Defensive Cyber Operations

Telling More Okta Detection Stories with Google Chronicle

Robust protection comes from layers, and many of you are already familiar with the Swiss Cheese Model. Simply stated, even when you're confident in your primary controls, that confidence only grows with each additional layer added. Because who wants to have a defense that’s built around a single slice of sad cheese, wrapped in a pitiful film of plastic? No thanks, we’ll take that sturdy block of Swiss each and every time. Of course, given how thin most security teams are spread, robust...

Defensive Cyber Operations and Brett Winterford

An Unexpected Endorsement for WebAuthn

Okta Security endorses phishing resistant authentication at every opportunity. We’ve long argued enrolling users in Okta FastPass, FIDO2 WebAuthn authenticators or Smart Cards, and enforcing phishing resistant authentication flows will: Protect users against real-time phishing proxies and other forms of session hijacking. Solve for far more attacks than simply adding Number Challenge to Push notifications to defeat MFA Fatigue. Offer detection opportunities via System Log and the automation...

Tim Peel and Laremy Legel

Social Engineering is Getting More Extreme, but the Fixes Can Be Simple

Social engineering is a hacking technique older than the internet itself, and it's tempting to think you've already seen it all. But recently, we've noted a trend among threat actors pursuing more sophisticated and aggressive techniques to trick, or even threaten, users into performing their desired actions. Their campaigns are convincing, brazen, and at times alarming. In this blog post, we want to talk about some of the techniques we've seen (or been made aware of) and provide some practical...

John Murphy and Laremy Legel

Study up on Okta Logs for Splunk’s Boss of the SOC!

Okta Security is pleased to announce another collaboration with our friends at Splunk - our security teams have joined forces to come up with a range of Okta-relevant scenarios for this year’s “Boss of the SOC” competition at Splunk .conf23. Per Splunk, “Boss of the SOC (BOTS) is a blue-team capture the flag-esque competition. As a contestant, you will explore and investigate realistic event data in Splunk Enterprise and Splunk Enterprise Security. The questions in BOTS range from easy to...

Brett Winterford and Moussa Diallo

Keeping Phishing Adversaries Out of the Middle

Okta’s Identity Defense Operations frequently observes the use of Adversary-in-the-Middle (AiTM) phishing proxies in high-volume, non-targeted attacks against users of corporate email services. Real-time phishing proxies have been used in red team activity and targeted attacks since at least 2017. Microsoft Threat Intelligence Center (MSTIC) observed campaigns in July 2022 of far higher volume, with 10,000 Microsoft 365 customers targeted in one campaign alone. MSTIC also observed that...

Brett Winterford and Sean Hanrahan

Using Workflows to Respond to Anomalous Push Requests

“Push fatigue” is a noisy form of attack that generates numerous detection opportunities. In a “push fatigue” attack (sometimes called “MFA bombing”), an attacker already in possession of a user password triggers push notifications, often in rapid succession, to trick or frustrate the legitimate user into allowing access. The attacker gains unauthorized access to the account if the user approves the request out of habit or under the assumption of system error. The most strategic, long-term...

Brett Winterford and Defensive Cyber Operations

Okta and Splunk Combine to Detect Common Attacks

In an ideal world, every security function would have a Detection Engineering team. Regrettably, even organizations that are stewards of highly sensitive data often can’t afford (or don’t prioritize) the capabilities required for effective security monitoring. There can be a misconception that cloud service providers are doing the monitoring for them. It's a challenge that Okta Security wants to help address. Whenever we write a detection for our own purposes (we use Okta, too!), there’s an...

Josh Clark and Tin Nguyen

Setting the Right Levels of Assurance for Zero Trust

Okta Identity Engine (OIE) is an incredibly powerful platform. What other platform allows you to have this level of security, granularity and control? “Only allow access to a highly sensitive application if the user authenticates with multiple authenticators that are at least one phishing-resistant, and only from a corporate-managed device with a strong EDR posture score.” The more sensitive an application is, the more security context we might seek to verify to ensure the access is...

Brett Winterford

Catch-All's and Canary Rules

Okta Identity Engine offers admins the ability to vary authentication flows to applications based on everything from group membership, device management, device posture, network zones, risk evaluation, user behaviour and more. Generally speaking, the more context evaluated at the point of access, the better the security outcome. That’s what this whole zero trust journey is about: all the stars should align before a legitimate user can access a sensitive resource. The flip-side of this is that...

Okta

User Sign-in and Recovery Events in the Okta System Log

During a security incident, it's critical that SOC analysts (or Okta admins) can rapidly identify all activity associated with a suspicious session, user or IP. We are often asked to provide some sort of "cheat sheet" for new analysts that are unfamiliar with the extensive library of events available in Okta's Event Library. The following blog post re-publishes a support article that offers a few of these shortcuts. Okta Security has also published a range of platform and bespoke detections...