Red Team 0 Trust Attack: Identity Theft is Key! #shorts

BSides Frankfurt · 2:14 · 220 views · Published 2026-04
About this talk
Identity theft is the core of Zero Trust attacks. Stealing session cookies, API tokens, and accounts is key. FIDO2 with certificate pinning is your best defense. #ZeroTrust #CyberSecurity #RedTeam #InfoSec #FIDO2 #MFA
Transcript (en)

So, if you're a red teamer, how do you attack zero trust? Well, you steal an identity. Identity theft is the core of zero trust attacks. And most of the time, an identity is just a cookie. It's a session token stored in your browser, or stored in your Slack application or GitHub Desktop application or whatever you're using. It's going to be a session cookie or a JWT or some form of string of text, really. And these strings of text are generally not stored in a secure manner. And so you're going to try to attack it with phishing attacks. You hunt for API tokens, access tokens, accounts. And you RTFM: you read the freaking manual when you get access, and you find out how everything works, how everything's talking to each other. That's the overall view of how you attack zero trust.

Going through the different phases of the kill chain: how do you attack initial access? Stealing cookies, number one. If you're not using FIDO2, mandatory everywhere for your MFA, you're vulnerable. Trust me, we just migrated about a year ago because we had a very exposing red team event where they showed us how push notifications with the numbers and all this other cool stuff wasn't enough. FIDO2 means that they do certificate pinning so that they can't proxy the connection. That little icon with the dude with the red eyes, that's Evilginx. You can go out there; they've got loads of training courses. You can hire it as a service. And that will proxy your login connections. It'll look exactly like you're logging in to your corporate website, with the green lock at the top and the SSL connection and everything, except they steal your username, your password, and your session token. And then you get logged in and they get logged in. Unless you're using FIDO2. If you're using FIDO2, it does certificate pinning. It says, "Nope, I'm not logging in through this, because that's not the right website." Most IdPs also support device certificates. So if you want to take it even further, you can say only FIDO2 from an authorized device.
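The binding the speaker is describing, as an added example that is not part of the talk or of any Evilginx or FIDO2 project code: in a WebAuthn assertion the browser (not the page) writes the page's real origin into clientDataJSON, the authenticator embeds sha256(rpId) in authenticatorData, and the signature covers both, so a relying party rejects an assertion produced on a look-alike proxy domain, and the proxy cannot rewrite the origin without breaking the signature. The simulation below assumes an RP ID of `corp.example`, a real origin `https://login.corp.example` and a constructed phishing origin `https://login.corp-example.com`; HMAC-SHA256 with a constructed key stands in for the authenticator's ECDSA P-256 signature so it runs with the standard library alone, and the browser's RP-ID rule is simplified (real browsers also consult the public-suffix list).

```python
# Added example: WebAuthn/FIDO2 origin binding versus an Evilginx-style reverse proxy.
# Stand-alone simulation, standard library only. Not code from the talk.
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlsplit

RP_ID = "corp.example"                           # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.corp.example"   # assumed real login origin
PHISH_ORIGIN = "https://login.corp-example.com"  # constructed look-alike proxy origin

# Constructed credential secret. A real authenticator holds an ECDSA P-256 private key
# and the RP stores the matching public key; HMAC-SHA256 stands in so this runs offline.
CRED_KEY = secrets.token_bytes(32)


def b64url(raw: bytes) -> str:
    """base64url without padding, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def rp_id_allowed(origin: str, rp_id: str) -> bool:
    """Browser-side rule: a page may only use an RP ID equal to, or a parent of, its own
    host. Simplified: real browsers additionally apply the public-suffix list."""
    host = urlsplit(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)


def authenticator_assert(rp_id: str, origin: str, challenge: str, key: bytes):
    """Client side of navigator.credentials.get(). The browser fills in `origin` from the
    page actually being visited; the authenticator binds sha256(rp_id) into
    authenticatorData and signs authenticatorData || sha256(clientDataJSON)."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x01"                      # UP bit: user presence verified
    sign_count = (0).to_bytes(4, "big")
    auth_data = rp_id_hash + flags + sign_count
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(key, to_sign, hashlib.sha256).digest()
    return client_data, auth_data, signature


def rp_verify(client_data: bytes, auth_data: bytes, signature: bytes,
              expected_challenge: str, key: bytes):
    """Relying-party checks from the WebAuthn assertion verification procedure.
    Returns (accepted, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    expected = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    return True, "ok"


def login_from(origin: str):
    """Full ceremony: the RP issues a fresh challenge and the browser sitting on `origin`
    answers it. On the proxy origin the browser would normally refuse the RP ID outright
    (see rp_id_allowed); this is the attacker's best case, where an assertion is produced."""
    challenge = b64url(secrets.token_bytes(32))
    cd, ad, sig = authenticator_assert(RP_ID, origin, challenge, CRED_KEY)
    return rp_verify(cd, ad, sig, challenge, CRED_KEY)


def proxy_relay(victim_origin: str):
    """Evilginx-style relay: capture the victim's assertion on the look-alike domain and
    forward it to the real RP with the origin field rewritten to the legitimate one."""
    challenge = b64url(secrets.token_bytes(32))
    cd, ad, sig = authenticator_assert(RP_ID, victim_origin, challenge, CRED_KEY)
    forged = json.loads(cd)
    forged["origin"] = EXPECTED_ORIGIN
    cd_rewritten = json.dumps(forged, separators=(",", ":")).encode()
    return rp_verify(cd_rewritten, ad, sig, challenge, CRED_KEY)   # signature no longer matches


if __name__ == "__main__":
    print("browser allows RP ID on real origin :", rp_id_allowed(EXPECTED_ORIGIN, RP_ID))
    print("browser allows RP ID on proxy origin:", rp_id_allowed(PHISH_ORIGIN, RP_ID))
    print("login via real origin               :", login_from(EXPECTED_ORIGIN))
    print("login via proxy origin              :", login_from(PHISH_ORIGIN))
    print("proxy rewrites origin and relays    :", proxy_relay(PHISH_ORIGIN))
```

A password plus a push approval or a typed one-time code carries no origin inside it, which is why the proxy can forward those verbatim and the IdP accepts them; the assertion above fails on the origin check, on the browser's RP-ID rule before that, and on the signature if the proxy tries to patch the origin.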