Permiso Security - Experts & Thought Leaders

Permiso, the pioneer in real-time identity security, has released a suite of three open-source tools that help security teams bolster their detection capabilities for a variety of different attacks. The P0 Labs team, the threat research arm of Permiso has launched a total of ten open-source tools to date, developed from their ongoing threat research and observations from real-world attacks. YetiHunter, CloudGrappler Earlier in 2024, Permiso launched YetiHunter, an open-source tool that detects indicators of compromise in Snowflake environments. They also released CloudGrappler which queries high-fidelity and single-event detections related to well-known threat actors in popular cloud environments such as AWS and Azure.  Detection capabilities and rules A subset of these rules has been incorporated into a multitude of open-source projects Permiso, composed of former FireEye/Mandiant staff, has developed over 1,400 detection rules in their product as a result of their ongoing threat research. A subset of these rules has been incorporated into a multitude of open-source projects that allow security teams to uplevel their detection capabilities in a variety of different environments.  Cloud detection “The learning curve for detection in the cloud is steep, and our goal is to help security teams bolster their detections across their cloud environments without having to purchase commercial software solutions like a SIEM,” said Permiso Co-Founder and Co-CEO, Jason Martin. He adds, “We are committed to providing resources that can help the broader security community defend against the TTPs of modern threat actors.” DetentionDodger DetentionDodger will list all the identities with a Quarantine Policy (version 1-3) and look for failed policy attachments In the suite of projects is DetentionDodger which finds identities with leaked credentials and their potential impact. DetentionDodger will list all the identities with a Quarantine Policy (version 1-3) and look for failed policy attachments of a Quarantine Policy in CloudTrail Logs to generate a list of users with leaked credentials. It also lists all the inline and attached policies of the user and each group it is part of to determine the impact based on privileges. BucketShield BucketShield is a monitoring and alerting system built for AWS S3 buckets and CloudTrail logs. It ensures the consistent flow of logs from AWS services into S3 buckets and mitigates potential misconfigurations that could interrupt log collection. With real-time tracking of IAM roles, KMS configurations, and S3 log flows, BucketShield ensures that every critical event is recorded, and your cloud remains audit-ready. CAPICHE Detection Framework CAPICHE Detection Framework is an open-source tool designed to simplify each step of the cloud API detection Finally, CAPICHE Detection Framework (Cloud API Conversion Helper Express) is an open-source tool designed to simplify each step of the cloud API detection translation pipeline. It enables any defender to instantly create a multitude of different detection rules from groupings of APIs, even if the complete API names are unknown. Bolstering defences “The collection of these three tools helps security teams immediately hone their detections and bolster their defences against a variety of cloud-based attacks,” said Principal Threat Researcher, Daniel Bohannon. He adds, “This isn’t just to help better defend against future attacks but addresses key attack vectors in their environments that could be indicative of past or present compromise.” 

Permiso, the pioneer in real-time identity security, released SkyScalpel, an open-source tool that helps both offensive and defensive security professionals understand how policies could be obfuscated by threat actors in order to go undetected in an environment. JSON-based policies in cloud environments, particularly in AWS, dictate what resources users and systems can access and the actions they can perform. However, these policies can be susceptible to obfuscation—a technique where bad actors manipulate the policy’s syntax and semantics to hide their true intentions. This makes it difficult for security teams to detect and prevent unauthorised access effectively. Obfuscation techniques Some obfuscation methods are detectable in runtime events during yield but sanitised upon storage Obfuscation of cloud policies, remote administration command scripts and various permissions parameters are an often-overlooked attack vector with implications at several stages of the detection engineering pipeline.  Threat actors can utilise obfuscation in their policies such that "Allow" becomes "Al\u006Cow" and "iam:PassRole" becomes "iam:P*ole.” Some obfuscation techniques are detectable in runtime events during creation but silently sanitised upon storage and/or later retrieval by corresponding APIs.  Obfuscation scenarios  Other techniques persist into the storage of created entities (e.g., IAM policies). These obfuscation scenarios can evade string-based detections, break policy rendering pages in Management Consoles, and even selectively overwrite policy contents of an attacker's choosing based on the defender's viewing method. Additionally, we identified subtle differences between official cloud provider tooling (CLI, SDKs, Management Console) that further facilitate and complicate the generation and detection of these obfuscation scenarios. Cloud environments SkyScalpel addresses this issue by providing a robust solution for scanning, analysing SkyScalpel addresses this issue by providing a robust solution for scanning, analysing, and normalising obfuscated policies. It ensures that security teams can quickly identify and rectify policies that may compromise the security of their cloud environments.  Given a policy containing some obfuscation, the custom tokeniser parses and decodes the syntactical obfuscation techniques - enabling access to the underlying values while still preserving the original values for comparison (or reassembly of the original input policy). Obfuscated JSON documents “SkyScalpel will help teams detect obfuscated JSON documents, with additional rules and de-obfuscation capabilities targeting numerous syntactical and logical evasions that affect IAM policies (and the plethora of runtime events that contain policy statements),” said Permiso Principal Threat Researcher Daniel Bohannon.  “Attackers employing these obfuscation techniques can quite effectively evade traditional string-based detections, with some techniques persisting after JSON deserialisation." Azure and AWS environments Bohannon added: "SkyScalpel also includes a full obfuscation suite of functions so red teams can automate the multi-layer obfuscation of any input JSON document with additional obfuscation techniques applied to IAM policies to more thoroughly test an organisation’s defences against such evasion techniques.” Permiso has launched several other open-source tools within the past year, including CloudGrappler, which helps security teams quickly detect threat actors in their Azure and AWS environments, as well as YetiHunter, a tool that combines several Indicators of compromise in Snowflake environments.

Permiso, the pioneer in identity security, has announced the launch of their Universal Identity Graph to provide risk and threat visibility for all identities, in all environments. The Universal Identity Graph combines industry pioneering Identity Security Posture Management (ISPM) with Identity Threat Detection and Response (ITDR) to provide the most comprehensive identity security solution in the market. Identity infrastructure “For most organisations, identity security is incredibly siloed. Identity providers focus on securing the identity infrastructure, a separate solution is adopted to manage IaaS or PaaS, and yet another solution for SaaS. Many times, organisations adopt one solution that focuses on identity posture to mitigate risk, and yet another solution that focuses on threat detection at runtime." "While organisations benefit from securing these layers separately, it creates a massive blind spot across the authentication boundaries in an environment. We’ve seen how threat actors take advantage of those blind spots when orchestrating identity-based attacks. Permiso’s Universal Identity Graph helps organisations secure all of their human identities and non-human identities across those environments in one centralised location,” said Permiso Co-founder and Co-CEO, Jason Martin. Front line knowledge Experience has created more than 1,200 unique detections and more than 500 alert rules in their platform Permiso, whose team is composed of several former FireEye/Mandiant executives, has detected and responded to hundreds of breaches collectively. By living in the breach, the team has front line knowledge of threat actor’s TTPs and are able to understand where controls fail for security organisations. This experience has created more than 1,200 unique detections and more than 500 alert rules in their platform. Permiso's solution "Permiso's platform provides us with a comprehensive view of our identity risk. With their new Universal Identity Graph engine, we're able to mitigate high-risk identities in real-time, giving us added peace of mind that our most valuable assets are protected,” said Eric Tan, CIO & Chief Security Officer at Flock Safety. “Permiso's solution has enhanced our ability to detect and respond to threats, making our organisation more resilient to cyberattacks.”  Threat detection solutions Many existing security posture management and threat detection solutions alert based on atomic events - specific actions performed in an environment that could potentially be suspicious or malicious.  These may include activities such as resetting MFA, logging in from a different geographic location, or database snapshotting. Because each of these events often generate alerts in an environment, many security teams drown in alerts that have no context of the activity that is actually taking place in their environment. Identity-based threats Permiso can track identities wherever they go and quickly see identity-based threats in a domain Permiso’s Universal Identity Graph follows all human (workforce, guest, vendor) and non-human identities (access keys, secrets, services accounts) wherever they go and tie the activity back to the identity that performed them, even when shared credentials are being used. By monitoring access patterns and behavioural anomalies as identities move across authentication boundaries, Permiso is able to track identities wherever they go and quickly detect identity-based threats in an environment. Cloud and on-premise environments Permiso has experienced rapid growth over the last twelve months. After LUCR-3 (Scattered Spider) was able to breach the environments of several large organisations like MGM and Clorox, many teams turned to Permiso to provide the industry’s most comprehensive method to detecting identity-based attacks in both cloud and on-premise environments. The startup raised a dollar 18.5M Series A in April 2024 and recently added some of the strip’s luxury resorts and casinos to their customer base.