Hunting Down Rogue Managed Identities

OVERVIEW

Usage of cloud managed identities is on the rise across all cloud providers. But are they really as secure as we assume them to be?
Recently, more and more attacks have been leveraging legitimate usage of managed identities to advance the attack and pivot across multiple resources. Managed identities are the latest phase in the evolution of protecting secrets, but without proper protection they can themselves serve as double-edged swords, introducing new risks and vulnerabilities. Powered by OAuth 2.0, cloud managed identities blur the distinction between identity protection and endpoint solutions, leaving crucial terrain unclaimed.

OAuth 2.0 introduces an authorization layer and separates the role of the client from that of the resource owner. In this session I will dive into delegation flows, and together we will understand how they are related to ghost managed identities which pop up on a compromised network. Together, we will extract cloud-unique aspects out of known attacks, isolating managed identities as overlooked soft spots.
We will wrap up with several high-fidelity detections, giving every blue-side attendee practical tools to implement in their own environment.

Presented By

RAM PLISKIN
Principal Security Researcher, Microsoft