Anurag Khanna
Anurag is a Director with the CrowdStrike Digital Forensics and Incident Response (DFIR) team, where he leads the team in Asia Pacific. His team works on several incident response investigations that involve nation state and eCrime adversaries every year.
He has led several high-profile investigations over the years involving nation state threat actors, investigating threat actor activity, scoping the incidents, creating and executing eviction plans and helping organisations improve detection capabilities. His work has led to detection and tracking of previously unknown threat actor groups and malware.
He has also been involved in eCrime incident response investigations, often getting into knife fights with adversaries, during dynamic threat actor activity.
Anurag is a SANS Certified Instructor where he teaches SEC504: Hacker Tools, Techniques, and Incident Handling.
Sessions
Modern Identity Providers Under Attack: Tactics, Techniques, and Mitigations
As identity has become the new perimeter, threat actors' techniques for targeting identity have evolved. Attackers are shifting focus from just stealing credentials to compromising the Identity Providers (IdPs) themselves. In this talk, we will share frontline experiences and lessons learned combating attacks on cloud-based identity providers, focusing on Entra ID, AWS Identity Provider, ADFS, Okta etc. We will talk about how modern adversaries exploit IAM misconfigurations, abuse trust relationships, register rogue domains or federation providers, manipulate multi-tenant apps, subvert SAML flows, and even bypass MFA protections.
We’ll dig into real tactics, detection methods, and defensive playbooks for securing these high-value targets. This talk is valuable for both red and blue teamers: Red teamers will gain insight into current techniques used by threat actors, while blue teamers will learn how to detect and defend against these emerging threats.
This fast-paced workshop offers a deep dive into Windows Active Directory (AD), focusing on what security professionals need to know.
We'll cover Active Directory security and dive into a couple of Kerberos attacks. The workshop is divided into two parts: the first provides an introduction to Active Directory in general, while the second focuses on Kerberos and attacks that target it.
Rather than concentrating on a specific tool, this workshop covers attack techniques used by threat actors within Active Directory and teaches defenders how to detect and protect against them.
Student Requirements
An x86 laptop with a newer CPU and a minimum of 16 GB (preferably 32 GB) of RAM.
VMware Workstation software
To follow along and practice during the workshop, you can set up your lab environment beforehand. The instructions are available at https://rudrasec.cloud/ad-lab-setup/ and the setup should take approximately 2-3 hours.