Announcing YetiHunter: An open-source tool to detect and hunt for suspicious activity in Snowflake

Illustration Cloud

Permiso Offers Complimentary Cloud Identity Threat Briefings in Wake of Okta Breaches

Cloud security company has been researching and detecting attacks against the identity provider control plane for last several years and built over a hundred detections and signals based on known TTPs from advanced threat actor groups

PALO ALTO, Calif. – December 7, 2023 – Permiso, an identity threat detection and response startup, is offering complimentary, private threat briefings with the P0 Labs team on attacks against the identity provider (IdP) control plane, a common attack vector by multiple threat groups over the last few months. Attacks against identity providers have been responsible for breaching environments in several high-profile attacks over the last months including MGM and Caesars back in September.

"An identity-first security strategy is paramount to defending against modern threat actors. P0 labs is at the forefront of understanding these attacks by making identity a pillar in their research. Identity is as close to a silver bullet as it gets in the cloud. If you get it wrong, you face significant risks and challenges in securing your enterprise effectively," said Jason Chan, former Head of Security at Netflix.

The free briefings, conducted by Ian Ahl, SVP of P0 Labs and former Head of Advanced Practices at Mandiant, and his team will demonstrate what typical cloud attacks against the identity provider's control plane look like, and provide hunting tips on what to look for in an environment to develop effective detections. The team will also offer strategies for securely configuring the identity layer of a cloud environment in order to better defend against common attacks against identity providers like Okta and Entra ID (formerly Azure AD).

“Threat actor groups have been very successful at bypassing identity providers. They strategically target admin level identities and are able to compromise credentials and bypass MFA with ease. The convenience of centralized authentication has proven to be a significant security risk to many organizations because they simply aren't monitoring the control plane of their identity provider. Security teams are starting to realize that the native security features of these IdPs are not nearly enough to secure their identities in the cloud. The P0 Labs team has been researching and responding to attacks against the IdP control plane for a while now and it's generated more than a hundred detections and signals for our product. As we have in the past, we want to share this with the broader security community,” said Permiso Co-founder and Co-CEO Paul Nguyen.

In July of last year, the P0 labs team discovered an impersonation technique in Okta whereby when an Okta Administrator changes their or another’s username assignment to another existing user, an unexpected impersonation event can occur that allows the impersonator to authenticate and assume the permissions of the impersonated user in the target application. Permiso disclosed their findings to Okta and were told that this is expected behavior for the edit user assignments functionality.

Back in October, Okta notified its users of a breach to their customer support system. At the time, the company reported that 1% of their 18,400 customers were impacted by the incident. After further investigation, the company issued another statement last week claiming they had discovered that in fact, all of its customers had data stolen during the course of the breach. Okta isn't the only identity provider that has been impacted by these attacks. In July of 2023, both JumpCloud and Azure AD were the targets of nation state threat actors. North Korean state sponsored threat groups breached JumpCloud where the attack reportedly impacted a handful of customers. Threat actors from the Chinese government were able to access email accounts of 25 organizations including the US Department of State and Commerce when Azure AD was breached at the same time earlier this year.

Crowdstrike has reported that 80% of breaches used compromised identities, of which 62% of interactive intrusions involve the abuse of valid accounts, with 34% of intrusions specifically involved with the use of domain accounts or default accounts. The continued focus on identity related attacks is also coupled with a 160% increase in attempts to gather secret keys and other credentials. The report also noted a 147% increase in access broker advertisements for credentials for purchase in criminal or underground communities, demonstrating how valued these credentials are to threat actors that leverage them to complete their mission in the shortest amount of time possible.

Earlier this year, Permiso released their Cloud Detection and Response Survey Report , where they found that more than 80% of respondents expressed confidence that their current team and tools would be able to prevent a threat actor from being able to breach their environment. 95% of the respondents, however, expressed concern with their ability to detect a threat actor in the event that they were able to gain access to their environment. 55% of those expressed their concern as ‘very concerned’ and ‘extremely concerned.’

To schedule a free threat briefing for your organization, you can go to to get started.

About Permiso

Permiso is an identity threat detection company that finds evil in cloud environments. Permiso creates session constructs for the identities across cloud and SaaS applications to break down visibility boundaries and understand user behavior and intent across your environment. These session constructs are developed by stitching together activity across cloud applications, services, and providers to create an immutable ledger of activity in an environment. Permiso creates a unified identity across authentication boundaries and presents this as a forensically sound access chain. By tying all activity back to a singular identity, Permiso is able to detect access anomalies, behavioral anomalies, or specific activities associated with compromised credentials. For more information, please visit our website or find us on Twitter and LinkedIn.


Illustration Cloud

Related Articles

Permiso Launches Cloud Console Cartographer to Help Security Teams Make Sense of Console Activity in Cloud Logs

The open-source tool helps security teams easily transcribe log activity generated from events of AWS console sessions

Permiso Raises $18.5M Series A To Unify Threat Detection and Response In The Cloud

Permiso’s product offers a deep library of detection signals from known TTPs of modern threat actors and spans coverage across the cloud’s attack surface to detect threats in the cloud more quickly than ever

Permiso Launches CloudGrappler To Help Security Teams Better Detect Threat Actors In Their Cloud Environments

Free open source tool detects activity in cloud environments related to well-known threat actors such as LUCR-3 (Scattered Spider), the group responsible for MGM and Caesars breaches last September

View more posts