Skip to content
Tiatra, LLCTiatra, LLC
Tiatra, LLC
Information Technology Solutions for Washington, DC Government Agencies
  • Home
  • About Us
  • Services
    • IT Engineering and Support
    • Software Development
    • Information Assurance and Testing
    • Project and Program Management
  • Clients & Partners
  • Careers
  • News
  • Contact
 
  • Home
  • About Us
  • Services
    • IT Engineering and Support
    • Software Development
    • Information Assurance and Testing
    • Project and Program Management
  • Clients & Partners
  • Careers
  • News
  • Contact

What you need to know about Okta’s security breach

On October 20, 2023, Okta Security identified adversarial activity that used a stolen credential to gain access to the company’s support case management system. Once inside the system, the hacker gained access to files uploaded by Okta customers using valid session tokens from recent support cases. As a result of using the extracted tokens from the Okta support system and support cases, the threat actor subsequently gained complete access to many of their customers’ systems. In reaction to the attack, Okta support asked customers to upload an HTTP Archive (HAR) file to help troubleshoot issues. HAR files often contain sensitive data that malicious actors can use to imitate valid users.

Zscaler ThreatLabz, an embedded team of security experts, researchers, and network engineers responsible for analyzing and eliminating threats and investigating the global threat landscape, described the impact of identity provider (IdP) breaches and how organizations can dramatically improve the protection against these types of sophisticated attacks by leveraging industry-wide best practices.

The potential damage of identity provider compromise

Identity threats targeting IdPs have quickly become the attack vector of choice for many threat actors. The recent compromise of a leading IdP provider isn’t the first time adversaries gained access to critical customer information, and it won’t be the last.

When an IdP is compromised, the consequences can be severe. Unauthorized access to user accounts and sensitive information becomes a significant concern, leading to potential data breaches, financial loss, and unauthorized activity.

Identity attacks use social engineering, prompt-bombing, bribing employees for 2FA codes, and session hijacking (among many techniques) to get privileged access. The theft of user credentials, such as usernames and passwords or session tokens, can enable attackers to infiltrate other systems and services and grant access to sensitive systems and resources. The exposure of personal or sensitive information can lead to identity theft, phishing attacks, and other forms of cybercrime. The recent breach is a stark reminder of the importance of robust security measures and continuous monitoring to safeguard identity provider systems and protect against these potential impacts.

Traditional security controls are bypassed in such attacks as bad actors assume a user’s identity and their malicious activity is indistinguishable from routine behavior.

Unfortunately, every time a breach like this is reported, the security community is bombarded with pseudo-silver bullets claiming how the compromise could have been averted if only a particular solution had been deployed.

There is no silver bullet in cybersecurity. Adversaries can bypass even the best laid defense plans.

This post explains several recommendations for better preventing, detecting, and/or containing a security incident targeting IdPs. By leveraging a combination of zero trust principles, deception & honeypots for detecting threats that bypass existing controls, and Identity Threat Detection & Response (ITDR) for maintaining strong identity hygiene, you can get visibility into active sessions and credential exposure on endpoints, while also being able to detect identity-specific attacks.

The criticality of a Zero Trust architecture in defending against IdP compromise

Zero Trust Network Access (ZTNA) replaces network-level based access and reduces excessive implicit trust for access to resources, primarily from remote locations, by employees, contractors, and other third parties.

In this breach, the user unknowingly uploaded a file that had sensitive information to Okta’s support management system. The adversary leveraged the session cookies from the uploaded information to further advance the breach. A DLP-like technology can be effective in preventing users from uploading files with sensitive data unknowingly.

Using posture control, organizations can limit access to applications on managed devices only. Access will be prohibited if the adversaries try to access the critical applications or servers from unmanaged devices. It is imperative to make unmanaged device access a mandatory part of the ZTNA architecture.

The blast radius from the attack can be reduced by enforcing stringent segmentation policies. An administrator should define the policies for combining user attributes and services to enforce who has access to what. It is important to determine if a universal access policy is needed when users are on and off premises.

In this recent OKTA breach, no reports suggest major incidents so far. But in most cyberattacks, the threat actors are after the crown jewel systems and the data. Once the attackers have established a network foothold, they move laterally in the network, identifying the systems that are critical for the organizations to launch further attacks, including data theft. Defense-in-Depth (DiD) plays a very critical role in breaking the attack chain. This layered security approach enforces a very strong defense against sophisticated attacks such that if one layer fails to detect an advancement of a threat actor in the attack chain, then the next layer can still detect the attacker’s next move and break the chain to neutralize the attack.  

Leveraging deception and ITDR using the Zero Trust platform for defense

While Zero Trust reduces your attack surface by making resources invisible to the internet and minimizes the blast radius by connecting users directly to applications, deception, and ITDR are two additional tools in your arsenal that can help prevent, detect, and contain identity-driven attacks.

Deception

Adversaries rely on human error, policy gaps, and poor security hygiene to circumvent defenses and stay hidden as they escalate privileges and move laterally. No security team can be 100% certain that their defenses are bulletproof all the time–this is what adversaries take advantage of.

Deception changes the dynamics by injecting uncertainty into your environment. After hijacking a session token or using credentials, the attacker will scan the environment to find accounts and keys in an attempt to access critical applications and sensitive data.

A simple deception strategy can help detect adversary presence before an attacker establishes persistence or exfiltrates data.

Kill chain Attack technique Deception defense
Initial Access Uses stolen/purchased credentials to access internet-facing applications like IdPs, VPNs, RDP, and VDI. Creates decoys of internet-facing applications like IdPs, VPNs, and Citrix servers that attackers are very likely to target.
Reconnaissance Uses AD explorer to enumerate users, computers, and groups.   Creates decoy users, user groups, and computers in your Active Directory.
Privilege Escalation Exploit vulnerabilities in collaboration platforms like Confluence, JIRA, and GitLab to get credentials of a privileged account.   Creates decoys of internal apps like Confluence, JIRA, and Gitlab that intercept the use of credentials to access this system.
Privilege Escalation Uses Mimikatz to extract credentials from memory in Windows. These credentials are then used to access higher privileged accounts.   Plants decoy credentials in Windows memory.  
Lateral Movement Moves laterally to core business applications and cloud environments to gain access to the victim organization’s data. Plants decoys of internal apps like code repositories, customer databases, business applications, and objects like S3 buckets and AWS keys in your cloud tenants.
Exfiltration The adversary uses their access to download sensitive data and extort the victim. Plants decoy files and other sensitive-seeming information on endpoints that detect any attempt to copy, modify, delete, or exfiltrate the files.

Using deception will not always stop an identity attack, but it will act as a last line of defense to detect a post-breach adversarial presence. This can help prevent a compromise from turning into a breach.

ITDR

ITDR is an emerging security discipline that sits at the intersection of threat detection and identity and access management.

It is becoming a top security priority for CISOs due to the rise of identity attacks and ITDR’s ability to provide visibility into an organization’s identity posture, implement hygiene best practices, and detect identity-specific attacks.

Augment your Zero Trust implementation with ITDR to prevent and detect identity attacks using the following principles:

Identity Posture Management: Continuously assess identity stores like Active Directory, AzureAD, and Okta to get visibility into misconfigurations, excessive permissions, and Indicators or Exposure (IOEs) that could give attackers access to higher privileges and lateral movement paths.

Implement identity hygiene: Use posture management best practices to revoke permissions and configure default policies that minimize attack paths and privileges.

Threat Detection: Monitor endpoints for specific activities like DCSync, DCShadow, Kerberoasting, LDAP enumeration, and similar changes that correlate to malicious behavior.

Detecting and responding to IdP breaches

An effective Security Operations Center (SOC) playbook plays a crucial role in proactively identifying and mitigating potential IdP attack vectors. By implementing a comprehensive monitoring and detection strategy, organizations can swiftly respond to IdP attack attempts, safeguard user identities, and protect critical resources.

A SOC playbook for the IdP and MFA threat vectors contains detection alerts that are essential to identifying and responding to potential security incidents.

Monitor and alert for:

  • Permission changes implemented by suspicious users
    •  Admin with an unusual location
    •  Admin with an unusual user agent
    •  Admin with an unusual agent version
  • Failed Okta authentications for privileged users without a follow-up successful authentication
  • Failed Okta authentications for different users coming from the same source
  • Reused session IDs
    •  Same session ID with different user agents
    •  Same session ID coming from different countries
  • MFA resets

For Okta customers, it is advisable to contact the company directly to obtain more information regarding the potential impact on their organization. Additionally, we offer the following recommendations as immediate action:

Perform a thorough investigation for any of the following recent events in your environment:

  • Recent password resets or MFA resets performed by helpdesk or support personnel
  • Review all recently created Okta administrators
  • Review that all password resets are valid
  • Review all MFA-related events, such as MFA resets or changes to any MFA configuration
  • Ensure MFA is enabled for all user accounts and administrator accounts, and review actions performed by the administrator accounts

Identity and MFA best practices

Employing security best practices in managing your identities and MFA configuration is paramount in establishing a robust security posture and effectively mitigating the risks associated with unauthorized access and data breaches. By diligently implementing the following measures and best practices, organizations can greatly fortify the safeguarding of identities and bolster the efficacy of their MFA deployment.

Protect user identities

  • Use Strong and Unique Passwords: Encourage users to create strong, complex, and unique passwords for their accounts. Implement password policies that enforce minimum length, complexity, and regular password changes.
  • Implement Least Privilege: Follow the principle of least privilege, granting users only the minimum access necessary to perform their tasks. By limiting user privileges, you reduce the potential impact of compromised credentials.
  • Educate Users: User awareness and education play a vital role in maintaining security. Train users on the importance of strong passwords, how to recognize phishing attempts, and how to properly use MFA methods. Regularly remind users to follow security best practices and report any suspicious activities.

Protect against MFA attacks

Traditional MFA methods, such as SMS codes or email-based one-time passwords (OTPs), can be susceptible to phishing attacks. Phishers can intercept these codes or trick users into entering them into fake login pages, bypassing the additional security layer provided by MFA. To address this vulnerability, phish-resistant MFA methods have been developed. These methods aim to ensure that even if users are tricked into entering their credentials on a phishing website, the attacker cannot gain access without the additional authentication factor.

  • Use FIDO2-Based MFA: FIDO2 (Fast Identity Online) is a strong authentication standard that provides secure and passwordless authentication. It is recommended to implement FIDO2-based MFA, which uses public key cryptography to enhance security and protect against phishing attacks.
  • Utilize Hardware Tokens: Hardware tokens, such as USB security keys or smart cards, can provide an extra level of security for MFA. These physical devices generate one-time passwords or use public key cryptography for authentication, making it difficult for attackers to compromise.

Zscaler’s ThreatLabZ and security teams will continue to monitor the Okta breach. If any further information is disclosed by Okta or discovered through other sources, we will publish an update to this post.

To learn more, visit us here.

Security
Read More from This Article: What you need to know about Okta’s security breach
Source: News

Category: NewsOctober 25, 2023
Tags: art

Post navigation

PreviousPrevious post:How medical technology helps us live the best version of ourselvesNextNext post:Generative AI: 5 enterprise predictions for AI and security — for 2023, 2024, and beyond

Related posts

Barb Wixom and MIT CISR on managing data like a product
May 30, 2025
Avery Dennison takes culture-first approach to AI transformation
May 30, 2025
The agentic AI assist Stanford University cancer care staff needed
May 30, 2025
Los desafíos de la era de la ‘IA en todas partes’, a fondo en Data & AI Summit 2025
May 30, 2025
“AI 비서가 팀 단위로 지원하는 효과”···퍼플렉시티, AI 프로젝트 10분 완성 도구 ‘랩스’ 출시
May 30, 2025
“ROI는 어디에?” AI 도입을 재고하게 만드는 실패 사례
May 30, 2025
Recent Posts
  • Barb Wixom and MIT CISR on managing data like a product
  • Avery Dennison takes culture-first approach to AI transformation
  • The agentic AI assist Stanford University cancer care staff needed
  • Los desafíos de la era de la ‘IA en todas partes’, a fondo en Data & AI Summit 2025
  • “AI 비서가 팀 단위로 지원하는 효과”···퍼플렉시티, AI 프로젝트 10분 완성 도구 ‘랩스’ 출시
Recent Comments
    Archives
    • May 2025
    • April 2025
    • March 2025
    • February 2025
    • January 2025
    • December 2024
    • November 2024
    • October 2024
    • September 2024
    • August 2024
    • July 2024
    • June 2024
    • May 2024
    • April 2024
    • March 2024
    • February 2024
    • January 2024
    • December 2023
    • November 2023
    • October 2023
    • September 2023
    • August 2023
    • July 2023
    • June 2023
    • May 2023
    • April 2023
    • March 2023
    • February 2023
    • January 2023
    • December 2022
    • November 2022
    • October 2022
    • September 2022
    • August 2022
    • July 2022
    • June 2022
    • May 2022
    • April 2022
    • March 2022
    • February 2022
    • January 2022
    • December 2021
    • November 2021
    • October 2021
    • September 2021
    • August 2021
    • July 2021
    • June 2021
    • May 2021
    • April 2021
    • March 2021
    • February 2021
    • January 2021
    • December 2020
    • November 2020
    • October 2020
    • September 2020
    • August 2020
    • July 2020
    • June 2020
    • May 2020
    • April 2020
    • January 2020
    • December 2019
    • November 2019
    • October 2019
    • September 2019
    • August 2019
    • July 2019
    • June 2019
    • May 2019
    • April 2019
    • March 2019
    • February 2019
    • January 2019
    • December 2018
    • November 2018
    • October 2018
    • September 2018
    • August 2018
    • July 2018
    • June 2018
    • May 2018
    • April 2018
    • March 2018
    • February 2018
    • January 2018
    • December 2017
    • November 2017
    • October 2017
    • September 2017
    • August 2017
    • July 2017
    • June 2017
    • May 2017
    • April 2017
    • March 2017
    • February 2017
    • January 2017
    Categories
    • News
    Meta
    • Log in
    • Entries feed
    • Comments feed
    • WordPress.org
    Tiatra LLC.

    Tiatra, LLC, based in the Washington, DC metropolitan area, proudly serves federal government agencies, organizations that work with the government and other commercial businesses and organizations. Tiatra specializes in a broad range of information technology (IT) development and management services incorporating solid engineering, attention to client needs, and meeting or exceeding any security parameters required. Our small yet innovative company is structured with a full complement of the necessary technical experts, working with hands-on management, to provide a high level of service and competitive pricing for your systems and engineering requirements.

    Find us on:

    FacebookTwitterLinkedin

    Submitclear

    Tiatra, LLC
    Copyright 2016. All rights reserved.