Hunting the Bad Guys Behind Golden SAML Attacks
Yonatan Khanashvili of Hunters on Using Cross-Correlation to Detect Complex Attacks
Steve King (@sking1145) • August 8, 2022 • 25 Minutes
Golden SAML attacks are a big deal. The SolarWinds attackers used forged Security Assertion Markup Language tokens to gain access to networks. When CyberArk discovered the attack vector in 2017, the company said, "In a golden SAML attack, attackers can gain access to any application that supports SAML authentication (e.g. Azure, AWS, vSphere, etc.) with any privileges they desire and be any user on the targeted application (even one that is non-existent in the application in some cases)."
Yonatan Khanashvili, senior lead researcher at Israeli cybersecurity company Hunters, says Golden SAML is "a unique attack and technique" that few people except major security experts are even aware of. Hunters has done research on the attacks, he says, and determined that using "cross-correlation detection" is the key to "reliably detect and provide more context" about them.
In this episode of "Cybersecurity Unplugged," Khanashvili discusses:
- How Active Directory Federation Service, or AD FS, works with a service provider to share and authenticate digital identity via SAML tokens;
- How SAML tokens can be forged in a Golden SAML attack;
- How cross-correlating information obtained from single-service security products can give you "reliable detection logic" to detect such attacks.
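Cross-correlation in practice, as an added example that is not from the episode or from Hunters' product: a forged token is signed with the stolen AD FS signing key, so the service provider accepts it, but AD FS itself never recorded issuing it. Joining the provider's sign-in records against AD FS issuance records therefore exposes sign-ins with no matching issuance. The records, field names and matching window below are constructed assumptions, not real log formats.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names are assumptions:
# AD FS issuance events carry the assertion ID the server minted; the
# service provider's sign-in events carry the assertion ID it was shown.
ADFS_ISSUED = [
    {"assertion_id": "_a1", "user": "alice@corp.example", "time": "2022-08-08T09:00:00"},
    {"assertion_id": "_b2", "user": "bob@corp.example",   "time": "2022-08-08T09:05:00"},
]
CLOUD_SIGNINS = [
    {"assertion_id": "_a1", "user": "alice@corp.example", "time": "2022-08-08T09:00:04", "app": "Azure"},
    {"assertion_id": "_b2", "user": "bob@corp.example",   "time": "2022-08-08T09:05:02", "app": "AWS"},
    # Accepted by the service provider, but no AD FS issuance exists for it.
    {"assertion_id": "_z9", "user": "admin@corp.example", "time": "2022-08-08T11:30:00", "app": "Azure"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def find_orphan_saml_signins(issued, signins, window=timedelta(minutes=5)):
    """Return sign-ins whose assertion ID has no AD FS issuance event for the
    same user within `window` before the sign-in (assumed clock tolerance)."""
    by_id = {}
    for e in issued:
        by_id.setdefault(e["assertion_id"], []).append(e)
    orphans = []
    for s in signins:
        t = parse(s["time"])
        matched = any(
            e["user"].lower() == s["user"].lower()
            and timedelta(0) <= t - parse(e["time"]) <= window
            for e in by_id.get(s["assertion_id"], [])
        )
        if not matched:
            orphans.append(s)
    return orphans


if __name__ == "__main__":
    for s in find_orphan_saml_signins(ADFS_ISSUED, CLOUD_SIGNINS):
        print(f"ALERT: {s['app']} sign-in by {s['user']} at {s['time']} "
              f"presented assertion {s['assertion_id']} with no AD FS issuance")
```

A gap in AD FS log collection produces the same orphan signal, so the join is only as reliable as the completeness of both feeds.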
Khanashvili spends every waking moment hunting bad actors in cyberspace. He is the senior research lead at Hunters, a venture capital-backed Israeli company with a SOC platform that empowers security teams to automatically identify and respond to security incidents across the entire attack surface.