Telling More Okta Detection Stories with Google Chronicle
Robust protection comes from layers, and many of you are already familiar with the Swiss Cheese Model. Simply stated, even when you're confident in your primary controls, that confidence only grows with each additional layer added. Because who wants to have a defense that’s built around a single slice of sad cheese, wrapped in a pitiful film of plastic? No thanks, we’ll take that sturdy block of Swiss each and every time.
Of course, given how thin most security teams are spread, robust layering is often easier said than done. Not every security team has the luxury of dedicated Detection Engineers to craft, research and develop custom logic to catch threat actor activity, and not every security team has the time and skill to synthesize and recreate our logic in other SIEM platforms. With this in mind, Okta Security recently published a number of our bespoke detections.
“But,” quoth the game show hosts, “ that’s not all!” Today we’re excited to share that Chronicle and Okta have been collaborating to help these detections reach an even wider audience. And this time around, the Chronicle team threw a few extra slices of cheese on top!
Not only did they rewrite these detections for their environment, they also did their own research and wrote additional detections. You can read more about each of them over at Chronicle’s blog. We’ve described them below too.
To channel the words of Oprah, “You get a new detection, and you get a new detection, and you get a new detection!”
Okta Phishing Detection with FastPass Origin Check
Successful MFA After Multiple Failures
Repeated MFA Rejections by User
Suspicious Use of an Okta Session Cookie
Failed Number Challenge
Mismatch Between Source and Response for Verify Push Request
Multiple Failed Users with Invalid Credentials from the same IP
User Reported Suspicious Activity
Multiple Failed Requests to Access Okta Applications
ThreatInsight Alert: Suspected Brute Force
ThreatInsight Alert: Suspected Targeted Brute Force
ThreatInsight Alert: Login Failure with High Unknown Users
ThreatInsight Alert: Suspected Password Spray Attack
Successful Login Evaluated as High Risk
Okta User Account Lockout
New Okta API Token Created
Out of Hours Successful Authentication
User Logins from Multiple Cities
We found this exercise to be fulfilling. Writing YARA-L queries is new to us, but they have been super easy to read and collaborate on. Even if you’re not a Chronicle customer, you might find it valuable to read the detection logic in Chronicle to frame your thinking about how you might go about detecting these types of threats.
Once we’re happy with our detections, phishing resistant factors and other control slices; where should we invest our energy next? I’d suggest considering what an adversary might now need to do for persistence and lateral movement. Perhaps they could socially engineer a new factor, a managed device or even a whole new account?
Best get thinking about how you’d detect:
- User factors added or modified (user.mfa.factor*)
- New users created (user.lifecycle.create)
- Devices added to MDM
- Remote Monitoring and Management tool installation or execution
- VM installation on workstations
- Duplicate hostnames