Okta Fumbles Again

10–23–2023 (Wednesday)

Hello and welcome to another edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, October 23, 2023, and we’re back to a more traditional topic for this channel: large technology vendors having security incidents that could represent systemic risk.

Okta Fumbles Again

The large tech company in question this week is Okta, perhaps the leading identity provider - who apparently suffered a breach of its own internal support system that allowed attackers to access both Okta’s support case management system, and, through that, client environments.

Krebs on Security reported last week that Okta typically requests recording of web browser sessions to troubleshoot issues, and that these files can include customer cookies and session tokens.

While the details around those are a little more technical than we may need to get into, it’s worth noting that this issue wasn’t identified by Okta, but rather by security firm BeyondTrust.

Apparently, BeyondTrust noticed on their own Okta environment that one of their engineers was trying to create an administrator account - and that they had just 30 minutes previously sent one of these browser recordings - called a HAR file, with a valid Okta session token - over to Okta support at Okta’s request.

This allowed the threat actor to hijack that session and access BeyondTrust’s account. Unfortunately, it appears that Okta didn’t actually believe BeyondTrust’s findings, even after multiple phone calls, only to come back two weeks later with a customer advisory detailing this very issue.
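The mechanism above comes down to one thing: a HAR file is a full recording of browser traffic, so it carries the `Cookie`, `Set-Cookie` and `Authorization` headers, parsed cookie arrays and response bodies of every request it captured. The following is an added example, not code from Okta, BeyondTrust or this post, showing how to strip that material before a recording leaves the organisation; the sample HAR entry and the `acme.example.com` hostname are constructed for the demonstration.

```python
import json
from copy import deepcopy

REDACTED = "[REDACTED]"
# Header names whose values carry credentials or session state.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Name fragments (cookies, query params, form fields) that usually hold secrets.
# Over-matching is the safe direction here: a redacted value costs a follow-up
# question from support, a leaked value costs a session hijack.
SENSITIVE_NAME_HINTS = ("token", "session", "sid", "secret", "password", "auth")


def _is_sensitive_name(name: str) -> bool:
    lowered = name.lower()
    return lowered in SENSITIVE_HEADERS or any(h in lowered for h in SENSITIVE_NAME_HINTS)


def _scrub_pairs(pairs):
    """Redact the value of every name/value pair whose name looks sensitive."""
    for pair in pairs:
        if _is_sensitive_name(pair.get("name", "")):
            pair["value"] = REDACTED


def sanitize_har(har: dict) -> dict:
    """Return a copy of a HAR 1.2 document with session material removed.

    Covers request/response headers, the parsed cookies arrays, query string
    parameters and form post parameters. Response bodies are dropped entirely
    because they can also contain tokens (e.g. a JSON login response).
    """
    out = deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for section in (req, resp):
            _scrub_pairs(section.get("headers", []))
            _scrub_pairs(section.get("cookies", []))
        _scrub_pairs(req.get("queryString", []))
        _scrub_pairs(req.get("postData", {}).get("params", []))
        if "text" in resp.get("content", {}):
            resp["content"]["text"] = REDACTED
    return out


# Constructed sample HAR entry (not a real capture) for demonstration.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://acme.example.com/api/v1/users/me",
                "headers": [{"name": "Cookie", "value": "sid=abc123"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "abc123"}], "queryString": []},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "def456"}],
                 "content": {"mimeType": "application/json", "text": "{\"id\":\"00u1\"}"}}}]}}

if __name__ == "__main__":
    print(json.dumps(sanitize_har(SAMPLE_HAR), indent=2))
```

Run it over a real recording with `sanitize_har(json.load(open("capture.har")))` and send the result rather than the original; the diff between the two is also a useful reminder of how much a single HAR file exposes.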

This comes on the heels, of course, of Okta being at the center of both the Caesars and MGM breaches, and of the 2022 incident in which the teenage hacking group known as LAPSUS$ compromised Okta via social engineering attacks.

I’m disappointed that the write-up from Okta isn’t nearly as thorough as the write-up from BeyondTrust.

While Okta does include some indicators of compromise (IPs and browser agents), they don’t even mention the improvements you can make to harden your environment.

BeyondTrust does, however, and their recommendations are good ones, including restricting Okta admin accounts using hardware tokens, reducing the length of Okta sessions, forcing MFA challenges at every sign on, and other reasonable risk mitigation practices.

Now - you might think this would all add up to a bad week for Okta - but this wasn’t the only news facing them.

At the same time as all this was going on, Cloudflare piled on and noted that they detected and mitigated a similar attack on their own Okta infrastructure.

Their write-up feels similar to BeyondTrust’s in that it’s more detailed, has remediation / risk reduction steps, and a little plug for their own detect / respond tools and capability.

But, what does this all mean for us on the operator’s side? Does this mean we dump Okta? Not necessarily - particularly since Okta acquired arguably their biggest competitor in this space, Auth0, a few years back.

Instead, I think what this should encourage us to do is a few things:

  • Revisit our risk tolerance around administrative accounts. There’s really no excuse for admins to not have hardware authentication (e.g. YubiKeys) at this point, and have an MFA challenge at each step. This is still a bit of a big ask for most users, but admins can carry the friction as a cost of doing business, securely.

  • Reduce session length. While the exploit in question took only 30 minutes (i.e. probably shorter than you’d reduce sessions to), there’s no reason for these sessions to be 30 days. You could likely reduce it to one day, and have most users log in at least once per day, limiting the exposure to this threat significantly.

  • Finally, speaking of threats, this is a great chance to do some threat modeling, if you’re not already. Utilizing a Single Sign On platform like Okta is a great idea if you’re looking to scale your MFA capabilities, but what about if Okta itself has a compromise and someone gains access to it?

It’s hard not to get too paranoid about these things, but the reality of the world that we’re living in now is that threat actors are looking for systemic risk, areas that they can leverage to gain outsized access, and systems and services that are exposed on the edge - and will have to remain so to be functional (things like Okta, but also cloud services, file transfer appliances, firewalls, etc.).

You’re still likely better off using a solution like Okta vs. not using it, but there’s still more that you can do to harden that deployment, reduce the opportunity for bad things to happen, and monitor activity to detect anomalies before they become incidents - or breaches.

Fundraising

From a fundraising perspective, we’re continuing to see some multi-billion dollar fund commitments, and in areas of the market that remain compelling even through the larger volatility we’re currently experiencing.

A grand total of more than $9B in newly committed capital, including $2B for Copenhagen Infrastructure Partners’ new private equity and credit funds focused on alt fuel and renewable energy projects, $600M for Graycliff Partners’ fifth midmarket PE fund, and $3B for KKR’s third growth equity fund focused on tech companies in North America, Europe and Israel.

You can find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://krebsonsecurity.com/2023/10/hackers-stole-access-tokens-from-oktas-support-unit/

https://sec.okta.com/harfiles

https://www.beyondtrust.com/blog/entry/okta-support-unit-breach

https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/
