What happens after a Business Email Compromise (BEC)
2024-12-14, Rookie track 2

This talk delves into the post-compromise tactics employed by threat actors following Business Email Compromise (BEC) incidents, drawing from our experience as a Managed Security Service Provider (MSSP).
We will discuss how legitimate OAuth applications are abused post-compromise for persistence and data exfiltration.


In this talk, we will begin by sharing insights gained from our experience as a Managed Security Service Provider (MSSP), highlighting trends observed across various client environments after Business Email Compromise (BEC) incidents. While the mechanisms of BEC are well understood, we will take a deeper look at the actions threat actors typically take post-compromise, particularly focusing on how they leverage OAuth for persistence within victim networks. OAuth applications are designed to enhance user convenience and are not inherently malicious; however, they can be abused to gain persistence and facilitate data exfiltration. Because these applications are legitimate, they often go undetected by security systems.
We will discuss the emergence of compromised OAuth applications that attackers exploit to gain unauthorised access and maintain control over compromised accounts. Drawing on our research and real-world case studies, we will analyse common OAuth applications that are abused in these scenarios. Furthermore, we will discuss best practices for securing OAuth implementations, including proactive monitoring, user education, and effective access management strategies.
This talk is specifically focused on Microsoft 365, with techniques, trends, and recommendations tailored to Microsoft technologies.
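As an added illustration of the proactive monitoring mentioned above (example code written for this page, not material from the talk or from JUMPSEC), the script below scans constructed Microsoft 365 audit records for user consent grants that combine a mailbox or file scope with `offline_access`, the pattern that lets an OAuth app keep a refresh token after the victim's password is reset. The record layout is simplified to the shape of the unified audit log's "Consent to application." event, and the `RISKY_SCOPES` list is an assumption, not an exhaustive Microsoft list.

```python
import json
import re

# Delegated Graph scopes that matter most in a BEC follow-on: read or send mail,
# or read all files. Assumption: our own starting list, tune it per tenant.
RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                "MailboxSettings.ReadWrite", "Files.Read.All"}

# Constructed sample records (JSON lines), simplified to the shape of unified
# audit log "Consent to application." events; field names are an assumption.
SAMPLE_LOG = """
{"CreationTime":"2024-11-02T09:12:44","Operation":"Consent to application.","UserId":"alice@example.com","ClientIP":"203.0.113.7","ModifiedProperties":[{"Name":"ConsentContext.IsAdminConsent","NewValue":"False"},{"Name":"ConsentAction.Permissions","NewValue":"[] => [[Id: 1, ConsentType: Principal, Scope: User.Read]]"}]}
{"CreationTime":"2024-11-02T09:15:10","Operation":"Consent to application.","UserId":"alice@example.com","ClientIP":"203.0.113.7","ModifiedProperties":[{"Name":"ConsentContext.IsAdminConsent","NewValue":"False"},{"Name":"ConsentAction.Permissions","NewValue":"[] => [[Id: 2, ConsentType: Principal, Scope: Mail.Read offline_access User.Read]]"}]}
{"CreationTime":"2024-11-02T09:16:03","Operation":"UserLoggedIn","UserId":"alice@example.com","ClientIP":"203.0.113.7"}
"""

# The permissions property is a free-text diff; pull the space-separated scope list.
SCOPE_RE = re.compile(r"Scope:\s*([^\],]+)")


def consent_scopes(record):
    """Return the set of delegated scopes granted by one consent record."""
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "ConsentAction.Permissions":
            match = SCOPE_RE.search(prop.get("NewValue", ""))
            if match:
                return set(match.group(1).split())
    return set()


def find_risky_consents(log_text):
    """Return consent grants that pair a risky scope with offline_access.

    offline_access yields a refresh token, so the app survives a password reset;
    that is the persistence an incident responder needs to revoke explicitly."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("Operation") != "Consent to application.":
            continue
        scopes = consent_scopes(rec)
        risky = scopes & RISKY_SCOPES
        if risky and "offline_access" in scopes:
            hits.append({"time": rec["CreationTime"], "user": rec["UserId"],
                         "ip": rec.get("ClientIP"), "scopes": sorted(risky)})
    return hits


if __name__ == "__main__":
    for hit in find_risky_consents(SAMPLE_LOG):
        print(f"{hit['time']} {hit['user']} from {hit['ip']}: {hit['scopes']}")
```

In a real response the flagged grant is the one to revoke (service principal and refresh tokens) alongside the password reset, since resetting the password alone leaves the app's access intact.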


Please confirm that I am a first-time speaker and have not spoken in public and will not be before the BSides London event date (14th December 2024):

Yes

Umair is a Senior Cyber Security Responder working at JUMPSEC with 5 years of experience in Defensive Security including Incident Response, Threat Hunting, Security Operations and Security Engineering.