James Brodsky

Unlocking the Mystery of 700+ Okta System Log Events

When I started writing this post, there were 766 potential event types that can appear in System Log, the logging platform in every Okta administrative console. By the time I finished it, there were 768. Things move fast in the cloud. While the most important of these events are well documented already, the significance of others is only understood when you look them up. There must be an easier way to enrich this data! Sending System Logs to a SIEM: The native way to leverage Okta’s...

Steve Ripaldi

Okta's Response to CVE-2022-22965 ("Spring4Shell")

Last Updated: 3/4/2022 1.30pm Pacific Time. Three critical vulnerabilities have been identified affecting the Java Spring Framework and related software components, with one specific CVE being known as Spring4Shell/SpringShell (CVE-2022-22965). CVE-2022-22965: Within Spring Core, a Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. Okta Security has triaged the Spring4Shell vulnerability, and determined Okta is not...

David Bradbury

Official Okta Statement on LAPSUS$ Claims

Last updated: 03/22/2022 12.00pm, Pacific Time Please note - Following this update all further information will be published at: https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/ The Okta service has not been breached and remains fully operational. There are no corrective actions that need to be taken by our customers. In January 2022, Okta detected an unsuccessful attempt to compromise the account of a customer support engineer working for a third-party provider. As part...

Brett Winterford

Protection, without perimeters

Given the premise that “identity is the new perimeter”, we’re often asked about the role network attributes should play in restricting access to applications, servers and data. Can we, and should we, for example, deny access requests originating in high-risk countries or countries involved in conflict? The reality is that network context still matters. We can take into account the identity of the network and location our users are authenticating from. If a customer determines that there are...

James Brodsky

Everything is Yes: Detecting and Preventing MFA Fatigue Attacks

UPDATED 22-04-12: We have added a Splunk query in the “How would we detect these attacks” section that is optimized for Okta Classic. I’m the proud parent of 13-year-old fraternal twins. Most of the time they’re wonderful smaller humans, but sometimes they drive me bonkers with endless streams of rapid-fire, closed-ended questions. Here’s an example of a recent, pre-dinnertime question barrage: “Are you making pizza for dinner with your special dough? Did you get the shredded cheese or did...

Brett Winterford

We (still) need to talk about RDP

Quarter by quarter, for three years now, abuse of Remote Desktop Protocol (RDP) has been the most common root cause of all ransomware events. It’s no surprise why RDP makes for an attractive target: RDP is the primary vehicle for remote access to Windows servers and is used for administrative functions. It’s the most commonly listed method of remote access sold by initial access brokers. According to some 2019 research [pdf] by Sophos, an open RDP port gets its first connection request...

Brett Winterford

Just how risky is legacy authentication?

Does your organization still allow users to authenticate to Office 365 or other Microsoft services using only a username and password? If you do, you’re 53x more likely to be targeted in credential-based attacks. (No, not 53% more likely. It’s 53 times more likely). Many organizations (at least one in ten Microsoft customers, as of October 2021) still allow access to the M365 cloud using what Microsoft calls “Legacy Authentication”. In these requests, the client forwards the username and...

David Bradbury

Okta’s response to CVE-2021-44228 (“Log4Shell”)

Last Updated: 1/12/2022 3.30pm Pacific Time The Okta Security team continues to investigate and evaluate the Log4j Java library remote code execution (RCE) vulnerability (CVE-2021-44228), also known as Log4Shell. Log4j is a Java-based logging utility found in a wide number of software products. The vulnerability was disclosed by the Apache Log4j project on Thursday, December 9, 2021. If exploited, it could potentially allow a remote attacker to execute code on the server if the system logs...

Brett Winterford

Auditing your Okta org for Legacy Authentication

Using Okta System Logs to monitor use of basic authentication to Office 365. As promised on the Risky Business podcast, here are some System Log queries to help Okta administrators weed out examples of clients connecting to their Office 365 tenant over basic authentication (“legacy authentication”, in Microsoft parlance). If you already know why these authentication methods are risky, skip straight on to the queries and containment strategies. Otherwise, read on! In 2019, Microsoft announced...
