Hunting The Bad Guys

Steve King (00:13):

Good day, everyone. I’m Steve King, the director of Cybersecurity Advisory Services here at CyberTheory. Today’s episode will explore the Golden SAML internal attacks and the importance of cross data correlation. SAML is the acronym used to describe the Security Assertion Markup Language standard, used in an online security that enables folks to access multiple web applications using a single set of login credentials. This is a fantastic opportunity to demonstrate the power of detecting malicious threats, not only on a specific single vector, but also it raises research questions around the difficulties of traditional single service solutions to detect them. Joining me today is Yonatan Khanashvili, a senior research lead at Hunters and one of the few people on the planet who spends every waking moment hunting bad actors in cyberspace. Hunters is a VC-backed Israeli company with a SOC platform that empowers security teams to automatically identify and respond to security incidents across the entire attack surface. They mitigate real threats faster and more reliably than SIEMs and ultimately reduce the customer’s overall security risk. Welcome, Yonatan. I’m glad you could join us today.

Yonatan Khanashvili (01:47):

Hi, Steve. Thanks for having me and thanks for the lovely intro.

Steve King (01:51):

Sure. Let’s dive in here. If I’m not mistaken, you guys raised a $68-million Series C round in January of this year. What are your plans for that investment and what is your differentiator compared to your top legacy SIEM competitors, for example?

Yonatan Khanashvili (02:10):

Yeah. Hunters indeed raised $68 million in Series C earlier this year, which is very excited, obviously. The plans are to keep improving the product, developing any new features, while we keep feeding the Hunters platform with more cybersecurity knowledge and content, which will make the Hunters platform better and better when the time goes. I think that the main differentiator between us and legacy SIEM competitors are our ability to provide the product as a SaaS which simply put us in a different view of the old SIEM market… that’s simply based on premises or solutions that do not provide ingesting, engineering, and detection as a service, which is kind of a key point in fast-changing attack surface.

Steve King (03:08):

Just roughly… I’m not going to hold you to this, but how many customers do you have today?

Yonatan Khanashvili (03:14):

I think it’s kind of a questions that we are not able to answer, but there are dozens of customers that are using the product today and we’re rapidly growing on every quadrant.

Steve King (03:24):

How many employees and do you have offices outside of Israel?

Yonatan Khanashvili (03:30):

We have 150 employees worldwide. In Israel, in the R&D main location, they’re around 80.

Steve King (03:39):

Okay. That’s helpful. Thank you. Talk to me about the big Golden SAML attack and the Golden SAML attackers get access to any application that support SAML authentication that could be cloud-based, Azure, AWS with any privileges they desire and can be any user on the targeted application. Even one that’s nonexistent in the application, in some cases. How did Hunters deal with this?

Yonatan Khanashvili (04:08):

We started to research the Golden SAML attack earlier this year. With a few research questions that we had in our mind, that we want to see if we can answer and maybe solve with a better way. I guess the first one is, “What is the awareness of this attack at all in security operations worldwide?” It’s kind of a unique attack and technique that mostly security expert, even sometimes red humans are not aware. And the second one is actually if security products today, single surface security products, can detect it and if they can detect it reliably. What we try to do to deal with it is to develop a cross correlation detection that, I guess, we will discuss more in this talk and to be able to reliably detect and provide more context to the secured operations that use the product.

Steve King (05:02):

Okay. Can you explain to our audience, sort of in detail, how that attack works?

Yonatan Khanashvili (05:09):

Yeah. I think that we should start with a few terms to give a bit of background to the audience that maybe they’re not familiar with it. The first thing is IDP. So, IDP is simply identity provider that provides authentication layer to various of applications that you configured in your enterprise organization. For example, it can be Okta or Azure AD, which kind of a common managed IDP solutions. Another one, which is the one that we’ll discuss today, is ADFS. ADFS is simply a software developed by Microsoft that gives you the ability to have an unmanaged IDP, which means that it’s simply an IDP. But compared to others, like the examples that we gave such as Okta, for example, it’s an unmanaged solution. So you manage the server inside your own premise environment.

Yonatan Khanashvili (06:06):

The second term is actually service provider. The service provider is actually the applications that configured to the IDP and giving the user the ability to log in and using them. For example, it can be AWS, G Suite, O365, all the sales and cloud applications that organizations use on a daily basis. The ADFS simply gives the ability to having a trust between the service provider and the on-premises environment. So, how the tech simply works is with the ability to create a full sample that will allow an actor to authenticate and impersonate to any user in the federation service. Let’s try to examine a legitimate authentication that will happen when you use ADFS’ IDP. USC user will simply log into the service provider that you want to use, for example, G Suite. The G Suite will identify that you use the IDP that configure to it and will send the pocket to the ADFS server that located in the on-premises environment.

Yonatan Khanashvili (07:14):

The ADFS server will sign the SAML with a certificate that is stored on the ADFS server and will send it back to the service provider, in our case, G Suite, which will simply see that he knows the encryption, he has the key to decrypt it, and will let the user to authenticate. Where that text start to be, I guess, danger is when an act actor can put his hands on the certificate, which located on the ADFS server, we say, and simply create a forged SAML that’s signed with the certificate that they stole and just giving the ability to impersonate to any user in the domain, in the federation, and log into the service providers that configured to the ADFS.

Steve King (07:59):

I see. Okay. These things are multiple steps, right? For example, assuming that AWS trusts the domain, which you’ve compromised, you can then take advantage of the attack and kind of gain any permissions you want in a cloud environment. But you need a private key that signs the SAML objects. So, for the private key, you don’t need domain admin access, you only need Active Directory FS user account. How hard is that to get for an attacker?

Yonatan Khanashvili (08:32):

Yes. As you said, in order to obviously focus the SAML, as you said… To sign the sums, you will need to stall the certificate that’s stored on the ADFS. The only user that can export the certificate is the ADFS service account, which have a name pipe open to the database where the certificate is stored. I guess, to answer the question, how hard it is to get the certificate, we can mention briefly about an attack that involved the Golden SAML, which is known as SUNBURST attack that happened two years ago. They’re known as SolarWinds incidents that we all remember as security experts. We saw going on SAML attack in the wild. It happened. To answer the question about how hard it’s to get a certificate, we can simply, I guess, compare it to having a foothold on-premises, active directory environment, having domain admin credentials that can simply help you to gain any user object in the active directory. ADFS user account is simply an object in active directory. And we see those attacks happens on a daily basis, right? In one SAML activity and incident that we see, so it’s of course possible. And it’s that not that hard if you have hard access to the on-premises environment, indeed.

Steve King (09:56):

Yeah. It sounds like it’s not hard at all.

Yonatan Khanashvili (09:58):

Definitely. And I will mention that there is a lot of research papers that talking about the Golden SAML attack, including a great piece of research that Mandiant published and other security firms. This knowledge exists online and it’s not something that’s exclusive to specific actors. It really something that can be executed without a problem.

Steve King (10:25):

Yeah. The thing that bothers me about all of this, and not specifically SAML attacks, but everything that we do when we discover an attack vector that’s been successful, for example. We kind of scurry around and we kind of have a solution for it and then we talk about it. And then we sort of go away. I mean, we may be a couple of startups put together a company that focuses on solution, but we’ve just said here that we don’t really have a solution for this. Is that correct? I mean, you guys can detect these things. assuming you’re hunting for them. I guess part of my question is, what sort of detection and hunting techniques do you guys use to find and identify the bad guys doing this stuff?

Steve King (11:19):

And if a company like, let’s say, ABC Company, my company… Let’s say I don’t hire Hunters or I don’t buy your product. Does that mean I’m just ignoring this threat? And what does that mean for the industry? Does that mean I’m pretending that SAML attacks aren’t going to happen or they’re not going to happen to me? It’s bothersome to me anyway, and it’s not just… I mean, there’s hundreds of these where we say, “Yeah. Well, third party open source is a problem,” but then we never say how to deal with it because there is no way to deal with it. Is that true in your mind, as a researcher, as a guy that’s been around a space for a long time?

Yonatan Khanashvili (12:07):

Yeah. I think it makes sense. And I think that we as an industry always try to come with new solutions and also, I guess, kind of increase the awareness of this attacks. It’s not really that this attack can be detected. It just, I guess, challenging more than other simple detection logics that everyone know. We as an industry always need to keep educating each other with those new findings and giving them the ability to actually detect it. And if we discuss specifically about the Golden SAML attack, we came up with interesting detection logics that we obviously conducting in the product, which includes, for example, the ability to correlate between multiple data sources. For example, the ability to correlate between their Window’s ADFS event logs and the login to the service provider logs, which can provide a reliable coverage for it. And I will explain.

Yonatan Khanashvili (13:21):

We just spoke briefly about how detects works. And we know that in order to create the forged SAML to authenticate with a service provider, we don’t need to log into the ADFS server itself, right? Because if we have the certificate, we can simply create a forged SAML without authenticate with the ADFS server. What this meant is that we can assume that if we will see a login to the service provider, to the O365 login, to the O365 component without see the white windows event logs in the ADFS server, after we chatted, we can assume that someone has a certificate and just created a forged SAML. This is exactly the text logic that we are implementing at Hunters and we’re kind of sharing it with a community, and we’re suggesting to security operations to actually implement it.

Yonatan Khanashvili (14:25):

Another one, which is actually easier one, if you ask me, and also not only based on post correlation capabilities, like what I just mentioned, is monitor for suspicious logins to the ADFS service account itself. Which configured in a default, when you install ADFS server, you create a service account and it should only be with event login type of seven, which the service logo type. Any different logo type should be examined and investigated. I will say that if you see a RDP connection with event type of 10 to service accounts, to ADFS service account, it’s definitely a red flag that you should investigate it. And if it’s something that you found to be legitimate, you need to do some homework about your [inaudible 00:15:19] scope in your corporate and actually fix it. Those kind of things, how the small pieces of tasks that will stop the next attack, I guess.

Steve King (15:36):

Yeah. And how big a role is cross correlation in the process here?

Yonatan Khanashvili (15:43):

I think it actually plays a main key here because, at the end, there are a lot of really good single surf products that doing their job really well. If we take, for example, EDR solution, he should monitor about stuff that happens on the operating system. The problem is that he do not know anything that happens outside input. He do not know what happens when you are authenticate with a service provider. You do not know what happens on the ADFS event logs itself, maybe. And the ability to take the pieces of the piece of information that each good product provides and correlate between them can give you reliable detection logic that detect complex attack such as the Golden SAML. As we say, taking the event logs 1,200, that examine authentication to the ADFS correlating with the authentication with the service provider with O365 can give a reliable detection logic. And it’s really important to understand those concepts. And we actually suggest it to any audience that hear this talk and understand the importance of SAML, and specific Golden SAML attack, which security operations sometimes do not aware of, I guess.

Steve King (17:17):

Yeah. Right. I mean, SIEMs can’t do this today, right? I mean, there’s no SIEM that I’m aware of that can detect this kind of an attack. Is that correct?

Yonatan Khanashvili (17:33):

I won’t say that. I think that it’s possible. It will just requires a lot of team effort and people in order to do so, like ingesting the relevant logs to the SIEM storing and know how to correlate between the specific telemetry logs that required in order to detect it. I will say that it’s possible, definitely possible, but it will simply be time consuming and will require a lot of team of experts in order to do so.

Steve King (18:08):

Yeah. And I mean the typical… I guess I’m referring to the typical SIEM customer, which is not an expert. It’s CSO who is running a SIEM and they don’t have a technology background in many cases, but they know that they need some sort of monitoring and logging function and log collection function. And so they’ve installed whoever, pick your SIEM vendor. But without that kind of expertise, manipulating the SIEM, if there’s a way to even do that, I don’t think on a cross correlation basis, there is. Still, maybe you can do it single surface, but manipulating that takes a lot of work on behalf of the SIEM owner, doesn’t it?

Yonatan Khanashvili (19:05):

Yeah. Yeah, absolutely. And it’s not only about time, it’s about getting the right people in order to do so, which will require obviously a lot of security experience and knowledge about… first of all, from a security perspective, about how to conduct it; and also from engineering perspective, as you say, how to correlate between the different components.

Steve King (19:32):

Right. So does that mean that everybody that’s not a deep technical cybersecurity expert is at risk here for SAML attacks?

Yonatan Khanashvili (19:47):

Absolutely. I think that if you, as organization, are using ADFS specifically, you should take actions about examining the relevant logs and really see how you can have a better eyes and visibility on those type of text. It’s definitely happens. We saw how it happened in the SolarWinds attack, and I’m sure there are a lot of other incidents that obviously didn’t publish, and we should be aware of it. As an industry, always share research knowledge as you’re obviously doing here and have the awareness in the security operations to conduct those visibility and detection logics.

Steve King (20:36):

Yeah. I think we have fewer people today that understand this at that level than we did a couple of years ago. Yeah. I think we’re in the opposite direction. In a way, I mean, it’s terrific for you guys. You’ve focused on this area and you should sell lots of these to folks that are concerned about this, but it also seems like Microsoft’s active directory is one of the worst things that ever happened to the space. And I don’t mean that in a critical way, Microsoft, but there’s so many problems that tie directly to AD that it’s almost a joke.

Yonatan Khanashvili (21:19):

Oh, yeah. Definitely.

Steve King (21:19):

My final question… Because I see by the clock that we’re kind of running out of time here. Can you sort of tell us some of the difficulties when implementing these detections that you guys encounter, and how important is the fact that this is an out of the box detection solution?

Yonatan Khanashvili (21:40):

I think it’s a really important question, Steve. We just briefly discussed about it, the difficulties of implementing those detection, the amount of time and the amount of people that will require us to do so. And we discussed briefly about Golden SAML here, I think, for 20, 30 minutes. But in order to do the practical walk of implementing those things, it’s really a difficult and challenging tasks. If we will briefly reverse back the detection logic and what we say, it will start with scoping the ADFS servers and ingesting the relevant event logs, then powering the relevant event logs that have different properties than other event logs, then storing and aggregating them in the relevant SIEM that you’re using. Then start research, the relevant service provider, authentication logs, and see how you can correlate between them, and that will be only for the service provider that you’re researching.

Yonatan Khanashvili (22:44):

You need to do it for all the service providers that obviously you’re using in the federation. And it’s really challenging and takes out of time. And I think this is kind of the importance of out of the box detections and the detection engineering as a service that we are trying to do at Hunters. Simply giving our customers the ability to ingesting the relevant data, and then know that Hunters know how to power and how to detect and how to correlate between different things. And we really are believing in the message that we’re trying to give, and this is the kind of the power of providing security as a SaaS and not as an old on-premises solution.

Steve King (23:35):

Yeah. Well, you’ve convinced me. I’m ready to sign up for Hunters tomorrow. Thank you, Yonatan. Thanks for spending some time with us today. I appreciate you carving out the time. And then thanks to our listeners as well. We hope you learn something about one of the growing number of threat vectors in our complicated cybersecurity universe. Until next time. I’m Steve King, signing up.