Latest research, product updates and best practices on staying secure in the cloud | Permiso

All Categories

How Adversaries Abuse Serverless Services to Harvest Sensitive Data from Environment Variables

How Adversaries Abuse Serverless Services to Harvest Sensitive Data from Environment Variables

The Permiso Team 12.11.2024

Introduction In cloud computing, the evolution of serverless technology has significantly transformed how developers build and run applications. Over the years, the adoption of serverless computing...

Permiso Releases Suite of Open-Source Tools to Bolster Detection Capabilities for Past,Present and Future Attacks

Jared Elder

Permiso Releases Suite of Open-Source Tools to Bolster Detection Capabilities for Past,Present and Future Attacks

Jared Elder 11.07.2024

Release Marks Ten Open-Source Tools the Startup Has Launched So Far This Year PALO ALTO, CA – November 7, 2024 - Permiso, the leader in real-time identity security, has released a suite of three...

INTRODUCING CAPICHE DETECTION FRAMEWORK: AN OPEN-SOURCE TOOL TO SIMPLIFY CLOUD API-BASED HUNTING

Dredhza Braina

INTRODUCING CAPICHE DETECTION FRAMEWORK: AN OPEN-SOURCE TOOL TO SIMPLIFY CLOUD API-BASED HUNTING

Dredhza Braina 11.06.2024

Intro Attacks on cloud infrastructure have been steadily increasing in quantity, sophistication and scope. Common cryptomining attacks still exists, but the proliferation of BEC (Business Email...

BucketShield: Track Log Flow, Secure Buckets, Simulate Threats – All in One Open-Source Tool

Enisa Hoxhaxhiku

BucketShield: Track Log Flow, Secure Buckets, Simulate Threats – All in One Open-Source Tool

Enisa Hoxhaxhiku 11.05.2024

Introduction In today’s cloud-powered world, keeping your logs secure and intact is more important than ever. AWS CloudTrail serves as the backbone for tracking all activities across your cloud...

Breaking free from the chains of fate - Bypassing AWSCompromisedKeyQuarantineV2 Policy

Bleon Proko

Breaking free from the chains of fate - Bypassing AWSCompromisedKeyQuarantineV2 Policy

Bleon Proko 10.31.2024

Intro AWSCompromisedKeyQuarantineV2 (v3 was released during the creation of this article) is an AWS policy that attaches to identities whose credentials are leaked. It denies access to certain...

Introducing SkyScalpel: An Open-Source Tool to Combat Policy Obfuscation in Cloud Environments

Abian Morina

Introducing SkyScalpel: An Open-Source Tool to Combat Policy Obfuscation in Cloud Environments

Abian Morina 10.24.2024

At Permiso Security, we're committed to building and providing tools that empower teams to maintain high standards of cloud and identity security. Often inspired by a small mixture of in-the-wild...

Credits: Wilma Miranda

Ela Dogjani

Introducing CloudTail: An Open-Source Tool for Long-term Cloud Log Retention and Searchability

Ela Dogjani 10.21.2024

Introduction In the labyrinth of modern cloud infrastructure, effective log management is a cornerstone for ensuring operational security and compliance. However, small and medium-sized enterprises...

Permiso State of Identity Security 2024: A Shake-up in Identity Security Is Looming Large

John Filitz

Permiso State of Identity Security 2024: A Shake-up in Identity Security Is Looming Large

John Filitz 10.17.2024

Identity security is front, and center given all the recent breaches that include Microsoft, Okta, Cloudflare and Snowflake to name a few. Organizations are starting to realize that a shake-up is...

Survey Reveals Gaping Disconnect Between Existing Security Controls and the Identity Security Threat Reality

Jared Elder

Survey Reveals Gaping Disconnect Between Existing Security Controls and the Identity Security Threat Reality

Jared Elder 10.17.2024

Respondents are confident in their identity security posture, despite almost half reporting unauthorized access to their environment coupled with growing concerns over the ability to detect...

Product Update: IP and Code Threat Detection Now Available for GitHub and Atlassian’s Suite of Products, Including Confluence and Jira

John Filitz

Product Update: IP and Code Threat Detection Now Available for GitHub and Atlassian’s Suite of Products, Including Confluence and Jira

John Filitz 10.09.2024

Most organizations are unaware of how large their cloud identity attack surface is, specifically as it relates to the high number of human and non-human that exist in a typical environment. Many...

When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying

Ian Ahl

Featured, Research

When AI Gets Hijacked: Exploiting Hosted Models for Dark Roleplaying

Ian Ahl 10.03.2024

Key Takeaways Attacks against GenAI Infrastructure like AWS Bedrock have increased substantially over the last six (6) months. Particularly with exposed access keys. Attackers are hijacking victim...

Permiso Universal Identity Graph: Why Universal Identity Is Key to Solving Security Siloes

John Filitz

Permiso Universal Identity Graph: Why Universal Identity Is Key to Solving Security Siloes

John Filitz 09.19.2024

Permiso Security is excited to announce the release of the Universal Identity Graph, providing identity security risk visibility for all entity identities, including human and non-human, across all...

Permiso Launches Universal Identity Graph to Help Organizations Secure All Identities Across All Environments

Jared Elder

Permiso Launches Universal Identity Graph to Help Organizations Secure All Identities Across All Environments

Jared Elder 09.19.2024

Permiso’s recent product launch provides a centralized hub to secure all human and non-human identities across both cloud and on-premise environments PALO ALTO, CA – September 19, 2024 -- Permiso,...

Introducing Azure Activity Log Axe: An Open-Source Tool to simplify and improve the analysis of Azure Activity logs

Nathan Eades

Introducing Azure Activity Log Axe: An Open-Source Tool to simplify and improve the analysis of Azure Activity logs

Nathan Eades 09.16.2024

We are excited to formally announce the public availability of Azure Activity Log Axe, an open-source tool designed to simplify and improve the analysis of Azure Activity logs. The tool, initially...

Permiso Named SC Awards Finalist In Two Categories

Jared Elder

Permiso Named SC Awards Finalist In Two Categories

Jared Elder 08.30.2024

The identity security company has been named a finalist for both Most Promising Early Stage Startup and Best Threat Detection Technology categories

Strategies Used by Adversaries to Steal Application Access Tokens

Strategies Used by Adversaries to Steal Application Access Tokens

The Permiso Team 08.15.2024

Introduction In today's complex landscape of modern cybersecurity, organizations and cyber-defenders must remain vigilant as adversaries continuously refine their tactics, techniques, and procedures...

Exploiting Cloud Secrets Management Repositories: Adversary Tactics and Mitigation Strategies

Exploiting Cloud Secrets Management Repositories: Adversary Tactics and Mitigation Strategies

The Permiso Team 07.02.2024

Introduction Proper handling of sensitive information, such as passwords and API keys, is a crucial responsibility for any organization and cybersecurity professional using cloud services for their...

Introducing YetiHunter: An open-source tool to detect and hunt for suspicious activity in Snowflake

Bleon Proko

Introducing YetiHunter: An open-source tool to detect and hunt for suspicious activity in Snowflake

Bleon Proko 06.13.2024

Summary On May 30, 2024 Snowflake confirmed many clients were affected by an attacker leveraging compromised NHI credentials to perform data theft. In their notice, Snowflake included some indicators...

Extending Cloud Console Cartographer With New Mappings

Daniel Bohannon

Extending Cloud Console Cartographer With New Mappings

Daniel Bohannon 06.04.2024

Last month Permiso’s P0 Labs released the Cloud Console Cartographer open-source framework and corresponding research presentation at Black Hat Asia in Singapore. Recently we released our full suite...

Unmasking Adversary Cloud Defense Evasion Strategies: Modify Cloud Compute Infrastructure Part 2

Unmasking Adversary Cloud Defense Evasion Strategies: Modify Cloud Compute Infrastructure Part 2

The Permiso Team 05.21.2024

Detection and Mitigation The 'Create Snapshot', ‘Create Cloud Instance’, ‘Delete Cloud Instance’, ‘Revert Cloud Instance’ and ‘Modify Cloud Compute Configurations’ features are widely available...

Unmasking Adversary Cloud Defense Evasion Strategies: Modify Cloud Compute Infrastructure Part 1

Unmasking Adversary Cloud Defense Evasion Strategies: Modify Cloud Compute Infrastructure Part 1

The Permiso Team 05.06.2024

The MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) Framework is a globally-accessible knowledge base of adversary tactics and techniques and procedures (TTPs) which are...

Credits: Brianne Cartwright

Ian Ahl

Déjà Vu or New View: Latest Okta Credential Stuffing Campaign

Ian Ahl 05.02.2024

Summary On April 26, 2024 Okta reported observing a large scale credential stuffing attack that shares infrastructure with a campaign previously reported by Cisco Talos. The campaign that Cisco...

Permiso Launches Cloud Console Cartographer to Help Security Teams Make Sense of Console Activity in Cloud Logs

Jared Elder

Permiso Launches Cloud Console Cartographer to Help Security Teams Make Sense of Console Activity in Cloud Logs

Jared Elder 04.18.2024

The open-source tool helps security teams easily transcribe log activity generated from events of AWS console sessions

Introducing Cloud Console Cartographer: An Open-Source Tool To Help Security Teams Easily Understand Log Events Generated by AWS Console Activity

Daniel Bohannon

Featured, Research

Introducing Cloud Console Cartographer: An Open-Source Tool To Help Security Teams Easily Understand Log Events Generated by AWS Console Activity

Daniel Bohannon 04.18.2024

Introduction While most cloud CLI tools provide a one-to-one correlation between an API being invoked and a single corresponding API event being generated in cloud log telemetry, browser-based...

An Adversary Adventure with Cloud Administration Command

An Adversary Adventure with Cloud Administration Command

The Permiso Team 04.11.2024

Introduction As the cybersecurity landscape rapidly evolves, organizations are implementing multi-cloud solutions to advance their digital transformation initiatives. On the other hand, threat actors...

Permiso Raises $18.5M Series A To Unify Threat Detection and Response In The Cloud

Jared Elder

Permiso Raises $18.5M Series A To Unify Threat Detection and Response In The Cloud

Jared Elder 04.03.2024

Permiso’s product offers a deep library of detection signals from known TTPs of modern threat actors and spans coverage across the cloud’s attack surface to detect threats in the cloud more quickly...

Credits: Wilma Miranda

Andi Ahmeti

Introducing CloudGrappler: A Powerful Open-Source Threat Detection Tool for Cloud Environments

Andi Ahmeti 03.07.2024

IntroductionWith the increased activity of threat actor groups like LUCR-3 (Scattered Spider) over the last year, being able to detect the presence of these threat groups in cloud environments...

Permiso Launches CloudGrappler To Help Security Teams Better Detect Threat Actors In Their Cloud Environments

Jared Elder

Permiso Launches CloudGrappler To Help Security Teams Better Detect Threat Actors In Their Cloud Environments

Jared Elder 03.07.2024

Free open source tool detects activity in cloud environments related to well-known threat actors such as LUCR-3 (Scattered Spider), the group responsible for MGM and Caesars breaches last September

Azure Logs: Breaking Through the Cloud Cover

Nathan Eades

Azure Logs: Breaking Through the Cloud Cover

Nathan Eades 01.17.2024

Permiso consistently observes that engineers and analysts often struggle with interpreting Azure Monitor Activity Logs, facing confusion and achieving only a partial understanding even after gaining...

Privileged Identity Management (PIM): For Many, a False Sense of Security

Nathan Eades

Privileged Identity Management (PIM): For Many, a False Sense of Security

Nathan Eades 12.07.2023

Privileged Identity Management (PIM): PIM is described as a service within Microsoft Entra ID, designed to manage, control, and monitor access to crucial organizational resources, encompassing...

Permiso Offers Complimentary Cloud Identity Threat Briefings in Wake of Okta Breaches

Jared Elder

Permiso Offers Complimentary Cloud Identity Threat Briefings in Wake of Okta Breaches

Jared Elder 12.07.2023

Cloud security company has been researching and detecting attacks against the identity provider control plane for last several years and built over a hundred detections and signals based on known...

Why Identity Providers Aren't Enough To Secure Identities In The Cloud - Part Two

Jared Elder

Why Identity Providers Aren't Enough To Secure Identities In The Cloud - Part Two

Jared Elder 11.09.2023

Your Identity Provider is a Security Guard Think about an identity provider as a security guard in an office building. The goal of the security guard is to ultimately monitor and regulate the access...

Why Identity Providers Aren't Enough to Secure Identities in the Cloud - Part One

Jared Elder

Why Identity Providers Aren't Enough to Secure Identities in the Cloud - Part One

Jared Elder 10.31.2023

In this two part series, we are going to analyze the role IdPs (identity providers) have played in some high-profile breaches over the last few years and perhaps, more specifically, the last few...

Permiso Offers Complimentary Threat Briefings on Scattered Spider

Jared Elder

Permiso Offers Complimentary Threat Briefings on Scattered Spider

Jared Elder 09.27.2023

Cloud security company has tracked the threat actor group for the past year and supported several organizations that have been targeted and impacted by recent attacks. The company's goal is to help...

LUCR-3: Scattered Spider Getting SaaS-y in the Cloud

Ian Ahl

Featured, Featured Research, Research

LUCR-3: Scattered Spider Getting SaaS-y in the Cloud

Ian Ahl 09.20.2023

Summary LUCR-3 overlaps with groups such as Scattered Spider, Oktapus, UNC3944, and STORM-0875 and is a financially motivated attacker that leverages the Identity Provider (IDP) as initial access...

Cloud Detection and Response Needs To Break Down Boundaries

Jared Elder

Cloud Detection and Response Needs To Break Down Boundaries

Jared Elder 08.31.2023

For the past several years, the security and engineering community have repeatedly heard the adage that "identity is the new perimeter." While identity has long been a pillar to managing security...

Intern Showcase: Anonymizing Logs Made Easy with LogLicker

Corey Ahl

Intern Showcase: Anonymizing Logs Made Easy with LogLicker

Corey Ahl 08.17.2023

LogLicker On GitHub: https://github.com/Permiso-io-tools/LogLicker Introduction Logs play a crucial role in monitoring and analyzing system activity, but handling sensitive information within...

Agile Approach to mass cloud credential harvesting and crypto mining sprints ahead

Abian Morina

Agile Approach to mass cloud credential harvesting and crypto mining sprints ahead

Abian Morina 07.16.2023

Summary Developers are not the only people who have adopted the agile methodology for their development processes. From 2023-06-15 to 2023-07-11, Permiso Security’s p0 Labs team identified and...

Cloud Detection and Response Survey Report 2023

Jared Elder

Cloud Detection and Response Survey Report 2023

Jared Elder 06.22.2023

In the first few years of Permiso’s journey as a cloud security startup, before raising venture capital and coming out of stealth mode in early 2022, the team spoke to 150-200 security and...

Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor

Ian Ahl

Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor

Ian Ahl 05.22.2023

Summary (the TL;DR) Permiso’s p0 Labs has been tracking a threat actor for the last 18 months. In this article we will describe the attack lifecycle and detection opportunities for the cloud-focused,...

New Phone, Who Dis? How Cloud Environments Are Exploited for Smishing Campaigns

Nathan Eades

New Phone, Who Dis? How Cloud Environments Are Exploited for Smishing Campaigns

Nathan Eades 04.14.2023

Commodity threat actors have recently begun to exploit cloud environments for smishing campaigns, employing techniques strikingly similar to those used in SES enumeration and abuse, as we've...

Legion: The Latest Threat in Mass Spam Attacks

Ian Ahl

Legion: The Latest Threat in Mass Spam Attacks

Ian Ahl 04.13.2023

Summary As the old proverb says, “Great minds think alike”. Many people may not know or remember the second half of that proverb, “Fools seldom differ.” Both sides of these adages are very well...

Permiso extends cloud threat detection and response capabilities with the addition of support for Azure, Azure AD, and Microsoft 365

Jason Martin

Permiso extends cloud threat detection and response capabilities with the addition of support for Azure, Azure AD, and Microsoft 365

Jason Martin 03.13.2023

Permiso is thrilled to announce our latest release, which includes support for Azure, Azure AD, and Microsoft 365. This release extends our powerful cloud detection and response capabilities by...

Our Approach to Detection: AndroxGh0st and GreenBot Edition

Ian Ahl

Our Approach to Detection: AndroxGh0st and GreenBot Edition

Ian Ahl 02.23.2023

Introduction The Permiso p0 Labs team has one core focus: know everything we can about cloud attacks, and make that knowledge actionable to our customers via detections in our CDR product. When we...

How Using Deprecated Policies Creates Overprivileged Permissions - AmazonEC2RoleforSSM vs AmazonSSMManagedInstanceCore

Bleon Proko

How Using Deprecated Policies Creates Overprivileged Permissions - AmazonEC2RoleforSSM vs AmazonSSMManagedInstanceCore

Bleon Proko 02.15.2023

Managed policies help AWS users simplify the way permissions are assigned. Periodically, AWS will add new permissions to active policies, which offer a new set of permissions to users. Because these...

Permiso 2022 - End of Year Observations

Ian Ahl

Press, Research

Permiso 2022 - End of Year Observations

Ian Ahl 02.06.2023

In 2022, Permiso's Cloud Detection & Response platform detected a multitude of different security events across client cloud infrastructure environments. In all cases, the detected suspicious and...

Gather Round the Watering Hole, We have a story to tell

Ian Ahl

Gather Round the Watering Hole, We have a story to tell

Ian Ahl 01.31.2023

Summary Watering hole attacks are an often underrated technique. On January 29th, 2023 Chris Farris reported to members of the “Cloud Security Forum” slack channel that he saw a google ad delivering...

SES-pionage

Nathan Eades

SES-pionage

Nathan Eades 01.12.2023

Exposed and stolen long lived keys are often the source of incidents we identify in our client’s cloud environments. Detecting the abuse of these keys is an area we focus a lot of effort in. After...

Cloud Cred Harvesting Campaign - Grinch Edition

Ian Ahl

Cloud Cred Harvesting Campaign - Grinch Edition

Ian Ahl 12.29.2022

Summary Attacks during the holidays are more reliable than Santa eating cookies. On December 28, 2022, Permiso Security’s p0 Labs team identified a credential harvesting campaign targeting cloud...

AWS Enhancements to UpdateLoginProfile and CreateLoginProfile logging

Nathan Eades

AWS Enhancements to UpdateLoginProfile and CreateLoginProfile logging

Nathan Eades 10.25.2022

Introduction While working on detection content for our clients, we often come across situations where logging from cloud providers and identity providers does not contain the level of detail needed....

Password spray enters the Okta-gon

Ian Ahl

Password spray enters the Okta-gon

Ian Ahl 09.16.2022

Identity Providers (IDPs), like Okta have always been a juicy target for threat actors of all skill levels. Attackers often still find success with low sophistication techniques like password...

You down with IDP? Impersonate me!

Ian Ahl

You down with IDP? Impersonate me!

Ian Ahl 08.29.2022

Summary Permiso Security and ACV Auctions, while collaborating on cloud detection efforts, discovered an impersonation technique in Okta application user assignments. Based on “in the wild”...

Achieving SOC 2 Type 1 Certification - Helping companies feel more secure about Permiso while we help them secure their public cloud

Jason Martin

Achieving SOC 2 Type 1 Certification - Helping companies feel more secure about Permiso while we help them secure their public cloud

Jason Martin 08.15.2022

We're excited to announce that Permiso is now SOC 2 Type I certified. This certification signifies that an independent third-party auditor has validated the design of our security program controls...

Permiso Alerts Module v1 Launched

Ian Ahl & Jason Martin

Permiso Alerts Module v1 Launched

Ian Ahl & Jason Martin 07.20.2022

We are very excited to announce a major release to our Permiso Alerts Module. This release currently includes dozens of unique cloud detection rules born from the front lines experience of our P0...

P0 Labs: Helping stay ahead of cloud adversaries

Ian Ahl

Press, Research

P0 Labs: Helping stay ahead of cloud adversaries

Ian Ahl 06.21.2022

As organizations continue to accelerate the shift to cloud, adversaries are following. Over the past ten (10) years I have had the opportunity to lead some of the largest and most impactful public...

Anatomy of an Attack: Exposed keys to Crypto Mining

Ian Ahl

Anatomy of an Attack: Exposed keys to Crypto Mining

Ian Ahl 06.20.2022

At Permiso, we find that the majority of incidents we discover or respond to, start with exposed access keys. Attackers leverage these keys to gain access, then setup a mechanism to establish...

Cloud vendor supply chain risk - Forecast: Foggy with a chance of thunderstorms

Ian Ahl

Cloud vendor supply chain risk - Forecast: Foggy with a chance of thunderstorms

Ian Ahl 05.05.2022

Attackers are increasingly taking advantage of trusted vendor relationships to perform software and service based supply chain attacks. As cloud adoption continues to grow, we will see sophisticated...

Permiso weighs in on CrowdStrike's LemonDuck malware finding

Ian Ahl

Permiso weighs in on CrowdStrike's LemonDuck malware finding

Ian Ahl 05.03.2022

On April 22, Permiso provided their perspective of CrowdStrike’s recent publication on LemonDuck malware shifting targeting to container and cloud technologies in the CSO Online article “Cryptomining...

Former FireEye Executives Emerge from Stealth with $10M Seed Round to Tackle Cloud Detection and Response

Paul Nguyen

Former FireEye Executives Emerge from Stealth with $10M Seed Round to Tackle Cloud Detection and Response

Paul Nguyen 01.18.2022

PALO ALTO, CA – January 18, 2022 – Permiso.io, a Palo Alto-based startup that provides the first of its kind in cloud identity detection and response for cloud infrastructures, today announced a $10...