On October 20, 2023, Okta Security identified adversarial activity that used a stolen credential to gain access to the company\u2019s support case management system. Once inside the system, the hacker gained access to files uploaded by Okta customers using valid session tokens from recent support cases. As a result of using the extracted tokens from the Okta support system and support cases, the threat actor subsequently gained complete access to many of their customers\u2019 systems. In reaction to the attack, Okta support asked customers to upload an HTTP Archive (HAR) file to help troubleshoot issues. HAR files often contain sensitive data that malicious actors can use to imitate valid users.\n\nZscaler ThreatLabz, an embedded team of security experts, researchers, and network engineers responsible for analyzing and eliminating threats and investigating the global threat landscape, described the impact of identity provider (IdP) breaches and how organizations can dramatically improve the protection against these types of sophisticated attacks by leveraging industry-wide best practices.\n\nThe potential damage of identity provider compromise\n\nIdentity threats targeting IdPs have quickly become the attack vector of choice for many threat actors. The recent compromise of a leading IdP provider isn't the first time adversaries gained access to critical customer information, and it won't be the last.\n\nWhen an IdP is compromised, the consequences can be severe. Unauthorized access to user accounts and sensitive information becomes a significant concern, leading to potential data breaches, financial loss, and unauthorized activity.\n\nIdentity attacks use social engineering, prompt-bombing, bribing employees for 2FA codes, and session hijacking (among many techniques) to get privileged access. The theft of user credentials, such as usernames and passwords or session tokens, can enable attackers to infiltrate other systems and services and grant access to sensitive systems and resources. The exposure of personal or sensitive information can lead to identity theft, phishing attacks, and other forms of cybercrime. The recent breach is a stark reminder of the importance of robust security measures and continuous monitoring to safeguard identity provider systems and protect against these potential impacts.\n\nTraditional security controls are bypassed in such attacks as bad actors assume a user's identity and their malicious activity is indistinguishable from routine behavior.\n\nUnfortunately, every time a breach like this is reported, the security community is bombarded with pseudo-silver bullets claiming how the compromise could have been averted if only a particular solution had been deployed.\n\nThere is no silver bullet in cybersecurity. Adversaries can bypass even the best laid defense plans.\n\nThis post explains several recommendations for better preventing, detecting, and\/or containing a security incident targeting IdPs. By leveraging a combination of zero trust principles, deception & honeypots for detecting threats that bypass existing controls, and Identity Threat Detection & Response (ITDR) for maintaining strong identity hygiene, you can get visibility into active sessions and credential exposure on endpoints, while also being able to detect identity-specific attacks.\n\nThe criticality of a Zero Trust architecture in defending against IdP compromise\n\nZero Trust Network Access (ZTNA) replaces network-level based access and reduces excessive implicit trust for access to resources, primarily from remote locations, by employees, contractors, and other third parties.\n\nIn this breach, the user unknowingly uploaded a file that had sensitive information to Okta's support management system. The adversary leveraged the session cookies from the uploaded information to further advance the breach. A DLP-like technology can be effective in preventing users from uploading files with sensitive data unknowingly.\n\nUsing posture control, organizations can limit access to applications on managed devices only. Access will be prohibited if the adversaries try to access the critical applications or servers from unmanaged devices. It is imperative to make unmanaged device access a mandatory part of the ZTNA architecture.\n\nThe blast radius from the attack can be reduced by enforcing stringent segmentation policies. An administrator should define the policies for combining user attributes and services to enforce who has access to what. It is important to determine if a universal access policy is needed when users are on and off premises.\n\nIn this recent OKTA breach, no reports suggest major incidents so far. But in most cyberattacks, the threat actors are after the crown jewel systems and the data. Once the attackers have established a network foothold, they move laterally in the network, identifying the systems that are critical for the organizations to launch further attacks, including data theft. Defense-in-Depth (DiD) plays a very critical role in breaking the attack chain. This layered security approach enforces a very strong defense against sophisticated attacks such that if one layer fails to detect an advancement of a threat actor in the attack chain, then the next layer can still detect the attacker\u2019s next move and break the chain to neutralize the attack. \n\nLeveraging deception and ITDR using the Zero Trust platform for defense\n\nWhile Zero Trust reduces your attack surface by making resources invisible to the internet and minimizes the blast radius by connecting users directly to applications, deception, and ITDR are two additional tools in your arsenal that can help prevent, detect, and contain identity-driven attacks.\n\nDeception\n\nAdversaries rely on human error, policy gaps, and poor security hygiene to circumvent defenses and stay hidden as they escalate privileges and move laterally. No security team can be 100% certain that their defenses are bulletproof all the time\u2013this is what adversaries take advantage of.\n\nDeception changes the dynamics by injecting uncertainty into your environment. After hijacking a session token or using credentials, the attacker will scan the environment to find accounts and keys in an attempt to access critical applications and sensitive data.\n\nA simple deception strategy can help detect adversary presence before an attacker establishes persistence or exfiltrates data.\n\nUsing deception will not always stop an identity attack, but it will act as a last line of defense to detect a post-breach adversarial presence. This can help prevent a compromise from turning into a breach.\n\nITDR\n\nITDR is an emerging security discipline that sits at the intersection of threat detection and identity and access management.\n\nIt is becoming a top security priority for CISOs due to the rise of identity attacks and ITDR\u2019s ability to provide visibility into an organization\u2019s identity posture, implement hygiene best practices, and detect identity-specific attacks.\n\nAugment your Zero Trust implementation with ITDR to prevent and detect identity attacks using the following principles:\n\nIdentity Posture Management: Continuously assess identity stores like Active Directory, AzureAD, and Okta to get visibility into misconfigurations, excessive permissions, and Indicators or Exposure (IOEs) that could give attackers access to higher privileges and lateral movement paths.\n\nImplement identity hygiene: Use posture management best practices to revoke permissions and configure default policies that minimize attack paths and privileges.\n\nThreat Detection: Monitor endpoints for specific activities like DCSync, DCShadow, Kerberoasting, LDAP enumeration, and similar changes that correlate to malicious behavior.\n\nDetecting and responding to IdP breaches\n\nAn effective Security Operations Center (SOC) playbook plays a crucial role in proactively identifying and mitigating potential IdP attack vectors. By implementing a comprehensive monitoring and detection strategy, organizations can swiftly respond to IdP attack attempts, safeguard user identities, and protect critical resources.\n\nA SOC playbook for the IdP and MFA threat vectors contains detection alerts that are essential to identifying and responding to potential security incidents.\n\nMonitor and alert for:\n\nFor Okta customers, it is advisable to contact the company directly to obtain more information regarding the potential impact on their organization. Additionally, we offer the following recommendations as immediate action:\n\nPerform a thorough investigation for any of the following recent events in your environment:\n\nIdentity and MFA best practices\n\nEmploying security best practices in managing your identities and MFA configuration is paramount in establishing a robust security posture and effectively mitigating the risks associated with unauthorized access and data breaches. By diligently implementing the following measures and best practices, organizations can greatly fortify the safeguarding of identities and bolster the efficacy of their MFA deployment.\n\nProtect user identities\n\nProtect against MFA attacks\n\nTraditional MFA methods, such as SMS codes or email-based one-time passwords (OTPs), can be susceptible to phishing attacks. Phishers can intercept these codes or trick users into entering them into fake login pages, bypassing the additional security layer provided by MFA. To address this vulnerability, phish-resistant MFA methods have been developed. These methods aim to ensure that even if users are tricked into entering their credentials on a phishing website, the attacker cannot gain access without the additional authentication factor.\n\nZscaler\u2019s ThreatLabZ and security teams will continue to monitor the Okta breach. If any further information is disclosed by Okta or discovered through other sources, we will publish an update to this post.\n\nTo learn more, visit us here.