When a user authenticates to a SaaS application or identity provider (IdP) such as Okta, Duo, or Microsoft Azure AD, they are issued a unique session token. The growing adoption of security controls like multi-factor authentication (MFA) has pushed attackers to target these session tokens rather than credentials. Recent notable breaches, including some carried out by the LAPSUS$ group, used exactly this technique to establish persistent access to the SaaS environment.
In this webinar, we’ll run through a live demonstration of a man-in-the-middle session hijacking attack. Along the way, we’ll explore a variety of interesting related topics, including:
- Who is LAPSUS$, the extortionist hacker group behind notable breaches of companies like Okta?
- What is session hijacking, and how exactly does it enable attackers to bypass security measures like MFA?
- How are stolen session tokens bought and sold across online exchanges like the Genesis Marketplace?
- What best practices can be implemented to help combat session hijacking, and how does Obsidian detect the reuse of a stolen token?
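As an added example that is not from the webinar or from Obsidian's product, the detection question in the last bullet can be illustrated with a small Python script: it replays constructed SaaS access-log lines and flags any session token that is used from a second client (a different network and/or browser) after the login that created it. The log format, field names, sample users and addresses are all assumptions made for the example.

```python
"""
Flag reuse of a session token from a second client.

Added defender-side example, not Obsidian's detection logic.
Assumed (hypothetical) log line format, one request per line:
    <ISO timestamp> user=<name> session=<token-id> ip=<addr> ua="<user agent>"
The first line seen for a session is treated as the legitimate login
context; later lines that use the same token from a different network
prefix and/or browser fingerprint are reported.
"""
import re
from dataclasses import dataclass
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\S+) '
    r'ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"$'
)

# Constructed sample log: three users, three sessions. RFC 5737 test addresses.
SAMPLE_LOG = [
    '2024-03-01T09:00:00 user=alice session=s-1a2b ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/122"',
    '2024-03-01T09:05:00 user=alice session=s-1a2b ip=203.0.113.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/122"',
    # alice's token replayed from another network with a different browser
    '2024-03-01T09:40:00 user=alice session=s-1a2b ip=198.51.100.77 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/123"',
    '2024-03-01T10:00:00 user=bob session=s-9z8y ip=192.0.2.20 ua="Mozilla/5.0 (Macintosh) Safari/17"',
    # bob's address changes inside the same /24 (e.g. DHCP renew): not a reuse
    '2024-03-01T10:30:00 user=bob session=s-9z8y ip=192.0.2.21 ua="Mozilla/5.0 (Macintosh) Safari/17"',
    '2024-03-01T11:00:00 user=carol session=s-3c4d ip=192.0.2.50 ua="Mozilla/5.0 (iPhone) Safari/17"',
    # carol's token used from a new network but the same browser: ambiguous
    '2024-03-01T11:20:00 user=carol session=s-3c4d ip=198.51.100.5 ua="Mozilla/5.0 (iPhone) Safari/17"',
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    session: str
    ip: str
    ua: str


def parse_line(line: str) -> Event:
    """Parse one access-log line into an Event; raise on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return Event(datetime.fromisoformat(m["ts"]), m["user"],
                 m["session"], m["ip"], m["ua"])


def ip_prefix(ip: str) -> str:
    """Compare IPv4 /24 prefixes so an address change inside one network
    is not treated as a new client (a coarse stand-in for ASN/geo lookup)."""
    return ".".join(ip.split(".")[:3])


def detect_token_reuse(lines):
    """Return {session_id: finding} for every session used from a second client.

    Severity 'high' when both network prefix and user agent differ from the
    login context (the classic stolen-cookie replay); 'medium' when only one
    of them differs (could be roaming or a browser update, still worth review).
    """
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e.ts)
    origin = {}     # session id -> first event seen (the login context)
    findings = {}
    for ev in events:
        first = origin.setdefault(ev.session, ev)
        if first is ev:
            continue
        ip_changed = ip_prefix(ev.ip) != ip_prefix(first.ip)
        ua_changed = ev.ua != first.ua
        if not (ip_changed or ua_changed):
            continue
        severity = "high" if (ip_changed and ua_changed) else "medium"
        current = findings.get(ev.session)
        # keep the first finding, but upgrade it if a later event is worse
        if current is None or (current["severity"] == "medium" and severity == "high"):
            findings[ev.session] = {
                "user": ev.user,
                "severity": severity,
                "login_ip": first.ip,
                "login_ua": first.ua,
                "reuse_ip": ev.ip,
                "reuse_ua": ev.ua,
                "minutes_since_login": int((ev.ts - first.ts).total_seconds() // 60),
            }
    return findings


if __name__ == "__main__":
    for session, f in detect_token_reuse(SAMPLE_LOG).items():
        print(f"[{f['severity'].upper()}] session {session} of {f['user']}: "
              f"login from {f['login_ip']}, reused from {f['reuse_ip']} "
              f"after {f['minutes_since_login']} min")
```

The /24 comparison and the exact user-agent match are deliberately simple heuristics: a real detection would bind the token to a device or TLS fingerprint at login and enrich the source address with ASN and geolocation, because VPN hops and mobile roaming produce the same "medium" pattern that carol's session shows here. The "high" case, a token presented from a new network by a different browser within the session's lifetime, is the pattern that distinguishes a replayed token from a user who simply changed location.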