A Golden Ticket to the Cloud

In a post-pandemic world, more and more organizations are moving to the cloud. Alongside this rapid migration, we have observed an influx of cloud-based breaches that we have been asked to investigate and respond to.

Late last year, the SolarWinds breach introduced another novel method of gaining access to a cloud environment by bypassing Federation Services, in a technique dubbed the Golden SAML attack. Hope is not lost, though: even if the federation certificates are compromised, these unauthorized logins are still detectable, as long as authentication logs are correlated between the federation service and the cloud environment. By abstracting the attack technique to its core components and using open-source tools, we can engineer detection events relevant to multiple providers and environments.

The presenters will also provide a case study of this novel attack technique (Golden SAML) and demonstrate high-fidelity detection approaches that help Security Operations teams defend against adversaries. We will also discuss multiple open-source tools an organization can use to improve its understanding of its cloud environments and to identify misconfigurations.
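The log correlation the abstract relies on, as an added example that is not part of the talk or the presenters' tooling: it joins constructed federation-server token-issuance records against constructed cloud sign-in records and flags any federated sign-in that the federation server never logged, which is the trace a forged SAML assertion leaves behind. Record field names, the five-minute window and the sample values are assumptions, not any vendor's schema.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names are simplified
# assumptions: a federation server's "token issued" event and the cloud
# provider's sign-in event for the same federated login.
FEDERATION_ISSUANCE = [
    {"ts": "2021-06-01T09:00:05Z", "user": "alice@corp.example", "token_id": "tok-1001"},
    {"ts": "2021-06-01T09:30:00Z", "user": "bob@corp.example", "token_id": "tok-1002"},
]
CLOUD_SIGNINS = [
    {"ts": "2021-06-01T09:00:07Z", "user": "alice@corp.example", "token_id": "tok-1001", "src_ip": "10.1.2.3"},
    {"ts": "2021-06-01T09:30:02Z", "user": "bob@corp.example", "token_id": "tok-1002", "src_ip": "10.1.2.4"},
    # Federated sign-in with no issuance record on the federation side:
    # the cloud accepted an assertion the federation server never produced.
    {"ts": "2021-06-01T23:15:00Z", "user": "admin@corp.example", "token_id": "tok-9999", "src_ip": "203.0.113.7"},
]


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_unmatched_signins(issuance, signins, window=timedelta(minutes=5)):
    """Return cloud sign-ins that have no federation issuance event for the same
    user (and the same token id, when the sign-in carries one) within `window`
    before the sign-in. Such orphaned sign-ins are the detection signal for a
    forged SAML assertion: the cloud logs it, the federation server does not."""
    issued = {}
    for ev in issuance:
        issued.setdefault(ev["user"], []).append((_parse(ev["ts"]), ev["token_id"]))
    alerts = []
    for s in signins:
        t = _parse(s["ts"])
        matched = any(
            0 <= (t - issued_at).total_seconds() <= window.total_seconds()
            and (s.get("token_id") is None or s["token_id"] == token_id)
            for issued_at, token_id in issued.get(s["user"], [])
        )
        if not matched:
            alerts.append(s)
    return alerts


if __name__ == "__main__":
    for alert in find_unmatched_signins(FEDERATION_ISSUANCE, CLOUD_SIGNINS):
        print(f"ALERT: federated sign-in without issuance record: {alert}")
```

Both logs must be in a common time zone and the window sized for the clock skew between the federation server and the cloud provider, otherwise legitimate logins will surface as orphans.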

Omar Toor
Mandiant / FireEye

Omar Toor is a Principal Cyber Defense Consultant based out of Philadelphia, Pennsylvania. As part of the Cyber Defense Operations team, Mr. Toor provides strategic guidance to clients to help build, mature, and expand their cyber defense programs. This includes developing incident response plans, improving processes and procedures, identifying use cases, and providing forensic investigation best practices. Mr. Toor has a strong background in incident response, threat hunting, use case development, and years of expertise with a variety of security operations tools.

Nader Zaveri
Mandiant / FireEye

Nader Zaveri has over 14 years of experience in IT security, infrastructure, and risk management.
Nader has assisted clients' incident response investigations, helping to reconstruct and understand the storyline of attacks by the most elusive nation-state threat actors associated with infamous on-prem and cloud-based breaches. He also leads remediation efforts, drawing on his knowledge and experience to provide strategic short-, medium-, and long-term remediation recommendations to directors and C-level executives, and tactical recommendations to specialists to improve the security posture of an organization. Nader also has experience leading transformational projects across infrastructure and processes, with technical and organizational change components, in response to rapidly evolving business needs and regulatory requirements.

Nader Zaveri has conducted interviews and presentations for dozens of organizations and conferences on cloud and on-prem incident response and remediation topics. He regularly provides security updates and briefings to C-suite personnel during and after an incident, as well as assisting with post-remediation and hardening efforts for the organization.

Prior to joining Mandiant, Nader Zaveri spent several years in leadership positions at major cyber security consulting firms. Before joining consulting, Nader worked as a lead practitioner for multi-national organizations.