Is your security team treating your Identity Provider (IDP) like a firewall? In this episode, Adam Bateman (CEO & Co-founder of Push Security) explains why that's a dangerous mistake and how modern attackers are bypassing SSO entirely. Drawing from his background leading red teams that simulated nation-state attacks, Adam breaks down the massive architectural shift from network-based attacks to browser-native exploits. We dive into the evolution of phishing, from "Click Fix" attacks that trick users into running malicious commands via their clipboard, to "Consent Phishing" that completely takes over Azure without ever touching the endpoint. If your company relies heavily on SaaS applications or Chromebooks, this episode would be a valuable listen.
Questions asked:
00:00 Introduction
02:50 Who is Adam Bateman? (Red Teaming & Simulating Nation States)
05:40 Why Identity & MFA Are Not "Solved" Problems
07:50 The Myth: Why an IDP is Not a Firewall
11:30 Consent Phishing: Exploiting OAuth Apps
13:30 The Architectural Shift: Network to Browser
15:30 Scattered Spider & The Rise of Identity Coalitions
19:30 Threat Modeling: On-Prem vs. Chromebooks
23:20 The Problem with SSPM and API Limitations
28:40 How "Click Fix" Attacks Trick Users into Running Malware
32:30 Omnichannel Phishing: LinkedIn, SMS, and Google Ads
34:30 Weaponizing Legitimate SaaS Apps (The DocuSign Exploit)
37:00 Consent Fix: Full Azure Compromise Inside the Browser
38:50 Disrupting the Secure Web Gateway (SWG) Market
41:40 Fun Questions: Wakeboarding, Culture, and Brat's Restaurant
Adam Bateman: [00:00:00] The reality of it is, you know, security team is just constantly fighting the force. Do we have patch management programs? Yes. Does it actually work in reality? No. An IDP is not a firewall. You can still just log in with the local admin password and compromise a server. Attackers just hop straight underneath the IDP.
We've now seen a, a big increase of attackers using legitimate SaaS applications to phish people. So what ends up in the inbox is a completely legitimate app that you can't block.
Ashish Rajan: Email is no longer target anymore. Phishing has evolved to a lot more things happening inside the browser.
Adam Bateman: Click Fix Attack, it's tricking, runs the Windows Command prompts Control V, which pastes it, and you press enter it downloads and runs malware.
We found a new attack, Consent Fix, which tricked them to run a command or enter a URL, which did a full Azure compromise a hundred percent inside the browser.
Ashish Rajan: I don't know about you, but you definitely have seen a rise of most applications these days are being produced for Web First, and a lot of the AI applications these days are on the browser as well, which led me to a conversation with Adam Bateman from Push Security.
He has been a red teamer for some time, and over the past [00:01:00] few years, they focus their attention specifically on browser security because their research discovered that a lot of the attacks that are happening seem to be oriented and focused primarily on the browser as a mechanism to initiate and execute that, not your email.
Obviously there's a space for email, but when was the last time you actually came across an Exchange server? That is, if you know what an Exchange server is to begin with. We spoke about identity-driven attacks and how there's a blind spot at the moment and some of the attacks that you see, especially if you're an organization that has a lot of SaaS applications.
This is definitely an episode for you. If you're someone who's looking at this evolving surface beyond just the endpoint security that we have, all loved and treasured for all this. While this is definitely in the conversation, I would encourage you to listen and probably share with other people who may be looking at identity initiated attacks as well.
Some of the popular ones these days are examples including the one that happened at MGM Casino, the one in the UK for M&S, Marks and Spencer, and many more that happened across the board, which have clear patterns of where this is heading towards as well. As always, if you are here for a second or third time and have [00:02:00] been finding the podcast episode valuable, I would really appreciate if you take a quick second to subscribe or follow. It's a free activity for you and means a lot because we get shown to more people. Thank you so much for taking that quick second to hit the subscribe, follow. We are on Apple, Spotify, YouTube, LinkedIn, and wherever you consume a podcast.
Thank you for taking that quick second to subscribe and follow. I hope you enjoy this conversation with Adam and I'll talk to you soon. Peace. Hello. Welcome to another episode. I have Adam with me today. Hey man, thanks for coming on the show.
Adam Bateman: Hey man. Great. Thanks for having me. It's great to be on.
Ashish Rajan: Maybe to set some context, if you can share a bit about yourself, where you are, what your journey in cybersecurity has been, so people have some sense of where you're from.
Adam Bateman: Yeah, so I'm, uh, I'm in St Albans, which is just north of, of London. Background, I've been a security practitioner for forever, basically since I was, I was one of those like, you know, teenage hackers. Got into the industry through doing a bit of ethical hacking, self experimentation, and then, uh, got into a very heavy red teaming type background.
So I joined a company called MWR, which always amuses me because no one's [00:03:00] ever heard of them. And the reason for that is because we were a super like specialist red team outfit. Really, really amazing group of, uh, honestly a lot of graduates, like people like, like me, who self-taught a lot of the red teaming engagements and came up and they just built this incredible culture of incubating heavy research and just diving into the unknown all the time, and it made this really incredible culture of just very, very curious, highly technical individuals. So we ended up being very, very well known for being the team you call when you really felt like your security was good and you wanted to understand what it was like to undergo an attack from a big nation state adversary. And so you'd be in a position where, you know, Fortune 100 would call us up and say like, right here's an objective, here's a timeline. Go. And we'd break in within a few days and like take full control of the network and sort of present back. And we commonly got mistaken, um, by big threat, our teams for real nation states and Oh really?
Wow. Even saw the, yeah, we even saw like the, you know, the odd public report go up [00:04:00] online talking about this new MO and it was actually us and we had to sort of mention and go, Hey, this was a simulation and you know, and bring that back. So really fun time, but it's, yeah, I've just always been fascinated by attacker tactics and so founded Push Security then based upon that, that premise and understanding of how attackers operate.
Ashish Rajan: Oh man, that's a pretty cool background to come from, and you guys being misunderstood to be a nation state rather than a group of really motivated individuals.
Adam Bateman: Yeah, it was a really fun time. It's like, kind of like Oceans 11 come real, you know?
But the, and it's come up, come up through that side is really interesting because I, I, I personally think, I mean there are many, many ways into founding, uh, into being a founder, but I kind of feel like when you have a very intimate understanding of the problem, like actually as attacks and how they operate, you then can come up with multiple ideas to solve that problem.
Right? Whereas if you don't intimately understand it, you are really instead sort of going, this looks like a hot, interesting space and then you are going [00:05:00] into that space. You know what I'm saying? Yeah. It's kind of like you sort of have to take and reinvent an area, but yeah, so for us, it, especially during detection response as our background, we found it to be a very, very, uh, you know, real strength and advantage for our team.
Ashish Rajan: Talking to you about the whole identity, IDP and how that kind of world has changed. What landed you in that identity space that is today? Well, lemme just reset some context. People assume, and for me as well, I've come from an identity background.
That's where I started my career. People assume that identity, MFA, this is like a problem that's all been solved for a long time. Conditional access, all of that. But I guess we, we were talking about this, how this model is starting to break down, and you had some interesting thoughts on why is this breaking down today versus like, why are username and password not enough?
IDP is not enough. MFA is not enough for an identity compromise today.
Adam Bateman: Yeah, it, it is funny because, I dunno, there's definitely a huge feeling that, you know, MFA's been [00:06:00] solved, but for me it's the same category as kind of patching's been solved. It's like, do we have patch management programs?
Yes. Can we patch things? Yes. But does it actually work in reality? No. And like, you know, there, there's, there's always lag times in patching and, and systems that have to be excluded and shadow IT that ends up outside of the, of the patch management. It's, it's just the same thing, right. Do we now have very, very good solutions around MFA and the abilities to sort of deploy centralized identity through, through IDPs and that sort of thing? Yeah, totally.
But the reality of it is, is you're just co, you know, security team is just constantly fighting the force. So there's been numerous things that, I mean, we can dig really deep into this, but I think if you, if you like put it this way, taking the old attack surface, which was open ports on the internet, if you went to your IT team and you said to them, Hey, gimme a diagram for how the network looks. They draw this really pretty diagram with like x number of hosts in the network with a couple of ports exposed. And then you do a [00:07:00] vulnerability scan. You're like, yeah, it looks nothing like this at all. Right? And, and it's exactly the same with, uh, with this sort of IDP, now we're in the cloud world.
People take their IDP, whether it be Okta, Entra, whatever it might be, and they would say, yeah, it's this with, you know, a hundred SaaS applications behind it and everything's got MFA on it. When you actually dig into it, wow. Like, you know. I mean ChatGPT was a good indicator. Everyone just signed up to it completely outside the IDP, loads of different areas.
Then people integrate into loads of other stuff and everything goes crazy. So I think you've got the situation where, yes, there are good controls for things like MFA, but what you have now is this massively complex distributed identity network and it's very hard to actually get MFA enforced across all of those in one go, if that makes sense.
Ashish Rajan: And to your point that when you say these are blind spots, are they changing the way attacks are done today? Is that why they don't work, or do they not work because I guess these are not strong enough?
Adam Bateman: Well, there's a couple of, there's there's a lot to unpack. I'll, I'll pick a couple of [00:08:00] angles. So I'd say one of the things is that, that there's a perception that within IDP, that it's like a firewall for your identities.
So you log into an Okta. It prompts you for MFA, and then you get some tiles and you click on one, it logs you in. All right? And the security and IT team do that every day. So they assume that that's what everyone else is doing. The reality is, is that an IDP is actually a lot more like a domain controller, right?
So it allows you to globally manage identities, but you can still just log in with a local admin password and compromise a server. So exactly the same thing's true is what, because we're in the browser, we actually see users do this regularly. What they will do is ignore Okta altogether and just Google for the login page.
Right? So they'll look, look, you know, Microsoft 365 login or whatever, or like Dropbox login page. And when you click the login button, it pops up and says, how would you like to log in: with Google, with Microsoft, with GitHub, with a username, with a password, or with SSO, and people just go log in with Google and then just, you know, [00:09:00] it's two clicks to create an account and then you have another identity.
Yeah. Now attackers that come along and then do cred stuffing, for example. What they do is just hop straight underneath the IDP and log in with a local account. They don't even know it's connected to SSO. Right. So I'm saying that a hundred percent. Having centralized identities in an IDP is really valuable.
Of course it is. But it's just that I think it's not a firewall, it's an overarching management layer. If you gained access to Okta, you could compromise everything beneath it, but you can also get into those underlying apps in lots of other ways as well.
Ashish Rajan: Interesting. Do you find that the, I guess the AI world, you can use the example of ChatGPT and third party login with Google instead of trying to put my own unique username and password for ChatGPT, I guess, is the way to detect identity compromise different now?
Uh, now that we're in this AI world.
Adam Bateman: Yeah, I mean, well, I think the, the thing that's interesting, we, because we've had this, you know, telemetry inside the browser for a long time, we see everything in real data. And I think the thing is, is that people don't necessarily have that level of visibility into the browser yet to actually see it for [00:10:00] themselves.
Ashish Rajan: Oh,
Adam Bateman: the reason I highlight something like ChatGPT is because that was the thing that, you know, they knew that the whole company was just sort of signing up to gen AI apps and it was like, oh my goodness, this is happening outside of my IDP, and people are stuffing company data into this en masse. For us, we were just like, look, there's 10,000 SaaS applications.
This has been happening for years. That's just one which people became aware of because of a huge trend. But actually it's the same for like, and this is a lot of stuff that's a lot worse than ChatGPT, like people self-service sign up to, like Zapier for example.
Ashish Rajan: Yeah. And
Adam Bateman: with Zapier you can, with a low-priv user, integrate it back to Slack and Teams.
So an attacker can then compromise, you know, Zapier, log in with a local weak credential and actually use the integration to then start sending, um, Slack messages and start phishing people inside Slack. Right. That, that's much worse than, you know, company data being in ChatGPT. So, yeah, I just, it, it's kind of like, um, I just mean that the gen AI boom was actually a good thing in that way because it brought it to everyone's attention.
This was [00:11:00] happening without technical controls, just from awareness, and then it shined a light on quite a big problem. Also, the rise of LLMs has made doing attacks against identity much more feasible now. I think that identity attacks have become much easier to pull off by using LLMs as an offensive tool, which is kind of an interesting space.
Ashish Rajan: I mean, I guess, 'cause as you were saying that in my mind, I'm like, wait, so does that mean the same applies for things like OAuth, obviously ADFS that people may have, or any first party application people may have? Does this apply to them as well?
Adam Bateman: Yeah, so I mean, that adds to the, the complexity as well. I mean, I think, um, when it comes to things like OAuth, I mean, what we've seen like a rise in, in stuff like, uh, what they call consent phishing. So you know, you, let's say you are in a good state where you do have MFA locked down and across absolutely everything, you can do things like, you know, we've seen attackers routinely saying, okay, well now I can't log in because you've got a YubiKey, [00:12:00] or whatever it might be.
Or passkeys set. So what I'll do instead is trick you into installing this OAuth app, and then the OAuth app has access to that person's account. So you could just, you know, send someone a link. They open it up and it says, Hey, you need to install this app to continue. It integrates it into M365. And then they can control the app through Graph API, and the app has access to your email, into your inbox.
At that point, you can just go off and click password reset across loads of applications and 'cause you control the inbox, you can just reset it and pull it all back out of MFA and, and that kind of thing as well. So, so yeah, I mean it's, it is a lot more complicated than people think and that's the thing that's interesting, but that's why I say the reality of having the network diagram from it versus doing a vulnerability scan, the two things are quite different.
And, uh, you know, it's, it's always been like that, right? You, you apply security controls and you verify. Identity in the cloud's exactly the same. You apply security controls. We should also verify.
Ashish Rajan: And so are we saying that obviously you've, you've been done, you've done a lot of work in this browser space for this specifically.
[00:13:00] Is that why your focus today has gone into, after all the experience that you've had, gone into the whole browser space? 'cause I guess a lot of people have always, and even I'm guilty of this as well. Initially, the whole idea of it, phishing, or any of this was email was my quote unquote the attack vector that people, most people cared about.
That's where I was assuming things are gonna start. That's where I wanted to stop my PII being distributed. That's where I wanted to stop ish from clicking on that link that was sent over, because that installs some malware on his machine, all of that. So I, I guess where you're going with this is that the, the modern workflows have changed so much that email is no longer the, I mean, it's not that the target anymore. It still may be a case, but phishing has evolved to a lot more things happening inside the browser. Is that what you're getting at?
Adam Bateman: Yeah, I mean, I, I think mainly there's just been this enormous architectural shift, right?
We used to work on app, on our laptops with applications, talking to network.
Ashish Rajan: Yeah.
Adam Bateman: And [00:14:00] now we work inside our browsers with our browsers talking to the cloud, right? And so the laptop to network was bound together with the ports and protocols. The browser to cloud is bound together with identity. So the, so the modern attacks are now how do I get access to this identity in a creative way to either, or to get access to the cloud services where all the critical data is.
Now, you can either do that by targeting the identity on the cloud end, or you can do it by phishing a user outside the browser or increasingly installing a malicious browser extension or compromising a legitimate browser extension and then doing a supply chain attack to get access to the identity inside, inside the browser.
And so like I think the thing for us is being from a red team background, our whole world was network orientated. When we then started a company, we were like, look, everyone's shifting to cloud. The whole ecosystem is gonna be there. And I think like attacks are gonna move in this direction and, honestly, at the time it was based upon a theory that this is how we would attack a modern company.
Yeah. There were [00:15:00] no, like, you know, when we started, there were no real attacks out there at all. So people just thought we were a bit crazy, you know, at the time. Yeah. But it just made logical sense to us. We started building what we considered to be EDR in the browser and it wasn't the endpoint. Now it's there and then all of a sudden groups like Scattered Spider and LAPSUS$, and you know, now they've joined a coalition group called, they're called Scattered LAPSUS$ Hunters, and they're like dominating everything.
For this reason 'cause they just hook, I don't need straight out the browser and they log straight in, doesn't see an EDR or anything. So it, it's just like, I think the architectural shift of how companies now look, becoming more cloud focused, has then brought with it a weak spot where there's an underinvestment in security, which has then brought about a big wave of attacks from these very high profile groups that are now incredibly successful.
There needs to be a lot more innovation in this whole area for that reason, because that's where all the modern breaches are happening now. Like, you know, none of them had hit
Ashish Rajan: the network. They all hit the browser. Oh. I'm, uh, maybe worthwhile explaining the whole Scattered Spider, uh, incident as well. 'cause I, I, I mean, [00:16:00] people like you and I probably are aware of it, but maybe many people may not be.
Could you just expand on that example, like what those, uh, Scattered Spider people are, are doing?
Adam Bateman: Yeah. So the, there are a few different groups, so, um. The, so LAPSUS$, ShinyHunters and Scattered Spider are the ones that are the most famous. There's, there's another group called Hellcat that tends to go after, you know, Jira instances using the techniques that we were just discussing.
They're vulnerable,
Ashish Rajan: so they're specializing in individuals services as well.
Adam Bateman: Well, they, I mean, they, they tend to have a particular MO. Um, but their MO tends to be just to go straight for identity. So they, what they're doing is either phishing campaigns to get directly to, you know, taking over identity.
Obviously, one of the things they're quite famous for is, is help desk calls for like, you know, tricking service desks to reset MFA. The, the thing that's interesting about the service desk thing is that's the thing that hits the headlines. That's the technique that hits [00:17:00] the headlines. But the reason it hits the headlines is 'cause it's very understandable for like, you know, your, your mom and dad to understand.
And so the, the press tend to sort of hook onto that. 'cause it's a nice story to tell that is non-technical. So that happens. Yeah. You also then see people saying, oh, there's been a 400% increase in help desk calls, but it's come off a tiny base of like five that have happened in the past. Right. So it is prolific and it is something that you should solve, but I think people tend to sort of be like, oh, to stop against these, to, to protect against these groups, you have to solve help desk. And it's like, well no, that's one MO that they do. If they can silently phish, they'll do that too, right? So anyway, these groups have sort of adopted this whole, this whole mindset.
And I, and I think it's, it's because of the fact that they know the sensitive data is now in cloud, but also because of the fact it's getting more and more expensive to hit the network and bypass EDR and these big MDR services that are over, over watching everything. So they, between them collectively, they've compromised, you know, [00:18:00] Microsoft, they, they were the ones that broke into Okta.
MGM Resorts was, was a big, you know, hit the news at the time. JLR more recently, you know, Marks and Spencer. They've dominated the UK infrastructure unfortunately, which has like really, really, really hurt. So being, you know, both of us living here as well in, in Britain. But, um, and then most recently there was a big campaign against Salesforce.
Um, so it's a very interesting thing about how high profile those attacks are. They're very successful and none of them started on the network at all. So anyway, the reason now, um, they have a Telegram channel and they recently, you know, posted some messages taunting a particular company under the name Scattered LAPSUS$ Hunters.
Ashish Rajan: Right?
Adam Bateman: And that's how we know that all those groups have been successful individually, but they've now formed a coalition group and now they're, they're all dominating together as one. So it is a real convergence at the moment. I think that's why a lot of people are starting to really think about identity a lot more than they used to.[00:19:00]
Ashish Rajan: I guess to what you were saying earlier, because most of the logging we have is based on the application. We are looking for software vulnerabilities. We're looking for, to, to what you were saying, a shell, they're trying to have access to the network or fuzzing on the web application that I, that is exposed, but it's not, and I, I'm assuming at that point in time, the assumption we make over there is that, oh, uh, if I try a SQL injection, it'll get picked up by my WAF.
What is a WAF doing in all of this then? Isn't that supposed to be, or does that not play any role in this? I mean, I, I'm, I think I know my answer, but I'm just curious as to what you think of this.
Adam Bateman: Yeah, I mean, it is interesting 'cause if you, if you are talking, the reality is everyone is like a blur between on-prem and cloud and they are a certain way through their transition.
Ashish Rajan: Yeah.
Adam Bateman: But it's, it gets confusing if you think about that type of company. So it's much better to think in pure terms, right? So think about someone that's very on-prem, hosts everything on their own, and then on the other end, [00:20:00] think of a company who is 100% Chromebooks. Can't even install EDR because it doesn't really run, you know, only, it's kind of limited in what it can do on, on such, just basically a big phone.
They're inside the browser talking a hundred percent to cloud and SaaS services with no network and all of their offices are no, no more than just internet access. Right? Yeah. If you think about those two things and, and what kind of defenses you'd need and how you would target them, right? On the legacy on-prem side, you would do a browser exploit, you would trick them with spear phishing to run some kind of malware.
You would have hosted applications on, on, you know, on the, on the network perimeter, and you would port scan and vuln scan looking for weak services and find applications that you could exploit through things like SQL injection.
Ashish Rajan: Yeah.
Adam Bateman: And you'd have a WAF to protect against that. If you think about the other company, like the really modern how do you attack a company like that, right?
Like the endpoint attacks are fairly limited. It's, it's not really the same in the sense that yes, you can get a shell on a Chromebook, but it's [00:21:00] like a read-only operating system. You can't really talk out to the network, you can talk back to the cloud, where all the value is in the cloud, right?
Yeah. So the, the, I think the thing is, is if you are using a hundred percent cloud and SaaS services, it's their responsibility to run things like WAFs. It's their responsibility to patch and, and secure the, there's no responsibility for you as a consumer of those applications. Really, the bit that's your responsibility is making sure users don't fit, get phished.
And basically all of the identities, right? Yeah. Like, so it's, you know, it's all malicious extensions and, and, and everything else. So the, the shift has happened, as I said. There aren't, you know, I'm not saying that there's huge swaths of companies that are a hundred percent Chromebook orientated. There's always a blend of those architectures.
Yeah. But it's just helpful to think in pure terms when you start thinking about the attacks.
Ashish Rajan: Yeah, and I think it's a good distinction also, because even the people who are quote unquote hybrid, I may have a cloud application or even a cloud AWS hosted application, which someone is accessing through a browser.
They're not like, I mean, there's obviously the engineers [00:22:00] going to the backend of whatever, but primarily speaking, a lot of people are concerned about the application on the web front rather than 'cause the, the, the network part, I would imagine, is covered to a large extent. Uh, I love the example that you had between the two, the distinction between the Chromebook-first people as well as the on-premise-first people and I, I guess, I think in the middle where the cloud people are even then.
I would say that now that identity has been highlighted as settled the single thread across all three of them, which is quite common. And I guess if you compromise that, you basically compromise everything. What is, I'm, I'm curious. A, is there a detection today that is possible for this thing in this world of cloud and hybrid?
Because a lot of, I mean I think, I can't remember the stat, but 70% of applications are SaaS applications in most organizations. 'cause there was this wave before the AI wave, there was another wave where SaaS first, cloud second and third was something else. Whatever that architecture move was. So as [00:23:00] part of that movement, a lot of people did move to SaaS services.
Which kind of, to your point, you may have a Chromebook, mostly SaaS applications. Now you're perfectly in that hybrid slice of, oh, well I don't have anything apart from SaaS services. In that world, was detection already possible or we never got the logs or what? Why was this not possible then?
Adam Bateman: Yeah, it's a really interesting space, so, so yeah, it's really good to focus in on that area because as I said, even if you are not a hundred percent working in the browser, and you are part, partway through your transition, your company will be 50% or 70% or whatever on-prem.
Ashish Rajan: Yeah.
Adam Bateman: And 30% like this new world, right? That's right. Whatever that percentage is. Yeah.
Ashish Rajan: Yeah.
Adam Bateman: That's the weak spot of the company, and that's the way that attackers can get, even if it's 5%, it's still part of an attack surface which is uncovered.
And so really understanding that is, is something that people are, are focused on. So to answer your question about how those attacks are done [00:24:00] now, there was the rise of the sort of SSPM space.
Ashish Rajan: Yeah.
Adam Bateman: There was the rise of the sort of CNAPP and cloud space. I think Wiz have demonstrated an incredibly great, brilliant product for actually locking down your cloud applications.
Great. Like you can do a lot of that stuff on the server side. When you try and translate that into the SSPM world, the reason it really didn't get a massive amount of traction is, I think actually, having explored this area, because actually it's hard to get the same level of access to the data. Right?
So cloud is, you know, a lot of self-hosted apps and lots of customization. You can get really deep into it.
Ashish Rajan: Yeah. But
Adam Bateman: with SaaS applications, you are really dependent on the APIs. That's the only way you can integrate with them. So if you're talking about Azure and Entra, Microsoft Graph API, there's a lot of lucrative information you can get out of that.
Similarly for Google Workspace, similarly for company, you know, things like Salesforce, but after that it's diminishing, right? Mm-hmm. And so you get companies that start to do integrations with these other areas, and it gets harder and harder. I mean, you can't even [00:25:00] really find, you know, you can find out what user accounts are there, but they won't give you the MFA status a lot of the time.
They certainly won't tell you if the password's weak or not, right? Yeah. So, so you're just sort of beholden to having to get to the APIs. Then on top of that, if you think that, you know from our data, 40% of your SaaS applications plus, you know, that's minimum, is shadow. So people just signing up to things like the ChatGPT services, you don't even get the opportunity to integrate with those because you don't know about them.
Right? So, so it's kind of like, it's very difficult to get to the attack surface as we saw it from the server side for the SaaS side. The reason we decided to move into the browser was because it is the ingress point for every identity and every service that happens. And so as a user logs into a SaaS application, there you can see, hey, a user logged in, you can fire a log and you can go, yes, it has or doesn't have a, you can even inspect the password securely to know whether it's weak or not.
Ashish Rajan: Yeah.
So
Adam Bateman: you can do everything across all of them, if you see what I'm saying. So to answer your question about how the [00:26:00] attacks, uh, are done. If you're inside the browser, you can actually, very generally speaking, you can detect phish kits. So we'll do things like, as users log into these SaaS applications, we see a successful login.
We therefore know that's a business app. We'll then profile the application. We inspect the DOM, we do visual recognition, and we understand what that login page looks like. If then we see, you know, all of the users logging through, that information is shared down to every extension. It's like, this is a primary business application that's being used.
If you then see an attacker try to clone one of those pages to try and trick someone, that is an anomaly. It's something that's happening outside of that, and we can block that from happening, if that makes sense. Yeah. So when it comes to phishing, having that tight ecosystem around SaaS applications can actually be an advantage for finding anomalies where people may have cloned pages and are trying to steal credentials,
Ashish Rajan: as you said that, uh, I think one thing that was coming to my mind was, I clearly spend way too much time on LinkedIn than I should, [00:27:00] but it's one of those things where a lot of people access things like even LinkedIn on their personal browser.
And there's, a while ago, where we responded to an incident in my previous role as a CISO somewhere, I can't remember which year it was, but I remember the case specifically where the person was in a browser during work hours and was offered a job with a PDF or sendo, which is, quote unquote, roles and responsibilities for this new job, or whatever you wanna call it.
The reason I'm using that example here is, from what you're saying and what I'm hearing, if the profile of your organization has a lot of SaaS applications, AI or not AI, or maybe a SaaS application enabled by AI, the threat model is now different. I think the preexisting threat model of network is, whatever the example was, the coconut kind of structure where you have a hard exterior and soft interior. That maybe still works on-premise, but the SaaS [00:28:00] application, it's like your front door.
So how has the threat model changed with this approach and maybe how should people think about threat model in this particular scenario?
Adam Bateman: Yeah, it's wildly different. And the thing is, it's one of those, I liken it a lot to when EDR emerged, right? If you think back to when everything, you know, there was a world when I was red teaming and pen testing where my whole life was trying to break through the DMZ.
You know, it was like, is RDP exposed to the internet and can you break past, or is there some kind of exploit that you can get in through? And it was all just perimeter orientated. And I really clearly remember the time where it got harder and harder and harder. And frankly, pen testing got way more boring 'cause you were just reporting loads of low and medium risks.
And then we just sat there one day and said, hey, like why are we doing this? Why don't we just do a client-side attack and compromise the endpoint? It was like shooting fish in a barrel because there was no EDR. You know, the most you had to do was sort of malm your payloads to get around AV or whatever. [00:29:00]
Anyway, the point is, it was just obviously true that it was possible to attack companies in this way. But no one knew, like, you know, as far as everyone's concerned, all the attacks were against the endpoint. Anyway, EDR emerged and guess what? It's the main reason, but what came first, the chicken or the egg, you know, was it, it's kind of a, as soon as you spot it, you've actually got the visibility.
People saw all the attacks all the time. And then once you saw all the attacks, everyone was like, wow, you know, and the more got developed there. So anyway, over now, over a decade, the attacks against the endpoint have become much, much harder to do and much more expensive. And now the same thing's happened inside the browser, right?
So we're definitely in this era now where once people get visibility in the browser, they start seeing the attacks and oh my goodness, this makes so much sense.
Ashish Rajan: Yeah.
Adam Bateman: But the understanding is lagging behind it, right? So in the old world, the threat model was malware, spear phishing.
Ashish Rajan: Yep.
Adam Bateman: Browser exploitation, although that's diminishing quite a lot now, you know, it was all kind of network-oriented [00:30:00] attacks.
The threat model when it comes to these sorts of attacks is mainly phishing, browser extensions, credential stuffing, consent phishing, like tricking people to install OAuth apps.
Ashish Rajan: Mm-hmm.
Adam Bateman: And things like, you know, session hijacking. So infostealers run on the endpoint, steal sessions out of the browser, and then you can use those to access, which kind of blurs the line with endpoint.
But what we've seen, I think the most interesting couple of things we've seen is two things. One is the radical evolution of phishing; it's got way different, you know, it's gone outside of the mailbox. We can dig into that if that's of interest to you; it's really interesting how that's evolved.
And the second thing is the evolution of these sort of Click Fix attacks. You've seen those where a user hits a website and it pops up and it injects a payload using JavaScript onto the user's clipboard. Yeah. And then it says, please verify you are human, and makes you go Windows+R, which runs the Windows command prompt.
Ashish Rajan: Yeah,
Adam Bateman: Control+V, which pastes it, and you press [00:31:00] enter, it downloads and runs malware. So phishing has gone really advanced, and that Click Fix type attack, we've just seen it take off in sophistication over the last year or so.
Ashish Rajan: I mean, yeah, I, I would love to double click on the phishing one.
Also because I feel like, funny enough, all the emails have moved on to Office 365 being online as well. There's no one, there's no Exchange anymore from what I hear. Exchange is on the down. Like, uh, Microsoft has been pushing everyone to start using Office 365, the SaaS version of it, as well.
So technically emails these days are also not on an Exchange server that I need to take over. How much more has changed with phishing now? Because a lot of people still probably have, maybe the same way I did, a belief in, uh, the whole IDS/IPS for phishing and, hey, my IDP's gonna take care of me for the phishing.
How much has that changed?
Adam Bateman: Yeah, it's super interesting. So I will first of all say email [00:32:00] security is not going anywhere, right? The vast volume of phishing still comes through email. And also there's different types of phishing. So for example, one that's trying to trick a CFO to transfer funds out, that happens through the inbox.
There isn't a link or whatever; that happens there. So it's absolutely needed. What I would say is, because of the fact that more data has moved to cloud, more credential phishing needs to happen to get access to identity. We've started to see a huge evolution in that area. And so in that context, the email inbox is, remember, it doesn't happen in email.
It's a delivery mechanism. It's one of the delivery mechanisms. But when you click on the link, it detonates inside the browser, right? It doesn't matter whether you click it on-prem or you click on a cloud-based one, it opens the browser and then the phishing happens there. So what we are now seeing is there's a couple of trends.
There's [00:33:00] evolution of attacks that get through email, which I'll talk about in a second, and then there's what I'm calling omnichannel phishing. So we're now seeing phishing attacks like we reported recently, a very high-profile campaign where an attacker took control of someone's LinkedIn account, method unknown, but probably cred stuffing or some other phishing.
Then they DMed all of the quite high-profile CEOs of various tech companies with a phishing link with an investment opportunity.
Ashish Rajan: Oh,
Adam Bateman: the CEOs got this from a known, you know, contact, and they're like, oh, of course, open the investment, which was a phishing link. They actually used that to then gain access to the organization.
Now the ones we know about, thankfully we blocked those, and so there was no, which is why it's okay to talk about it. It's been out quite publicly. But it's interesting 'cause it blurs the line between personal and business at this point, right? Like these people opened their personal LinkedIn account, got a link, and then logged in using their Google [00:34:00] Workspace account, right?
You also think SMS phishing; we catch phishing links that come through people's personal email inboxes, through social media comments. You even see people doing things like they hack, um, marketing teams, take control of their Google Ads accounts, and then use that to distribute phishing links across the Google Ads network.
So it comes up as sponsored results, right? So omnichannel just means yes, email is a prolific source of phishing, but it's also spread out through lots of other areas as well. So that's one innovation there. The other thing that's happened with phishing is that I think, um, traditional phishing would do things like impersonation.
So it would pretend to be DocuSign, but come from some other domain. So in email security you are able to look at this and go, well, you know, this isn't a legitimate domain or whatever, and you can block this. We've now seen a big increase of attackers using legitimate SaaS applications to phish people.
So they'll use, like, Microsoft Dynamics or sites.google.com, or sign up to a DocuSign, pay the [00:35:00] $20, right? Create a document with a blurred-out court order, put a big button in the middle, which is a phishing link, and then just send it to someone for signing. So what ends up in the inbox is a completely legitimate app that you can't block because it's from a real SaaS application.
There's nothing wrong. But when the user clicks to go and sign the document, they get phished. You know? So it's just, yeah. And it is natural innovation, 'cause the target is now identity and therefore cloud. It's natural that there's been a huge increase in these sorts of attacks.
So yeah, that's the sort of traditional phishing, and it goes very, very deep. But it's, uh, it's really interesting.
Ashish Rajan: Yeah. You had another phishing example that you were giving earlier, so that was the traditional one. You had another one
Adam Bateman: Click Fix. Yeah. So when we first saw Click Fix circulating, honestly we shared it on our internal Slack channel and we were laughing about it 'cause it just seemed like a novelty.
The fact that you could trick someone to copy and paste and run a command just seemed wild. But then it was prolific. Right? And the reason it's so successful, people don't realize, is that the early [00:36:00] incarnations would trick someone to run PowerShell to download malware, basically, right?
And people thought, oh, well, you know, EDR stops this or is designed for it. The problem is that actually, if you look at the data, it speaks for itself. It doesn't stop it in a lot of cases. And the reason for that is, I'm really taking a sort of basic example here, but one of the things EDR will do is look at the parent process.
If it sees chrome.exe spawning PowerShell, that's bad. But think what happens with the Click Fix attack: it's tricking the user to actually copy and run the command, so it comes directly from the user. Right? So
Ashish Rajan: it
Adam Bateman: there's a nuance there. It's like, do I block the user from doing this or not?
Right? So anyway, that was the earlier incarnation, but the reason it's become so prolific is we've now started to see a professionalization of this. So we're seeing attackers target legitimate sites like WordPress sites, backdoor them with a bit of JavaScript, so it's like a watering hole attack.
People are then doing organic Google searches, hitting a legitimate site, and it'll pop up and say, [00:37:00] hey, please verify you're human to continue, and it'll show a little video of what to do with a countdown timer, which urges the user to do it quickly.
Ashish Rajan: Oh my God. Okay.
Adam Bateman: Yeah. And then the payloads that are being executed to download malware, they're things like run an embedded browser with MSHTA and trick the user to enter the credentials into it, and all this different stuff.
Anyway, point being, I mentioned consent phishing earlier, where you trick a user to, you know, grant OAuth access. Now we're talking about Click Fix. A few weeks ago, we just published some research on this. We found a new attack, which we named Consent Fix, which effectively is a combination of Click Fix and, uh, consent phishing together.
We worked with some very high-profile companies, so we can very much trust attribution, as far as you can trust attribution, and it was confirmed to be, you know, Midnight Blizzard, a big Russian threat actor. The reason this was really interesting is because it [00:38:00] was a Click Fix campaign.
It didn't trick the user to execute a command on their host. What it effectively did was trick them to run a command or enter a URL which did a full Azure compromise, right? So the user came along and they were tricked into performing some actions which would take control of the company's Azure. But the thing that's wild about that is it's a hundred percent inside the browser.
Like there's no command executing on the endpoint at all. User organic search hits a watering hole site, runs a command, which then takes full control of Azure in the cloud. Nothing leaves the browser. It's a hundred percent browser native. So this sophistication is just going up and up, and I think that's the future of what we're gonna see.
It's just getting more and more prolific now, these types of attacks.
Ashish Rajan: I think one of the things that, as we are talking about this, one thing that is top of mind for me at the moment is that a lot of people probably don't have a legitimate owner for browser security. Like there's a corporate IT person [00:39:00] who's responsible for deploying browsers across the organization, standardization, all of that.
But who owns this browser security piece? Is that clear today because, or is that even understood?
Adam Bateman: Yeah, that's interesting. So it depends on how you look at it. This is a fast-evolving space. Today we are positioned as a detection and response tool because that's our blood. It's what we're the best at.
We're often bought by, you know, the same people that would run your EDR, really. So in a very large organization, that would be the SOC. You know, in a smaller organization, it's whoever deals with sort of threat prevention. Ultimately though, this space is a disruption of the SWG space, right?
The secure web gateways and sort of proxies. And the reason for that is because proxies and secure web gateways are ultimately about safe web browsing.
Ashish Rajan: Yeah.
Adam Bateman: Browser security is ultimately about safe browsing as well. They were born in a time where, you know, people were SSHing and RDPing [00:40:00] out and, you know, BitTorrent and stuff like that.
Now, 95% of the traffic happens through the web. Yeah. And so what they're doing is SSL interception to sort of break the encryption streams so they can get inside and see, which is difficult. The problem is that with modern applications, even if you do SSL interception, it used to be that your browser would fetch the entire app, and as it traversed the proxy, you could inspect it.
Modern day, it's a very light HTML page that comes down as the initial payload and then JavaScript stages the rest of the application; increasingly the agent stages the rest of the application. So you can never see the whole thing from, you know, from a secure web gateway. Once it's loaded inside the browser, there you have the full context, so you can do dynamic analysis on it to stop the attacks.
Way more effective. You don't have to do TLS interception 'cause you're in the browser. Right. So the point being, this is like, I think, um, you know, EDR started as like a flight recorder on your endpoint and ultimately it became endpoint security. [00:41:00] I think the same is true here. It's like browser-based EDR for detection and response tools.
But longer term it becomes about whole secure web browsing and like a new secure web gateway type category.
Ashish Rajan: Yeah, I think the way we explained that, the evolving nature of it, as well as people who are predominantly in the space of SaaS. They probably have some corporate IT person who's looking after all this, but it sounds like they should definitely revisit this conversation on, um, how browser security is evolving for them specifically.
They're primarily in the SaaS space. I mean, those are, uh, most of the technical questions I had. I've got three fun questions for you as well, man. First one being, what do you spend most time on when you are not trying to solve the EDR problem, solve the browsers of the world?
Adam Bateman: On a plane to America. Well, half my time, I swear I'm sitting there, on a first-name basis with all the airline staff at this point.
But no, honestly, the honest answer is that I'm obsessed with anything to do with the water. So like, you know, wakeboarding, sailing, all that kind of stuff. But the honest, [00:42:00] honest truth is being a founder takes everything you've got. So I've got two young kids, five and eight; all my time is Push Security, uh, and them at the moment.
But yeah, that is the, that is the thing that I love, so.
Ashish Rajan: Fair, fair. And the second question, what is something that you're proud of that is not on your social media?
Adam Bateman: That's not on social media?
Ashish Rajan: Yeah.
Adam Bateman: Honestly, it's the culture that we've built inside the company. And I don't talk about that on social media myself because I think it's more impactful coming from the team, but I think that.
There are a lot of rewarding things about being a founder. I think some people, you know, do it for a financial payout. That's not me. I've never been that. I've always been a missionary. For me, it's the mission, and sort of defining this category is very much on social media, but honestly, the most rewarding thing about being a founder is having this opportunity that you can bring all these people up and they're all in the mission with you, and they're progressing, and the triumph of building something new and everyone progressing their careers all the [00:43:00] time. We've been very intentional about the culture in Push and, uh, yeah, we're just really proud to have incubated that.
That is something we're continuing to be very intentional about.
Ashish Rajan: That's a good, good one to share. The third question I have is what's your favorite cuisine or restaurant that you can share?
Adam Bateman: Do, I'm a really big fan of, uh, of Brat, have you been there?
Ashish Rajan: Oh, no, I haven't tried it yet.
Okay.
Adam Bateman: I really like it. Yeah. It's, um, the reason I like it so much is, it is actually now a Michelin star restaurant, but I'll just say this, to paint the image here, is that I didn't know that, and that's the thing that's brilliant about it, is that it's this really kind of casual-vibe restaurant in Shoreditch, with like an open grill, uh, fireplace. And they serve kind of like meat and fish, you know, that's it, but really, really well cooked. That's great. Yeah. And it's a really, really casual place and you kind of go there. And I actually went there, and then after [00:44:00] I paid the bill, I realized, and I looked, and the point is they're not like one of those really glowy restaurants with, like, you know, five forks and five knives, and really sort of talking about the fact that it's Michelin starred. It's kind of understated, which is what's so great about it. So, yeah.
Ashish Rajan: Wow.
Adam Bateman: I would, uh, I'm not on commission there, but I would check that out.
Ashish Rajan: I mean, at this point in time, they should just give you some, uh, some stock in there as well by now.
Well, thank you for sharing that. I'm gonna check that out as well. I have, I have not checked that out yet, so I'm gonna just check that out. For, for people who probably wanna connect with you and learn more about this evolving space with browser security specifically, where can they learn about more, more about you, connect with you and learn about Push security as well?
Adam Bateman: Best place is probably via LinkedIn. You can email me on adam@pushsecurity.com. Very, very interested in collaborating with people in this space. It is a very fast-evolving space, and because of our background, as we said at the start, we are very, very research-led and [00:45:00] so we are pushing out a lot of research in this area.
And so, you know, reach out to me directly. I'd be happy to, to share some of that with you. But you can also, you know, follow us on, on, on X or LinkedIn. Um, and you can see a lot of the research we've been, we've been pushing out there as well, so, yeah.
Ashish Rajan: That's awesome and thank you for sharing that. And I'll put those links in there as well.
But man, this is like an evolving conversation. It sounds like we should definitely have a part two for this. But, uh, I'll let you go for now. Thank you so much for your time and, uh, thank you everyone for tuning in. Thanks. Thank you for listening or watching this episode of Cloud Security Podcast. This was brought to you by Tech riot.io.
If you are enjoying episodes on cloud security, you can find more episodes like these on Cloud Security Podcast TV, our website, or on social media platforms like YouTube, LinkedIn, Apple and Spotify. In case you are interested in learning about AI security as well, check out our sister podcast called AI Security Podcast, which is available on YouTube, LinkedIn, Spotify and Apple as well, where we talk to other CISOs and practitioners about what's the latest in the world of AI security.
Finally, if you're after a [00:46:00] newsletter, it just gives you top news and insight from all the experts we talk to at Cloud Security Podcast. You can check that out on cloudsecuritynewsletter.com. I'll see you in the next episode.