
3 critical steps in responding to an Okta-style identity compromise

By: Taj El-khayat, Managing Director for Growth Markets at Vectra AI

Nowadays it seems that headline-grabbing cyberbreaches are a monthly occurrence. In March, the targets were Microsoft and San Francisco-based identity and access management company Okta, both compromised by the notorious Lapsus$ gang.

Microsoft’s encounter started with a SIM-swap attack on a single Microsoft employee that allowed Lapsus$ to intercept SMS messages, bypass MFA, and steal source code. Okta suffered a supply-chain attack originating with a third party called Sykes Enterprises. Lapsus$ claimed it had been able to access a “superuser portal” that gave the group “the ability to reset the password and MFA of ~95% of [Okta] clients”.

Both incidents, and similar ones such as Kaseya and SolarWinds, amply illustrate the need for a rethink on identity management. Identity providers (IDPs) such as Okta may have customers in the thousands, but those customers use IDPs to serve their own customers, so the end result can be millions of people made vulnerable.

While these incidents occurred halfway around the world, supply-chain attacks are just as likely to hit the Middle East. In 2019, the Tortoiseshell group was suspected of preparing for supply-chain incursions by targeting the kingdom’s IT providers. The consequences are sweeping privileges — from access to cloud-managed resources to control over network assets — ending up in the hands of threat actors without any payload having been dropped or contact made with endpoints. So, when an identity-based compromise occurs, whether an IDP is involved or not, security teams need to have a gameplan. The following steps are a start.

  1. Evaluate

Information is key. Get to know the breach quickly and thoroughly. If a third party, such as an IDP, is involved, security teams need to pressure them into full disclosure as soon as possible so the affected organisation can separate the claims made by attackers from the reality they face.

Let no information stone go unturned. Even commentary from independent security researchers may help form a clear picture. Timeframes are also important. IDPs and other organisations in the service chain will try to spin their way to brand preservation, so news of an event can sometimes come weeks, or even months, after it occurs.

While looking for information on indicators of compromise (IoCs), make sure to allow for all the services and applications the identity provider uses in the delivery of its platform. These could run to the hundreds, and even well-appointed SOCs may have trouble forming a complete picture. Nonetheless, every nugget of information can help in pinning down the source of the incident, and this includes the provider’s event and alert logs. These logs, together with a timeline estimate and a list of all changes in system configuration, admin users, and permissions, can go a long way in sketching an accurate view of a breach. The presence of redundant access credentials, new applications and devices, and other recent activities are also relevant. Each should be evaluated.

  2. Mitigate

Once security teams have identified the source of the attack, it is time to roll back any malicious changes. Analysts should take care to log full details of any misconfigurations for the purposes of forensic investigation. Any user accounts suspected of compromise should be subject to password resets, as should credentials for applications and services. Of course, password resets will be an irksome requirement for users, and reconfiguring apps is time-consuming for security teams, so ensure these steps are necessary before committing to them.

Organisations should also take steps to revoke all unnecessary third-party permissions. Some IDPs (including Okta) traditionally use such credentials to reconfigure their customers’ environments or perform system debugging. But if that IDP has already been compromised, the first step in mitigation is to change the locks.
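The Evaluate and Mitigate steps above call for working through the provider's event logs, a timeline estimate and a list of changes to admin users, permissions, credentials, applications and devices, and then rolling the malicious changes back. The following Python script is an added example of that triage; it is not code from this article, from Vectra AI or from Okta. It parses a constructed set of identity-provider audit events (the field and event-type names, the user names, the incident window and the known-device baseline are all assumptions for illustration, not a vendor's real schema), builds the timeline inside the incident window, flags MFA and password resets, admin-group grants, new API tokens and applications, and logins from devices not seen before, and turns the findings into the reset-and-revoke list the Mitigate step describes.

```python
from __future__ import annotations

import json
from datetime import datetime, timezone

# Constructed sample of identity-provider audit events, one JSON object per line.
# Field and eventType names are an assumption for illustration, not a vendor's real schema.
SAMPLE_LOG = """
{"published": "2022-03-15T09:00:00Z", "eventType": "user.session.start", "actor": "bob@example.test", "target": "bob@example.test", "device": "laptop-bob"}
{"published": "2022-03-16T10:02:11Z", "eventType": "user.session.start", "actor": "support-vendor@example.test", "target": "support-vendor@example.test", "device": "unknown"}
{"published": "2022-03-16T10:05:43Z", "eventType": "user.mfa.factor.reset", "actor": "support-vendor@example.test", "target": "alice@example.test"}
{"published": "2022-03-16T10:06:10Z", "eventType": "user.account.reset_password", "actor": "support-vendor@example.test", "target": "alice@example.test"}
{"published": "2022-03-16T10:20:00Z", "eventType": "group.user_membership.add", "actor": "support-vendor@example.test", "target": "alice@example.test", "group": "Administrators"}
{"published": "2022-03-16T10:31:27Z", "eventType": "system.api_token.create", "actor": "alice@example.test", "target": "token-0af3"}
{"published": "2022-03-16T11:00:00Z", "eventType": "application.lifecycle.create", "actor": "alice@example.test", "target": "Shadow Sync App"}
{"published": "2022-03-16T14:00:00Z", "eventType": "user.session.start", "actor": "bob@example.test", "target": "bob@example.test", "device": "laptop-bob"}
"""

# Constructed baseline: devices each user was seen on before the incident window.
KNOWN_DEVICES = {"bob@example.test": {"laptop-bob"}, "alice@example.test": {"laptop-alice"}}
ADMIN_GROUPS = {"Administrators", "Super Administrators"}
# Event types that change who can log in or what they can do, mapped to a finding kind.
HIGH_RISK = {
    "user.mfa.factor.reset": "mfa_reset",
    "user.account.reset_password": "password_reset",
    "system.api_token.create": "api_token_created",
    "application.lifecycle.create": "app_created",
}
# Constructed incident window, i.e. the timeframe the provider's disclosure points to.
INCIDENT_START = datetime(2022, 3, 16, tzinfo=timezone.utc)
INCIDENT_END = datetime(2022, 3, 17, tzinfo=timezone.utc)


def parse_events(raw: str) -> list[dict]:
    """Parse newline-delimited JSON events and sort them chronologically."""
    events = []
    for line in raw.strip().splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
            events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def build_timeline(events, start, end):
    """(time, actor, eventType, target) rows for every event inside the incident window."""
    return [(e["time"].isoformat(), e["actor"], e["eventType"], e["target"])
            for e in events if start <= e["time"] <= end]


def flag_events(events, start, end, known_devices):
    """Findings an analyst must evaluate: MFA/password resets, admin-group grants,
    new API tokens and applications, and logins from devices not seen before."""
    findings = []
    for e in events:
        if not (start <= e["time"] <= end):
            continue
        et, kind = e["eventType"], None
        if et == "user.session.start":
            if e.get("device", "unknown") not in known_devices.get(e["actor"], set()):
                kind = "login_unknown_device"
        elif et == "group.user_membership.add":
            if e.get("group") in ADMIN_GROUPS:
                kind = "admin_grant"
        else:
            kind = HIGH_RISK.get(et)
        if kind:
            findings.append({"kind": kind, "time": e["time"].isoformat(),
                             "actor": e["actor"], "target": e["target"]})
    return findings


def remediation_plan(findings):
    """Turn findings into the roll-back list of the Mitigate step. The actor behind a
    flagged change is reset along with its target, since that account may be the foothold."""
    plan = {k: set() for k in ("reset_accounts", "revoke_tokens", "review_apps", "revoke_admin_grants")}
    for f in findings:
        plan["reset_accounts"].add(f["actor"])
        if f["kind"] in ("mfa_reset", "password_reset", "admin_grant"):
            plan["reset_accounts"].add(f["target"])
        if f["kind"] == "admin_grant":
            plan["revoke_admin_grants"].add(f["target"])
        elif f["kind"] == "api_token_created":
            plan["revoke_tokens"].add(f["target"])
        elif f["kind"] == "app_created":
            plan["review_apps"].add(f["target"])
    return plan


def run_triage(raw=SAMPLE_LOG, start=INCIDENT_START, end=INCIDENT_END, known=KNOWN_DEVICES):
    events = parse_events(raw)
    findings = flag_events(events, start, end, known)
    return build_timeline(events, start, end), findings, remediation_plan(findings)


if __name__ == "__main__":
    timeline, findings, plan = run_triage()
    print("Timeline:", *timeline, sep="\n  ")
    print("Findings:", *[(f["time"], f["kind"], f["actor"], f["target"]) for f in findings], sep="\n  ")
    print("Plan:", *[(k, sorted(v)) for k, v in plan.items()], sep="\n  ")
```

Run as a script it prints the in-window timeline, the six findings and the plan. The point worth noting is the chain: in the sample the third-party support account resets a user's MFA and password and adds them to an admin group, and that user then creates an API token and an application. Because the actor of every flagged change is added to the reset list, both accounts end up there and the token and application are queued for revocation and review, rather than only the first event being treated. Against a real provider the events would be pulled from its log API and the event names adjusted to its schema.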

  3. Review

Next, the affected organisation needs to look to the future. Having (ideally) established the attacker's means of ingress, it is time to shore up defences against future incidents. A review of current security settings and policies is advisable. Because of the human factor in supply-chain attacks, eliminating all weak points is not possible. Effective detection and response is therefore imperative. Tools exist that are capable of scanning for identity-based vulnerabilities in a range of apps and platforms.

Of course, the review should cover incident preparedness. Organisations should sit down with their IDP to hammer out a mutual action plan that activates in the event of a breach. And third-party audits by renowned security providers can serve as evaluations for threat postures that have been adjusted following an incident.

A solution for the future

Today, given the complexity of IT environments, it is difficult to manage identities and access privileges in such a way as to guarantee zero breaches. AI-based threat detection and response is increasingly seeping into the industry conversation because the popular “assume breach” mindset of zero trust requires that we are in constant “hunt” mode.

A compromised account does not automatically mean damage in real time. Attackers often take days or weeks to make their move. Meanwhile, anomalous access to valuable services, functionality, hosts, or data can serve as a red flag, assuming analysts can agree on what constitutes “anomalous” and “valuable”. This is where AI can help, by monitoring and responding to threat actors’ moves across multiple environments, from hybrid cloud to SaaS platforms. Without such help, assessments of incidents and IDP configurations can be lengthy and incomplete.

In other words, in a problem like identity compromise, where the human factor cannot be eliminated, machine intelligence must be given the space to up its game. Only then will the headlines be free of stories about costly incursions.
