On today’s #dogWalkingThread, let’s talk about the recently disclosed abuse of SAML by attackers to “bypass” MFA.

For those not familiar with the concept, SAML allows the separation of identity providers (IDP) and service providers (SP). Why the separation? 1/
Suppose you want to access a service, and the service needs to authenticate you, but you really don’t want the service ever having your credentials (EVER). As long as the SP trusts the IDP, this is no problem. You authenticate with the IDP and the IDP tells the SP “trust them” 2/
Let’s consider passports as an analogue. I’ve traveled to many countries I wouldn’t want to have all my identity data, but the State Department serves as my identity provider. Because the country I’m entering trusts the US State Department, the passport is enough. 3/
How does immigration know the passport is legitimate? The anti-forgery tech like watermarks, holograms, etc. ensure it’s legit (forget e-passports for a minute, nuance will break the analogy). So long as these features are present, the passport is trusted to validate identity. 4/
The passport application process is very analogous to multi-factor authentication. You must provide a photo, information, and a county-certified birth certificate. The State Department trusts the county seals. The birth certificate is the second factor here. 5/
And yet you never provide the birth certificate to immigration. They trust that your IDP (State Department) validated this.

Back to reality, the service provider (SP) constructs a SAML request to the IDP. The IDP validates that you have authenticated successfully. 6/
The SP generally doesn’t care what the IDP has validated - password, palm print, retina scan, or forehead temp. And it doesn’t matter to the SP whether these things were really verified, only that the IDP *says* it did. Now how does the SP know the IDP’s assertion is legit? 7/
The IDP signs the assertion (SAML uses XML) with a private key and the SP has a corresponding public key that validates that trust.

Here’s the rub: the whole system relies on the private key remaining private. If an attacker compromises the IDP and takes the key, game over. 8/
When you hear “ZOMG they bypassed MFA” this is what is meant in this case. The attackers compromised the IDP and took the private key. Now they can sign their own assertions, claiming they completed the MFA challenge without actually doing so. 9/
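To make the trust relationship in tweets 7 through 9 concrete, here is an added example (not code from the thread, and deliberately simplified: a real SAML assertion is XML signed with XML-DSig, not a pipe-joined string). The assumed `Assertion` fields, the `Sign`/`Verify` helpers and the `example.test` names are constructed for illustration. It shows the three things the thread relies on: the SP accepts whatever authentication context a validly signed assertion claims, an assertion altered without the key fails verification, and rotating the IDP signing key is what invalidates anything signed with a compromised key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Assertion is a deliberately simplified stand-in for the fields of a SAML
// assertion that matter here (constructed for this example; real SAML is XML
// signed with XML-DSig over the canonicalised assertion element).
type Assertion struct {
	Subject      string // who the IDP says authenticated
	Audience     string // which SP the assertion is addressed to
	AuthnContext string // what the IDP claims it verified, e.g. "password" or "mfa"
	Signature    []byte // produced with the IDP's private key
}

// canonical returns the bytes covered by the signature.
func (a Assertion) canonical() []byte {
	return []byte(strings.Join([]string{a.Subject, a.Audience, a.AuthnContext}, "|"))
}

// Sign is the IDP side: hash the assertion and sign it with the private key.
func Sign(priv *rsa.PrivateKey, a Assertion) (Assertion, error) {
	digest := sha256.Sum256(a.canonical())
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return a, err
	}
	a.Signature = sig
	return a, nil
}

// Verify is the SP side: check the audience and the signature with the IDP's
// public key. Nothing here checks *how* the user authenticated; the SP takes
// the AuthnContext on trust because the signature is valid.
func Verify(pub *rsa.PublicKey, expectedAudience string, a Assertion) bool {
	if a.Audience != expectedAudience {
		return false
	}
	digest := sha256.Sum256(a.canonical())
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], a.Signature) == nil
}

// Demo walks through the trust relationship and returns three results:
//   genuine:       an assertion signed by the IDP verifies at the SP
//   tampered:      the same assertion with AuthnContext edited after signing (no key) does not
//   afterRotation: once the IDP rotates its key, assertions signed with the old key are rejected
func Demo() (genuine, tampered, afterRotation bool, err error) {
	const sp = "https://sp.example.test" // assumed SP entity ID
	idpKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	signed, err := Sign(idpKey, Assertion{Subject: "alice@example.test", Audience: sp, AuthnContext: "password"})
	if err != nil {
		return
	}
	genuine = Verify(&idpKey.PublicKey, sp, signed)

	edited := signed
	edited.AuthnContext = "mfa" // claim MFA without re-signing: the digest no longer matches
	tampered = Verify(&idpKey.PublicKey, sp, edited)

	rotatedKey, err := rsa.GenerateKey(rand.Reader, 2048) // remediation step: new IDP signing key
	if err != nil {
		return
	}
	afterRotation = Verify(&rotatedKey.PublicKey, sp, signed)
	return
}

func main() {
	g, t, r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v afterRotation=%v\n", g, t, r)
}
```

The point of the rotation step is the defender's takeaway: once the private key is suspected stolen, nothing the SP can check distinguishes an IDP-issued assertion from one signed with the stolen copy, so the SP's trust anchor (the public key it holds) has to change.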
Back to our passport analogue. Suppose a criminal steals boxes of actual blank passport books and the machine(s) used to create real passports. At this point the attacker can create fake passports. But are they really fake? Only in that they weren’t issued by the State Dept. 10/
From the perspective of foreign immigration, they are legit in every way that matters. Our analogy breaks down when the SP (immigration) calls the State Department (IDP) and asks “did you issue this?” No big deal though, because that’s not how SAML works. 11/
So how do you, the victim, detect this in the real world? You generally need logs from the IDP *and* the SP. Generally speaking, you are looking for resource usage at the SP for which there is no corresponding assertion signed at the IDP. This sounds easy. It is not. 12/
Most intrusion analysis involves looking for something in the logs, but this is looking for something that ISN’T in the logs.
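The correlation described in tweet 12 (SP usage with no matching IDP assertion) as an added example, not code or data from the thread. The two log formats and the sample lines are constructed; the assumption that matters is that both the IDP audit log and the SP log record the SAML assertion ID, which is the join key. The example flags SP accepts whose assertion ID the IDP never issued, or issued for a different subject.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample logs. The "<time> <action> k=v ..." layout is an
// assumption for this example; real IDP and SP products log differently.
const SampleIDPLog = `2020-12-24T01:00:05Z issued id=_a1 subject=alice@corp.test audience=https://mail.corp.test
2020-12-24T01:02:11Z issued id=_a2 subject=bob@corp.test audience=https://mail.corp.test
2020-12-24T01:05:40Z issued id=_a3 subject=alice@corp.test audience=https://files.corp.test`

const SampleSPLog = `2020-12-24T01:00:07Z accept id=_a1 subject=alice@corp.test resource=/inbox
2020-12-24T01:02:13Z accept id=_a2 subject=bob@corp.test resource=/inbox
2020-12-24T01:09:30Z accept id=_ffff subject=admin@corp.test resource=/admin/export
2020-12-24T01:11:02Z accept id=_a1 subject=alice@corp.test resource=/sent`

// Event is one parsed log line.
type Event struct {
	Time   string
	Action string
	Fields map[string]string // key=value pairs after the action
}

// parse turns log lines into events, skipping blanks and lines that do not
// fit the assumed layout.
func parse(log string) []Event {
	var events []Event
	for _, line := range strings.Split(log, "\n") {
		toks := strings.Fields(line)
		if len(toks) < 3 {
			continue
		}
		e := Event{Time: toks[0], Action: toks[1], Fields: map[string]string{}}
		for _, kv := range toks[2:] {
			parts := strings.SplitN(kv, "=", 2)
			if len(parts) == 2 {
				e.Fields[parts[0]] = parts[1]
			}
		}
		events = append(events, e)
	}
	return events
}

// Orphans returns SP accept events with no matching IDP issuance: the
// assertion ID was never issued by the IDP, or was issued for a different
// subject. Repeated use of a genuine ID by the same subject is not flagged
// (normal session continuation); replay detection is a separate control.
func Orphans(idpLog, spLog string) []Event {
	issued := map[string]Event{}
	for _, e := range parse(idpLog) {
		if e.Action == "issued" {
			issued[e.Fields["id"]] = e
		}
	}
	var out []Event
	for _, e := range parse(spLog) {
		if e.Action != "accept" {
			continue
		}
		iss, ok := issued[e.Fields["id"]]
		if !ok || iss.Fields["subject"] != e.Fields["subject"] {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	for _, e := range Orphans(SampleIDPLog, SampleSPLog) {
		fmt.Printf("%s SP accepted assertion %s for %s with no IDP issuance (resource %s)\n",
			e.Time, e.Fields["id"], e.Fields["subject"], e.Fields["resource"])
	}
}
```

Two caveats the thread's "It is not [easy]" hints at: this only works if the IDP audit log is complete and was outside the attacker's reach (an attacker who held the IDP long enough to take the key may also have been able to alter or purge its logs), and if SP logs actually retain the assertion ID rather than only a session identifier. Forwarding both logs to a separate store the IDP admin account cannot modify is what makes the absence of an entry meaningful.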

Once the attacker has stolen the signing private key from the IDP, the attacker need not have any persistence on the IDP; in fact, that’s a liability. 13/
The whole reason to steal the private key from the IDP to sign your own SAML assertions is to remove the need to retain access to the IDP.

This thread brought to you by best boi Cypher. Not as good tonight, but good enough to get this out. /FIN

Thread by Jake Williams (@MalwareJake).