September 30, 2024 at 08:30AM
Attackers are increasingly using session hijacking to bypass MFA. Microsoft detected 147,000 token replay attacks in 2023, a 111% increase YoY. Modern session hijacking targets cloud-based apps, seeking to steal session material and bypass MFA. Phishing toolkits like AitM and BitM, as well as infostealers, are used to hijack sessions. These attacks require a multi-layered defense, and new controls are being developed to detect and prevent session hijacking.
The key takeaways from the meeting notes are:
1. Session hijacking is on the rise and is being used to bypass Multi-Factor Authentication (MFA) controls.
2. Modern session hijacking is now an identity-based attack, targeting cloud-based apps and services over the public internet.
3. Attackers aim to steal session material such as cookies, tokens, and IDs to resume the session from a different remote device, bypassing standard defensive controls.
4. The objectives of stealing live sessions are to bypass authentication controls like MFA and gain access to valuable app data, making identity the new security perimeter.
5. Two main approaches to session hijacking include modern phishing toolkits such as AitM and BitM, and infostealers targeting browser data.
6. Both methods aim to steal session cookies and other credentials, allowing attackers to access live user sessions.
7. Despite the existence of controls such as EDR and passkeys, detection and response to session hijacking remain challenging, with most organizations relying on variable app-level controls.
8. A new layer of defense against session hijacking is proposed by injecting a unique marker into the user agent string of sessions occurring in browsers, allowing for the detection of stolen sessions.
Finally, the meeting notes also provide additional resources for understanding session hijacking and the proposed browser-based defense mechanism.
Let me know if you need further details on any specific point.