,"data":3495},"Plug-and-play controls",[],{},{"nodeType":264,"data":3497,"content":3498},{},[3499],{"nodeType":248,"value":3500,"marks":3501,"data":3502},"Security visibility without security control is a recipe for a stress headache, so we’re big believers in providing meaningful interventions that are easy to use.",[],{},{"nodeType":264,"data":3504,"content":3505},{},[3506,3510,3514],{"nodeType":248,"value":3507,"marks":3508,"data":3509},"With the new ",[],{},{"nodeType":248,"value":2514,"marks":3511,"data":3513},[3512],{"type":433},{},{"nodeType":248,"value":3515,"marks":3516,"data":3517}," page in the Push admin console, you can now find these preconfigured detections and interventions in one place. They cover use cases that any organization can benefit from, and take a unique browser-based approach to solving some thorny issues.",[],{},{"nodeType":264,"data":3519,"content":3520},{},[3521],{"nodeType":248,"value":3522,"marks":3523,"data":3524},"These controls include:",[],{},{"nodeType":414,"data":3526,"content":3527},{},[3528],{"nodeType":248,"value":3529,"marks":3530,"data":3531},"Phishing tool detection",[],{},{"nodeType":264,"data":3533,"content":3534},{},[3535,3539,3544,3547,3552],{"nodeType":248,"value":3536,"marks":3537,"data":3538},"Detect and block when employees visit webpages that use advanced phishing tools such as Evilginx or EvilNoVNC, among others. These adversary-in-the-middle (AitM) toolkits can mimic legitimate login screens, such as an Okta login page, to steal ",[],{},{"nodeType":248,"value":3540,"marks":3541,"data":3543},"credentials",[3542],{"type":433},{},{"nodeType":248,"value":387,"marks":3545,"data":3546},[],{},{"nodeType":248,"value":3548,"marks":3549,"data":3551},"MFA codes",[3550],{"type":433},{},{"nodeType":248,"value":399,"marks":3553,"data":3554},[],{},{"nodeType":264,"data":3556,"content":3557},{},[3558,3562,3567,3570,3575],{"nodeType":248,"value":3559,"marks":3560,"data":3561},"Push emits a webhook event when the browser agent detects attributes of these malware. You can also set Push to ",[],{},{"nodeType":248,"value":3563,"marks":3564,"data":3566},"Warn",[3565],{"type":433},{},{"nodeType":248,"value":691,"marks":3568,"data":3569},[],{},{"nodeType":248,"value":3571,"marks":3572,"data":3574},"Block",[3573],{"type":433},{},{"nodeType":248,"value":3576,"marks":3577,"data":3578}," mode to display a customizable message to end-users when they encounter a phishing site.",[],{},{"nodeType":1327,"data":3580,"content":3584},{"target":3581},{"sys":3582},{"id":3583,"type":1324,"linkType":1325},"2ylIkR0JXHkFStGuCFRjlN",[],{"nodeType":264,"data":3586,"content":3587},{},[3588,3592,3602],{"nodeType":248,"value":3589,"marks":3590,"data":3591},"More about ",[],{},{"nodeType":3412,"data":3593,"content":3597},{"target":3594},{"sys":3595},{"id":3596,"type":1324,"linkType":1325},"7KRnTSnJAbbiho69gNyN0B",[3598],{"nodeType":248,"value":3599,"marks":3600,"data":3601},"phishing tool detection",[],{},{"nodeType":248,"value":29,"marks":3603,"data":3604},[],{},{"nodeType":414,"data":3606,"content":3607},{},[3608],{"nodeType":248,"value":3609,"marks":3610,"data":3611},"SSO password protection",[],{},{"nodeType":264,"data":3613,"content":3614},{},[3615],{"nodeType":248,"value":3616,"marks":3617,"data":3618},"Prevent employees from reusing their corporate SSO password on any page that doesn’t belong to the identity provider, including phishing sites. This means that even if that employee was the first person to get phished using a new attacker site, Push still detects it and blocks it.",[],{},{"nodeType":264,"data":3620,"content":3621},{},[3622,3626,3630,3633,3637,3641,3646],{"nodeType":248,"value":3623,"marks":3624,"data":3625},"Customize the message that end-users see in ",[],{},{"nodeType":248,"value":3563,"marks":3627,"data":3629},[3628],{"type":433},{},{"nodeType":248,"value":691,"marks":3631,"data":3632},[],{},{"nodeType":248,"value":3571,"marks":3634,"data":3636},[3635],{"type":433},{},{"nodeType":248,"value":3638,"marks":3639,"data":3640}," mode, or start out in ",[],{},{"nodeType":248,"value":3642,"marks":3643,"data":3645},"Monitor",[3644],{"type":433},{},{"nodeType":248,"value":3647,"marks":3648,"data":3649}," mode to catch any false positives before you enforce the control.",[],{},{"nodeType":264,"data":3651,"content":3652},{},[3653],{"nodeType":248,"value":3654,"marks":3655,"data":3656},"This feature supports the following identity providers: Okta, Microsoft 365, Google Workspace, JumpCloud, Duo, and Ping Identity.",[],{},{"nodeType":264,"data":3658,"content":3659},{},[3660],{"nodeType":248,"value":3661,"marks":3662,"data":3663},"Push will also emit a webhook event when an SSO password is used, and if an employee clicks through the warning screen.",[],{},{"nodeType":1327,"data":3665,"content":3669},{"target":3666},{"sys":3667},{"id":3668,"type":1324,"linkType":1325},"25c8M2gWYFST7yYxGEji2s",[],{"nodeType":264,"data":3671,"content":3672},{},[3673,3676,3685],{"nodeType":248,"value":3589,"marks":3674,"data":3675},[],{},{"nodeType":3412,"data":3677,"content":3681},{"target":3678},{"sys":3679},{"id":3680,"type":1324,"linkType":1325},"6FYHbkcRUrtznPo7RarRsz",[3682],{"nodeType":248,"value":3609,"marks":3683,"data":3684},[],{},{"nodeType":248,"value":29,"marks":3686,"data":3687},[],{},{"nodeType":414,"data":3689,"content":3690},{},[3691],{"nodeType":248,"value":3692,"marks":3693,"data":3694},"URL blocking",[],{},{"nodeType":264,"data":3696,"content":3697},{},[3698],{"nodeType":248,"value":3699,"marks":3700,"data":3701},"When you find malicious sites you want to block, such as when responding to a phishing incident, add them to a blocklist and prevent other employees from accessing those sites. ",[],{},{"nodeType":264,"data":3703,"content":3704},{},[3705],{"nodeType":248,"value":3706,"marks":3707,"data":3708},"URL blocking can be used in tandem with Push’s anti-phishing controls, so that as you discover malicious sites, you can block them from a central blocklist. This offers a kind of herd immunity where you can block other users from visiting a malicious site as soon as you have a single incident.",[],{},{"nodeType":264,"data":3710,"content":3711},{},[3712],{"nodeType":248,"value":3713,"marks":3714,"data":3715},"You can programmatically manage the blocklist using the Push REST API or sync to other threat intelligence sources you consume.",[],{},{"nodeType":1327,"data":3717,"content":3721},{"target":3718},{"sys":3719},{"id":3720,"type":1324,"linkType":1325},"3m00cFiUDAnddsOBOpkeiZ",[],{"nodeType":264,"data":3723,"content":3724},{},[3725,3728,3737],{"nodeType":248,"value":3589,"marks":3726,"data":3727},[],{},{"nodeType":3412,"data":3729,"content":3733},{"target":3730},{"sys":3731},{"id":3732,"type":1324,"linkType":1325},"P0coHgQAdRL0YTu4Rwd4z",[3734],{"nodeType":248,"value":3692,"marks":3735,"data":3736},[],{},{"nodeType":248,"value":29,"marks":3738,"data":3739},[],{},{"nodeType":414,"data":3741,"content":3742},{},[3743],{"nodeType":248,"value":3744,"marks":3745,"data":3746},"Session token theft detection",[],{},{"nodeType":264,"data":3748,"content":3749},{},[3750],{"nodeType":248,"value":3751,"marks":3752,"data":3753},"Inject a unique marker provided by the Push browser agent into the User Agent string of sessions that occur in browsers enrolled in Push. ",[],{},{"nodeType":264,"data":3755,"content":3756},{},[3757],{"nodeType":248,"value":3758,"marks":3759,"data":3760},"By analyzing logs from your IdP, you can identify activity from the same session that both has the Push marker and that lacks the marker. This can only ever happen when a session is extracted from a browser and maliciously imported into a different browser.",[],{},{"nodeType":264,"data":3762,"content":3763},{},[3764],{"nodeType":248,"value":3765,"marks":3766,"data":3767},"This is a high-fidelity signal that a session token has been stolen and is being used.",[],{},{"nodeType":1327,"data":3769,"content":3773},{"target":3770},{"sys":3771},{"id":3772,"type":1324,"linkType":1325},"43rk3TCqN269Vr2YWT4llP",[],{"nodeType":264,"data":3775,"content":3776},{},[3777,3780,3790],{"nodeType":248,"value":3589,"marks":3778,"data":3779},[],{},{"nodeType":3412,"data":3781,"content":3785},{"target":3782},{"sys":3783},{"id":3784,"type":1324,"linkType":1325},"1UMZdjyNQt4Y7NBb2wuK4L",[3786],{"nodeType":248,"value":3787,"marks":3788,"data":3789},"session token theft detection",[],{},{"nodeType":248,"value":29,"marks":3791,"data":3792},[],{},{"nodeType":414,"data":3794,"content":3795},{},[3796],{"nodeType":248,"value":3797,"marks":3798,"data":3799},"App banners",[],{},{"nodeType":264,"data":3801,"content":3802},{},[3803],{"nodeType":248,"value":3804,"marks":3805,"data":3806},"Add guardrails to employees’ use of SaaS apps with in-browser app banner messages you customize with your own text. You can require users to acknowledge having read a message before they can access an app, or even require them to submit a reason for using an app before they can log in.",[],{},{"nodeType":1327,"data":3808,"content":3812},{"target":3809},{"sys":3810},{"id":3811,"type":1324,"linkType":1325},"5nEKTBz6mauHI5mg8jB4ea",[],{"nodeType":264,"data":3814,"content":3815},{},[3816,3819,3829],{"nodeType":248,"value":3589,"marks":3817,"data":3818},[],{},{"nodeType":3412,"data":3820,"content":3824},{"target":3821},{"sys":3822},{"id":3823,"type":1324,"linkType":1325},"2ZpKnuljaUH0jzVaae4SMN",[3825],{"nodeType":248,"value":3826,"marks":3827,"data":3828},"app banners",[],{},{"nodeType":248,"value":29,"marks":3830,"data":3831},[],{},{"nodeType":304,"data":3833,"content":3834},{},[3835],{"nodeType":248,"value":3836,"marks":3837,"data":3838},"Choose your own adventure",[],{},{"nodeType":264,"data":3840,"content":3841},{},[3842],{"nodeType":248,"value":3843,"marks":3844,"data":3845},"Want to do something creative? We've got you covered. Push provides a wealth of raw telemetry via the Push REST API and webhook events. Use this data to build both proactive and reactive security operations workflows, or add missing context to other sources, such as your IdP, application, or endpoint logs.",[],{},{"nodeType":264,"data":3847,"content":3848},{},[3849],{"nodeType":248,"value":3850,"marks":3851,"data":3852},"You can use this browser telemetry to:",[],{},{"nodeType":1165,"data":3854,"content":3855},{},[3856,3871,3886],{"nodeType":1093,"data":3857,"content":3858},{},[3859],{"nodeType":264,"data":3860,"content":3861},{},[3862,3867],{"nodeType":248,"value":3863,"marks":3864,"data":3866},"Harden identities and reduce account compromise",[3865],{"type":433},{},{"nodeType":248,"value":3868,"marks":3869,"data":3870},", such as alerting you when passwords are identified in public data breaches or when employees are using an unapproved app or when an SSO app is accessed via local account.",[],{},{"nodeType":1093,"data":3872,"content":3873},{},[3874],{"nodeType":264,"data":3875,"content":3876},{},[3877,3882],{"nodeType":248,"value":3878,"marks":3879,"data":3881},"Monitor for suspicious activity or high-risk changes",[3880],{"type":433},{},{"nodeType":248,"value":3883,"marks":3884,"data":3885},", such as checking for MFA method changes, or flagging when employees reuse corporate SSO passwords or visit sites running phishing malware.",[],{},{"nodeType":1093,"data":3887,"content":3888},{},[3889],{"nodeType":264,"data":3890,"content":3891},{},[3892,3897],{"nodeType":248,"value":3893,"marks":3894,"data":3896},"Investigate indicators of compromise",[3895],{"type":433},{},{"nodeType":248,"value":3898,"marks":3899,"data":3900},", such as correlating login events with platform logs, searching for recent signups to risky apps, or identifying post-compromise lateral movement opportunities.",[],{},{"nodeType":264,"data":3902,"content":3903},{},[3904],{"nodeType":248,"value":3905,"marks":3906,"data":3907},"In the “make my life easier” category, you can also use Push telemetry to:",[],{},{"nodeType":1165,"data":3909,"content":3910},{},[3911,3930,3949,3964],{"nodeType":1093,"data":3912,"content":3913},{},[3914],{"nodeType":264,"data":3915,"content":3916},{},[3917,3921,3926],{"nodeType":248,"value":3918,"marks":3919,"data":3920},"Automate a workflow ",[],{},{"nodeType":248,"value":3922,"marks":3923,"data":3925},"showing you all the accounts and apps used by an offboarded employee",[3924],{"type":433},{},{"nodeType":248,"value":3927,"marks":3928,"data":3929},", and their account login methods.",[],{},{"nodeType":1093,"data":3931,"content":3932},{},[3933],{"nodeType":264,"data":3934,"content":3935},{},[3936,3940,3945],{"nodeType":248,"value":3937,"marks":3938,"data":3939},"Automate a workflow to",[],{},{"nodeType":248,"value":3941,"marks":3942,"data":3944}," revoke licenses on SaaS after a period of inactivity",[3943],{"type":433},{},{"nodeType":248,"value":3946,"marks":3947,"data":3948},", saving money.",[],{},{"nodeType":1093,"data":3950,"content":3951},{},[3952],{"nodeType":264,"data":3953,"content":3954},{},[3955,3960],{"nodeType":248,"value":3956,"marks":3957,"data":3959},"Build an approved apps list in your company wiki",[3958],{"type":433},{},{"nodeType":248,"value":3961,"marks":3962,"data":3963},", synced from Push’s source of truth.",[],{},{"nodeType":1093,"data":3965,"content":3966},{},[3967],{"nodeType":264,"data":3968,"content":3969},{},[3970,3975],{"nodeType":248,"value":3971,"marks":3972,"data":3974},"Force-reset an IdP password if Push finds a compromised password",[3973],{"type":433},{},{"nodeType":248,"value":3976,"marks":3977,"data":3978}," on an employee account.",[],{},{"nodeType":264,"data":3980,"content":3981},{},[3982,3986,3990],{"nodeType":248,"value":3983,"marks":3984,"data":3985},"To help you visualize and plan how you will use this telemetry, Push also provides an ",[],{},{"nodeType":248,"value":3468,"marks":3987,"data":3989},[3988],{"type":433},{},{"nodeType":248,"value":3991,"marks":3992,"data":3993}," page in the admin console with a rolling 7-day snapshot of all the events in your environment.",[],{},{"nodeType":1327,"data":3995,"content":3999},{"target":3996},{"sys":3997},{"id":3998,"type":1324,"linkType":1325},"2a3bJ5sN8dJ0c1kQtZiag7",[],{"nodeType":264,"data":4001,"content":4002},{},[4003],{"nodeType":248,"value":4004,"marks":4005,"data":4006},"The Events page can help you see real-world examples, understand the attributes of each event, and gauge event volume before you ingest data into a SIEM or other platform.",[],{},{"nodeType":304,"data":4008,"content":4009},{},[4010],{"nodeType":248,"value":4011,"marks":4012,"data":4013},"What if you don’t have a SIEM?",[],{},{"nodeType":264,"data":4015,"content":4016},{},[4017],{"nodeType":248,"value":4018,"marks":4019,"data":4020},"While you’d need a SIEM for writing detections and performing log correlations, you can still get a lot of value out of Push telemetry if you don’t have one.",[],{},{"nodeType":264,"data":4022,"content":4023},{},[4024],{"nodeType":248,"value":4025,"marks":4026,"data":4027},"Use Push’s webhook events to send alerts directly to your Slack, Teams, or other chat platform, or build workflows that hook into your ticketing system or SOAR platform.",[],{},{"nodeType":264,"data":4029,"content":4030},{},[4031,4035,4042],{"nodeType":248,"value":4032,"marks":4033,"data":4034},"Review our ",[],{},{"nodeType":259,"data":4036,"content":4037},{"uri":3453},[4038],{"nodeType":248,"value":4039,"marks":4040,"data":4041},"webhooks documentation",[],{},{"nodeType":248,"value":4043,"marks":4044,"data":4045}," for a list of events.",[],{},{"nodeType":304,"data":4047,"content":4048},{},[4049],{"nodeType":248,"value":4050,"marks":4051,"data":4052},"Find out more",[],{},{"nodeType":264,"data":4054,"content":4055},{},[4056,4060,4067],{"nodeType":248,"value":4057,"marks":4058,"data":4059},"If you want to see Push in action, ",[],{},{"nodeType":259,"data":4061,"content":4063},{"uri":4062},"/demo/",[4064],{"nodeType":248,"value":2571,"marks":4065,"data":4066},[],{},{"nodeType":248,"value":4068,"marks":4069,"data":4070},". We’ll be happy to show you these features, along with how we discover all the apps your employees are using — even the ones not behind SSO.",[],{},"Introducing set-and-forget controls that stop real-world identity attacks","Enable detections and interventions in the browser using Push’s new security controls.","2024-07-02T00:00:00.000Z","introducing-set-and-forget-controls-that-stop-real-world-identity-attacks",{"items":4076},[4077,4081],{"sys":4078,"name":4080},{"id":4079},"5jk0kqjSdSK2L0YiistQjY","Release notes",{"sys":4082,"name":2599},{"id":2598},{"items":4084},[4085],{"fullName":4086,"firstName":4087,"jobTitle":2609,"profilePicture":4088},"Kelly Davenport","Kelly",{"url":4089},"https://images.ctfassets.net/y1cdw1ablpvd/1hi8bEuVfn5sF57LivAq6d/9a3b82426c697d765e2e450e33a18424/kelly_profile_pic.jpeg","the-saas-attack-matrix-one-year-on","blog/the-saas-attack-matrix-one-year-on",{"json":4093},{"data":4094,"content":4095,"nodeType":1334},{},[4096],{"data":4097,"content":4098,"nodeType":264},{},[4099],{"data":4100,"marks":4101,"value":4102,"nodeType":248},{},[],"It’s been almost exactly a year since we released the SaaS attack matrix – our open source repository of SaaS-native attack techniques. So, it’s a good time to look at what’s changed, and which techniques we’ve seen rise to prominence in the wild.","It’s been almost exactly a year since we released our open source repository of SaaS-native attack techniques. Let's reflect on what’s changed. ",{"id":4105,"publishedAt":4106},"1LxqUNZpD2VynzSqbv719Z","2024-08-28T14:24:56.222Z",{"items":4108},[4109,4111],{"sys":4110,"name":2603},{"id":2602},{"sys":4112,"name":2599},{"id":2598},"6EFFKlzKTPhqcgppOJkcmbP5_U8shsA_VOQW3gvf78U",1784196731020]