Responding and Defending Against IdP Vendor Compromise

Introduction

Based on Okta's statement on October 20 regarding a recent security breach, it has been determined that the threat actor successfully gained access to Okta's customer support system. Once inside the system, the threat actor was able to view files uploaded by Okta customers in relation to recent support cases with valid session tokens. By utilizing the extracted token from the Okta support system and support cases, the threat actor subsequently gained access to customer systems.

In this post, Zscaler ThreatLabz and the product security team describe the impact of identity provider (IdP) breaches and how your organization can better protect itself against these attacks by leveraging industry-wide best practices.

The Potential Impacts of Identity Provider Compromise

Identity threats targeting IdPs have quickly become the attack vector of choice for many threat actors. The recent compromise of a leading IdP provider isn't the first time adversaries gained access to critical customer information and it won't be the last.

When an IdP is compromised, the consequences can be severe. Unauthorized access to user accounts and sensitive information becomes a significant concern, leading to potential data breaches, financial loss, and unauthorized activity. 

Identity attacks use social engineering, prompt-bombing, bribing employees for 2FA codes, and session hijacking (among many techniques) to get privileged access. The theft of user credentials, such as usernames and passwords or session tokens, can enable attackers to infiltrate other systems and services, and grant access to sensitive systems and resources. The exposure of personal or sensitive information can lead to identity theft, phishing attacks, and other forms of cybercrime. The recent breach serves as a stark reminder of the importance of robust security measures and continuous monitoring to safeguard identity provider systems and to protect against these potential impacts.

Traditional security controls are bypassed in such attacks as attackers assume a user's identity and their malicious activity is indistinguishable from routine behavior.

Unfortunately, every time a breach like this is reported, the security community is bombarded with pseudo-silver bullets claiming how the compromise could have been averted if only a particular solution had been deployed.

There are no silver bullets in cybersecurity. Adversaries can bypass even the best-laid defense plans.

This post explains several vendor-agnostic recommendations for how you can better prevent, detect, and/or contain a security incident targeting IdPs. By leveraging a combination of zero trust principles, deception & honeypots for detecting threats that bypass existing controls, and Identity Threat Detection & Response (ITDR) for maintaining strong identity hygiene, you can get visibility into active sessions and credential exposure on endpoints, while also being able to detect identity-specific attacks.

The Importance of Zero Trust Architecture in Defending Against IdP Compromise

Zero Trust Network Access (ZTNA) replaces network-level based access and reduces excessive implicit trust for access to resources, primarily from remote locations, by employees, contractors, and other third parties.

In this breach, the user unknowingly uploaded a file which had sensitive information to Okta's support management system. The adversary leveraged the session cookies from the uploaded information to further advance the breach. The DLP-like technology can be effective in preventing users uploading files with the sensitive data unknowingly.

Using posture control, organizations can limit access to applications on managed devices only. If the adversaries try to access the critical applications or servers from unmanaged devices, access will be prohibited. It is imperative to make unmanaged device access a mandatory part of the ZTNA architecture.

The attack blast radius can be reduced by enforcing stringent segmentation policies. An administrator should define the policies for combining user attributes and services to enforce who has access to what.  It is important to determine if a universal access policy is needed for when users are on and off premises.

In this recent Okta breach, there are no reports that suggest major incidents so far. But in most cyberattacks, the threat actors are after the crown jewel systems and the data. Once the attackers have established a network foothold, they move laterally in the network, identifying the systems that are critical for the organizations to launch further attacks, including data theft. Defense-in-Depth (DiD) plays a very critical role in breaking the attack chain. The layered security approach enforces very strong defense against sophisticated attacks such that if one layer  fails to detect an advancement of a threat actor in the attack chain, then the next layer can still detect the attacker’s next move and break the chain to neutralize the attack.

Leveraging Deception and ITDR Using the Zero Trust Platform for Defense

While zero trust reduces your attack surface by making resources invisible to the internet and minimizes the blast radius by connecting users directly to applications, deception and ITDR are two additional tools in your arsenal that can help prevent, detect, and contain identity-driven attacks.

Deception

Adversaries rely on human error, policy gaps, and poor security hygiene to circumvent defenses and stay hidden as they escalate privileges and move laterally. No security team can be 100% certain that their defenses are foolproof all the time–this is what adversaries take advantage of. 

Deception changes the dynamics by injecting uncertainty into your environment. After hijacking a session token or using credentials, the attacker will scan the environment to find accounts and keys, and attempt to access critical applications and sensitive data.

A simple deception strategy can help detect adversary presence before an attacker can establish persistence or exfiltrate data.

Using deception will not always stop an identity attack but it will act as a last line of defense to detect a post-breach adversarial presence. This can help prevent a compromise from turning into a breach.

ITDR

ITDR is an emerging security discipline that sits at the intersection of threat detection and identity and access management.

It is becoming a top security priority for CISOs due to the rise of identity attacks and ITDR’s ability to provide visibility into an organization’s identity posture, implement hygiene best practices, and detect identity-specific attacks.

Augment your zero trust implementation with ITDR to prevent and detect identity attacks using following principles:

• Identity Posture Management: Continuously assess identity stores like Active Directory, AzureAD, and Okta to get visibility into misconfigurations, excessive permissions, and Indicators or Exposure (IOEs) that could give attackers access to higher privileges and lateral movement paths.
• Implement identity hygiene: Use posture management best practices to revoke permissions and configure default policies that minimize attack paths and privileges.
• Threat Detection: Monitor endpoints for specific activities like DCSync, DCShadow, Kerberoasting, LDAP enumeration, and similar changes that correlate to malicious behavior.

Detecting and Responding to IdP Breaches

An effective Security Operations Center (SOC) playbook plays a crucial role in proactively identifying and mitigating potential IdP attack vectors. By implementing a comprehensive monitoring and detection strategy, organizations can swiftly respond to IdP attack attempts, safeguard user identities, and protect critical resources. 

Our SOC playbook for the IdP and MFA threat vectors contains detection alerts which are essential to identifying and responding to potential security incidents. 

Monitor and alert for:

• Monitor permission changes implemented by suspicious users
  •  Admin with an unusual location
  •  Admin with an unusual user agent
  •  Admin with an unusual agent version
• Monitor for failed Okta authentications for privileged users without a follow-up successful authentication
• Monitor for failed Okta authentications for different users coming from the same source
• Monitor for reused session IDs
  •  Same session ID with different user agents
  •  Same session ID coming from different countries
• Monitor for MFA resets 

For Okta customers, it is advisable to contact the company directly to obtain more information regarding the potential impact to their organization. Additionally, we offer the following recommendations as immediate action:

Perform thorough investigation for any of the following recent events in your environment:

• Recent password resets or MFA resets performed by helpdesk or support personnel
• Review all recently created Okta administrators
• Review that all password resets are valid 
• Review all MFA related events, such as MFA resets or changes to any MFA configuration
• Ensure MFA is enabled for all user accounts and administrator accounts, and review actions performed by the administrator accounts

Identity and MFA Best Practices

Employing security best practices in managing your identities and MFA configuration is paramount in establishing a robust security posture and effectively mitigating the risks associated with unauthorized access and data breaches. By diligently implementing the following measures and best practices, organizations can greatly fortify the safeguarding of identities and bolster the efficacy of their MFA deployment.

Protect User Identities

• Use Strong and Unique Passwords: Encourage users to create strong, complex, and unique passwords for their accounts. Implement password policies that enforce minimum length, complexity, and regular password changes
• Implement Least Privilege: Follow the principle of least privilege, granting users only the minimum access necessary to perform their tasks. By limiting user privileges, you reduce the potential impact of compromised credentials.
• Educate Users: User awareness and education play a vital role in maintaining security. Train users on the importance of strong passwords, how to recognize phishing attempts, and how to properly use MFA methods. Regularly remind users to follow security best practices and report any suspicious activities.

Protect against MFA attacks

Traditional MFA methods, such as SMS codes or email-based one-time passwords (OTPs), can be susceptible to phishing attacks. Phishers can intercept these codes or trick users into entering them into fake login pages, thereby bypassing the additional layer of security provided by MFA. To address this vulnerability, phish-resistant MFA methods have been developed. These methods aim to ensure that even if users are tricked into entering their credentials on a phishing website, the attacker cannot gain access without the additional authentication factor.

• Use FIDO2-Based MFA: FIDO2 (Fast Identity Online) is a strong authentication standard that provides secure and passwordless authentication. It is recommended to implement FIDO2-based MFA, which uses public key cryptography to enhance security and protect against phishing attacks.
• Utilize Hardware Tokens: Hardware tokens, such as USB security keys or smart cards, can provide an extra level of security for MFA. These physical devices generate one-time passwords or use public key cryptography for authentication, making it difficult for attackers to compromise.

Zscaler’s ThreatLabZ and product security teams will continue to monitor the Okta breach. If any further information is disclosed by Okta or discovered through other sources, we will publish an update to this post.