
Hunting the Bad Guys Behind Golden SAML Attacks

Yonatan Khanashvili of Hunters on Using Cross-Correlation to Detect Complex Attacks
Yonatan Khanashvili, senior research lead, Hunters

Golden SAML attacks are a big deal. The SolarWinds attackers used forged Security Assertion Markup Language tokens to gain access to networks. When CyberArk discovered the attack vector in 2017, the company said, "In a golden SAML attack, attackers can gain access to any application that supports SAML authentication (e.g. Azure, AWS, vSphere, etc.) with any privileges they desire and be any user on the targeted application (even one that is non-existent in the application in some cases)."

Yonatan Khanashvili, senior lead researcher at Israeli cybersecurity company Hunters, says Golden SAML is "a unique attack and technique" that few people except major security experts are even aware of. Hunters has done research on the attacks, he says, and determined that using "cross-correlation detection" is the key to "reliably detect and provide more context" about them.

In this episode of "Cybersecurity Unplugged," Khanashvili discusses:

  • How Active Directory Federation Service, or AD FS, works with a service provider to share and authenticate digital identity via SAML tokens;
  • How SAML tokens can be forged in a Golden SAML attack;
  • How cross-correlating information obtained from single-service security products can give you "reliable detection logic" to detect such attacks.
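The third bullet is the core of the detection idea: a forged SAML token is minted offline with a stolen AD FS token-signing key, so the service provider accepts it even though AD FS itself never logged an issuance. The following is an added example, not code from the episode or from Hunters, showing one way to cross-correlate the identity-provider log (AD FS token-issuance audit events) with the service-provider log (federated sign-ins). The log records, user list and field names are constructed for illustration; real AD FS audit events and cloud sign-in logs have different schemas.

```python
from datetime import datetime, timedelta

# Constructed sample: AD FS token-issuance audit records (identity-provider side).
# In practice these would come from AD FS security auditing (token-issued events).
ADFS_ISSUANCE = [
    {"time": "2024-05-01T09:00:05", "user": "alice@corp.example",
     "relying_party": "urn:federation:MicrosoftOnline", "client_ip": "10.1.2.3"},
    {"time": "2024-05-01T09:30:00", "user": "bob@corp.example",
     "relying_party": "urn:federation:MicrosoftOnline", "client_ip": "10.1.2.4"},
]

# Constructed sample: service-provider sign-ins. "federated" means the SP accepted
# a SAML assertion; "password" means the SP authenticated the user itself.
SP_SIGNINS = [
    {"time": "2024-05-01T09:00:09", "user": "alice@corp.example",
     "auth": "federated", "client_ip": "10.1.2.3"},
    # Federated sign-in for bob with no AD FS issuance in the preceding window.
    {"time": "2024-05-01T11:15:42", "user": "bob@corp.example",
     "auth": "federated", "client_ip": "203.0.113.7"},
    # Federated sign-in for an account the directory does not know at all.
    {"time": "2024-05-01T12:00:00", "user": "svc-backup@corp.example",
     "auth": "federated", "client_ip": "203.0.113.7"},
    # Non-federated sign-in: out of scope for this correlation.
    {"time": "2024-05-01T12:30:00", "user": "carol@corp.example",
     "auth": "password", "client_ip": "10.1.2.9"},
]

# Constructed directory snapshot used to spot sign-ins for non-existent users.
KNOWN_USERS = {"alice@corp.example", "bob@corp.example", "carol@corp.example"}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def correlate(issuance, signins, known_users, window=timedelta(minutes=5)):
    """Return one finding per federated sign-in that cannot be explained by the
    identity provider's own records.

    A finding is a (user, sign-in time, reason) tuple. `window` is how far back
    from the sign-in an AD FS issuance for the same user is accepted as the
    explanation; it must cover clock skew plus the SAML assertion lifetime.
    """
    findings = []
    for signin in signins:
        if signin["auth"] != "federated":
            continue  # only SAML-authenticated sessions need an issuer-side record
        when = _ts(signin["time"])
        user = signin["user"]

        if user not in known_users:
            findings.append((user, signin["time"],
                             "federated sign-in for a user unknown to the directory"))
            continue

        explained = any(
            event["user"] == user and when - window <= _ts(event["time"]) <= when
            for event in issuance
        )
        if not explained:
            findings.append((user, signin["time"],
                             "no AD FS token issuance within window before sign-in"))
    return findings


if __name__ == "__main__":
    for user, when, reason in correlate(ADFS_ISSUANCE, SP_SIGNINS, KNOWN_USERS):
        print(f"{when} {user}: {reason}")
```

Two practical caveats when running this against real logs: a gap in AD FS log collection looks identical to a forged token, so log-pipeline health must be monitored alongside the correlation, and the window should be tied to the assertion lifetime the relying party actually enforces rather than a fixed guess. Matching on relying party and source IP as well as user name tightens the logic further once both sources expose those fields.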

Khanashvili spends every waking moment hunting bad actors in cyberspace. He is the senior research lead at Hunters, a venture capital-backed Israeli company with a SOC platform that empowers security teams to automatically identify and respond to security incidents across the entire attack surface.
