Detect SaaS Session Hijacking with Obsidian

The prevalence of multi-factor authentication and single sign-on has caused attackers to forgo targeting credentials in favor of capturing session tokens. Learn about some of the methods bad actors are employing to steal tokens, hijack sessions, and establish persistence within SaaS identity providers and business-critical applications.

We sat down with Philip Martin, the Chief Security Officer of Coinbase, for a conversation around building world-class security programs and assessing cybersecurity challenges in the cloud-first era. In this clip, Philip details how his team detected and blocked a sophisticated, widespread attack leveraging two zero-day exploits in Firefox. He explores how and why attackers pivoted from the endpoint to SaaS, looking to hijack interesting sessions at the cloud-first company.

Not only can a captured session token potentially grant access to a SaaS application or a wealth of services connected to an identity provider—it also offers persistence in the environment for as many as 30 days. These attacks are discrete, often going undetected because the attacker is reusing legitimate tokens. As the threat of session hijacking continues to grow, it’s imperative that security leaders understand the techniques and consequences of token theft in a SaaS world in order to mitigate it.

In the second part of this blog series, we’ll walk through a demonstration of SaaS session hijacking in detail. Our objective is not only to explain the fundamentals of the attack, but also to show how easily a targeted user might be overlooked and highlight how Obsidian detects token compromise in your SaaS environment.