Alert Logic is researching a potential breach of Okta, a commonly used authentication company, reported by a hacking group. Okta has released a statement indicating that the Okta service has not been breached and that an attacker had access to a single account from January 16-21, 2022. However, the hacking group reports a deeper breach than the Okta statement claims.
While this attempt seems to have been limited in scope, organizations using Okta may be concerned about exposure. If you are concerned, Alert Logic recommends reviewing your Okta logs to check for suspicious actions using the guidance below. Additionally, there are several best practices for securing your use of the Okta service to limit exposure to potential threats.
Alert Logic has not been impacted by this event.
What can I do to check for suspicious activity related to the Okta breach?
If you have concerns about the Okta breach, consider doing the following:
- Reach out to Okta for further confirmation.
- Review that your MFA settings have not been disabled.
- Audit access to Admin and Super Admin accounts, ensuring that the source of each access is expected.
- Search for the following specific event in Okta:
  - Okta Console > Reports > System Log > Search for ‘eventType eq "user.session.impersonation.initiate"’
- Audit existing users, ensuring expected and authorized activity for the following:
  - Recently created accounts
  - Changes to account settings (MFA, permissions, etc.)
Alert Logic has pre-designed a query to help you identify suspicious activity related to the Okta hack. The following query looks for Okta events related specifically to MFA and password resets or updates during the relevant dates announced in the Okta statement (January 16-22). The query returns the actor that made the request, the target of the reset attempt, the IP address of the client, and debug context such as the URL or method used in the reset attempt.
```sql
SELECT
  time_recv AS "Time Received",
  parsed.json.displayMessage AS "displayMessage",
  parsed.json.outcome.result AS "outcomeResult",
  parsed.json.request.ipChain[0].ip AS "Request IP",
  parsed.json.actor.alternateId AS "actorID",
  parsed.json.target[0].alternateId AS "targetID",
  parsed.json.debugContext.debugData.url AS "debugURL",
  parsed.json.debugContext.debugData.threatSuspected AS "threatStatus"
FROM logmsgs
WHERE parsed.json.eventType IN [
  'system.agent.ad.reset_user_password',
  'system.email.mfa_reset_notification.sent_message',
  'system.email.password_reset.sent_message',
  'system.sms.send_password_reset_message',
  'user.account.reset_password',
  'user.mfa.factor.reset_all',
  'user.mfa.factor.update',
  'application.user_membership.change_password',
  'user.account.update_password'
]
ORDER BY time_recv DESC
LIMIT 1000
```
Note: If you are not currently sending Okta logs to Alert Logic, you can set up collection via the Application Registry. For more information on collecting Okta logs through the Application Registry, refer to our Configure Log Collector documentation.
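If you keep raw Okta System Log exports rather than searching them in the Alert Logic console, the same triage can be done offline. The following Python script is an added example, not Alert Logic's or Okta's code: it applies the event-type list from the query above to JSON-lines records, extracts the same columns the query selects, and separately surfaces the `user.session.impersonation.initiate` event from the console search in the checklist. Because the query text itself contains no date predicate, the example applies the January 16-22, 2022 window explicitly. The sample records are constructed to match the Okta System Log field layout (`actor`, `target`, `request.ipChain`, `debugContext.debugData`); the user names, IPs and URL in them are invented.

```python
import json
from datetime import datetime, timezone

# Event types from the Alert Logic query on this page (MFA and password reset/update).
RESET_EVENT_TYPES = {
    'system.agent.ad.reset_user_password',
    'system.email.mfa_reset_notification.sent_message',
    'system.email.password_reset.sent_message',
    'system.sms.send_password_reset_message',
    'user.account.reset_password',
    'user.mfa.factor.reset_all',
    'user.mfa.factor.update',
    'application.user_membership.change_password',
    'user.account.update_password',
}
# Event written when an Okta Support impersonation session starts (the console search on this page).
IMPERSONATION_EVENT = 'user.session.impersonation.initiate'

# Window named on the page (January 16-22, 2022), applied as inclusive UTC calendar days.
WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 23, tzinfo=timezone.utc)  # exclusive upper bound

# Constructed Okta System Log records (JSON lines), not real customer data.
SAMPLE_EVENTS = [
    json.dumps({
        "published": "2022-01-18T14:03:22.123Z",
        "eventType": "user.mfa.factor.reset_all",
        "displayMessage": "Reset all factors for user",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": "support-admin@example.com", "type": "User"},
        "target": [{"alternateId": "victim@example.com", "type": "User"}],
        "request": {"ipChain": [{"ip": "203.0.113.5"}]},
        "debugContext": {"debugData": {"url": "/api/v1/users/00uEXAMPLE/lifecycle/reset_factors",
                                       "threatSuspected": "false"}},
    }),
    json.dumps({
        "published": "2022-01-20T09:41:07.000Z",
        "eventType": "user.session.impersonation.initiate",
        "displayMessage": "User impersonation initiated",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": "okta-support@example.net", "type": "User"},
        "target": [{"alternateId": "admin@example.com", "type": "User"}],
        "request": {"ipChain": [{"ip": "198.51.100.20"}]},
    }),
    json.dumps({  # matching event family but outside the window: not reported
        "published": "2022-02-01T08:00:00.000Z",
        "eventType": "user.account.update_password",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": "alice@example.com"},
        "target": [{"alternateId": "alice@example.com"}],
    }),
    json.dumps({  # unrelated event type inside the window: not reported
        "published": "2022-01-17T12:00:00.000Z",
        "eventType": "user.session.start",
        "outcome": {"result": "SUCCESS"},
        "actor": {"alternateId": "bob@example.com"},
    }),
]


def _get(obj, path, default=None):
    """Walk a dotted path with optional list indexes, e.g. 'request.ipChain[0].ip'."""
    cur = obj
    for part in path.split('.'):
        name, _, idx = part.partition('[')
        if not isinstance(cur, dict) or name not in cur:
            return default
        cur = cur[name]
        if idx:
            i = int(idx.rstrip(']'))
            if not isinstance(cur, list) or i >= len(cur):
                return default
            cur = cur[i]
    return default if cur is None else cur


def _published(ev):
    # Okta publishes ISO-8601 timestamps with a trailing 'Z' (UTC).
    return datetime.fromisoformat(ev['published'].replace('Z', '+00:00'))


def triage_okta_events(lines):
    """Return (reset_rows, impersonation_rows) carrying the columns the page's query selects."""
    resets, impersonations = [], []
    for line in lines:
        ev = json.loads(line)
        row = {
            'time': ev['published'],
            'eventType': ev.get('eventType'),
            'displayMessage': ev.get('displayMessage'),
            'outcomeResult': _get(ev, 'outcome.result'),
            'requestIP': _get(ev, 'request.ipChain[0].ip'),
            'actorID': _get(ev, 'actor.alternateId'),
            'targetID': _get(ev, 'target[0].alternateId'),
            'debugURL': _get(ev, 'debugContext.debugData.url'),
            'threatStatus': _get(ev, 'debugContext.debugData.threatSuspected'),
        }
        if row['eventType'] == IMPERSONATION_EVENT:
            impersonations.append(row)
        elif row['eventType'] in RESET_EVENT_TYPES and WINDOW_START <= _published(ev) < WINDOW_END:
            resets.append(row)
    # Newest first, like the ORDER BY time_recv DESC in the page's query.
    resets.sort(key=lambda r: r['time'], reverse=True)
    return resets, impersonations


if __name__ == '__main__':
    for label, rows in zip(('MFA/password resets', 'Support impersonation'), triage_okta_events(SAMPLE_EVENTS)):
        print(label)
        for r in rows:
            print('  ', r['time'], r['eventType'], r['actorID'], '->', r['targetID'], r['requestIP'])
```

To run this over a real export, replace `SAMPLE_EVENTS` with the lines of a System Log JSON-lines file; the `_get` helper tolerates records that lack `request`, `target` or `debugContext`, which is common for system-generated events, so a missing field yields `None` rather than an exception.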
How can I secure my organization’s use of the Okta service?
There are several best practices Alert Logic recommends to secure use of the Okta service.
Account Management
- Ensure both Administrator and Standard User accounts have the least privilege necessary for their role.
- Limit the number of Super Admin accounts.
  - Audit them to ensure you know who needs them and for what purpose.
- Enable admin email notifications for all system changes.
- Enable MFA for all users.
- Disable Okta Support Access unless you are working an active support case.
  - In the Admin console, set the option Okta Support Access to Disabled.
Monitoring with Alert Logic
- If you have not already done so, configure a collector so that your Okta logs are monitored by Alert Logic.
- Alert Logic currently provides the following log analytics to detect suspicious activity in Okta logs:
| Name | Summary |
| --- | --- |
| GLADOktaLogin | Geographically Anomalous Okta Login from {attacker} |
| NewCountryInOktaLogin | Anomalous Country in Okta Login from {attacker} |
| LoginSuccessRiskyIP | {vendor} Successful Logins for {source_username} from a Malicious IP |
| MultiCountriesSingleDay | {vendor} Logins for User {victim_username} from Multiple Countries |
| CredStuffing | {vendor} Possible Credential Stuffing Activity Detected from {attacker_ip} |
| MFADisabled | {vendor} MFA Disabled for User {victim_username} by User {attacker_username} |
| UserLoginFailures | {vendor} Brute Force Activity Detected from {attacker_ip} |
| AdminAppAccess | {vendor} User {attacker_username} Attempting to Access Admin Application |
| AdminPrivilegeGrant | {vendor} User {victim_username} Granted Admin Privileges by {attacker_username} |
Using these analytics, you can perform searches in the Search console to identify suspicious activity. For customers with Managed Detection & Response subscriptions, these analytics can also be viewed in the Threat Intelligence Center.
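To make concrete what three of the analytics in the table look for, here is an added Python example (not Alert Logic's analytics code, whose actual logic and tuning are not on this page) that runs simplified versions of MultiCountriesSingleDay, UserLoginFailures and MFADisabled over constructed Okta System Log-shaped records. The `user.session.start` event type, the `client.geographicalContext.country` and `client.ipAddress` fields, and the `user.mfa.factor.deactivate` event type are taken from Okta's System Log documentation rather than from this page; the brute-force threshold (5 failures in 10 minutes) is an illustrative assumption, and all users, IPs and countries in the sample are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(published, event_type, actor, result, ip, country, target=None):
    """Build a minimal Okta System Log-shaped record (constructed sample, not real data)."""
    rec = {
        'published': published, 'eventType': event_type,
        'actor': {'alternateId': actor, 'type': 'User'},
        'outcome': {'result': result},
        'client': {'ipAddress': ip, 'geographicalContext': {'country': country}},
    }
    if target:
        rec['target'] = [{'alternateId': target, 'type': 'User'}]
    return rec


# Constructed sample: one user logging in from two countries on one day, one IP failing
# six logins in five minutes, one stray failure, and one MFA factor deactivated by another user.
SAMPLE_EVENTS = [
    _ev('2022-01-18T09:00:00.000Z', 'user.session.start', 'alice@example.com', 'SUCCESS', '203.0.113.10', 'US'),
    _ev('2022-01-18T11:30:00.000Z', 'user.session.start', 'alice@example.com', 'SUCCESS', '198.51.100.44', 'RU'),
    _ev('2022-01-18T10:00:00.000Z', 'user.session.start', 'bob@example.com', 'SUCCESS', '203.0.113.11', 'US'),
    _ev('2022-01-18T16:00:00.000Z', 'user.session.start', 'bob@example.com', 'SUCCESS', '203.0.113.12', 'US'),
    _ev('2022-01-19T13:05:00.000Z', 'user.mfa.factor.deactivate', 'attacker@example.com', 'SUCCESS',
        '198.51.100.44', 'RU', target='bob@example.com'),
    _ev('2022-01-18T10:02:00.000Z', 'user.session.start', 'carol@example.com', 'FAILURE', '203.0.113.9', 'US'),
] + [
    _ev(f'2022-01-18T10:{i:02d}:00.000Z', 'user.session.start', f'user{i}@example.com', 'FAILURE',
        '198.51.100.7', 'RU')
    for i in range(6)
]


def _ts(ev):
    # Okta publishes ISO-8601 timestamps with a trailing 'Z' (UTC).
    return datetime.fromisoformat(ev['published'].replace('Z', '+00:00'))


def _is_login(ev, result):
    return ev['eventType'] == 'user.session.start' and ev['outcome']['result'] == result


def multi_country_logins(events):
    """MultiCountriesSingleDay: users with successful logins from more than one country on one UTC day."""
    countries = defaultdict(set)
    for ev in events:
        if _is_login(ev, 'SUCCESS'):
            key = (ev['actor']['alternateId'], _ts(ev).date())
            countries[key].add(ev['client']['geographicalContext']['country'])
    return {user: sorted(c) for (user, _day), c in countries.items() if len(c) > 1}


def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """UserLoginFailures: source IPs with at least `threshold` failed logins inside any sliding window.
    The default threshold and window are illustrative assumptions, not Alert Logic's tuning."""
    failures = defaultdict(list)
    for ev in events:
        if _is_login(ev, 'FAILURE'):
            failures[ev['client']['ipAddress']].append(_ts(ev))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best  # densest burst of failures seen from this IP
    return flagged


def mfa_disabled(events):
    """MFADisabled: (victim, actor) pairs for every successful factor deactivation.
    Self-service deactivations are kept on purpose: a stolen session looks self-service too."""
    hits = []
    for ev in events:
        if ev['eventType'] != 'user.mfa.factor.deactivate' or ev['outcome']['result'] != 'SUCCESS':
            continue
        for t in ev.get('target', []):
            if t.get('type') == 'User':
                hits.append((t['alternateId'], ev['actor']['alternateId']))
    return hits


if __name__ == '__main__':
    print('Multiple countries in one day:', multi_country_logins(SAMPLE_EVENTS))
    print('Brute force sources:', brute_force_sources(SAMPLE_EVENTS))
    print('MFA disabled (victim, actor):', mfa_disabled(SAMPLE_EVENTS))
```

Each function returns its findings rather than printing them, so the same checks can be wired into a scheduled job or a notebook over a real System Log export. The sliding-window count in `brute_force_sources` is the part worth keeping: a flat daily count either misses a short burst or fires on a day's worth of ordinary typos.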
Monitoring with Okta’s HealthInsight
Okta’s HealthInsight audits organizations' security settings and suggests recommended tasks to improve security posture. These security recommendations are intended primarily for admins that manage employees within their organization.
- Review HealthInsight and audit all incomplete, complete, and dismissed tasks.
- Review ThreatInsight. Okta recommends enabling ThreatInsight to log and block authentication attempts from suspicious IP addresses.