Extracting the Attacker: Getting the Bad Guys Off Your SaaS presented at BSidesNashville 2019

by David Branscome

Summary: The Microsoft Office 365 suite contains many applications that can help organizations do some amazing things. But every once in a while, a user in your organization will click on a link in an email, open a file or visit a malicious website, and their account will get compromised by an attacker. You can (and should) reset the user password, but is that enough? As you've probably guessed, if that was all you needed to do, this would be a VERY short session. The truth is, regaining control of a user account takes a little more effort to ensure the attacker isn't just temporarily inconvenienced. What are the steps you need to take to extract the attackers and get them off your SaaS? That's what I'll show you in this session, complete with demos. I'll also walk you through some sneaky areas where an attacker could potentially retain access, and show you how to shut it down. Finally, I'll show you some proactive steps you can take to keep these events to an absolute minimum. I can almost guarantee I'll show you some attack methods you haven't thought of before!