
BSidesSF 2026 - The Room Where It Happens (Identity Compromise Edition):... (Julie Agnes Sparks)

BSidesSF · 5,929 views · Published 2026-05
About this talk
The Room Where It Happens (Identity Compromise Edition): Behind the scenes of Okta attack campaigns
Speaker: Julie Agnes Sparks

Identity compromises allow lateral movement into many critical systems. Come join this session to learn about new Okta attack paths, detection capabilities, and pivoting potential. Who lives, who dies, who compromises your identity?

https://bsidessf2026.sched.com/event/0caeb342f152f8488a825522d6485d78

Transcript [en]

All right. We're just about ready to go with no more undue attention. I will hand this over to Julie to introduce herself and take us into the room where it happens.

Thank you so much for coming, all. So I'm going to just dive into some recent Okta attack campaigns. I've been looking at these for way too long, and I picked some more recent ones because I think there are some things that we're all dealing with. A little bit about me: I do a lot of everything under detection and response, so detection engineering, threat hunting, IR. Currently I'm in security research at Datadog, so I do a lot of looking at cloud infrastructure logs and SaaS application logs, trying to see if we can find emerging threats. Classically I do talk very fast, but there are a lot of things to cover, so for this one I'm actually very happy I talk fast.

This is mainly going to focus on Okta. So if I could get a raise of hands, how many people use Okta in the room? Okay. [laughter] A lot of us. I know there are other IdPs out there. Unfortunately they don't have as good logging, and they don't have as much to talk about. So I'm going to dive into Okta's logging visibility and some trends we've been seeing, and then basically I want you to walk away and say: based on my Okta logs, what can I start looking at ASAP?

I can see a lot of you use Okta logs. They have gotten much better over the years; I will commend them on that. However, there are still a lot of events. And so you might ask yourself, okay, but how many events are there really? 1,081 event types. You'll be able to see this if you go to their website. I will give the caveat that not all of these log types are for current versions of Okta. They have log types that they rolled out in like 2016 that are still supported, so not everything is something you'll probably see in your environment. But if you go to their documentation page and you're trying to figure out what to look at, what to research, it can be really hard. So I picked a couple of event types that I think you should spend your time and sanity on.

We want to look at authentication events and then policy evaluation. So we want to know, when a user logs in, what are they being evaluated against? Maybe you require two-factor authentication; maybe you require the device to be managed through your MDM. In these policy evaluation events you can see allow, challenge, deny. You can see the user's journey, what applications they're trying to access, and what policies were applied. That's very important here, because we want to know if they just used their password. And then we also want to focus on those authentication events, because they will tell us what factors were used and where the potential attacker is going.

Out of those logs, every Okta log has a similar log structure but actually very different log fields. Some of the ones that I love and use regularly that are in a lot of these logs are session IDs and dtHash, which is a device hash. That's not just taking the user agent but a bunch of different characteristics, and that way you can look at whether one device is trying to log into multiple user accounts. Then debugContext.debugData.behaviors. This can incorporate a lot: it has risk fields, behavior fields, a lot of security data. So you want to know if Okta thinks it's anomalous, if it's a new device, if it's a new geolocation, etc. It can be noisy, but it can also be very helpful if you tune it with a smaller scope of a hunt. And then you want to know the factor they're using and where they're trying to go. Depending on what log you're looking at, that could be the target app, target.displayName, it could be in an array, etc. You kind of have to take a look at your logs and dive into that there. But these are my favorite fields.

Highly recommend taking a look at them if you're going to be diving into a hunt. There have been a lot of recent campaigns lately, and so we've seen a lot with Okta, but I want to cover some of the stuff that's happened more recently, because I think that's what's on a lot of our minds and what we're probably going to be seeing going forward and doing IR for.

So, a lot of adversary-in-the-middle campaigns. In 2025 I noticed more that Okta instances were targeted when necessary. They weren't always targeted just because; they wanted access to Google Workspace, they wanted access to M365. And so when they had to target Okta, they would, but that wasn't the main goal. They could use phishing emails, vishing, etc. I would say these were like low to medium sophistication attacks. Okta's threat intelligence team does really good deep dives on their threat intel blog about this; highly recommend reading some of theirs, especially the reports last year. At Datadog we did a Security Labs post where we dove into some of the behavior that we were seeing. Again, that target was M365, and also Google Workspace. This is a really good diagram to just walk through it. The article is available on the Datadog Security Labs website; myself and a couple of co-workers wrote it. So if you're interested in diving into that more traditional focus, highly recommend.

The other thing that I like about the low to middle sophistication attackers is sometimes it's just funny. The first screenshot is from Okta's official documentation. They recommend that you use a format for a user agent, and they say "user agent {dot} {dot}", fill in your user agent. But we'll actually see attackers programmatically use "user agent {dot} {dot}" and then fill in. And so a lot of times, even using user agents and IPs you associate with VPNs, proxy services, etc., you can hunt with this information, especially for those low to medium sophistication hackers. And yeah, maybe you'll find something really funny. It's a nice way to improve your day when you've been looking at logs for 8 hours.

But here we have 2026. Late 2025 into 2026, we got that shift with new targets, and I'm sure everyone was following the news with the ShinyHunters-attributed campaign. Very classic for social engineering, and then their focus is data exfiltration, right? So that might be Microsoft 365, it might be Google Workspace, but it might not be. This is a really good high-level diagram Google Threat Intelligence Group did, just showing that they want to gain access, but they want to move to SaaS apps, they want to move to cloud infrastructure, and they want that data exfiltration so that they can hold the company for ransom. At first you think, oh, M365, Google Workspace, that's where your head goes. But they have been confirmed to do Salesforce, Atlassian, Slack, DocuSign, and probably many others that have not been confirmed. They want to grab that information and find out, one, if there are any secrets stored, and two, what sensitive internal and customer data is available that they can use against you.

Another shift that I've been seeing is when I'm looking at these phishing infrastructure kits, there is a lot of vibe-coded infrastructure. Not only is there a lot of vibe-coded infrastructure, you'll see the same infrastructure being taken and slightly modified over and over again every couple of weeks. It'll be very clear that they're using very similar infrastructure, similar code, and they're just adding to it, because they probably don't want to build something new or buy something new.

The last thing with the most recent attack we were looking at was this use of free services to host dashboards to interact with the actual victim, to make it more believable. So the attackers can actually say, okay, we're moving you through this process. Are we going to ask for OTP? Do we have the password? Are we going to send them an email? They need a dashboard, they need all these ways to interact with the end user. And so Render has recently been used because they have a really good free tier, lowering the barrier of entry to have those panels, to store data, on really free hosting platforms. And sometimes it works really well; I mean, that's why we've seen dozens of companies come out and say they were breached recently. The first screenshot we see, "verifying your connection", that's actually a fake Turnstile page. At that point the attacker is determining whether they're going to push the victim through the entire workflow. And then we have very believable Okta pages. I think we've all seen some of these.

So now that we're seeing these campaigns, and probably leadership and hopefully our own teams are really concerned that we should be doing more with Okta, I think it's time to threat hunt. I put together a really simple compromise flow. This isn't always what happens; it can get a lot messier than this. But the idea again, right, is we're evaluating the policy when they try to sign in. We're sending them maybe a push notification. We can see in those security behaviors that it's a new geolocation, a new device. The MFA was provided successfully. They tried to get to the Google AMC app instance, and then they successfully got into Google Workspace. And this actually could be very benign. So the hunting part makes it very difficult, because if you don't know you're actually being targeted, some of these behaviors might just be normal. They might be issued a new device, they might be using a mobile device, etc.

One of the things I was looking at last year was again more of these low to medium sophistication attacks. So a lot of brute force focus, a lot of using IP addresses not necessarily from VPNs or proxy services but from Russia, China, etc. And not only are they looking at Okta, but they're looking at Okta only when the organization also uses M365. They're really trying to target some legacy protocols. They're trying to target users through social engineering. But then as we get further into 2025 and into 2026, we really see this rise in low-and-slow attempts, which are much, much harder to detect. Even if you think about anomaly detection, an anomaly period, you can only set it for so long. If you see someone taking actions at 8:00 a.m. and then 2:00 a.m. the next morning, sometimes it's really hard to write a detection to catch that. And they might use different user accounts, different VPNs, etc.

And then lastly, kind of what we were talking about with the ShinyHunters-related attacks, the goal is to pivot into other SaaS apps, which is a very different goal than what it used to be. So you might see these attackers actually logging into your Okta dashboard, which is something I never really saw before. Usually it was Google Workspace, maybe Slack, something else; they had a goal. But if they get into the Okta dashboard, they know what the user has access to. They can perform lateral movement. They can find out where your most vulnerable data is, and they can do exfiltration.

So you might be asking, what can you do? There are a couple of things. We can do things as security engineers, but we can also work with our IT teams. One of the things I encountered the most often was when a user was compromised, it was because of a policy in Okta. For those who haven't written policies before, you have 1 through 99, and whatever is the highest gets applied. So maybe you have worked with IT to implement phishing-resistant multi-factor authentication. That policy might be number 30. But then accidentally one user, in a group that they were in, has a one-factor authentication policy at 29. And so the attacker knows the password, they log in, and they successfully move past the policy evaluation and into your Okta instance. So audit those sign-in policies. They're messy, they're hard, they can be split into different groups, into different departments, etc. But those are the biggest gaps where users are really able to be as susceptible to social engineering. And with those policy requirements, it's a very slippery slope. Even if 90% of your employees are under the appropriate policies, you might have some that are not. And maybe they're engineers. Also the classic: require phishing-resistant MFA. And you can also use device management, where you integrate your MDM with Okta, and I'll show how that's important, or well, useful, in a minute.

But most of us here are probably on the IR, detection, threat hunting side of things. So I would challenge you to threat model your Okta instance with the idea of: how are you using Okta? What lateral movement is possible from the Okta dashboard, for example? What SaaS apps are you most worried about? Where are you storing customer data? Immediately I think of Salesforce, Snowflake. DocuSign could be one; we have evidence of that. Atlassian is a huge one. And so not only are you looking at Okta, but what follow-up hunts are you going to need to do, or detections are you going to need to write, where you combine Okta data with other SaaS app data? The MITRE ATT&CK framework, I think a year or a little longer ago, came out with an identity provider matrix. It's kind of in the beginning stages, but I think it's a really good way to start a hunt. And I know that all of us after a hunt have to report upward, and sometimes using the MITRE ATT&CK framework is the best way to convey to leadership what we've actually worked through. Push Security also has a really good one as well.

So I wanted to call attention to this: I know Okta's huge. I just said that there were 1,081 event types. And maybe you haven't looked very closely at it from a threat hunt perspective. Maybe you're just in IR. And maybe you don't have that much time. So, not having a ton of time and wanting to dive as deep as possible, where can you start? The Okta team has a public repository called customer-detections. They have recommended detections and they have recommended hunts. I believe it's in the Okta query language; you might have to convert it for that. Myself at Datadog and some other folks have contributed to their hunts and their detections in their repository. So I would encourage you to take a look at that. And then I have a repository called SaaS forensic ideas, which I encourage people to go look at. It's kind of some of these Google Docs that I've just been living in, where I think about the logging visibility nuance, things that are maybe important, things that you might not think of if you haven't spent weeks reading random SaaS documentation that usually doesn't make a lot of sense. So the goal is, if you're doing a threat hunt and you find logging nuances, things that you think could be better, I highly recommend contributing. It's a place where I'm going to store my threat hunting guides. And when you're getting started, I have a couple for Okta and I have a couple for Salesforce. So if you don't want to start from scratch, start there. But I always recommend threat modeling your own environment as your starting point.

The other thing that has been really, really helpful with threat hunting is writing these tailored queries and then having them execute continuously. So maybe you did this great threat hunt, you found these suspicious indicators, and then when do you have time to look at it again? So instead of writing a detection, which, you know, an indicator may or may not be useful in a week, build out hunting queries that work just like detections for you, but that you're able to have in a dashboard where you can see if those indicators are popping up. As incidents and threat intel articles come up, you can add those indicators. And you can have an idea of where you're seeing it, across what users, what dates, timestamps, etc. And depending on how you have it set up, it doesn't have to be just Okta. As we talked about, SaaS apps are also being targeted once a victim account allows for access to the Okta dashboard.

So maybe you see these user agents, you see these IP addresses, you see a chain of behaviors. You can also look for when the source is Slack, when the source is Salesforce, when the source is CloudTrail. And then you can keep an eye on these and also bubble up when it's important to have those threat hunts. Because sometimes it's hard to justify when you needed to stop your project work, stop your automation work, stop building, I don't know, different IR tooling, and actually sit down and do these threat hunts. Maybe you only have half a day and you need to use pre-built templates. Maybe you have a day, maybe you have a week. Or you're able to bring in folks like IT to help you. But these are really good starting points and ending points where you can kind of keep the momentum going.

One other thing I wanted to mention, and something that the Okta team and our team have used pretty extensively: if you implement FastPass, here's the caveat. If a user successfully uses FastPass, it's a regular auth via MFA event. But if they fail, the event will actually be taken by the Okta system. It will fail the authentication event, and it could provide information on your current phishing infrastructure. That is, or, not yours: the one that's being used against your company. And so here's an example. I will say that this is not 100% always true. There are different risks and reasons why FastPass may fail, so I always look at it. I would say maybe half the time it actually shows active phishing infrastructure. Sometimes it captures a browser extension or something else that was interacting that they found suspicious. And then obviously you have the application name, so where was that user trying to access? In this case, as we expected, Google. Once you have that information, or honestly proactively if you don't have that information, you should be using URLScan, VirusTotal, and other third-party tools to just keep an idea of who is targeting your users. So URLScan has brand names you can search by.

You have to kind of be a big brand for that to work. So you might have to play around with keywords. Maybe read active threat intel, put together some different keywords you think might be in the URL. And you can also take phishing infrastructure that you've seen targeting you in the past and use similarity algorithms to see if it's being seen in the future. Having this automated, so it sends you an email, sends you a Slack notification, has been really helpful. And also you can see when infrastructure is continually being spun up. And maybe it's not even being spun up against you. Maybe it's spun up against your friend who's at a different company, and you can tell them and give a heads-up. So this is something that I actively used when looking into the ShinyHunters campaigns. There's a ton of different information on URLScan; I'm sure you all know that you can spend hours there. But if you are looking at Okta logs, if you're threat modeling, you're hunting, it's also important to keep an idea of what infrastructure is out there and stay on top of it before your users actually interact with it.

And so I did promise I talk very fast, so that means there's time for questions. I will say that I took it upon myself to make transparent stickers of Maslow's hierarchy of needs. If you're a psychology nerd, you'll get this. Basically this pyramid just describes the needs of a human being. And in my opinion, as a detection engineer and a threat hunter, my main need is useful audit logs. So if you come find me after the talk, I have a bunch of stickers. They're transparent and they can go on your laptop. I'm happy to provide them. But yeah, I'm also happy to take questions now, or you can connect with me via LinkedIn. And thanks for listening to me rant about Okta threat hunting.

There we go. Good round of applause here for Julie. Thank you so much. There are no questions on the Slido, so we've got time for maybe two questions here. Is there anyone that has a question for Julie? Maybe they've got a question that's a little more personal; they want to talk about their own threat hunt. So find her later in the event space upstairs. And once again, round of applause for Julie. Thank you so much. [applause]
