On October 20, 2023, Okta Security identified adversarial activity that used a stolen credential to gain access to the company’s support case management system. Once inside the system, the hacker gained access to files uploaded by Okta customers using valid session tokens from recent support cases. As a result of using the extracted tokens from the Okta support system and support cases, the threat actor subsequently gained complete access to many of their customers’ systems. In reaction to the attack, Okta support asked customers to upload an HTTP Archive (HAR) file to help troubleshoot issues. HAR files often contain sensitive data that malicious actors can use to imitate valid users.

Zscaler ThreatLabz, an embedded team of security experts, researchers, and network engineers responsible for analyzing and eliminating threats and investigating the global threat landscape, described the impact of identity provider (IdP) breaches and how organizations can dramatically improve the protection against these types of sophisticated attacks by leveraging industry-wide best practices.

The potential damage of identity provider compromise

Identity threats targeting IdPs have quickly become the attack vector of choice for many threat actors. The recent compromise of a leading IdP provider isn’t the first time adversaries gained access to critical customer information, and it won’t be the last.

When an IdP is compromised, the consequences can be severe. Unauthorized access to user accounts and sensitive information becomes a significant concern, leading to potential data breaches, financial loss, and unauthorized activity.

Identity attacks use social engineering, prompt-bombing, bribing employees for 2FA codes, and session hijacking (among many techniques) to get privileged access. The theft of user credentials, such as usernames and passwords or session tokens, can enable attackers to infiltrate other systems and services and grant access to sensitive systems and resources. The exposure of personal or sensitive information can lead to identity theft, phishing attacks, and other forms of cybercrime. The recent breach is a stark reminder of the importance of robust security measures and continuous monitoring to safeguard identity provider systems and protect against these potential impacts.

Traditional security controls are bypassed in such attacks as bad actors assume a user’s identity and their malicious activity is indistinguishable from routine behavior.

Unfortunately, every time a breach like this is reported, the security community is bombarded with pseudo-silver bullets claiming how the compromise could have been averted if only a particular solution had been deployed.

There is no silver bullet in cybersecurity. Adversaries can bypass even the best laid defense plans.

This post explains several recommendations for better preventing, detecting, and/or containing a security incident targeting IdPs. By leveraging a combination of zero trust principles, deception & honeypots for detecting threats that bypass existing controls, and Identity Threat Detection & Response (ITDR) for maintaining strong identity hygiene, you can get visibility into active sessions and credential exposure on endpoints, while also being able to detect identity-specific attacks.

The criticality of a Zero Trust architecture in defending against IdP compromise

Zero Trust Network Access (ZTNA) replaces network-level based access and reduces excessive implicit trust for access to resources, primarily from remote locations, by employees, contractors, and other third parties.

In this breach, the user unknowingly uploaded a file that had sensitive information to Okta’s support management system. The adversary leveraged the session cookies from the uploaded information to further advance the breach. A DLP-like technology can be effective in preventing users from uploading files with sensitive data unknowingly.

Using posture control, organizations can limit access to applications on managed devices only. Access will be prohibited if the adversaries try to access the critical applications or servers from unmanaged devices. It is imperative to make unmanaged device access a mandatory part of the ZTNA architecture.

The blast radius from the attack can be reduced by enforcing stringent segmentation policies. An administrator should define the policies for combining user attributes and services to enforce who has access to what. It is important to determine if a universal access policy is needed when users are on and off premises.

In this recent OKTA breach, no reports suggest major incidents so far. But in most cyberattacks, the threat actors are after the crown jewel systems and the data. Once the attackers have established a network foothold, they move laterally in the network, identifying the systems that are critical for the organizations to launch further attacks, including data theft. Defense-in-Depth (DiD) plays a very critical role in breaking the attack chain. This layered security approach enforces a very strong defense against sophisticated attacks such that if one layer fails to detect an advancement of a threat actor in the attack chain, then the next layer can still detect the attacker’s next move and break the chain to neutralize the attack.  

Leveraging deception and ITDR using the Zero Trust platform for defense

While Zero Trust reduces your attack surface by making resources invisible to the internet and minimizes the blast radius by connecting users directly to applications, deception, and ITDR are two additional tools in your arsenal that can help prevent, detect, and contain identity-driven attacks.

Deception

Adversaries rely on human error, policy gaps, and poor security hygiene to circumvent defenses and stay hidden as they escalate privileges and move laterally. No security team can be 100% certain that their defenses are bulletproof all the time–this is what adversaries take advantage of.

Deception changes the dynamics by injecting uncertainty into your environment. After hijacking a session token or using credentials, the attacker will scan the environment to find accounts and keys in an attempt to access critical applications and sensitive data.

A simple deception strategy can help detect adversary presence before an attacker establishes persistence or exfiltrates data.

Kill chain	Attack technique	Deception defense
Initial Access	Uses stolen/purchased credentials to access internet-facing applications like IdPs, VPNs, RDP, and VDI.	Creates decoys of internet-facing applications like IdPs, VPNs, and Citrix servers that attackers are very likely to target.
Reconnaissance	Uses AD explorer to enumerate users, computers, and groups.	Creates decoy users, user groups, and computers in your Active Directory.
Privilege Escalation	Exploit vulnerabilities in collaboration platforms like Confluence, JIRA, and GitLab to get credentials of a privileged account.	Creates decoys of internal apps like Confluence, JIRA, and Gitlab that intercept the use of credentials to access this system.
Privilege Escalation	Uses Mimikatz to extract credentials from memory in Windows. These credentials are then used to access higher privileged accounts.	Plants decoy credentials in Windows memory.
Lateral Movement	Moves laterally to core business applications and cloud environments to gain access to the victim organization’s data.	Plants decoys of internal apps like code repositories, customer databases, business applications, and objects like S3 buckets and AWS keys in your cloud tenants.
Exfiltration	The adversary uses their access to download sensitive data and extort the victim.	Plants decoy files and other sensitive-seeming information on endpoints that detect any attempt to copy, modify, delete, or exfiltrate the files.

Using deception will not always stop an identity attack, but it will act as a last line of defense to detect a post-breach adversarial presence. This can help prevent a compromise from turning into a breach.

ITDR

ITDR is an emerging security discipline that sits at the intersection of threat detection and identity and access management.

It is becoming a top security priority for CISOs due to the rise of identity attacks and ITDR’s ability to provide visibility into an organization’s identity posture, implement hygiene best practices, and detect identity-specific attacks.

Augment your Zero Trust implementation with ITDR to prevent and detect identity attacks using the following principles:

Identity Posture Management: Continuously assess identity stores like Active Directory, AzureAD, and Okta to get visibility into misconfigurations, excessive permissions, and Indicators or Exposure (IOEs) that could give attackers access to higher privileges and lateral movement paths.

Implement identity hygiene: Use posture management best practices to revoke permissions and configure default policies that minimize attack paths and privileges.

Threat Detection: Monitor endpoints for specific activities like DCSync, DCShadow, Kerberoasting, LDAP enumeration, and similar changes that correlate to malicious behavior.

Detecting and responding to IdP breaches

An effective Security Operations Center (SOC) playbook plays a crucial role in proactively identifying and mitigating potential IdP attack vectors. By implementing a comprehensive monitoring and detection strategy, organizations can swiftly respond to IdP attack attempts, safeguard user identities, and protect critical resources.

A SOC playbook for the IdP and MFA threat vectors contains detection alerts that are essential to identifying and responding to potential security incidents.

Monitor and alert for:

• Permission changes implemented by suspicious users
  •  Admin with an unusual location
  •  Admin with an unusual user agent
  •  Admin with an unusual agent version
• Failed Okta authentications for privileged users without a follow-up successful authentication
• Failed Okta authentications for different users coming from the same source
• Reused session IDs
  •  Same session ID with different user agents
  •  Same session ID coming from different countries
• MFA resets

For Okta customers, it is advisable to contact the company directly to obtain more information regarding the potential impact on their organization. Additionally, we offer the following recommendations as immediate action:

Perform a thorough investigation for any of the following recent events in your environment:

• Recent password resets or MFA resets performed by helpdesk or support personnel
• Review all recently created Okta administrators
• Review that all password resets are valid
• Review all MFA-related events, such as MFA resets or changes to any MFA configuration
• Ensure MFA is enabled for all user accounts and administrator accounts, and review actions performed by the administrator accounts

Identity and MFA best practices

Employing security best practices in managing your identities and MFA configuration is paramount in establishing a robust security posture and effectively mitigating the risks associated with unauthorized access and data breaches. By diligently implementing the following measures and best practices, organizations can greatly fortify the safeguarding of identities and bolster the efficacy of their MFA deployment.

Protect user identities

• Use Strong and Unique Passwords: Encourage users to create strong, complex, and unique passwords for their accounts. Implement password policies that enforce minimum length, complexity, and regular password changes.
• Implement Least Privilege: Follow the principle of least privilege, granting users only the minimum access necessary to perform their tasks. By limiting user privileges, you reduce the potential impact of compromised credentials.
• Educate Users: User awareness and education play a vital role in maintaining security. Train users on the importance of strong passwords, how to recognize phishing attempts, and how to properly use MFA methods. Regularly remind users to follow security best practices and report any suspicious activities.

Protect against MFA attacks

Traditional MFA methods, such as SMS codes or email-based one-time passwords (OTPs), can be susceptible to phishing attacks. Phishers can intercept these codes or trick users into entering them into fake login pages, bypassing the additional security layer provided by MFA. To address this vulnerability, phish-resistant MFA methods have been developed. These methods aim to ensure that even if users are tricked into entering their credentials on a phishing website, the attacker cannot gain access without the additional authentication factor.

• Use FIDO2-Based MFA: FIDO2 (Fast Identity Online) is a strong authentication standard that provides secure and passwordless authentication. It is recommended to implement FIDO2-based MFA, which uses public key cryptography to enhance security and protect against phishing attacks.
• Utilize Hardware Tokens: Hardware tokens, such as USB security keys or smart cards, can provide an extra level of security for MFA. These physical devices generate one-time passwords or use public key cryptography for authentication, making it difficult for attackers to compromise.

Zscaler’s ThreatLabZ and security teams will continue to monitor the Okta breach. If any further information is disclosed by Okta or discovered through other sources, we will publish an update to this post.

To learn more, visit us here.