August 2, 2023

Telling More Okta Detection Stories with Google Chronicle

Defensive Cyber Operations

Robust protection comes from layers, and many of you are already familiar with the Swiss Cheese Model. Simply stated, even when you're confident in your primary controls, that confidence only grows with each additional layer added. Because who wants to have a defense that’s built around a single slice of sad cheese, wrapped in a pitiful film of plastic? No thanks, we’ll take that sturdy block of Swiss each and every time.

Of course, given how thin most security teams are spread, robust layering is often easier said than done. Not every security team has the luxury of dedicated Detection Engineers to craft, research and develop custom logic to catch threat actor activity, and not every security team has the time and skill to synthesize and recreate our logic in other SIEM platforms. With this in mind, Okta Security recently published a number of our bespoke detections.

“But,” quoth the game show hosts, “ that’s not all!” Today we’re excited to share that Chronicle and Okta have been collaborating to help these detections reach an even wider audience. And this time around, the Chronicle team threw a few extra slices of cheese on top!

Not only did they rewrite these detections for their environment, they also did their own research and wrote additional detections. You can read more about each of them over at Chronicle’s blog. We’ve described them below too.

To channel the words of Oprah, “You get a new detection, and you get a new detection, and you get a new detection!”

Okta Phishing Detection with FastPass Origin Check

ID	T1566
Technique	Phishing
Chronicle identifier	okta_phishing_detection_with_fastpass_origin_check
Description	Okta provides a platform detection for when a user enrolled in FastPass fails to authenticate via a real-time AiTM phishing proxy.
Okta Reference	Detecting Real-Time Phishing Attacks
Okta System Log Query	eventType eq "user.authentication.auth_via_mfa" AND result eq "FAILURE" AND outcome.reason eq "FastPass declined phishing attempt"

Successful MFA After Multiple Failures

ID	T1110
Technique	Credential Access
Chronicle identifier	okta_mfa_brute_force_attack
Description	Detects a successful login after multiple failed MFA pushes
Okta Reference	Using Workflows to Respond to Anomalous Push Requests

Repeated MFA Rejections by User

ID	T1110
Technique	Brute Force
Chronicle identifier	okta_user_rejected_multiple_push_notifications
Description	NEW: Detects when an Okta user rejects more than 2 Push notifications in a 10 minute window.
Okta Reference	Using Workflows to Respond to Anomalous Push Requests
Okta System Log Query	Okta Identity Engine eventType eq "user.authentication.auth_via_mfa" AND outcome.result="FAILURE" and outcome.reason="INVALID_CREDENTIALS" and debugContext.debugData.factor eq "OKTA_VERIFY_PUSH" Okta Classic Engine eventType eq "user.mfa.okta_verify.deny_push"

ID	T1539
Technique	Steal Web Session Cookie
Chronicle identifier	okta_suspicious_use_of_a_session_cookie
Description	Detects when an adversary attempts to reuse a stolen web session cookie in a different device that has a different OS, IP, Browser or User Agent.
Okta Reference	Defending against Session Hijacking

Failed Number Challenge

ID	T1621
Technique	Multi-Factor Authentication Request Generation
Chronicle identifier	okta_user_failed_number_challenge_during_push_notification
Description	Detects when an Okta user failed a number challenge during push notification.
Okta Reference	Number Challenge for Okta Verify

Mismatch Between Source and Response for Verify Push Request

ID	T1621
Technique	Multi-Factor Authentication Request Generation
Chronicle identifier	okta_mismatch_between_source_and_response_for_verify_push_request
Description	Okta Mismatch Between Source and Response for Verify Push Request
Okta Reference	Okta and Splunk Combine to Detect Common Attacks

Multiple Failed Users with Invalid Credentials from the same IP

ID	T1078
Technique	Valid Accounts
Chronicle identifier	okta_multiple_users_logins_with_invalid_credentials_from_the_same_ip
Description	NEW: Detects multiple user logins with invalid credentials from a single IP.
Okta Reference	System Log events for Okta ThreatInsight

User Reported Suspicious Activity

ID	T1078
Technique	Valid Account
Chronicle identifier	okta_user_suspicious_activity_reported
Description	NEW: An Okta user reports suspicious activity in response to an end user security notification.
Okta Reference	Suspicious Activity Reporting
Okta System Log Query	eventType eq "user.account.report_suspicious_activity_by_enduser"

Multiple Failed Requests to Access Okta Applications

ID	T1550.004
Technique	Use Alternate Authentication Material: Web Session Cookie
Chronicle identifier	okta_multiple_failed_requests_to_access_applications
Description	Detects multiple failed requests to access applications
Okta Reference	Okta and Splunk Combine to Detect Common Attacks

ThreatInsight Alert: Suspected Brute Force

ID	T1110.001
Technique	Brute Force: Password Guessing
Chronicle identifier	okta_threatinsight_suspected_brute_force_attack
Description	NEW: Okta ThreatInsight detects multiple login failures from the same IP across one or more Okta orgs
Okta Reference	System Log events for Okta ThreatInsight
Okta System Log Query	eventType eq "security.threat.detected" and outcome.reason eq "Login Failures"

ThreatInsight Alert: Suspected Targeted Brute Force

ID	T1110
Technique	Brute Force
Chronicle identifier	okta_threatinsight_targeted_brute_force_attack
Description	NEW: Okta ThreatInsight detects access requests from known malicious IPs targeting a specific org.
Okta Reference	System Log events for Okta ThreatInsight
Okta System Log Query	eventType eq "security.attack.start"

ID	T1110.004
Technique	Brute Force: Credential Stuffing
Chronicle identifier	okta_threatinsight_login_failure_with_high_unknown_users
Description	Okta's ThreatInsight can identify multiple login failures with high unknown users count from the same IP across one or more Okta orgs.
Okta Reference	System Log events for Okta ThreatInsight
Okta System Log Query	eventType eq "security.threat.detected" AND outcome.reason co "Login failures with high unknown users count"

ThreatInsight Alert: Suspected Password Spray Attack

ID	T1110.003
Technique	Brute Force: Password Spraying
Chronicle identifier	okta_threatinsight_suspected_password_spray_attack
Description	Okta's ThreatInsight can identify Password Spray attacks.
Okta Reference	System Log events for Okta ThreatInsight
Okta System Log Query	eventType eq "security.threat.detected" and outcome.reason eq "Password Spray"

ID	T1078
Technique	Valid Accounts
Chronicle identifier	okta_successful_high_risk_user_logins
Description	NEW: Detects successfully authenticated user logins based on Okta's Behavior Detection pattern analysis.
Okta Reference	Behavior Detection System Log events
Okta System Log Query	outcome.result eq "SUCCESS" and debugContext.debugData.risk co "HIGH"

Okta User Account Lockout

ID	T1078
Technique	Valid Accounts
Chronicle identifier	okta_user_account_lockout
Description	NEW: Detects when a user's account is locked out or a user account has reached the lockout limit.
Okta Reference	How Adaptive MFA Helps Mitigate Brute Force Attacks
Okta System Log Query	eventType eq "user.account.lock"

New Okta API Token Created

ID	T1078
Technique	Valid Accounts
Chronicle Identifier	okta_new_api_token_created
Description	NEW: Detects when a new API token is created.
Okta Reference	Tokens
Okta System Log Query	eventType eq "system.api_token.create"

Out of Hours Successful Authentication

ID	T1078
Technique	Valid Accounts
Chronicle identifier	okta_user_login_out_of_hours
Description	NEW: Detects out of hours successful authentication.
Okta Reference	User Sign-in and Recovery Events in the Okta System Log

User Logins from Multiple Cities

ID	T1078
Technique	Valid Accounts
Chronicle identifier	okta_user_logins_from_multiple_cities
Description	NEW: Detects user logins for the same user from different cities within 24 hours.
Okta Reference	Behavior Detection System Log events

We found this exercise to be fulfilling. Writing YARA-L queries is new to us, but they have been super easy to read and collaborate on. Even if you’re not a Chronicle customer, you might find it valuable to read the detection logic in Chronicle to frame your thinking about how you might go about detecting these types of threats.

What’s next?

Once we’re happy with our detections, phishing resistant factors and other control slices; where should we invest our energy next? I’d suggest considering what an adversary might now need to do for persistence and lateral movement. Perhaps they could socially engineer a new factor, a managed device or even a whole new account?

Best get thinking about how you’d detect:

User factors added or modified (user.mfa.factor*)
New users created (user.lifecycle.create)
Devices added to MDM
Remote Monitoring and Management tool installation or execution
VM installation on workstations
Duplicate hostnames

Gouda luck!

The Defensive Cyber Operations (DCO) team is responsible for detecting and responding to cyber threats that impact Okta or our customers via the Okta platform. Our intelligence-driven capability identifies the adversaries most likely to impact Okta and our customers, and prioritises our defensive capabilities based on the threats most likely to be realised.