Episode 176 - GluuFederation/identerati-office-hours GitHub Wiki

Title: All your accounts belong to us: IDP's under attack

Channels

Description

Identity Providers (IDPs) have become one of the most attractive targets for modern attackers—and the consequences of a successful compromise can be catastrophic.

In this session, Alex draws on firsthand experience from the front lines of identity security to unpack how today’s threat landscape has evolved. From nation-state actors and ransomware syndicates to opportunistic script kiddies, attackers are increasingly focusing on IDP compromise as the fastest path to total system access.

Having been in the hot seat during major incidents such as SolarWinds and the Storm-0558 attack, Alex shares real-world insights into how these attacks unfold, why traditional defenses fall short, and what “true identity resilience” really means in practice. The discussion will also cover emerging regulations, lessons learned from high-profile breaches, and concrete steps organizations can take to better protect their identity infrastructure.

Whether you’re responsible for IAM, security operations, or overall cyber resilience, this episode will help you understand what’s changing—and what you can do about it.

Homework

Takeaways

  • ⚡ “Nothing ever gets through” is a fantasy. Identity resilience is a continuous loop: (1) harden before an attack; (2) detect and disrupt during it; (3) be ready to recover after it. Attackers learn rapidly: the SolarWinds attack was a template that quickly turned into commodity tradecraft.

  • ⚡ Legacy applications never get rewritten to support the latest identity infrastructure, so Kerberos, RADIUS and SAML won’t disappear when newer technology (OAuth, Verifiable Credentials, ...) is added on top. Despite wide cloud identity adoption, on-premises Active Directory is still run in 90% of enterprises.

  • ⚡ Attackers are moving laterally from human accounts to infrastructure, and identity infrastructure is a particularly attractive target: an adversary who can mint valid tokens (or who holds the key that signs them) is trusted by every system that trusts the IDP, so the compromise is systemic rather than per-account.

  • ⚡ Detecting IDP attacks is hard, largely because it is hard to separate signal from noise across disparate authentication systems. In the SolarWinds incident, the first clue was tokens that had been issued without a corresponding MFA event. Detecting this requires joining the token-issuance log with the MFA event log and applying simple, declaratively stated sanity checks, for example: “every token that grants access to email must be backed by a verified MFA event”.
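The join-and-sanity-check idea from the last takeaway, as an added example (not code from the episode, from Alex, or from Gluu). It assumes two newline-delimited JSON logs, one of token issuance events from the IDP and one of MFA events, with constructed field names (`ts`, `event`, `user`, `scope`, `session`, `result`); real IDPs and MFA services use their own schemas, so the parsing would be adapted. The policy is the declarative rule "tokens for email scopes require a verified MFA event for the same user shortly before issuance", and the sample log lines are constructed to include one failed MFA and one stale MFA.

```python
"""
Added example: join IDP token-issuance events with MFA events and flag
tokens that should have been backed by a verified MFA event but were not.
Log lines, field names and scope names below are constructed assumptions.
"""
import json
from datetime import datetime, timedelta

# Declarative policy (assumption for the example): any token whose scope
# starts with one of these prefixes protects email and therefore requires a
# verified MFA event for the same user within the lookback window.
MFA_REQUIRED_SCOPE_PREFIXES = ("mail.",)

# Constructed sample IDP log: four issued tokens.
TOKEN_LOG = """
{"ts": "2024-05-01T09:00:05Z", "event": "token_issued", "user": "alice", "scope": "mail.read", "session": "s1"}
{"ts": "2024-05-01T09:10:00Z", "event": "token_issued", "user": "bob", "scope": "mail.read", "session": "s2"}
{"ts": "2024-05-01T09:15:00Z", "event": "token_issued", "user": "carol", "scope": "files.read", "session": "s3"}
{"ts": "2024-05-01T11:00:00Z", "event": "token_issued", "user": "alice", "scope": "mail.send", "session": "s4"}
"""

# Constructed sample MFA log: alice verified once, bob failed.
MFA_LOG = """
{"ts": "2024-05-01T08:59:50Z", "event": "mfa", "user": "alice", "result": "verified", "session": "s1"}
{"ts": "2024-05-01T09:09:58Z", "event": "mfa", "user": "bob", "result": "failed", "session": "s2"}
"""


def parse_jsonl(text):
    """Parse newline-delimited JSON records, converting 'ts' to aware datetimes."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def requires_mfa(scope):
    """True if the policy says this scope must be backed by verified MFA."""
    return scope.startswith(MFA_REQUIRED_SCOPE_PREFIXES)


def find_unverified_tokens(token_log, mfa_log, window_hours=1.0):
    """Return tokens that required MFA but have no verified MFA event for the
    same user in the `window_hours` before issuance. Only 'verified' MFA
    results count; failed or absent MFA leaves the token uncovered."""
    window = timedelta(hours=window_hours)

    # Index verified MFA timestamps per user (a production join would also
    # correlate session or request IDs where both logs carry them).
    verified = {}
    for rec in parse_jsonl(mfa_log):
        if rec.get("event") == "mfa" and rec.get("result") == "verified":
            verified.setdefault(rec["user"], []).append(rec["ts"])

    findings = []
    for tok in parse_jsonl(token_log):
        if tok.get("event") != "token_issued" or not requires_mfa(tok["scope"]):
            continue
        issued = tok["ts"]
        covered = any(issued - window <= mfa_ts <= issued
                      for mfa_ts in verified.get(tok["user"], []))
        if not covered:
            findings.append({"user": tok["user"], "session": tok["session"],
                             "scope": tok["scope"], "ts": issued.isoformat()})
    return findings


def audit_sample(window_hours=1.0):
    """Run the check over the constructed logs."""
    return find_unverified_tokens(TOKEN_LOG, MFA_LOG, window_hours)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"ALERT token without verified MFA: {f}")
```

Over the constructed logs this flags bob's session s2 (MFA failed) and alice's session s4 (the only verified MFA was two hours earlier). The window is the tunable part: widening it to three hours clears alice's s4 token, which is exactly the trade-off between false positives from long-lived sessions and missing a token minted outside any real authentication.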

Livestream Audio Archive

here