Don't Gamble with Golden SAML

Presented by

Dan Kaiser, Sally Vincent, and Jake Williams

About this talk

On December 8, 2020, FireEye announced that they had been the subject of a cybersecurity incident. Through their investigation, they discovered the SUNBURST backdoor and notified SolarWinds of the issue just four days later. This backdoor gave attackers access to Orion systems on victim networks, and once you gain control of a system like Orion, you have a ticket to ride. And ride they did. The attack compromised victims Office365 email accounts. But how did attackers get from the on-prem Orion systems to the Microsoft cloud? The Golden SAML attack. Golden SAML is a federated attack that steals the private keys of your ADFS server and uses them to forge a SAML token trusted by your Office 365 environment. This allows the attacker to access any O365 resource available to the impersonated user, including their mailbox. In this webinar, Dan Kaiser and Sally Vincent, threat research engineers from the LogRhythm Labs team, will walk through what the Golden SAML attack is and is not, how it works, and how to identify and prevent the attack in your environment. SANS senior instructor, Jake Williams, will join in on the conversation and help answer your questions about supply chain attacks. It's time to stop gambling with threats like Golden SAML. Watch on-demand today to learn how to detect and prevent supply chain attacks from threat research experts.

Related topics:

More from this channel

Upcoming talks (9)
On-demand talks (236)
Subscribers (73054)
LogRhythm helps security teams stop breaches by turning disconnected data and signals into trustworthy insights. From connecting the dots across diverse log and threat intelligence sources to using sophisticated machine learning that spots suspicious anomalies in network traffic and user behavior, LogRhythm accurately pinpoints cyberthreats and empowers professionals to respond with speed and efficiency. With cloud-native and self-hosted deployment flexibility, out-of-the-box integrations, and advisory services, LogRhythm makes it easy to realize value quickly and adapt to an ever-evolving threat landscape. Together, LogRhythm and our customers confidently monitor, detect, investigate, and respond to cyberattacks. Learn more at