Latest research, product updates and best practices on staying secure in the cloud | Permiso

All Categories

LUCR-3: Scattered Spider Getting SaaS-y in the Cloud

Ian Ahl

Featured, Featured Research, Research

LUCR-3: Scattered Spider Getting SaaS-y in the Cloud

Ian Ahl 09.20.2023

Summary LUCR-3 overlaps with groups such as Scattered Spider, Oktapus, UNC3944, and STORM-0875 and is a financially motivated attacker that leverages the Identity Provider (IDP) as initial access...

Cloud Detection and Response Needs To Break Down Boundaries

Jared Elder

Cloud Detection and Response Needs To Break Down Boundaries

Jared Elder 08.31.2023

For the past several years, the security and engineering community have repeatedly heard the adage that "identity is the new perimeter." While identity has long been a pillar to managing security...

Intern Showcase: Anonymizing Logs Made Easy with LogLicker

Corey Ahl

Intern Showcase: Anonymizing Logs Made Easy with LogLicker

Corey Ahl 08.17.2023

LogLicker On GitHub: https://github.com/Permiso-io-tools/LogLicker Introduction Logs play a crucial role in monitoring and analyzing system activity, but handling sensitive information within...

Agile Approach to mass cloud credential harvesting and crypto mining sprints ahead

Abian Morina

Agile Approach to mass cloud credential harvesting and crypto mining sprints ahead

Abian Morina 07.16.2023

Summary Developers are not the only people who have adopted the agile methodology for their development processes. From 2023-06-15 to 2023-07-11, Permiso Security’s p0 Labs team identified and...

Cloud Detection and Response Survey Report 2023

Jared Elder

Cloud Detection and Response Survey Report 2023

Jared Elder 06.22.2023

In the first few years of Permiso’s journey as a cloud security startup, before raising venture capital and coming out of stealth mode in early 2022, the team spoke to 150-200 security and...

Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor

Ian Ahl

Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor

Ian Ahl 05.22.2023

Summary (the TL;DR) Permiso’s p0 Labs has been tracking a threat actor for the last 18 months. In this article we will describe the attack lifecycle and detection opportunities for the cloud-focused,...

New Phone, Who Dis? How Cloud Environments Are Exploited for Smishing Campaigns

Nathan Eades

New Phone, Who Dis? How Cloud Environments Are Exploited for Smishing Campaigns

Nathan Eades 04.14.2023

Commodity threat actors have recently begun to exploit cloud environments for smishing campaigns, employing techniques strikingly similar to those used in SES enumeration and abuse, as we've...

Legion: The Latest Threat in Mass Spam Attacks

Ian Ahl

Legion: The Latest Threat in Mass Spam Attacks

Ian Ahl 04.13.2023

Summary As the old proverb says, “Great minds think alike”. Many people may not know or remember the second half of that proverb, “Fools seldom differ.” Both sides of these adages are very well...

Permiso extends cloud threat detection and response capabilities with the addition of support for Azure, Azure AD, and Microsoft 365

Jason Martin

Permiso extends cloud threat detection and response capabilities with the addition of support for Azure, Azure AD, and Microsoft 365

Jason Martin 03.13.2023

Permiso is thrilled to announce our latest release, which includes support for Azure, Azure AD, and Microsoft 365. This release extends our powerful cloud detection and response capabilities by...

Our Approach to Detection: AndroxGh0st and GreenBot Edition

Ian Ahl

Our Approach to Detection: AndroxGh0st and GreenBot Edition

Ian Ahl 02.23.2023

Introduction The Permiso p0 Labs team has one core focus: know everything we can about cloud attacks, and make that knowledge actionable to our customers via detections in our CDR product. When we...

How Using Deprecated Policies Creates Overprivileged Permissions - AmazonEC2RoleforSSM vs AmazonSSMManagedInstanceCore

Bleon Proko

How Using Deprecated Policies Creates Overprivileged Permissions - AmazonEC2RoleforSSM vs AmazonSSMManagedInstanceCore

Bleon Proko 02.15.2023

Managed policies help AWS users simplify the way permissions are assigned. Periodically, AWS will add new permissions to active policies, which offer a new set of permissions to users. Because these...

Permiso 2022 - End of Year Observations

Ian Ahl

Press, Research

Permiso 2022 - End of Year Observations

Ian Ahl 02.06.2023

In 2022, Permiso's Cloud Detection & Response platform detected a multitude of different security events across client cloud infrastructure environments. In all cases, the detected suspicious and...

Gather Round the Watering Hole, We have a story to tell

Ian Ahl

Gather Round the Watering Hole, We have a story to tell

Ian Ahl 01.31.2023

Summary Watering hole attacks are an often underrated technique. On January 29th, 2023 Chris Farris reported to members of the “Cloud Security Forum” slack channel that he saw a google ad delivering...

SES-pionage

Nathan Eades

SES-pionage

Nathan Eades 01.12.2023

Exposed and stolen long lived keys are often the source of incidents we identify in our client’s cloud environments. Detecting the abuse of these keys is an area we focus a lot of effort in. After...

Cloud Cred Harvesting Campaign - Grinch Edition

Ian Ahl

Cloud Cred Harvesting Campaign - Grinch Edition

Ian Ahl 12.29.2022

Summary Attacks during the holidays are more reliable than Santa eating cookies. On December 28, 2022, Permiso Security’s p0 Labs team identified a credential harvesting campaign targeting cloud...

AWS Enhancements to UpdateLoginProfile and CreateLoginProfile logging

Nathan Eades

AWS Enhancements to UpdateLoginProfile and CreateLoginProfile logging

Nathan Eades 10.25.2022

Introduction While working on detection content for our clients, we often come across situations where logging from cloud providers and identity providers does not contain the level of detail needed....

Password spray enters the Okta-gon

Ian Ahl

Password spray enters the Okta-gon

Ian Ahl 09.16.2022

Identity Providers (IDPs), like Okta have always been a juicy target for threat actors of all skill levels. Attackers often still find success with low sophistication techniques like password...

You down with IDP? Impersonate me!

Ian Ahl

You down with IDP? Impersonate me!

Ian Ahl 08.29.2022

Summary Permiso Security and ACV Auctions, while collaborating on cloud detection efforts, discovered an impersonation technique in Okta application user assignments. Based on “in the wild”...

Achieving SOC 2 Type 1 Certification - Helping companies feel more secure about Permiso while we help them secure their public cloud

Jason Martin

Achieving SOC 2 Type 1 Certification - Helping companies feel more secure about Permiso while we help them secure their public cloud

Jason Martin 08.15.2022

We're excited to announce that Permiso is now SOC 2 Type I certified. This certification signifies that an independent third-party auditor has validated the design of our security program controls...

Permiso Alerts Module v1 Launched

Ian Ahl & Jason Martin

Permiso Alerts Module v1 Launched

Ian Ahl & Jason Martin 07.20.2022

We are very excited to announce a major release to our Permiso Alerts Module. This release currently includes dozens of unique cloud detection rules born from the front lines experience of our P0...

P0 Labs: Helping stay ahead of cloud adversaries

Ian Ahl

Press, Research

P0 Labs: Helping stay ahead of cloud adversaries

Ian Ahl 06.21.2022

As organizations continue to accelerate the shift to cloud, adversaries are following. Over the past ten (10) years I have had the opportunity to lead some of the largest and most impactful public...

Anatomy of an Attack: Exposed keys to Crypto Mining

Ian Ahl

Anatomy of an Attack: Exposed keys to Crypto Mining

Ian Ahl 06.20.2022

At Permiso, we find that the majority of incidents we discover or respond to, start with exposed access keys. Attackers leverage these keys to gain access, then setup a mechanism to establish...

Cloud vendor supply chain risk - Forecast: Foggy with a chance of thunderstorms

Ian Ahl

Cloud vendor supply chain risk - Forecast: Foggy with a chance of thunderstorms

Ian Ahl 05.05.2022

Attackers are increasingly taking advantage of trusted vendor relationships to perform software and service based supply chain attacks. As cloud adoption continues to grow, we will see sophisticated...

Permiso weighs in on CrowdStrike's LemonDuck malware finding

Ian Ahl

Permiso weighs in on CrowdStrike's LemonDuck malware finding

Ian Ahl 05.03.2022

On April 22, Permiso provided their perspective of CrowdStrike’s recent publication on LemonDuck malware shifting targeting to container and cloud technologies in the CSO Online article “Cryptomining...

Former FireEye Executives Emerge from Stealth with $10M Seed Round to Tackle Cloud Detection and Response

Paul Nguyen

Former FireEye Executives Emerge from Stealth with $10M Seed Round to Tackle Cloud Detection and Response

Paul Nguyen 01.18.2022

PALO ALTO, CA – January 18, 2022 – Permiso.io, a Palo Alto-based startup that provides the first of its kind in cloud identity detection and response for cloud infrastructures, today announced a $10...