Get your copy of the SaaS Attacks Report: 2024 edition

Video

The New SaaS Cyber Kill Chain: SO-CON 2024

Once upon a time, we thought of cyber attacks in terms of recon, port scanning, enumeration, vulnerability identification and exploitation and we had various approaches we would use to frustrate attackers at every phase.

As the cat and mouse game of security continued, this eventually morphed into an endpoint compromise focused process involving initial access, exploitation, persistence, command and control and lateral movement inside a complex internal network. But with the remote working and SaaS revolution, the way organizations work has changed radically – so what does the cyber kill chain look like now?

This talk considers what a new SaaS cyber kill chain looks like for modern organizations that are fully SaaS native without any concept of an internal network, and the surprising number of attacks that are possible without touching company owned endpoints or infrastructure.

We will consider topics like how the initial access stage is changing due to the availability of so many potential beachheads, what lateral movement looks like in a world with no internal infrastructure to migrate to and how persistence methods have changed and are much more resilient to common containment measures such as password resets and secure device wipes.

Finally, we'll consider how the open-source SaaS attacks matrix can be used by both red and blue teams to help navigate this new world.

Ready to take Push for a spin?
You've got 10 free licenses and nothing to lose

Similar content

Infostealers: How attackers are stealing your cookies and bypassing MFA
Video

Infostealers: How attackers are stealing your cookies and bypassing MFA

A few months ago, the Snowflake breach shone a light on the threats posed by infostealers. In it, 80% of the credentials used were seen in infostealer infections dating back to 2020. Naturally, the fact that the credentials that facilitated one of the largest breaches in history were just sitting around on the internet is seriously alarming.

Attackers are also increasingly using infostealers to steal authenticated user sessions, bypass MFA and take over corporate accounts. From there, they can access and steal sensitive data, take over critical functionality, and pivot to conduct more traditional attacks like deploying ransomware.

Join Luke Jennings, VP R&D at Push Security, as he rolls up his sleeves to demonstrate:

  • How attackers use infostealers to steal sessions and compromise MFA-protected services like M365.

  • How attackers use residential VPNs to bypass conditional access policies.

  • How downstream SaaS app sessions can be stolen to avoid the need to access highly protected IDPs like Microsoft and Okta.

Read more
Demonstrating ghost logins in Snowflake and how to remediate them.
Video

Demonstrating ghost logins in Snowflake and how to remediate them.

Ghost logins are additional login methods than can exist simultaneously to the preferred default login method (e.g. SSO). Ghost logins often lack robust authentication controls such as MFA, meaning that stolen credentials for local logins with a username and password will remain valid even if an SSO login also exists for that account. These accounts will lack MFA unless specifically adopted by the user.

This vulnerability affects the majority of SaaS apps, including Snowflake, which was recently subject to a massive malicious campaign in which accounts belonging to over 165 Snowflake customers have been compromised.

Luke Jennings, VP R&D at Push Security, demonstrates this vulnerability in Snowflake and what you can do about it.

The command run by Luke is:

SELECT
  NAME AS user_name,
  EMAIL AS email,
  DISABLED AS disabled,
  HAS_PASSWORD as has_password,
  EXT_AUTHN_DUO as mfa
FROM
  SNOWFLAKE.ACCOUNT_USAGE.USERS
WHERE
  DISABLED = false
  AND HAS_PASSWORD = true
  AND EXT_AUTHN_DUO = false

You can also check out the full webinar here.

Read more
Snowflake: The tip of the iceberg – Three practical takeaways from the Snowflake incident
Video

Snowflake: The tip of the iceberg – Three practical takeaways from the Snowflake incident

The Snowflake breach will be for cloud identity attacks what WannaCry was for Ransomware.

Touted as potentially the biggest breach in history, the Snowflake incident is a watershed moment for identity security, impacting ~165 organizations (so far) and millions of downstream customers.

Just as we had with OS security, this is the 'security by default' moment for SaaS.

Join Luke Jennings, VP R&D at Push Security, to explore the practical takeaways from the incident. He'll discuss what Snowflake shows us about the complexity of the identity attack surface, and discuss the practical steps that organizations can take to investigate and respond effectively.

Read more
Phishing 2.0 – Detecting Evilginx, EvilnoVNC, Muraena and Modlishka
Video

Phishing 2.0 – Detecting Evilginx, EvilnoVNC, Muraena and Modlishka

Attackers are increasingly using new phishing toolkits (open-source, commercial, and criminal) to execute AitM and BitM attacks and bypass traditional phishing prevention controls such as MFA, EDR, and email content filtering.

They're not only harvesting credentials, but stealing live session logins for high-value platforms like Okta and MS365.

In this webinar, our VP Research, Luke Jennings, demonstrates how these tools work as well as how Push uses browser telemetry to detect these toolkits running on webpages and block users from accessing them.

Read more
BlueHat 2023 - SaaS Cyber Kill Chain
Video

BlueHat 2023 - SaaS Cyber Kill Chain

Luke Jennings, Push's VP of R&D, explores the evolution of cyber attacks and the impact of the remote working and SaaS revolution on the cyber kill chain.

He discusses the new SaaS cyber kill chain for modern, fully SaaS native organizations and the surprising number of attacks possible without touching company-owned endpoints or infrastructure.

Luke discusses how initial access, lateral movement, and persistence methods have changed in a world with no internal infrastructure. He also introduces the open-source SaaS attacks matrix as a tool for both red and blue teams navigating this new landscape.

Read more
Shared Security - Compromising an Organization without Touching the Network
Video

Shared Security - Compromising an Organization without Touching the Network

In this episode of Shared Security Luke Jennings VP of Research & Development from Push Security joins us to discuss SaaS attacks and how its possible to compromise an organization without touching a single endpoint or network. Luke talks about his recent SaaS attack research, why SaaS based attacks are different than traditional network based attacks, the SaaS attack matrix which can be used by both red and blue teams, and why its important that this research is shared and talked about in the cybersecurity community.

Read more
Pain in the SaaS - Talk at WithSecure
Video

Pain in the SaaS - Talk at WithSecure

Luke Jennings, Vice President of R&D at Push Security, gives a talk about new SaaS attack techniques at WithSecure Conference

Read more
Understanding the New SaaS Cyber Kill Chain
Video

Understanding the New SaaS Cyber Kill Chain

This talk will consider what a new SaaS cyber kill chain looks like for modern organizations that are fully SaaS native without any concept of an internal network, and the surprising number of attacks that are possible without touching company owned endpoints or infrastructure. In this webinar, you will:

  • Discover how most organizations are already hybrid SaaS and are increasingly SaaS-native

  • Learn what the cyber kill chain looks like when applied to SaaS-native organizations

  • Understand both new variations of old attacks and brand new attack techniques against SaaS-native organizations

  • Discover how SaaS opens up serious persistence challenges even in traditional endpoint compromise scenarios

  • Learn what the SaaS attacks matrix is and how it can benefit your red and blue teams

Read more