Video: Identity Under Siege: How Adversaries Exploit Identity Across the Attack Lifecycle | Duration: 3612s | Summary: Identity Under Siege: How Adversaries Exploit Identity Across the Attack Lifecycle | Chapters: Welcome and Introduction (29.85s), Identity Threat Detection (200.48s), Identity-Based Threat Landscape (462.20502s), Growth of Infostealers (812.61505s), Stolen Credential Marketplaces (1262.5651s), Evolving Credential Theft (1715.7749s), Cloud Identity Complexity (2235.17s), Identity-Based Threat Evolution (2465.6s)
Transcript for "Identity Under Siege: How Adversaries Exploit Identity Across the Attack Lifecycle":
Hi, everyone. Welcome to this Sophos webinar entitled Identity Under Siege. My name is Chris Yule. I'm the director of threat intelligence in the Sophos Counter Threat Unit, and we're here today to talk about all the different ways that identity is woven into the cyberattacks that we see affecting customers every day. So we're gonna talk about some of the trends that we've seen, some of the learnings that we've had, and crucially some of the ways that Sophos is working to protect our customers from those threats. Before we dive into the topic, I'm conscious that the CTU, the Counter Threat Unit, is still reasonably new to Sophos. Some of you may not be familiar with us. We came from the SecureWorks acquisition. So I just wanna talk a little bit about who the CTU is and what we do. The CTU today is part of Sophos X-Ops. So within X-Ops, we have a large number of teams focused on protecting customers, understanding the threat, and communicating that threat. You'll see the CTU in the bottom left of this. So our job is to track the threat landscape and make sure that we understand the threats that our customers are facing, that we feed that into the wider parts of Sophos so that we're making sure that we're protecting all of our customers, and then crucially that we can communicate with customers about the threat like we're doing today. The CTU really takes our intelligence from many different places. We collect as much intelligence as we can. We then process that into various systems and then have a team of researchers focused on eCrime, ransomware, and state-sponsored threats like China, Iran, and North Korea to really synthesize that, do our own original research, and then produce things like threat intelligence publications, indicators, and things that talk about the threats that are available within Sophos products.
As you can see, we take our intelligence from many places, but some of our primary sources of intelligence include incident response engagements, where we're seeing firsthand some of the real incidents that are hitting our customers, and a huge amount of telemetry that we have as part of Sophos. So if we get a new IP address, for example, we can immediately see who's talking to that IP address, how common it is, and what kinds of things are touching that. And we do things like botnet emulation, and also just by talking to our customers, we understand the kinds of threats that many people are facing. As part of that job, we then track a number of threat groups. So we have over 240 threat groups that we have named. Over 170 of those we class as active. And as I said, that includes eCrime groups that are looking to make money from their victims through to the highly sophisticated state-sponsored actors from China, Russia, and other countries. So we're here to talk about identity. And why are we talking about identity? Well, one of the reasons is that Sophos has recently launched a new service called Identity Threat Detection and Response, or ITDR for short. And so we wanted to discuss some of the reasons as to why we think this is a crucial offering right now and why this is the service that we've decided to build this year. Identity really is a core part of everything that we do as technologists, and it plays a huge role in cyberattacks, but it's continuing to grow and change how we react and how we respond to cyberattacks. To start with, I wanna talk about one case study that we have from, this is a couple of years ago now. This was a Chinese state-sponsored actor against a government organization in Europe. And this was really one of the first examples that we saw of really sophisticated usage and manipulation of cloud permissions and user accounts to achieve the objectives of the threat actor.
In this case, we saw the threat group compromise an admin account. So they identified the username and password for that account, and they were able to log into it. They used the admin account to create a new user account in the victim's Entra ID environment, and that user account was given a special permission within Entra for application impersonation. So that account was allowed to impersonate other applications that were tied to the Entra ID environment. They then used the admin account to register a custom-made single-tenant application within Entra, and this application was set up to store the permissions for all required resource access. So this basically meant that if you logged in to that application, the application would have access to all of your resources: your files, your mailboxes, things like that. And, crucially, the threat actor was then able to combine the user account and the tenant application that they'd created in the environment to log in to the user account, use that account to impersonate any other user that they wanted to within the environment, and then log in to the single-tenant application and use the application's permission to access, read, and download the mailbox of that user. So by just logging in to what appeared to be a legitimate user account and using an application that they'd registered, they could read and download the mailbox of any user in that environment that they were interested in. They essentially enumerated through all the key target users and downloaded their mailboxes. So this was really, for us, one of the first cases that we've seen of these cloud permissions and different user accounts and applications being manipulated to give them the permission and the access that they were looking for.
Over the last couple of years, as we've looked at building an identity service, we've looked at the key statistics and the key things that we can see that make that service compelling. This is a service that we launched at SecureWorks last year, and then this month we've launched it as part of Sophos. As we've done research and we've launched the service into the customer base, we've identified that 95% of organizations that we've looked at have some type of misconfiguration in their identity and access management system that could allow a threat actor to manipulate or exploit permissions in ways that aren't good for the defenders. When we surveyed our customers, 90% of them said that they have experienced an identity breach in the past year. And as we look at stolen credentials on the dark web, and we'll talk a lot about that today, we've seen a doubling of the number of credentials available on the dark web in the last year, and that's just continuing a trend that we see grow and grow. So it's clear that identity and the manipulation of configuration and things like that is a key area for us to defend against sophisticated cyberattacks. So how are threat actors leveraging identities today? This will range from the really simple things to very sophisticated things, and I'll try and cover all of that today. If we look at the initial access vector across our incident response engagements, this data comes from 2025, so this is very recent data, and for every incident response engagement that we helped respond to, we try and identify how it started, how the threat actor got in. We can see 30% of those were phishing, 24% stolen credentials, 7% social engineering. All three of those involve some component of identity.
And so if you exclude the 5% drive-by downloads and the 11% exploitation of vulnerabilities, really over 60%, almost two thirds of incidents, start with identity as the root cause of how the actor got in. The number one threat facing our customers today continues to be ransomware, both in terms of the number of incidents that we see and the impact that it can have when it hits. And if we look at a classic ransomware case study, we will see again how identity is a key part of that kind of attack. This case study is from, I think, about twelve months ago. This was a US services organization. This attack started on a Friday morning when a threat actor logged into an admin account via remote desktop. So they obviously had stolen credentials somehow. It's not clear how they got those. It may have been through a phishing attack. It may have been purchased on the dark web. But this account was for a printer management service, so it wasn't leveraging multifactor authentication. So they were able to log in using remote desktop into the environment. Around twelve hours later, so almost 10PM at night, we then see them use that user account to deploy additional tools, and they're running NetScan, they're creating files, and they're deploying Mimikatz. So Mimikatz is a tool used to identify additional credentials, usernames, and passwords, ultimately looking for the credentials that will give them access to the most systems possible. Just after 10PM, we see them run Mimikatz, and they've identified some privileged credentials. So, again, looking for privilege escalation at this point, taking the single user account that they had and asking how do we get additional accounts that give us more permissions and privileges in the environment. We see them use those accounts to move laterally through the environment using remote desktop. A couple of minutes later, we see them continue to use Mimikatz to try and get more and more privileges on the system.
And then just after midnight, around two hours after the main activity started, we see them use privileged accounts to deploy ransomware and delete logs, and use a batch script to deploy that ransomware to almost 150 systems in the environment. So you can see here that this attack started with identity, with the stolen credentials being used to log in to a legitimate account, and then proceeded with more and more privilege escalation and lateral movement using those identity accounts. There was very little malicious code in use, and it was mainly just using privilege and trust to gain access to the environment and cause as much damage with that trust as possible. And this is classic of how we see many ransomware attacks unfold. If we look holistically across the kill chain, there's a whole suite of areas that are linked or directly related to identity. So before the breach happens, whether it's scanning repositories for hard-coded credentials or API keys, looking for identity weaknesses in the cloud, harvesting credentials or stealing credentials from the dark web, and then doing brute force of accounts and password spraying. Upon initial access, we'll see compromised credentials being used. We'll see phishing and spear phishing be used to try and obtain credentials, exploiting misconfigurations in the identity management systems, and then stealing tokens, and using access brokers to gain access to things. During the breach, as we've mentioned, privilege escalation, dumping credentials from Active Directory and using things like Mimikatz, using things like Kerberos to do pass-the-hash or ticket attacks, and then ultimately doing lateral movement using the identities that they've been able to compromise. And then once they're doing actions on objective, they're trying to achieve the mission. We'll see them do data exfiltration, ransomware deployment, destruction of systems, and persistence using the accounts and the credentials that they have stolen.
There's a lot of different dimensions there, but, really, it breaks down to the three key things that we're gonna focus on today. The use and abuse of user accounts; privilege escalation, so ultimately trying to identify accounts that have lots of privilege and maybe more privilege than they need; and then the misconfiguration and abuse of trust, which becomes much more complex the more cloud environments and third parties that we're using, with SSO trust and things like that. So, ultimately, we're gonna look at stolen credentials being available on the dark web to obtain user accounts. We're gonna look at user and service accounts with excessive or unusual permissions, and we're looking at configuration issues and unusual or problematic application permissions. And these are the three key things that the Sophos ITDR service has been designed to look for. So we really try to distill down what are the key ways that identity is used throughout the cyberattack and what things can be put in place to help prevent those things from enabling a cyberattack in future. So the first thing I wanna talk about is the growth of infostealers. So we talk about stolen credentials being used, and infostealers today are really the primary way that credentials are being obtained and then made available for sale on the dark web. We're really seeing a huge growth in the market over the last few years in infostealers. Back in June 2022, we were talking about almost 3,000,000 credentials, or sets of credentials, being made available for sale on the dark web. By June 2023, that grew to over 7,000,000. So 3,000,000 to 7,000,000 in just over a year. When I checked the stats earlier today, we're still seeing growth, not quite as explosive growth as we did during that period, but we're now sitting at over 9,000,000 sets of logs, or sets of stolen credentials, available on the dark web.
So infostealers have really dramatically changed the malware landscape over the last five or so years. We used to talk a lot about banking trojans. We used to talk a lot about botnets, where you would have malware infections on machines that would continuously receive instructions, and then the access being used to facilitate ransomware attacks and data theft and other things. But those malware infections would sit, possibly being detected, for days, weeks, months, and years, and infostealers have really shifted that dynamic. So infostealers are very small pieces of software that run for a short period of time, maybe ten or fifteen seconds, steal as much information as possible, and then exfiltrate it to a C2 server. So this is a very short, sharp malware infection, and it's not something that can be detected over weeks and months. But, really, you're seeing, if we go left to right, infostealers being delivered through spam and phishing emails, through malicious websites, and through trojanized mobile apps. They run for a short period of time on the compromised devices, stealing the information that they can get a hold of. And then as we move to the right, we see them exfiltrating that to a command and control server and then making that available through the underground marketplaces and access brokers to potential buyers. What kinds of information do we see infostealers take? Generally, they're looking for anything that they can sell on the dark web. So we're looking at login credentials, any payment details like credit card details, personal information relating to the user, browser data, so histories, cookies, browsing history, any files that might be valuable, application data, and crypto wallets and things like that. So anything that might be intrinsically valuable or valuable if we sell that on the dark web.
Generally, it just harvests it up into text files and then exfiltrates those to command and control servers. And there's a large number of infostealers that are available on the dark web, and all of them are made available for sale as a service. So you have things like StealC, Lumma, Poseidon, Vidar, Amadey, and ACR, which are all examples of stealers that are made available on the dark web. If we drill into some of those, let's start with Lumma as a key example. So today, Lumma is responsible for the vast majority of logs that are available on the dark web. And of the 9,000,000 that I said we currently have, over 7,000,000 of those have come from LummaC2. Lumma was first released in December 2022, and it's sold as a service in the underground for anywhere between $250 and $1,000 per month depending on the services and features that you want as a customer. It will collect and exfiltrate a profile of the infected system as well as sensitive data. It's distributed primarily through other malware loaders. And there has been a recent decline in Lumma. So back in August, there were over 9,000,000 Lumma logs available. That decline has been attributed to decreased customer confidence, because we've seen some law enforcement activity against Lumma command and control servers this year, and a doxxing campaign in September that outed some of the actors behind that. But despite that, you'll see on the chart on the right, these are the number of infections, or tentative infections, that we see across the Sophos customer base, which is still in the order of hundreds of thousands of potential infections every month of Lumma. Raccoon is another example. It was introduced in 2018 by a group that we track as Gold Lococo. It's deployed primarily through fake browser updates, phishing emails, and fake software installers. And then, like all infostealers, it collects and exfiltrates a profile of the infected system.
And it can also instruct the malware to download and execute second-stage malware. So it may not just cease running as soon as it's got the info. It may lead to second-stage malware. Redline's another one, active since March 2020. And until Raccoon was released, it was responsible for the largest share of logs sold in Russian markets. It's charged at $900 as a standalone product or available on a subscription basis. And, generally, it's distributed through cracked games and applications as well as phishing campaigns and malicious adverts. So as we've spoken about, there's a whole ecosystem built around infostealers and different actors responsible for different parts. It starts with a malware developer who creates the infostealer. They will then advertise that infostealer on the criminal marketplace, and so they'll list it for sale or rent. That will then be purchased by an initial access broker. So these are people that are trying to get access to the credentials, get access to systems that they can then resell. So they will take the malware that they bought from the malware developer and use that to deploy it to victims and ultimately harvest victim data. Like any good marketplace, there's a feedback system to leave reviews, so they will often leave reviews on the different infostealers to build confidence in that product. That might increase the reputation and the cost that they can sell that for, and it will also drive innovation as the malware developer gets feedback. The victim data is then exfiltrated to a command and control server that's owned by the initial access broker, and they will then list all the logs that they have available for sale on the same criminal marketplaces. So they will sell the logs that they've stolen. In some cases where they've got complex logs, they may have acquired or used the services of specialist log parsers.
They will go through all the data that's been stolen and identify valuable credentials or things that are highly sought after so they can sell those separately. And those parsed logs and logs will then be available for sale on dark web forums, and purchased by customers who will then use the credentials to gain access to the victims and deploy whatever their mechanism of making money is. It could be ransomware. It could be business email compromise or other types of fraud, or it might be espionage. So a huge ecosystem in play here that's very mature. Like all good ecosystems, they have good marketplaces. So today, Russian Market is the primary marketplace for infostealer data. It's the eBay of infostealers. Historically, it predominantly sold logs from Redline, Raccoon, Vidar, Taurus, and AZORult. They also offer the ability to preorder logs. So if you pay a deposit, you can tell them which logs you're interested in, and then once they become available, you will get priority notification that these are available for sale. As well as Russian Market, we see a big growth in the availability of stolen credentials through Telegram. Telegram is obviously a chat channel, so you have less mature buying and selling capabilities than you have in a marketplace like Russian Market, but then you also have more private channels, more ability to interact directly with customers, and maybe away from the prying eyes of researchers and law enforcement. Russian Market, as I say, is kinda like the eBay of stolen credentials. So you can search in the top left based on your infostealer of choice. You can look for specific domain names. So if we look at this top example here, this is one victim from South Africa. These are all the credentials that they have in their system. So you're essentially buying the whole zip of everything that they had in their system for $10.
So for that, you get all the Google accounts, usernames and passwords, and any other websites and cookies that they had. The preorder ability that I mentioned is really for those highly sought-after things. So there are some credentials that are more valuable because they're easier to monetize. And you can see here some examples of things that people like to preorder. So business.facebook, Instagram, Uber accounts, Airbnb accounts, because these are not just looking to gain access to things to try and steal things. These are accounts that can be leveraged against their customers and/or the victim themselves to try and make money. So one particular example that we have is from two years ago, which was quite interesting. This is a story about how identities have been used to abuse the trust that organizations might have with their customers. So this story started in October 2023, where somebody pretending to be a customer of a hotel, a guest at a hotel, emailed them and said, hi, we stayed in your hotel, we lost our passport, we're hoping you can help us. So no links, nothing bad to click on, just building rapport and trust. And then they sent a follow-up email saying, yep, sorry, we've definitely lost our passport, we could really do with your help, I've attached all the necessary details, please click on this link to download the details, here's the password. And so this was sent to the hotel's front desk, and when they opened the link, this led to a Vidar infostealer infection. And what the threat actor was looking for here was the booking.com credentials for the hotel. So not your standard user-level booking.com credentials where you can go book a hotel stay. These are the credentials that the hotel would use to manage their account and manage their customer stays within the booking.com admin platform.
Once the threat actor obtained the credentials for the hotel, they were able to log in to the booking.com admin console as the hotel, so impersonating somebody authorized from the hotel, got all the contact details for guests who had future stays booked, and then emailed those customers saying, hi, this is the hotel you booked with. The email comes from booking.com because it's sent from the legitimate admin platform, so it looks and feels legitimate. The user actually has a stay booked at that hotel. And they will say things like, there's a problem with our credit card processing, there's a problem with your stay, to confirm your stay we need you to click on this link, which looks like a booking.com link but isn't, and give us your credit card details. And, of course, because they're abusing the trust that their customers have in the hotel and in booking.com, lots of customers then clicked on that link and gave them their credit card details to secure their booking. So just to replay what happened there: the criminal targeted the hotel and the property owners with a phishing campaign. The staff opened the malicious email, which led to a Vidar infostealer infection. Vidar captured the credentials to the hotel's admin.booking.com account. They then used that access to log in to booking.com and then sell the access for phishing of the hotel's customers. And then the people who bought that access phished the customers and did fake payment validation scams to get credit card details that they could then either use to buy things or sell on the dark web for more money. And so because of scams like this, things like booking.com, airbnb.com, and so on are really valuable where you can get admin credentials for a business account. And so we see lots of adverts on the dark web for people looking to buy up any logs or credentials for those sites.
And they crucially say it has to be admin.booking.com, not booking.com, because we don't want generic credentials. We want the hotel credentials that manage the bookings. We do see lots of adverts like this where they advertise selling some run-of-the-mill user-level booking.com accounts, but the really valuable ones are the admin.booking.com ones. So here's one example of somebody selling a set of stolen credentials. Most of them are worth $5, or the Indeed one is worth $20 because there may be sensitive information in there that they could leverage. But, interestingly, the admin.booking.com log doesn't have a price against it. They say, if you want this, please check with us, which suggests they're trying to auction it off to the highest bidder because they know there's legitimate value in these credentials. We see lots of adverts like these for people saying, I want admin.booking.com accounts, please sell them to me. Here we have up to $5,000 per log because they know how much money they can make if they get hold of these, so it's worth it. In some cases, we see interesting cases like this where they work on a commission basis. So they won't offer to buy the logs for a fixed amount. They say, give us your admin.booking.com credentials that you've stolen, and we'll work on a commission basis. So any money that we make, we will give you x percent, so the potential income could be limitless. So as you can see, infostealers have hugely grown over the last three or four years, and they're one of the primary ways that we see stolen credentials being bought and then facilitating cyberattacks of all different kinds. If we look beyond infostealers at the other ways that credentials are stolen and harvested, obviously one big story this year has been the campaign by the group known as Scattered Spider, which we track as Gold Harvest.
So earlier this year, there was a campaign against US and UK retailers and other verticals, where they were very successful with ransomware. Both attacks were widely attributed to social engineering of IT help desks. And so, because this was unusually a Western-speaking group rather than the traditional Russian cybercrime groups that we tend to see doing ransomware attacks, they were able to successfully identify these organizations' IT help desk phone numbers, phone up the help desk, and say, I'm this user, please can you reset my password, I've forgotten it, I can't access my systems. And because help desks are traditionally empowered to be helpful and not to be blockers to things, they were pretty successful in getting passwords reset and then using those usernames and passwords to gain access to the environment and follow the kill chain that we spoke about earlier. And because of that, we're seeing many organizations now revisiting how to authenticate help desk callers, so making sure that help desks are empowered to properly validate that they are talking to who they think they're talking to, and crucially that they're empowered to say no, so that they're not gonna be seen as a blocker if they don't let somebody change their password, but that there are clear processes and procedures in place to properly validate and authenticate a user and to deny them access if they can't follow the correct processes. We've also seen a bunch of other attacks just exfiltrating data and then extorting victims to pay for that. One example in March, we saw a campaign targeting Jira instances. And so, again, stolen credentials that had probably been bought on the dark web, maybe specifically targeting Jira credentials that were available.
And they then were able to get into organizations' Jira instances that weren't protected by multifactor authentication, essentially download as much data as possible, some of which may be sensitive, and then use the fact that they had the data to try and extort their victims for a ransom. They've successfully got gigabytes of data from a number of victims. An interesting little touch: they left the ransom note by creating a service ticket in the Jira instance itself. So we had a spate of incidents earlier this year of organizations who were affected by this campaign, which is purely just, I have a username and password, what can I get, and how much money can I make from it? And there's been a whole bunch of stories like that. So a month or two ago, we had the ShinyHunters Salesforce and Drift attack. We've had the Snowflake data storage exfiltration earlier this year or late last year. And then going back a little while, maybe last year, we had an Okta breach where the identity provider was targeted, which then gave access to a bunch of victim data because they were able to compromise the identity provider. And so, again, a growing trend where we've seen just focusing on identity and just having the right credentials or the right access to the right systems enables a whole series of different scenarios that don't involve any malware or traditional things that we associate with cyberattacks. So we talk a lot about multifactor authentication, and the question is, is it the answer? Absolutely, it's the number one recommendation that we give our customers. And it is essential that anything external facing is protected by multifactor authentication. And we have seen time and time again that where there are exceptions to that, because it's too hard, because it's a third party and we can't manage MFA, or it's our maintenance company who don't know how to do MFA so they still need single-factor access.
We will see that be exploited somehow. We see that time and time again in incident response engagements. The trend now, though, is that while multifactor authentication is essential, it is not always sufficient. So there are ways to bypass multifactor authentication. One interesting case that we had was a spate of business email compromise attacks just over twelve months ago. This is a screenshot from Taegis XDR. And this started with a spate of alerts that we had for a number of different customers for mailbox forwarding rules being created in the Office 365 mail environment. This is often a good indicator of potential business email compromise attacks. So, again, just using identities, they will use stolen credentials to log in to an email account and then set up a bunch of mail forwarding rules so that anything around invoices, purchases, etcetera, will get automatically forwarded to an external account so that they can read your email without having to continually log in to your account. So in this case, we escalated a bunch of mailbox forwarding rule alerts to customers. What was interesting is that when the customers investigated that, they said, yeah, you're correct, these are BEC attacks. But what we don't understand is all of the user accounts in question are protected by multifactor authentication. We don't understand how they got in. So in this case, before we get to the multifactor authentication piece, it's worth calling out that BEC campaigns are, again, all identity based. They're all leveraging stolen credentials for user accounts at key organizations to create inbox rules and then identify the right PDFs, the right invoices, that they can then inject themselves into the conversation with their own bank account details, and, ideally, get money sent to their bank account rather than the correct one.
But it's a type of attack that is purely identity based, with no malicious code and things like that. In the case of the multifactor authentication, when we did follow-up investigations on what happened and raised the findings to customers, we could see that prior to the successful authentication, a series of logins were observed with the Axios user agent, which is a promise-based HTTP library that can be used to forge requests to web applications and is commonly used by threat actors. So this type of behavior is indicative of what we call adversary in the middle attacks, where the threat actor uses a proxy to host the landing page and broker the authentication between the victim and Microsoft. We're seeing this more and more. With traditional phishing, we just send you a phishing email, you get to a landing page, you accidentally put in your username and password. That would be stored in a database, and the threat actor would come along hours, days, weeks later and use the credentials to try and log in to something. And multifactor authentication will protect against that. With adversary in the middle, what we see is a much more dynamic interaction between the landing page and the thing that we're authenticating to. So the phishing email will be sent to the user. The user will then click on the link and enter their credentials into the fake website. Rather than just statically storing these, it will use forged requests to directly interact with the thing that we're authenticating with, including the request and response for the multifactor authentication. And then once the target application returns the session token, that is what the threat actor can steal to log in to the environment and gain persistent access, by leveraging the session token that they can keep around for a long time.
So we see more and more recommendations now to make sure that we're using phishing resistant multifactor authentication, which often means using things like hardware based YubiKeys and things like that. I'm not going to go into the detail of that, but there are definitely resources out there on what that means. So that's the focus that we've had on stolen credentials and the different ways that threat actors will get those credentials. What is more interesting is the increasing complexity of identity within the cloud. As we increase trust in different things, things become more complicated, things become more opaque, and it becomes harder to know and identify these micro vulnerabilities that could be exploited by somebody who is smart enough to figure it out. So, typically, we're moving from a model where people are getting asked to submit credentials and sign in as themselves to a model where we have applications registered against the environment, and the application will act on our behalf. So they may ask you for permissions to look at your mailbox and to read your profile. And once you grant these permissions, those applications have long lasting permission to access those resources without needing your username and password to do that. We mentioned this example earlier, and this was the Chinese group targeting these. China is one of the classic sophisticated adversaries that is really trying to understand and leverage these possible misconfigurations that exist within cloud environments. And this is not new. We've been tracking for over a decade the different ways that Chinese state sponsored threat groups have been subverting identity management and things like that. We, the Counter Threat Unit, back when we were SecureWorks, identified what became known as Skeleton Key malware back in 2015.
This was when we were responding to an incident response engagement where a victim had been widely compromised by a Chinese state sponsored group, and it wasn't at all clear how they were getting into the environment. But through a lot of research and a lot of analysis, we identified that they had essentially applied a custom patch to Active Directory that gave them a skeleton key password. So they could log in to AD as any user by using the same password, and the patch that they applied would allow them to log in. By just using this one password, they were able to log in to the environment as any user. That became widely publicized as one of the really sophisticated ways that Chinese actors had manipulated Active Directory in their victim environments to give them wide reaching access to their victims. And that kind of effort has only continued to grow in sophistication and move into the cloud as all of us have moved into the cloud as defenders. So China really now has moved over the last five years from trying to steal intellectual property to gaining strategic access to edge and identity infrastructure, trying to gain long standing access to systems, potentially for prepositioning for future actions. So we're seeing them targeting identity fabric and edge systems, like SharePoint, like VMware, F5 recently. These systems historically sit outside of endpoint level visibility, so things like your traditional endpoint detection and response won't see these kinds of threats. And a compromise here will grant them control of all authentications, not just a single host, which is why we think that moving threat detection and response into the identity space is so crucial. Looking at one case recently of what China has done: in July 2025, earlier this year, there was a campaign of them leveraging a newly patched vulnerability in SharePoint that became known as ToolShell.
And we saw a large number of customers being exploited by this chain of exploits that essentially gave the threat actor, which we believe was a Chinese state sponsored group, access to on-prem SharePoint instances. So this is a screenshot from a publication we published to customers in July 2025. And a crucial paragraph of that, which I'll read, is: "The execution of the PowerShell command led to the creation of malware, which was unique malware designed to extract and expose sensitive cryptographic material from the host that could be reused to forge authentication or session tokens across SharePoint instances. This malware uses .NET reflection to read the server's machine key section, extracting the validation key, decryption key, and cryptographic mode settings. These keys allow attackers to forge valid payloads and authenticate without credentials even after the initial shells are removed." So a really good example of them doing wide ranging vulnerability exploits and using those to gain persistent access to these systems even when the web shells are removed, and allowing them to authenticate to those SharePoint systems without credentials. And as I said, China's objective now is really around long term covert positioning, from espionage to persistent leverage. So their objective isn't stealing data anymore. It's making sure that they can stay positioned to use when needed. So we need to do all the things that we've been doing before around monitoring our environment and identifying these threats, but making sure that our threat monitoring expands into the identity perimeter is really, really key to defending against this type of threat. And just some examples of some of the key Chinese threat groups. If you Google these, you will find our threat profiles of these groups on our website and the kind of activities that they're up to.
And the last thing I want to talk about, just without laboring the point, is that it's not just threat actors that have evolved. I had a chat with our red team, which, again, came across from SecureWorks to Sophos as part of our new advisory services group. We now have a team of red teamers who hack into customer organizations and give them learnings that they can improve their defenses with. When I asked them how their playbook has moved from traditional cyber attack to identity based, they agreed that their model has evolved along with the cyber attack model. The legacy approach was really trying to get domain admin via technical exploits: using an external entry point, exploiting unpatched servers, gaining an internal foothold, and then just doing vulnerability scans and trying to exploit systems and chain exploits to get onto the systems that you wanted. The modern approach that they're leveraging is really accessing the key systems through identity without using any malicious code: doing an external identity compromise through phishing or phoning up IT help desks, password spraying, things like that, using the internal access as a legitimate user to gain access to VPN or valid SSO sessions, and then using the trust for those users to abuse Active Directory Certificate Services, privilege escalation, SSO session riding, things like that. And then an example which looks very much like the attacks that we saw earlier, but this is the kind of play that the red teams will use now. It's going after a victim on the left using a man in the middle attack, brute forcing the hashes to recover plain text passwords, exploiting the vulnerability in ADCS, dumping the NTDS file from AD, and so on and so forth until ultimately, bottom right, discovering the master vault password and using that to compromise the CyberArk master vault.
So even our red teams have clearly moved from exploit and malware based attacks to identity based attacks. And when I ask them why, the reason is that it works. It's what threat actors are doing, but it's also a very effective way of breaching perimeters and gaining access to victim environments. When we look at more stats related to ITDR, more tactical stats, we see that 96% of organizations that we've looked at have some kind of multitenant app present in their cloud environment. 80% have, somewhere, the Group.Read.All permission. So these are files that are maybe overshared, but if anyone has access to the network or the environment, those files would be visible to anybody. And 70% of organizations had app impersonation privileges. So, again, talking about that cyber attack earlier, that gives them the ability to impersonate applications, which may have broader permissions than the user accounts. These kinds of misconfigurations, which are hard to detect, are one of the key drivers behind our identity threat detection and response service. My job today is to talk about the threat. I'm not going to go into detail of what ITDR is or try and sell you on it, but just give you a quick teaser of the philosophy behind it. Historically, identity and access management and security operations have always been largely separate things. What we've tried to do with ITDR is look at the overlap of those. So how do we have security operations supporting and monitoring the identity and access management side? XDR and MDR traditionally can identify malicious behavior and activity. But what we're trying to do with ITDR is not necessarily looking for activity, but identifying the enablers for activity: misconfigurations, potential stolen credentials that could be enablers of future activity that you would then want XDR and MDR to detect.
So MDR on the left will protect against identity threats by investigating and responding to the threats that are active in your environment. And then the Sophos ITDR add-on on the right will attempt to reduce your identity attack surface, minimize the risk of stolen credentials, and identify risky user behaviors and permissions. We do that through continuous identity posture assessments of your Entra ID environment, monitoring for stolen credentials through our visibility on the dark web, and monitoring users that have been identified as risky based on their permissions or based on their behaviors. So that's all I want to talk to you about today. In summary, identities and privilege are a key target for all kinds of threat actors. The move as an industry, as a society, to opaque cloud environments makes managing privilege significantly harder, and it provides plenty of opportunities and micro vulnerabilities that could be exploited. With Sophos ITDR, we've tried to augment our detection of malicious activity, which we get through XDR and others, with the ability to preemptively detect the enablers that allow threat actors to be successful. So I hope that was useful. By all means, look on our website, look at the ITDR page and the links, and please do reach out if you have any more questions or if you'd like to look at these products and solutions. And until next time, thank you all for listening. Bye.
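Added example (not part of the webinar transcript, and not Sophos or Taegis detection logic): a small correlation sketch of the two identity signals the speaker describes in the BEC cases, a successful sign-in whose user agent is a scripted HTTP client such as Axios rather than a browser, followed within a window by a new inbox rule forwarding mail to a domain outside the organisation. The log records are constructed for this example and their field names are a simplified assumption, not the real Entra ID sign-in or Exchange Online audit schema; in a live environment the sign-ins would come from the Entra ID sign-in logs and the rule events from the unified audit log's New-InboxRule / Set-InboxRule operations. The user agent is attacker-controlled and legitimate automation also uses these libraries, so treat each signal as a triage indicator and the correlation as what raises priority.

```python
"""
Detection sketch for two identity-based signals: scripted-client sign-ins
(the pattern seen before the MFA-protected accounts were taken over via an
adversary-in-the-middle proxy) and inbox rules forwarding mail externally
(the BEC indicator that triggered the forwarding-rule alerts), correlated
per user inside a time window.

All records below are CONSTRUCTED for this example.  Field names are a
simplified assumption and do not follow any real product schema.
"""
import re
from datetime import datetime, timedelta

# HTTP client libraries that should not normally appear on an interactive
# user sign-in.  Extend to taste; this list is an assumption, not a standard.
SCRIPTED_UA = re.compile(r"^(axios|python-requests|node-fetch|go-http-client|okhttp)/", re.I)

# Constructed sign-in records (modelled loosely on Entra ID sign-in logs).
SIGNINS = [
    {"time": "2025-03-04T08:01:12Z", "user": "alice@example.com", "ua": "axios/1.6.2", "status": "failure", "ip": "203.0.113.10"},
    {"time": "2025-03-04T08:01:40Z", "user": "alice@example.com", "ua": "axios/1.6.2", "status": "failure", "ip": "203.0.113.10"},
    {"time": "2025-03-04T08:02:05Z", "user": "alice@example.com", "ua": "axios/1.6.2", "status": "success", "ip": "203.0.113.10"},
    {"time": "2025-03-04T08:02:30Z", "user": "alice@example.com", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0", "status": "success", "ip": "203.0.113.10"},
    {"time": "2025-03-04T09:15:00Z", "user": "bob@example.com", "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X) Safari/605.1", "status": "success", "ip": "198.51.100.7"},
    {"time": "2025-03-04T12:30:00Z", "user": "dave@example.com", "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/122.0", "status": "success", "ip": "198.51.100.9"},
]

# Constructed inbox-rule creation records (modelled loosely on New-InboxRule audit events).
INBOX_RULES = [
    {"time": "2025-03-04T08:10:00Z", "user": "alice@example.com", "name": ".", "forward_to": "invoices-archive@example.net", "conditions": ["invoice", "payment"]},
    {"time": "2025-03-04T12:00:00Z", "user": "bob@example.com", "name": "Team", "forward_to": "team-dl@example.com", "conditions": []},
    {"time": "2025-03-04T13:00:00Z", "user": "dave@example.com", "name": "Home", "forward_to": "dave.personal@example.org", "conditions": []},
]


def parse_time(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def scripted_client_logins(signins):
    """Successful sign-ins presented by an HTTP library rather than a browser."""
    return [e for e in signins if e["status"] == "success" and SCRIPTED_UA.match(e["ua"])]


def external_forwarding_rules(rules, internal_domain):
    """Inbox rules whose forwarding target lies outside the organisation's domain."""
    internal = internal_domain.lower()
    return [r for r in rules if r["forward_to"].rsplit("@", 1)[-1].lower() != internal]


def correlate(signins, rules, internal_domain, window_hours=24):
    """Users with a scripted-client login followed, within the window, by an
    external forwarding rule.  Each rule is matched at most once."""
    window = timedelta(hours=window_hours)
    scripted = scripted_client_logins(signins)
    hits = []
    for rule in external_forwarding_rules(rules, internal_domain):
        rule_time = parse_time(rule["time"])
        for login in scripted:
            if login["user"] != rule["user"]:
                continue
            delta = rule_time - parse_time(login["time"])
            if timedelta(0) <= delta <= window:
                hits.append({
                    "user": rule["user"],
                    "login_time": login["time"],
                    "login_ua": login["ua"],
                    "login_ip": login["ip"],
                    "rule_time": rule["time"],
                    "forward_to": rule["forward_to"],
                })
                break
    return hits


if __name__ == "__main__":
    for hit in correlate(SIGNINS, INBOX_RULES, "example.com"):
        print(f"[scripted login -> external forward] {hit['user']}: "
              f"{hit['login_ua']} from {hit['login_ip']} at {hit['login_time']}, "
              f"rule forwarding to {hit['forward_to']} created at {hit['rule_time']}")
```

On the constructed data only alice is correlated: dave's external forward stands alone and bob's rule forwards internally, which is the point of joining the two signals rather than alerting on either in isolation.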