2025-09-25 –, Off-Main Track
Modern Identity Providers Under Attack: Tactics, Techniques, and Mitigations
As identity has become the new perimeter, threat actors techniques to target Identity has evovled. Attackers are shifting focus from just stealing credentials to compromising the Identity Providers (IdPs) themselves. In this talk, we will share frontline experiences and lessons learned combating attacks on cloud-based identity providers, focusing on Entra ID, AWS Identity Provider, ADFS, Okta etc. We will talk about how modern adversaries exploit IAM misconfigurations, abuse trust relationships, register rogue domains or federation providers, manipulate multi-tenant apps, subvert SAML flows, and even bypass MFA protections.
We’ll dig into real tactics, detection methods, and defensive playbooks for securing these high-value targets. This talk is valuable for both red and blue teamers: Red teamers will gain insight into current techniques used by threat actors, while blue teamers will learn how to detect and defend against these emerging threats.
Anurag is a Director with the CrowdStrike Digital Forensics and Incident Response (DFIR) team, where he leads the team in Asia Pacific. His team works on several incident response investigations that involve nation state and eCrime adversaries every year.
He has led several high profile investigations over years involving nation state threat actors, investigating threat actor activity, scoping the incidents, creating and executing eviction plans and helping organisations improve detection capabilities .His work has led to detection and tracking of previously unknown threat actor groups and malware.
He has also been involved in eCrime incident response investigations, often getting into knife fights with adversaries, during dynamic threat actor activity.
Anurag is a SANS Certified Instructor where he teaches SEC504: Hacker Tools, Techniques, and Incident Handling.