Cloud security company has been researching and detecting attacks against the identity provider control plane for last several years and built over a hundred detections and signals based on known TTPs from advanced threat actor groups

PALO ALTO, Calif. – December 7, 2023 – Permiso, an identity threat detection and response startup, is offering complimentary, private threat briefings with the P0 Labs team on attacks against the identity provider (IdP) control plane, a common attack vector by multiple threat groups over the last few months. Attacks against identity providers have been responsible for breaching environments in several high-profile attacks over the last months including MGM and Caesars back in September.

"An identity-first security strategy is paramount to defending against modern threat actors. P0 labs is at the forefront of understanding these attacks by making identity a pillar in their research. Identity is as close to a silver bullet as it gets in the cloud. If you get it wrong, you face significant risks and challenges in securing your enterprise effectively," said Jason Chan, former Head of Security at Netflix.

The free briefings, conducted by Ian Ahl, SVP of P0 Labs and former Head of Advanced Practices at Mandiant, and his team will demonstrate what typical cloud attacks against the identity provider's control plane look like, and provide hunting tips on what to look for in an environment to develop effective detections. The team will also offer strategies for securely configuring the identity layer of a cloud environment in order to better defend against common attacks against identity providers like Okta and Entra ID (formerly Azure AD).

“Threat actor groups have been very successful at bypassing identity providers. They strategically target admin level identities and are able to compromise credentials and bypass MFA with ease. The convenience of centralized authentication has proven to be a significant security risk to many organizations because they simply aren't monitoring the control plane of their identity provider. Security teams are starting to realize that the native security features of these IdPs are not nearly enough to secure their identities in the cloud. The P0 Labs team has been researching and responding to attacks against the IdP control plane for a while now and it's generated more than a hundred detections and signals for our product. As we have in the past, we want to share this with the broader security community,” said Permiso Co-founder and Co-CEO Paul Nguyen.

In July of last year, the P0 labs team discovered an impersonation technique in Okta whereby when an Okta Administrator changes their or another’s username assignment to another existing user, an unexpected impersonation event can occur that allows the impersonator to authenticate and assume the permissions of the impersonated user in the target application. Permiso disclosed their findings to Okta and were told that this is expected behavior for the edit user assignments functionality.

Back in October, Okta notified its users of a breach to their customer support system. At the time, the company reported that 1% of their 18,400 customers were impacted by the incident. After further investigation, the company issued another statement last week claiming they had discovered that in fact, all of its customers had data stolen during the course of the breach. Okta isn't the only identity provider that has been impacted by these attacks. In July of 2023, both JumpCloud and Azure AD were the targets of nation state threat actors. North Korean state sponsored threat groups breached JumpCloud where the attack reportedly impacted a handful of customers. Threat actors from the Chinese government were able to access email accounts of 25 organizations including the US Department of State and Commerce when Azure AD was breached at the same time earlier this year.

Crowdstrike has reported that 80% of breaches used compromised identities, of which 62% of interactive intrusions involve the abuse of valid accounts, with 34% of intrusions specifically involved with the use of domain accounts or default accounts. The continued focus on identity related attacks is also coupled with a 160% increase in attempts to gather secret keys and other credentials. The report also noted a 147% increase in access broker advertisements for credentials for purchase in criminal or underground communities, demonstrating how valued these credentials are to threat actors that leverage them to complete their mission in the shortest amount of time possible.

Earlier this year, Permiso released their Cloud Detection and Response Survey Report , where they found that more than 80% of respondents expressed confidence that their current team and tools would be able to prevent a threat actor from being able to breach their environment. 95% of the respondents, however, expressed concern with their ability to detect a threat actor in the event that they were able to gain access to their environment. 55% of those expressed their concern as ‘very concerned’ and ‘extremely concerned.’

To schedule a free threat briefing for your organization, you can go to permiso.io/idp to get started.

About Permiso

Permiso is an identity threat detection company that finds evil in cloud environments. Permiso creates session constructs for the identities across cloud and SaaS applications to break down visibility boundaries and understand user behavior and intent across your environment. These session constructs are developed by stitching together activity across cloud applications, services, and providers to create an immutable ledger of activity in an environment. Permiso creates a unified identity across authentication boundaries and presents this as a forensically sound access chain. By tying all activity back to a singular identity, Permiso is able to detect access anomalies, behavioral anomalies, or specific activities associated with compromised credentials. For more information, please visit our website or find us on Twitter and LinkedIn.