
Okta’s breach shows why identities come first in a zero trust world

by WeeklyAINews


Showing how fragile digital identities are even for a leading provider of identity and access management (IAM) solutions, Okta’s security breach, acknowledged by the company on October 20, started with stolen credentials used to gain access to its support management system. From there, attackers gained access to HTTP Archive (.HAR) files that contain active session cookies and began breaching Okta’s customers, attempting to penetrate their networks and exfiltrate data.

Daniel Spicer, Ivanti’s chief security officer (CSO), told VentureBeat, “Many IT team members, even those who are security-conscious, don’t think about what information they share with vendor support teams because they’re ‘trusted.’ Security teams need to interview their IT teams to understand what data they commonly have to share to resolve support cases.” Spicer advises, “You should also inspect the output for automatically generated troubleshooting data from sensitive systems. You could find anything from certificates and credentials to PII in these data sets.”
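Added example, not from the original article or from Okta: one way to check and scrub a HAR file for live session material before it is attached to a support case. It assumes the standard HAR 1.2 layout (`log.entries[].request` and `.response`, each with `headers` and `cookies` arrays); the function names, host name and sample values are constructed for illustration.

```python
import copy
import json

# Header names whose values carry live session material.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization"}
REDACTED = "[REDACTED]"

def sanitize_har(har):
    """Return (sanitized_copy, findings); findings lists every redacted field."""
    clean = copy.deepcopy(har)  # never modify the caller's capture
    findings = []
    for idx, entry in enumerate(clean.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    findings.append((idx, side, "header", header["name"]))
                    header["value"] = REDACTED
            # HAR also stores parsed cookies separately from the raw headers.
            for cookie in msg.get("cookies", []):
                findings.append((idx, side, "cookie", cookie.get("name", "")))
                cookie["value"] = REDACTED
    return clean, findings

def leaked_secrets(har, secrets):
    """Return the secrets that still appear anywhere in the serialized HAR."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]

# Constructed sample: one request/response pair with made-up values.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://idp.example.com/admin/users",
        "headers": [
            {"name": "Cookie", "value": "sid=CONSTRUCTED-SESSION-VALUE"},
            {"name": "Authorization", "value": "Bearer CONSTRUCTED-TOKEN"},
            {"name": "Accept", "value": "application/json"},
        ],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-VALUE"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=CONSTRUCTED-NEW; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED-NEW"}],
    },
}]}}

if __name__ == "__main__":
    sanitized, found = sanitize_har(SAMPLE_HAR)
    for item in found:
        print("redacted:", item)
```

Tokens can also appear in URLs, request bodies and response content, which this block does not inspect, so a clean result here covers headers and cookie arrays only.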

Attackers exploited trust in privileged credentials

Attackers worked fast to use stolen session cookies and tokens from HAR files to impersonate legitimate users and attempt to gain unauthorized access to Okta’s customers’ systems. Okta customers BeyondTrust, Cloudflare, and 1Password — who collectively serve tens of thousands of organizations and customers, including some of the world’s largest and most important — immediately detected unusual activity, including new account creation and changes in administrative permissions. Each of these customers discovered the breach weeks before Okta did, immediately alerting their identity management vendor. It took Zoom calls and shared data results with Okta for the latter to confirm the breach, weeks later.


In an ironic twist for Okta, whose marketing slogan is “everything starts with identity,” its customers detected attempted breaches immediately when unauthorized attempts were made to access high-privilege Okta accounts using a stolen session cookie from a recently uploaded HAR file.

Stolen cookies and compromised tokens

Identity security company BeyondTrust’s blog post says that on October 2, it detected an unauthorized attempt to access a high-privilege Okta account using a stolen session cookie from a recently uploaded HAR file.

BeyondTrust realized the breach attempt came just half an hour after one of its admins shared the HAR file with Okta support. Attackers were using the stolen cookie to try to create a new administrative Okta profile in the BeyondTrust environment.

On October 18, Cloudflare noticed attacks originating from Okta and traced them back to a compromised authentication token. Cloudflare used its systems to detect attackers attempting to leverage an active, open Okta session to gain access to Cloudflare. Attackers had moved fast in the Cloudflare environment and had already managed to compromise two separate Cloudflare employee accounts within their Okta instance.

1Password detected suspicious activity on its Okta instance on September 29 when its internal systems identified a successful account takeover of one of its staff’s Okta accounts that had privileged access. 1Password was also able to trace the attack to a cookie harvested from the exfiltrated HAR file intercepted from the Okta support management system.

The attacker gained access to 1Password’s Okta administrative capabilities. 1Password’s security incident report provides more details about the attack. 1Password also rotated IT members’ credentials and switched to using Yubikey for multi-factor authentication (MFA) internally.


Attackers’ tradecraft prioritizes identity breaches

Identities continue to be a favorite attack surface because attackers, criminal gangs, and advanced persistent threat (APT) organizations know identities are the ultimate control surface. Seventy-eight percent of enterprises say identity-based breaches have directly impacted their business operations, and of those enterprises breached, 96% now believe they could have prevented a breach if they had adopted identity-based zero-trust safeguards earlier. Forrester found that 80% of all security breaches begin with privileged credential abuse.

Delinea’s survey on securing identities found that 84% of organizations experienced an identity-related breach in the last 18 months. Gartner found that 75% of security failures are attributable to human error in managing access privileges and identities.

The last several high-profile cyberattacks share the common trait of capitalizing on the weaknesses of how identities and their privileged access credentials are managed. Okta’s assumption — that enabling HAR files to be shared with its support management system was secure — makes the point clear.

Any assumption of trust in how identities and access credentials are used needs to be replaced with verification and visibility. Attackers have long been targeting the gaps in endpoint security and identity management to take advantage of assumed trust in endpoint agents. Their goal is to capture privileged access credentials and penetrate infrastructure to perform reconnaissance, install malware, and exfiltrate data for financial gain.

Zero trust demands controls and visibility

Okta’s unfortunate breach shows how ingenious attackers are in exploiting any opportunity there is to steal privileged access credentials, down to intercepting Okta session cookies and attempting attacks with live sessions. The attempted breach illustrates why the core concepts of zero trust have immediate practical benefits.


Zero trust, predicated on least privilege access and on auditing and monitoring every transaction, use of resources, and workflow, must be a given in every interaction across a network. By definition, zero trust security is a framework that defines all devices, identities, systems, and users as untrusted by default. All require authentication, authorization, and continuous validation before being granted access to applications and data.

The zero trust framework protects against external and internal threats by logging and inspecting all network traffic, limiting and controlling access, and verifying and securing network resources. The National Institute of Standards and Technology (NIST) has created a standard on zero trust, NIST 800-207, that provides prescriptive guidance to enterprises and governments implementing the framework.

Be sure to read VentureBeat’s two-part interview with zero trust’s creator, John Kindervag, to gain insights into his research at Forrester that led to the creation of the framework.
