When a user authenticates to a SaaS application or identity provider (IdP) such as Okta, Duo, or Microsoft Azure AD, they are issued a unique session token that their client presents on every subsequent request. As multi-factor authentication (MFA) has become widely deployed, attackers have shifted from stealing credentials to stealing these session tokens: a valid token is accepted without a password or an MFA prompt. Recent notable breaches, including some of those carried out by the LAPSUS$ group, used this exact technique to establish persistent access to the SaaS environment.

In this webinar, we’ll run through a live demonstration of a man-in-the-middle session hijacking attack. Along the way, we’ll explore a variety of interesting related topics, including:

  • Who is LAPSUS$, the extortionist hacker group behind notable breaches of companies like Okta?
  • What is session hijacking, and how exactly does it enable attackers to bypass security measures like MFA?
  • How are stolen session tokens bought and sold across online exchanges like the Genesis Marketplace?
  • What best practices can be implemented to help combat session hijacking, and how does Obsidian detect the reuse of a stolen token?
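A minimal form of the token-reuse detection the last bullet asks about, as an added example that is neither the webinar's content nor Obsidian's detection logic: each session token is bound to the client context it was first seen with, and later uses that do not fit that context are flagged. The log format, field names, user names and IP addresses below are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed log format (an assumption for this example, not any product's schema):
# <iso8601 timestamp> session=<token id> user=<name> ip=<addr> ua="<user agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) session=(?P<sid>\S+) user=(?P<user>\S+) '
    r'ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample: sess-A is replayed from a different browser one minute after
# the real user; sess-B roams to a new network (benign) and then alternates
# between the two networks within a minute (suspicious).
SAMPLE_LOG = [
    '2024-05-01T09:00:00+00:00 session=sess-A user=alice ip=203.0.113.10 ua="Chrome/124"',
    '2024-05-01T09:02:00+00:00 session=sess-A user=alice ip=203.0.113.10 ua="Chrome/124"',
    '2024-05-01T09:03:00+00:00 session=sess-A user=alice ip=198.51.100.7 ua="Firefox/125"',
    '2024-05-01T09:00:00+00:00 session=sess-B user=bob ip=192.0.2.5 ua="Safari/17"',
    '2024-05-01T10:30:00+00:00 session=sess-B user=bob ip=192.0.2.99 ua="Safari/17"',
    '2024-05-01T10:31:00+00:00 session=sess-B user=bob ip=192.0.2.5 ua="Safari/17"',
]


@dataclass
class SessionEvent:
    ts: datetime
    session_id: str
    user: str
    src_ip: str
    user_agent: str


@dataclass
class Finding:
    session_id: str
    user: str
    reason: str
    at: datetime
    src_ip: str


def parse_event(line: str) -> SessionEvent:
    """Parse one line of the constructed log format into a SessionEvent."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return SessionEvent(
        ts=datetime.fromisoformat(m["ts"]),
        session_id=m["sid"],
        user=m["user"],
        src_ip=m["ip"],
        user_agent=m["ua"],
    )


def detect_token_reuse(events: Iterable[SessionEvent],
                       window: timedelta = timedelta(minutes=10)) -> List[Finding]:
    """Flag session tokens whose use does not fit the client they were issued to.

    Two heuristics, both keyed on the token rather than the user account:
    1. the token is presented with a User-Agent other than the one it was issued to
       (a cookie replayed from another browser rarely reproduces the original UA);
    2. the token is used from two different source IPs within `window`
       (a user roaming between networks does not alternate between them every few minutes).
    """
    issued_ua: Dict[str, str] = {}                       # session -> UA at first sight
    last_seen: Dict[str, Dict[str, datetime]] = {}       # session -> ip -> last timestamp
    findings: List[Finding] = []

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.session_id not in issued_ua:
            issued_ua[ev.session_id] = ev.user_agent     # bind the token to its first client
            last_seen[ev.session_id] = {}
        elif ev.user_agent != issued_ua[ev.session_id]:
            findings.append(Finding(ev.session_id, ev.user, "user-agent mismatch",
                                    ev.ts, ev.src_ip))
        else:
            recent_other_ips = [ip for ip, t in last_seen[ev.session_id].items()
                                if ip != ev.src_ip and ev.ts - t <= window]
            if recent_other_ips:
                findings.append(Finding(ev.session_id, ev.user,
                                        "concurrent use from two networks",
                                        ev.ts, ev.src_ip))
        last_seen[ev.session_id][ev.src_ip] = ev.ts

    return findings


def analyze_sample() -> List[Finding]:
    """Run the detector over the constructed sample log."""
    return detect_token_reuse(parse_event(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for f in analyze_sample():
        print(f"{f.at.isoformat()} {f.session_id} ({f.user}) from {f.src_ip}: {f.reason}")
```

Run as written, the script reports sess-A once (the Firefox replay) and sess-B once (the second use from the original network a minute after the roam), while the roam itself at 10:30 is left alone. In production the same two signals are usually enriched with ASN or geolocation so that a single IP change across networks owned by the same carrier is not treated as a second client.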