👋 Folks, I'm super excited to announce the launch of the Microsoft Zero Trust Assessment!
I've been working on this project for the past year at Microsoft with an extended team including our security researchers, product feature teams and docs
Here's what it does
🧵👇
Reading Microsoft’s new Void Blizzard report, one thing stands out (again): Everything is about credential theft, phishing, and tokens. Initial access comes from buying or stealing creds - often through low-effort phishing. All the real action happens in the cloud, not on endpoints.
Gone are the days of multi-stage attacks where you’d see lateral movement, privilege escalation, or fancy malware on file servers. Now it’s just: steal creds, log in to cloud, exfiltrate data, repeat. Detection? Only possible if you have access to expensive cloud logs. No logs, no chance.
The perimeter has shifted from endpoints to identity. The detection surface shrank from your whole network down to some logs you might get from your cloud provider if you pay extra. Honestly, not sure if that’s “progress” or just shifting the visibility problem somewhere else.
This is a great summary. We (and by we I mean mostly @willoram) have been using variants of this diagram to describe the inversion of attack paths to identity-based intrusions - a major trend in our incident response cases over the past year.
In the past, you had to:
phish a user, drop malware, escalate privileges, pivot to servers, evade EDR, dump creds, move laterally, exfiltrate quietly, clean up, leave a backdoor.
Today, you just:
phish a user, steal an OAuth token, access everything from anywhere.
Cloud breaches aren’t hacks. They’re logins.
Microsoft Incident Response provides a response playbook to empower defenders in tackling the challenges posed by Octo Tempest and evicting the threat actor from cloud and on-premises environments: https://t.co/n3xqBD31JV
It's mind-blowing that such a highly privileged role hides who is assigned it in the portal by default 🤯
Great article... now I've even more things to monitor :)
The cost to run a company that has all the right cyber security tools and staff is absolutely obscene. It’s hard to describe the numbers I’ve seen. Even saying this is a gray area. But it is incredible headcount and spend. Non-keystone companies have no chance in normal paradigm.
For almost a year, invisible password spraying could be performed against any #Azure tenant due to a vulnerability in #MicrosoftGraph. In our latest blog, @nyxgeek walks us through how these attacks could have been carried out. Read it now! https://t.co/MFhwH4vZXy
We are proud to finally share some great research by Arnau Ortega on a 1-click #Azure tenant takeover attack. You can read all about it in our latest blog post. It explains how we could take over any Azure tenant; just by clicking one legitimate link 😨
https://t.co/WHMNJpPC7B
We’re delighted to announce that Richard Horne has been appointed as the NCSC’s new CEO and will take over in the autumn. Richard will join us from PwC UK, where he currently chairs the Cyber Security Practice.
More details here ⬇️
https://t.co/slh94apzzG
We are often engaged with organizations that have lost complete control of their Microsoft Entra ID tenant, I wrote a comprehensive blog post on lessons learned from real world engagements to try to help reduce the risk of the same happening to you https://t.co/Z00BulYbuN
The financially motivated threat actor tracked by Microsoft as Octo Tempest, whose evolving campaigns leverage tradecraft not seen in typical threat models, represents a growing concern for organizations. Get TTPs and protection info: https://t.co/YpGE33NaaN
I love this brave new world where a single leaked or stolen token can significantly impact cloud service providers, their customers, and even their customers' clients
#Okta #TokenBinding #DuckingTokens
If you need some help tracking down resources, links, blog posts etc to help address these issues, should you have them in environments you own or manage, I put together a list of the resources I usually share with customers during engagements - https://t.co/KXxxWabTAZ
Looks like a good time for a thread on token theft :)
Not all MFA is of the same quality, and anything using OTP (SMS, hardware/software tokens) or Push (MS Authenticator, Duo, etc.) is susceptible to AITM attacks
That doesn't mean it's useless, but it's becoming less useful
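As an added illustration of the point made in this thread (example code written for this page, not code from the original posts or from any vendor), the script below models an adversary-in-the-middle (AiTM) phishing proxy against two second factors. A TOTP code is just six digits; the proxy relays them unchanged and the identity provider cannot tell which page the user typed them into. A WebAuthn assertion is signed over client data that the browser, not the user, fills in, including the origin the browser is actually talking to, so a relayed assertion carries the proxy's origin and is rejected. The hostnames `login.example.com` and `login.example.com.evil-proxy.test` are assumptions, and an HMAC stands in for the credential's asymmetric signature (real WebAuthn signs `authenticatorData || SHA-256(clientDataJSON)` and also checks the rpIdHash); the origin check is the part that matters here.

```python
"""AiTM proxy vs. TOTP and vs. WebAuthn: why only one of them survives a relay."""
import hashlib
import hmac
import json
import secrets
import struct

# Assumed hostnames for the example (not from the original thread).
RP_ID = "login.example.com"
RP_ORIGIN = "https://" + RP_ID
PHISH_ORIGIN = "https://login.example.com.evil-proxy.test"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over an RFC 4226 HOTP core (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class IdentityProvider:
    def __init__(self, totp_secret: bytes, webauthn_key: bytes):
        self.totp_secret = totp_secret
        self.webauthn_key = webauthn_key   # stand-in for the registered credential public key
        self.pending = set()               # outstanding WebAuthn challenges

    def verify_totp(self, code: str, unix_time: int) -> bool:
        # The IdP sees only the digits; nothing in them records where the user typed them.
        return hmac.compare_digest(code, totp(self.totp_secret, unix_time))

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify_webauthn(self, assertion: dict) -> bool:
        client_data = json.loads(assertion["client_data"])
        if client_data.get("type") != "webauthn.get":
            return False
        if client_data.get("origin") != RP_ORIGIN:   # the origin binding that defeats the proxy
            return False
        if client_data.get("challenge") not in self.pending:
            return False
        self.pending.discard(client_data["challenge"])
        expected = hmac.new(self.webauthn_key, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["signature"])


class Authenticator:
    """Security key or platform authenticator; the browser, not the user, supplies the origin."""
    def __init__(self, key: bytes):
        self.key = key

    def get_assertion(self, challenge: str, browser_origin: str) -> dict:
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin}, sort_keys=True)
        signature = hmac.new(self.key, client_data.encode(), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "signature": signature}


def aitm_totp(idp: IdentityProvider, victim_totp_secret: bytes, unix_time: int) -> bool:
    """Victim types the code into the proxy's page; the proxy forwards it unchanged to the real IdP."""
    typed_by_victim = totp(victim_totp_secret, unix_time)   # from the victim's authenticator app
    return idp.verify_totp(typed_by_victim, unix_time)       # accepted: no origin to check


def aitm_webauthn(idp: IdentityProvider, authenticator: Authenticator) -> bool:
    """Proxy relays a genuine challenge, but the victim's browser stamps the proxy's origin into clientData."""
    challenge = idp.new_challenge()
    assertion = authenticator.get_assertion(challenge, browser_origin=PHISH_ORIGIN)
    return idp.verify_webauthn(assertion)                    # rejected: origin mismatch


def legitimate_webauthn(idp: IdentityProvider, authenticator: Authenticator) -> bool:
    challenge = idp.new_challenge()
    return idp.verify_webauthn(authenticator.get_assertion(challenge, browser_origin=RP_ORIGIN))


def demo() -> dict:
    totp_secret = b"12345678901234567890"   # RFC 6238 test-vector secret
    key = secrets.token_bytes(32)
    idp = IdentityProvider(totp_secret, key)
    auth = Authenticator(key)
    return {
        "totp_via_proxy": aitm_totp(idp, totp_secret, 59),
        "webauthn_via_proxy": aitm_webauthn(idp, auth),
        "webauthn_direct": legitimate_webauthn(idp, auth),
    }


if __name__ == "__main__":
    print(demo())
```

Push approvals are relayed the same way as the TOTP case: the proxy triggers a real sign-in, the user taps approve, and nothing in the approval is bound to the page the user is on. What makes WebAuthn/FIDO2 phishing-resistant is not the key material but the origin the browser refuses to let either the user or the attacker override.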
I can only strongly recommend reading the #Microsoft Digital Defense Report 2023. It also includes many interesting insights and statistics on identity attacks. For example, the methodology and overview of "return on mitigation" scoring. (1/2)
https://t.co/m3V5bM3vKm
A Zero Trust initiative is effectively working through a backlog of false assumptions of trust (trust debt).
Prioritization is critical for most organizations as they have 30+ years of IT decisions made when security wasn't considered/understood/prioritized/etc.
Beware of LUCR-3! 🚨 Threat actor that overlaps with Scattered Spider, Oktapus, UNC3944, & STORM-0875, they exploit IDPs for initial access & aim to steal IP for extortion. They use victims' tools and evade detection with expertise. @permisosecurity
https://t.co/WEbwLJkBWY