Insights and Research

Okta Source Code Breach: How to Evaluate the Impact & Protect your Organization

SOC playbooks and guidance on security best practices

Okta Source Code Breach: How to Evaluate the Impact & Protect your Organization

What happened in the Okta source code breach?

Okta, a leading provider of authentication services and Identity and Access Management (IAM) solutions, confirmed that its private GitHub repositories were hacked this month. According to an email notification reported by BleepingComputer, and later confirmed by Okta security post, the incident involves threat actors stealing Okta's source code. The leaked Okta source code pertains to the Workforce Identity Cloud repository and does not pertain to any Auth0 (Customer Identity Cloud) products.

Zscaler’s cloud is not at risk

After a thorough investigation, ThreatLabz determined that Zscaler has not been impacted by the Okta breach. While Zscaler does use Okta internally for employees as an Identity Provider (IDP), all access to our production environments requires multiple additional factors including hardware tokens not provided by Okta. You can read our security trust post here.

Source Code Repository Security

Source code repositories should undergo periodic and systematic security assessments to ensure the confidentiality and integrity of the codebase. Developer and administrator access  control audits, server and platform patching, and configuration reviews should be periodically performed to ensure that repositories are secure and that data is not lost or compromised.

Assumed-breach scenarios and red team exercises should be leveraged against your code repositories to assess the impact of a successful external attack. The feedback from such activities should be used to strengthen security posture, inform incident response capabilities, and prepare for real-life incidents such as one reported by Okta.

Consider the following with respect to securing your code repositories from compromise:

  • Ensure that your source control software is up to date with the latest security patches.
  • Leverage strict Role Based Access Control (RBAC) and MFA for your internal repositories, with access limited to authorized users with full audit trail. 
  • Protect access to the code in repositories using tokens or keys. Frequently rotate these keys, and revoke them when they are no longer needed.
  • Perform routine scans on repositories to ensure that there are no secrets in code. This reduces the likelihood of further security impact after an initial compromise of the environment.

ThreatLabz’ SOC playbook for Okta and Code Repositories

We are sharing our SOC playbook that organizations can leverage to perform assessment and response activities for this type of breach. 

The Zscaler Security team has developed Security Operations Center (SOC) playbooks for identity (IDP) providers and Code Repositories such as GitHub. This playbook provides security analysts and researchers fast track access to threat identification and remediation at the user level. Suspicious behaviors trigger a security action workflow: for example, moving a user to a higher-access security group, changing multi-factor authentication methods, unauthorized access to our code repositories  or other anomalous and potentially dangerous user behaviors.

A review of identity provider logs for indicators of compromise associated with this attack should include the following steps:

  • Review Okta admin/super admin account audit logs.
  • Review cloud admin/super admin account audit logs.
  • Review all executive accounts including MFA method changes.
  • Review new Okta account creations and compare against employee onboarding.
  • Review full Okta config to check for API access, logging configs, etc. 
  • Identify Okta accounts where MFA was disabled. Identify the user and root cause of the disablement. Re-enable MFA for those accounts.
  • Reset password for Okta admins.
  • Reset 2-factor authentication for Okta superadmins.
  • Rotate Okta-generated API tokens.
  • Verify Okta Support access is disabled.
  • Verify Directory Debugger access is disabled.
  • Review all critical users' access levels.

Security Operations Center (SOC) Detection Rules for Okta and Github

The process to enable Threat Detection for Identity Provider (IDP) like Okta using a SOC Playbook should be well-defined with specific workflows and actions. Okta has pre-built log ingestion modules for many of the common SIEM solutions. Once events are ingested, a number of queries can be created and easily leveraged for signs of a potential compromise or other suspicious activities. While they are not a comprehensive set of queries, they serve as a solid starting point for a security investigation.
 

Detection Name

Detection Query 

MFA Deactivation Attempt

event.dataset:okta.system and event.action:user.mfa.factor.deactivate

MFA Reset Attempt

event.dataset:okta.system and event.action:user.mfa.factor.reset_all

MFA Push Brute Force Attempt

sequence by user.email with maxspan=10m

  [any where event.module == "okta" and event.action == "user.mfa.okta_verify.deny_push"]

  [any where event.module == "okta" and event.action == "user.mfa.okta_verify.deny_push"]

  [any where event.module == "okta" and event.action == "user.authentication.sso"]

MFA Bypass Attempt

event.dataset:okta.system and event.action:user.mfa.attempt_bypass

Account Login Brute Force Attempt

event.dataset:okta.system and event.action:user.account.lock

User Session Impersonation

event.dataset:okta.system and event.action:user.session.impersonation.initiate

Group Administrative Privilege Assignment

event.dataset:okta.system and event.action:group.privilege.grant

User Administrative Privilege Assignment

event.dataset:okta.system and event.action:user.account.privilege.grant

Policy Rule Modification

event.dataset:okta.system and event.action:policy.rule.update

Policy Rule Deletion

event.dataset:okta.system and event.action:policy.rule.delete

Policy Rule Deactivation

event.dataset:okta.system and event.action:policy.rule.deactivate

 

Similarly, you may want to monitor your Github logs for suspicious activity to ensure that a similar breach does not happen to your organization. Here are some suggested queries. Please refer to relevant MITRE ATT&CK TTPs for your code repositories.

 

Detection Name

Detection Query 

Enterprise Owner added

business.add_admin

SAML SSO Disabled

business.disable_saml

2FA Disabled

business.disable_two_factor_requirement

Enterprise Admin Invited

business.invite_admin

Github Connect Created

dotcom_connection.create

Anonymous Git Access Enabled

enterprise.config.enable_anonymous_git_access

Git Push to Repo

git.push

Git Clone to Repo

git.clone

Migration Created

migration.create

Secret Keys Created

oauth_application.generate_client_secret

Forking to Private Repo Enabled

private_repository_forking.enable

User Public Key Created

public_key.create

Pull Request

pull_request.create

Repo Downloaded as Zip

repo.download_zip

Integration Created

integration.create

 

Guidance and Best Practices

Following are some of the recommendations to enhance your security posture against similar scenarios involving your Identity Provider (IDP) and Source code repositories to protect your organization:

  • Ensure MFA is enabled for all users. Consider MFA methods not facilitated by your primary Identity Provider (IDP) for critical systems including hardware-based tokens.
  • Continuously monitor your Source Code Repositories such as Github logs for suspicious activity. 
  • Granular Role Based Access Control (RBAC) for your Source Code Repositories, Build Systems and Crown-Jewels to ensure only authorized users have access to the systems.
  • Continually review policies and procedures with any organization involved in your supply chain. Many organizations could be potentially impacted by this type of incident.
  • Run security incident preparedness exercises for incidents just like this (a primary Identity Provider compromise, or an internal codebase compromise) to understand how to respond and what to communicate to whom and when.

How can Zscaler protect organizations against this kind of attack?

The Zscaler platform is built on a holistic zero trust architecture that offers defense-in-depth against supply chain and compromised user attacks, mitigating incidents such as this in the following ways:

  • Minimize the attack surface by making internal apps invisible to the internet.
  • Prevent compromise by using cloud native proxy architecture to inspect all traffic inline and at scale, enforcing consistent security policies. This is critical in blocking the prevalent Adversary-in-The-Middle (AiTM) phishing campaign that is actively targeting organization’s Github credentials with ability to bypass MFA.
  • Stop lateral movement by connecting users directly to applications (rather than the network) to reduce the attack surface, and contain threats by using deception and workload segmentation.
  • Stop data loss by inspecting data-at-rest (SaaS) and all internet-bound traffic, including encrypted channels, to prevent data theft including code repositories.

About ThreatLabz

ThreatLabz is the security research arm of Zscaler. This world-class team is responsible for hunting new threats and ensuring that the thousands of organizations using the global Zscaler platform are always protected. In addition to malware research and behavioral analysis, team members are involved in the research and development of new prototype modules for advanced threat protection on the Zscaler platform, and regularly conduct internal security audits to ensure that Zscaler products and infrastructure meet security compliance standards. ThreatLabz regularly publishes in-depth analyses of new and emerging threats on its portal, research.zscaler.com.

 

Get the latest Zscaler blog updates in your inbox

Subscription confirmed. More of the latest from Zscaler, coming your way soon!

By submitting the form, you are agreeing to our privacy policy.