www.obsidiansecurity.com
35.202.211.50
Public Scan
Submitted URL: https://start2.obsidiansecurity.com/MTI0LURJVi0yNjkAAAGOlN4L0muFyxND-DcHaFjxZG_Z4n_fJ_dwbmBRu-Y_sEVBu3-EITcXm2DzRbtGwwyCPcxkgJk=
Effective URL: https://www.obsidiansecurity.com/blog/circleci-and-token-threat-integration-risks/?mkt_tok=MTI0LURJVi0yNjkAAAGOlN4L0iSFMwN0TYdTmB...
Submission: On October 03 via manual from CA — Scanned from CA
Form analysis: 1 form found in the DOM
POST /blog/circleci-and-token-threat-integration-risks/?mkt_tok=MTI0LURJVi0yNjkAAAGOlN4L0iSFMwN0TYdTmBFErMOYt8mFT85riEfc6CgbOIGOojf6n_7w_tz5n8wOflCh9bkmJ1NlBPDl9HH_PzvQZ86w_Z6PncZtSLl_oUSt#gf_1
<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_1" id="gform_1" class="gform-default"
action="/blog/circleci-and-token-threat-integration-risks/?mkt_tok=MTI0LURJVi0yNjkAAAGOlN4L0iSFMwN0TYdTmBFErMOYt8mFT85riEfc6CgbOIGOojf6n_7w_tz5n8wOflCh9bkmJ1NlBPDl9HH_PzvQZ86w_Z6PncZtSLl_oUSt#gf_1" data-formid="1">
<div class="gform-body gform_body">
<ul id="gform_fields_1" class="gform_fields top_label form_sublabel_below description_below">
<li id="field_1_2" class="gfield gfield--type-text gfield_contains_required field_sublabel_below gfield--no-description field_description_below gfield_visibility_visible placed-labels" data-field-class="placed-labels"
data-js-reload="field_1_2"><label class="gfield_label gform-field-label" for="input_1_2">Name<span class="gfield_required"><span class="gfield_required gfield_required_asterisk">*</span></span></label>
<div class="ginput_container ginput_container_text"><input name="input_2" id="input_1_2" type="text" value="" class="large" aria-required="true" aria-invalid="false"> </div>
</li>
<li id="field_1_3" class="gfield gfield--type-text gfield_contains_required field_sublabel_below gfield--no-description field_description_below gfield_visibility_visible placed-labels" data-field-class="placed-labels"
data-js-reload="field_1_3"><label class="gfield_label gform-field-label" for="input_1_3">Company<span class="gfield_required"><span class="gfield_required gfield_required_asterisk">*</span></span></label>
<div class="ginput_container ginput_container_text"><input name="input_3" id="input_1_3" type="text" value="" class="large" aria-required="true" aria-invalid="false"> </div>
</li>
<li id="field_1_4" class="gfield gfield--type-email gfield_contains_required field_sublabel_below gfield--no-description field_description_below gfield_visibility_visible placed-labels" data-field-class="placed-labels"
data-js-reload="field_1_4"><label class="gfield_label gform-field-label" for="input_1_4">Email<span class="gfield_required"><span class="gfield_required gfield_required_asterisk">*</span></span></label>
<div class="ginput_container ginput_container_email">
<input name="input_4" id="input_1_4" type="text" value="" class="large" aria-required="true" aria-invalid="false">
</div>
</li>
<li id="field_1_5" class="gfield gfield--type-phone field_sublabel_below gfield--no-description field_description_below gfield_visibility_visible placed-labels" data-field-class="placed-labels" data-js-reload="field_1_5"><label
class="gfield_label gform-field-label" for="input_1_5">Phone</label>
<div class="ginput_container ginput_container_phone"><input name="input_5" id="input_1_5" type="text" value="" class="medium" aria-invalid="false"></div>
</li>
<li id="field_1_7" class="gfield gfield--type-select gfield_contains_required field_sublabel_below gfield--no-description field_description_below gfield_visibility_visible" data-js-reload="field_1_7"><label
class="gfield_label gform-field-label" for="input_1_7">Primary Cloud Productivity System<span class="gfield_required"><span class="gfield_required gfield_required_asterisk">*</span></span></label>
<div class="ginput_container ginput_container_select"><select name="input_7" id="input_1_7" class="medium gfield_select" aria-required="true" aria-invalid="false">
<option value="G Suite">G Suite</option>
<option value="Office 365">Office 365</option>
<option value="Other">Other</option>
</select></div>
</li>
<li id="field_1_8" class="gfield gfield--type-select field_sublabel_below gfield--no-description field_description_below gfield_visibility_visible" data-js-reload="field_1_8"><label class="gfield_label gform-field-label" for="input_1_8">Primary
SSO/Authentication System</label>
<div class="ginput_container ginput_container_select"><select name="input_8" id="input_1_8" class="medium gfield_select" aria-invalid="false">
<option value="Okta" selected="selected">Okta</option>
<option value="OneLogin">OneLogin</option>
<option value="Ping Identity">Ping Identity</option>
<option value="Other">Other</option>
</select></div>
</li>
<li id="field_1_9" class="gfield gfield--type-consent gfield--type-choice gfield--input-type-consent gfield_contains_required field_sublabel_below gfield--has-description field_description_below gfield_visibility_visible"
data-js-reload="field_1_9"><label class="gfield_label gform-field-label gfield_label_before_complex">Consent<span class="gfield_required"><span class="gfield_required gfield_required_asterisk">*</span></span></label>
<div class="ginput_container ginput_container_consent"><input name="input_9.1" id="input_1_9_1" type="checkbox" value="1" aria-describedby="gfield_consent_description_1_9" aria-required="true" aria-invalid="false"> <label
class="gform-field-label gform-field-label--type-inline gfield_consent_label" for="input_1_9_1">I am older than 16 and agree to receive marketing communications from Obsidian.</label><input type="hidden" name="input_9.2"
value="I am older than 16 and agree to receive marketing communications from Obsidian." class="gform_hidden"><input type="hidden" name="input_9.3" value="2" class="gform_hidden"></div>
<div class="gfield_description gfield_consent_description" id="gfield_consent_description_1_9">You can unsubscribe from Obsidian marketing communications at any time by using the unsubscribe link in the emails we send. You may also request to
delete all of the information submitted in this form by writing to privacy@obsidiansecurity.com.</div>
</li>
<li id="field_1_10" class="gfield gfield--type-captcha field_sublabel_below gfield--no-description field_description_below gfield_visibility_visible" data-js-reload="field_1_10"><label class="gfield_label gform-field-label"
for="input_1_10">CAPTCHA</label>
<div id="input_1_10" class="ginput_container ginput_recaptcha" data-sitekey="6Lfgt_AUAAAAAB2Mfk0U2OLIxEfdEpFDaZx1ImsQ" data-theme="light" data-tabindex="0" data-badge=""></div>
</li>
<li id="field_1_11" class="gfield gfield--type-honeypot gform_validation_container field_sublabel_below gfield--has-description field_description_below gfield_visibility_visible" data-js-reload="field_1_11"><label
class="gfield_label gform-field-label" for="input_1_11">Email</label>
<div class="ginput_container"><input name="input_11" id="input_1_11" type="text" value=""></div>
<div class="gfield_description" id="gfield_description_1_11">This field is for validation purposes and should be left unchanged.</div>
</li>
</ul>
</div>
<div class="gform_footer top_label"> <input type="submit" id="gform_submit_button_1" class="gform_button button" value="Request Demo" onclick="if(window["gf_submitting_1"]){return false;} window["gf_submitting_1"]=true; "
onkeypress="if( event.keyCode == 13 ){ if(window["gf_submitting_1"]){return false;} window["gf_submitting_1"]=true; jQuery("#gform_1").trigger("submit",[true]); }"> <input type="hidden" name="gform_ajax"
value="form_id=1&title=1&description=1&tabindex=0">
<input type="hidden" class="gform_hidden" name="is_submit_1" value="1">
<input type="hidden" class="gform_hidden" name="gform_submit" value="1">
<input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
<input type="hidden" class="gform_hidden" name="state_1"
value="WyJ7XCI5LjFcIjpcImI3MDZmMDk2MGRhM2Y1NTE4ZjdlNDZiMjcwYWU0NjJmXCIsXCI5LjJcIjpcIjZjZjUwNTk4MzMwNzhmY2YxY2JlMTk4ZDdlYTNmODRlXCIsXCI5LjNcIjpcIjJkMjYzNDMzZWRlZTI4YjI1NDE1MTI2MmVkZmFiMGEzXCJ9IiwiNmU0MGNjOWVhZGE1M2EzOTQxZDdiZDRjMzk1MThlMDEiXQ==">
<input type="hidden" class="gform_hidden" name="gform_target_page_number_1" id="gform_target_page_number_1" value="0">
<input type="hidden" class="gform_hidden" name="gform_source_page_number_1" id="gform_source_page_number_1" value="1">
<input type="hidden" name="gform_field_values" value="">
</div>
</form>
Text Content
Security Guidance · 6 minutes

CIRCLECI AND SLACK SECURITY INCIDENTS HIGHLIGHT RISKS OF TOKEN COMPROMISE AND SAAS INTEGRATION THREATS

CIRCLECI AND SLACK SECURITY INCIDENTS

CircleCI offers a continuous integration and delivery platform for software development. A recent breach provides an opportunity to learn about growing SaaS security threats. Per the company’s investigation, an attacker installed malware on a CircleCI employee’s laptop while the “malware was not detected by our antivirus software.” This malware helped the attacker steal employee session tokens backed by MFA. The targeted employee had privileged access to their production system. The stolen tokens enabled the attacker to “impersonate the targeted employee in a remote location and then escalate access to a subset of our production systems.” This includes the stored GitHub token for their customers’ GitHub environment.

Coincidentally, Slack posted about a security incident that occurred on the same day CircleCI was notified of suspicious activity. In that incident, one of Slack’s vendors was breached, resulting in the compromise of a Slack employee’s GitHub token and access to private repositories. We do not have confirmation that these incidents are related. Taken together, however, they illustrate two significant risks to SaaS users: session hijacking and integration threats. Read on to learn more about these threats.

WHAT IS SESSION HIJACKING?

Session hijacking is a technique in which an attacker takes possession of a user’s legitimate session and uses it to gain unauthorized access to the user’s account. Because the session is already authenticated, it lets the attacker bypass multi-factor authentication (MFA) and single sign-on (SSO) controls. In a hijacking, the attacker obtains a copy of the user’s session cookie, a small piece of data that a website sends to the user’s browser to identify the user’s session. With a copy of this cookie, the attacker can impersonate the user and perform actions on the website as if they were that user. Once an attacker holds a session token, they have persistent access until the token is revoked or expires.

Additionally, once in, an attacker can move laterally to other systems, including cloud databases and workloads, particularly when an SSO master token is in the hands of a threat actor. Token theft is a common objective of session hijacking. Tokens are typically stolen by installing malware on a victim’s browser or operating system. A successful phishing attack is another way to obtain a victim’s session. An attacker could also take possession of a user’s session cookie through a credential exchange after a successful social engineering attack, in which the attacker tricks the user into revealing their login credentials. Watch Glenn Chisholm, Obsidian CPO and co-founder, explain session hijacking basics.

HOW OBSIDIAN HELPS CUSTOMERS DEFEND AGAINST SAAS SESSION HIJACKING

To accurately identify token theft and other compromises within your SaaS environment, Obsidian begins with a consolidated understanding of your users, activities, permissions and configurations from across your core applications. This data is normalized, enriched with context and threat intel, and ultimately populated into a central knowledge graph of your SaaS environment. This serves as the foundation for our models to detect malicious activity in its earliest stages, giving your team the chance to mitigate threats before sensitive data is exfiltrated. Because Obsidian carefully examines and analyzes details about the users and client connections to the identity provider and SaaS applications, we detect the potentially subtle anomalies consistent with token capture and reuse by an attacker. When this is identified, our platform immediately flags the event for your security team, providing a single timeline of events related to the attack and a clear path to prompt remediation. You can learn more about how to defend against session hijacking attacks here.

WHAT IS SAAS INTEGRATION THREAT?

Connected SaaS applications have many moving parts, including integrations, settings and controls. Users are responsible for some settings, while others are controlled by IT or a security team. When users install unauthorized software, they sometimes connect that software to core corporate applications like Salesforce, M365 and Google Workspace. It is important to have a vendor security assessment process to determine up front whether an integration with a given vendor should be allowed. But even authorized integrations create risk, because a third-party vendor can be compromised as an indirect route into your organization. Every integration expands your integration risk surface, so continuous visibility into how those applications behave is needed so that anomalies can be detected. When one integrated application is compromised, an attacker could, depending on the integration and the access privileges granted to that vendor, move laterally within the SaaS environment to read, tamper with or delete data. The attacker could also use this vector to escalate privileges inside your organization and do additional damage. When these scenarios occur, the faster the security team becomes aware of a breach, the faster it can be contained or eliminated, potentially protecting your customer data and saving millions along with your corporate reputation. One of the more common types of integration threat is an attacker gaining access to legitimate credentials. Watch this video to learn the fundamentals of OAuth abuse.

HOW OBSIDIAN HELPS CUSTOMERS DEFEND AGAINST INTEGRATION THREAT

Obsidian combats integration threats by inventorying all third-party integrations with high-risk access into the SaaS environment and building a profile of typical behaviors and activity patterns. Machine learning models continuously evaluate the way these integrations behave to identify anomalies indicative of a compromise. Prompt detection enables security teams to take timely corrective action that removes an attacker’s access and their ability to exfiltrate sensitive corporate data. This process also provides an inventory of unauthorized SaaS applications and integrations in use, so administrators can decide whether to remove specific integrations. The reality is that a single employee, with a few clicks, can change an organization’s security posture. Knowing quickly when this happens empowers a security team to reduce or mitigate the potential danger.

GET A FREE SAAS SECURITY RISK ASSESSMENT

Want to see how your SaaS environment stacks up? Get a free SaaS security risk assessment that comes with a full report of your SaaS posture and actionable steps you can take to mitigate SaaS session hijacking attempts and integration threats.

By Shuyang Wang, Feb 1, 2023
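The session hijacking section above describes a stolen session token being replayed from a remote location and staying valid until revoked, and the detection section describes looking for subtle anomalies in client connections that indicate token reuse. The following is an added example, not Obsidian's code or product logic: it runs that kind of check over a constructed, simplified audit log (timestamp, user, session id, source IP, user agent, action), flags a token that reappears from a different client than the one it was issued to, flags a token still being accepted past a maximum lifetime, and returns the sessions a responder would revoke. The log format, field names and sample values are all assumptions made for this illustration.

```python
"""Detect reuse of a session token from a new client or past its lifetime.

Added example, not Obsidian's code.  The audit-log format, field names and
the sample events below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    session: str      # opaque session token identifier (constructed)
    ip: str
    user_agent: str
    action: str


@dataclass(frozen=True)
class Alert:
    session: str
    user: str
    severity: str     # "high" = revoke now, "medium" = review
    reason: str


# Constructed sample: alice's token is replayed from another IP and browser
# hours after login; bob's token changes IP only, then is still accepted
# two days after it was issued.
SAMPLE_LOG = [
    "2023-01-04T09:00:00Z alice sess-a1 203.0.113.10 Chrome/109 login_mfa",
    "2023-01-04T09:05:00Z alice sess-a1 203.0.113.10 Chrome/109 read_repo",
    "2023-01-04T13:30:00Z alice sess-a1 198.51.100.7 Firefox/108 list_secrets",
    "2023-01-04T09:10:00Z bob sess-b2 203.0.113.22 Safari/16 login_mfa",
    "2023-01-04T10:00:00Z bob sess-b2 203.0.113.23 Safari/16 read_repo",
    "2023-01-06T09:30:00Z bob sess-b2 203.0.113.22 Safari/16 read_repo",
]


def parse_log(lines):
    """Parse the constructed space-separated log format into Event objects."""
    events = []
    for line in lines:
        ts, user, session, ip, ua, action = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, session, ip, ua, action))
    return events


def detect_session_anomalies(events, max_age=timedelta(hours=24)):
    """Compare every use of a token with the client that first presented it.

    IP and user agent both changing is treated as high severity (consistent
    with capture and replay elsewhere); one changing, or a token still in
    use after max_age, is flagged for review.
    """
    issued = {}   # session id -> first Event seen for that session
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        origin = issued.setdefault(ev.session, ev)
        if origin is ev:
            continue   # first sighting establishes the baseline client
        changed = []
        if ev.ip != origin.ip:
            changed.append(f"ip {origin.ip}->{ev.ip}")
        if ev.user_agent != origin.user_agent:
            changed.append(f"ua {origin.user_agent}->{ev.user_agent}")
        if changed:
            sev = "high" if len(changed) == 2 else "medium"
            alerts.append(Alert(ev.session, ev.user, sev, "; ".join(changed)))
        if ev.ts - origin.ts > max_age:
            alerts.append(Alert(ev.session, ev.user, "medium",
                                f"token still accepted {ev.ts - origin.ts} after issue"))
    return alerts


def sessions_to_revoke(alerts):
    """Session ids with a high-severity alert: revoking them ends the access."""
    return sorted({a.session for a in alerts if a.severity == "high"})


if __name__ == "__main__":
    found = detect_session_anomalies(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"{a.severity:6} {a.user:6} {a.session}: {a.reason}")
    print("revoke:", sessions_to_revoke(found))
```

Real identity-provider logs carry more signals (ASN, device id, TLS fingerprint) that lower false positives from ordinary network changes; the structure of the comparison stays the same.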